.\" $Id: kadmin.8,v 1.4 1997/04/02 21:09:53 assar Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.TH KADMIN 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kadmin \- network utility for Kerberos database administration
.SH SYNOPSIS
.B kadmin [\-u user] [\-r default_realm] [\-m] [\-t]
.SH DESCRIPTION
This utility provides a unified administration interface to
the
Kerberos
master database.
Kerberos
administrators
use
.I kadmin
to register new users and services to the master database,
and to change information about existing database entries.
For instance, an administrator can use
.I kadmin
to change a user's
Kerberos
password.
A Kerberos administrator is a user with an ``admin'' instance
whose name appears on one of the Kerberos administration access control
lists. If the \-u option is used,
.I user
will be used as the administrator instead of the local user.
If the \-r option is used,
.I default_realm
will be used as the default realm for transactions. Otherwise,
the local realm will be used by default.
If the \-m option is used, multiple requests are permitted
after a single entry of the admin password. Some sites do not
support this option. The \-t option tells kadmin to use the
existing ticket file instead of creating a new one.
The
.I kadmin
program communicates over the network with the
.I kadmind
program, which runs on the machine housing the Kerberos master
database.
The
.I kadmind
creates new entries and makes modifications to the database.
When you enter the
.I kadmin
command,
the program displays a message that welcomes you and explains
how to ask for help.
Then
.I kadmin
waits for you to enter commands (which are described below).
It then asks you for your
.I admin
password before accessing the database.
All commands can be abbreviated as long as they are unique. Some
short versions of the commands are also recognized for backwards
compatibility.
Use the
.I add_new_key
(or
.I ank
for short)
command to register a new principal
with the master database.
The command requires one argument,
the principal's name. The name
given can be fully qualified using
the standard
.I name.instance@realm
convention.
You are asked to enter your
.I admin
password,
then prompted twice to enter the principal's
new password. If no realm is specified,
the local realm is used unless another was
given on the command line with the \-r flag.
If no instance is
specified, a null instance is used. If
a realm other than the default realm is specified,
you will need to supply your admin password for
the other realm.
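The defaulting rules just described decide which realm a new key lands in, so they are worth tracing on a few inputs. The sketch below is an added example, not code from kadmin: resolve_principal and its arguments are hypothetical names, the realm names are constructed, and splitting at the first dot and rejecting malformed input are assumptions of this example.
.nf

```python
# Added example: models the name.instance@realm defaults described above.
# resolve_principal and its arguments are hypothetical, not kadmin code.
from typing import NamedTuple, Optional


class Principal(NamedTuple):
    name: str
    instance: str      # "" stands for the null instance
    realm: str
    other_realm: bool  # True: the admin password for that realm is needed


def resolve_principal(arg: str, local_realm: str,
                      r_option: Optional[str] = None) -> Principal:
    """Resolve name[.instance][@realm] using the documented defaults."""
    # A realm given with the -r option replaces the local realm as default.
    default_realm = r_option if r_option else local_realm

    rest, at, realm = arg.partition("@")
    if at and not realm:
        raise ValueError("empty realm after @")
    if "@" in realm:
        raise ValueError("more than one @ in principal")
    if not at:
        realm = default_realm

    # Assumption: the first dot separates name from instance.
    # No dot (or nothing after it) means the null instance.
    name, _, instance = rest.partition(".")
    if not name:
        raise ValueError("empty principal name")

    return Principal(name, instance, realm, realm != default_realm)


if __name__ == "__main__":
    # Constructed inputs; LOCAL.EXAMPLE plays the role of the local realm.
    for arg, r_opt in [("jdoe", None), ("jdoe.admin", "OTHER.EXAMPLE"),
                       ("jdoe.admin@OTHER.EXAMPLE", None)]:
        print(arg, r_opt, resolve_principal(arg, "LOCAL.EXAMPLE", r_opt))
```

.fi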
Use the
.I change_password (cpw)
command to change a principal's
Kerberos
password.
The command requires one argument,
the principal's
name.
You are asked to enter your
.I admin
password,
then prompted twice to enter the principal's new password.
The name
given can be fully qualified using
the standard
.I name.instance@realm
convention.
Use the
.I change_key (ckey)
command if you need to change the raw key of a particular principal,
that is, if you want to input a DES key directly instead of a
password that will get converted into a DES key.
Use the
.I change_admin_password (cap)
command to change your
.I admin
instance password.
This command requires no arguments.
It prompts you for your old
.I admin
password, then prompts you twice to enter the new
.I admin
password. If this is your first command,
the default realm is used. Otherwise, the realm
used in the last command is used.
Use the
.I del_entry (del)
command to remove an entry from the Kerberos database.
Use the
.I mod_entry (mod)
command to modify a particular entry, for example to change the expiration date.
Use the
.I destroy_tickets (dest)
command to destroy your admin tickets explicitly.
Use the
.I list_requests (lr)
command to get a list of possible commands.
Use the
.I help
command to display
.IR kadmin 's
various help messages.
If entered without an argument,
.I help
displays a general help message.
You can get detailed information on specific
.I kadmin
commands
by entering
.I help
.IR command_name .
To quit the program, type
.IR quit .
.SH BUGS
The user interface is primitive, and the command names could be better.
.SH "SEE ALSO"
kerberos(1), kadmind(8), kpasswd(1), ksrvutil(8)
.br
``A Subsystem Utilities Package for UNIX'' by Ken Raeburn
.SH AUTHORS
Jeffrey I. Schiller, MIT Project Athena
.br
Emanuel Jay Berkenbilt, MIT Project Athena