source: heimdal/trunk/kadmin/kadmin.cat8@ 4

KADMIN(8)                 BSD System Manager's Manual                KADMIN(8)

NNAAMMEE
     kkaaddmmiinn -- Kerberos administration utility

SSYYNNOOPPSSIISS
     kkaaddmmiinn [--pp _s_t_r_i_n_g | ----pprriinncciippaall==_s_t_r_i_n_g] [--KK _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g]
            [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
            [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--aa _h_o_s_t | ----aaddmmiinn--sseerrvveerr==_h_o_s_t]
            [--ss _p_o_r_t _n_u_m_b_e_r | ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r] [--ll | ----llooccaall]
            [--hh | ----hheellpp] [--vv | ----vveerrssiioonn] [_c_o_m_m_a_n_d]

DDEESSCCRRIIPPTTIIOONN
     The kkaaddmmiinn program is used to make modifications to the Kerberos data-
     base, either remotely via the kadmind(8) daemon, or locally (with the --ll
     option).

     Supported options:

     --pp _s_t_r_i_n_g, ----pprriinncciippaall==_s_t_r_i_n_g
             principal to authenticate as

     --KK _s_t_r_i_n_g, ----kkeeyyttaabb==_s_t_r_i_n_g
             keytab for authentication principal

     --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
             location of config file

     --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
             location of master key file

     --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
             realm to use

     --aa _h_o_s_t, ----aaddmmiinn--sseerrvveerr==_h_o_s_t
             server to contact

     --ss _p_o_r_t _n_u_m_b_e_r, ----sseerrvveerr--ppoorrtt==_p_o_r_t _n_u_m_b_e_r
             port to use

     --ll, ----llooccaall
             local admin mode

     If no _c_o_m_m_a_n_d is given on the command line, kkaaddmmiinn will prompt for com-
     mands to process. Some of the commands that take one or more principals
     as argument (ddeelleettee, eexxtt__kkeeyyttaabb, ggeett, mmooddiiffyy, and ppaasssswwdd) will accept a
     glob style wildcard, and perform the operation on all matching princi-
     pals.

     Commands include:

     aadddd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
     ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e]
     [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e] [----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
     [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] _p_r_i_n_c_i_p_a_l_._._.

           Adds a new principal to the database. The options not passed on the
           command line will be promped for.

     aadddd__eennccttyyppee [--rr | ----rraannddoomm--kkeeyy] _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._.

           Adds a new encryption type to the principal, only random key are
           supported.

     ddeelleettee _p_r_i_n_c_i_p_a_l_._._.

           Removes a principal.

     ddeell__eennccttyyppee _p_r_i_n_c_i_p_a_l _e_n_c_t_y_p_e_s_._._.

           Removes some enctypes from a principal; this can be useful if the
           service belonging to the principal is known to not handle certain
           enctypes.

     eexxtt__kkeeyyttaabb [--kk _s_t_r_i_n_g | ----kkeeyyttaabb==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.

           Creates a keytab with the keys of the specified principals.

     ggeett [--ll | ----lloonngg] [--ss | ----sshhoorrtt] [--tt | ----tteerrssee] [--oo _s_t_r_i_n_g |
     ----ccoolluummnn--iinnffoo==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.

           Lists the matching principals, short prints the result as a table,
           while long format produces a more verbose output. Which columns to
           print can be selected with the --oo option. The argument is a comma
           separated list of column names optionally appended with an equal
           sign (`=') and a column header. Which columns are printed by
           default differ slightly between short and long output.

           The default terse output format is similar to --ss --oo _p_r_i_n_c_i_p_a_l_=,
           just printing the names of matched principals.

           Possible column names include: principal, princ_expire_time,
           pw_expiration, last_pwd_change, max_life, max_rlife, mod_time,
           mod_name, attributes, kvno, mkvno, last_success, last_failed,
           fail_auth_count, policy, and keytypes.

     mmooddiiffyy [--aa _a_t_t_r_i_b_u_t_e_s | ----aattttrriibbuutteess==_a_t_t_r_i_b_u_t_e_s]
     [----mmaaxx--ttiicckkeett--lliiffee==_l_i_f_e_t_i_m_e] [----mmaaxx--rreenneewwaabbllee--lliiffee==_l_i_f_e_t_i_m_e]
     [----eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----ppww--eexxppiirraattiioonn--ttiimmee==_t_i_m_e] [----kkvvnnoo==_n_u_m_b_e_r]
     _p_r_i_n_c_i_p_a_l_._._.

           Modifies certain attributes of a principal. If run without command
           line options, you will be prompted. With command line options, it
           will only change the ones specified.

           Possible attributes are: new-princ, support-desmd5,
           pwchange-service, disallow-svr, requires-pw-change,
           requires-hw-auth, requires-pre-auth, disallow-all-tix,
           disallow-dup-skey, disallow-proxiable, disallow-renewable,
           disallow-tgt-based, disallow-forwardable, disallow-postdated

           Attributes may be negated with a "-", e.g.,

           kadmin -l modify -a -disallow-proxiable user

     ppaasssswwdd [--rr | ----rraannddoomm--kkeeyy] [----rraannddoomm--ppaasssswwoorrdd] [--pp _s_t_r_i_n_g |
     ----ppaasssswwoorrdd==_s_t_r_i_n_g] [----kkeeyy==_s_t_r_i_n_g] _p_r_i_n_c_i_p_a_l_._._.

           Changes the password of an existing principal.

     ppaasssswwoorrdd--qquuaalliittyy _p_r_i_n_c_i_p_a_l _p_a_s_s_w_o_r_d

           Run the password quality check function locally.  You can run this
           on the host that is configured to run the kadmind process to verify
           that your configuration file is correct.  The verification is done
           locally, if kadmin is run in remote mode, no rpc call is done to
           the server.

     pprriivviilleeggeess

           Lists the operations you are allowed to perform. These include add,
           add_enctype, change-password, delete, del_enctype, get, list, and
           modify.

     rreennaammee _f_r_o_m _t_o

           Renames a principal. This is normally transparent, but since keys
           are salted with the principal name, they will have a non-standard
           salt, and clients which are unable to cope with this will fail.
           Kerberos 4 suffers from this.

     cchheecckk [_r_e_a_l_m]

           Check database for strange configurations on important principals.
           If no realm is given, the default realm is used.

     When running in local mode, the following commands can also be used:

     dduummpp [--dd | ----ddeeccrryypptt] [_d_u_m_p_-_f_i_l_e]

           Writes the database in ``human readable'' form to the specified
           file, or standard out. If the database is encrypted, the dump will
           also have encrypted keys, unless ----ddeeccrryypptt is used.

     iinniitt [----rreeaallmm--mmaaxx--ttiicckkeett--lliiffee==_s_t_r_i_n_g] [----rreeaallmm--mmaaxx--rreenneewwaabbllee--lliiffee==_s_t_r_i_n_g]
     _r_e_a_l_m

           Initializes the Kerberos database with entries for a new realm.
           It's possible to have more than one realm served by one server.

     llooaadd _f_i_l_e

           Reads a previously dumped database, and re-creates that database
           from scratch.

     mmeerrggee _f_i_l_e

           Similar to llooaadd but just modifies the database with the entries in
           the dump file.

     ssttaasshh [--ee _e_n_c_t_y_p_e | ----eennccttyyppee==_e_n_c_t_y_p_e] [--kk _k_e_y_f_i_l_e | ----kkeeyy--ffiillee==_k_e_y_f_i_l_e]
     [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d]

           Writes the Kerberos master key to a file used by the KDC.

SSEEEE AALLSSOO
     kadmind(8), kdc(8)

HEIMDAL                          Feb 22, 2007                          HEIMDAL