Diffstat (limited to 'doc/html/admin/admin_commands')
-rw-r--r--doc/html/admin/admin_commands/index.html185
-rw-r--r--doc/html/admin/admin_commands/k5srvutil.html224
-rw-r--r--doc/html/admin/admin_commands/kadmin_local.html982
-rw-r--r--doc/html/admin/admin_commands/kadmind.html277
-rw-r--r--doc/html/admin/admin_commands/kdb5_ldap_util.html560
-rw-r--r--doc/html/admin/admin_commands/kdb5_util.html615
-rw-r--r--doc/html/admin/admin_commands/kprop.html223
-rw-r--r--doc/html/admin/admin_commands/kpropd.html286
-rw-r--r--doc/html/admin/admin_commands/kproplog.html249
-rw-r--r--doc/html/admin/admin_commands/krb5kdc.html277
-rw-r--r--doc/html/admin/admin_commands/ktutil.html292
-rw-r--r--doc/html/admin/admin_commands/sserver.html270
12 files changed, 4440 insertions, 0 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
new file mode 100644
index 000000000000..aeab6f19fdba
--- /dev/null
+++ b/doc/html/admin/admin_commands/index.html
@@ -0,0 +1,185 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Administration programs &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="For administrators" href="../index.html" />
+ <link rel="next" title="kadmin" href="kadmin_local.html" />
+ <link rel="prev" title="Authentication indicators" href="../auth_indicator.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../auth_indicator.html" title="Authentication indicators"
+ accesskey="P">previous</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="administration-programs">
+<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l1"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l1"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l1"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l1"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Administration programs</a></li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Administration programs</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../auth_indicator.html" title="Authentication indicators"
+ >previous</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Administration programs">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
new file mode 100644
index 000000000000..6efa10e95cbe
--- /dev/null
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -0,0 +1,224 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>k5srvutil &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="sserver" href="sserver.html" />
+ <link rel="prev" title="ktutil" href="ktutil.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="ktutil.html" title="ktutil"
+ accesskey="P">previous</a> |
+ <a href="sserver.html" title="sserver"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="k5srvutil">
+<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>k5srvutil</strong> <em>operation</em>
+[<strong>-i</strong>]
+[<strong>-f</strong> <em>filename</em>]
+[<strong>-e</strong> <em>keysalts</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>k5srvutil allows an administrator to list keys currently in
+a keytab, to obtain new keys for a principal currently in a keytab,
+or to delete non-current keys from a keytab.</p>
+<p><em>operation</em> must be one of the following:</p>
+<dl class="docutils">
+<dt><strong>list</strong></dt>
+<dd>Lists the keys in a keytab, showing version number and principal
+name.</dd>
+<dt><strong>change</strong></dt>
+<dd>Uses the kadmin protocol to update the keys in the Kerberos
+database to new randomly-generated keys, and updates the keys in
+the keytab to match. If a key&#8217;s version number doesn&#8217;t match the
+version number stored in the Kerberos server&#8217;s database, then the
+operation will fail. If the <strong>-i</strong> flag is given, k5srvutil will
+prompt for confirmation before changing each key. If the <strong>-k</strong>
+option is given, the old and new keys will be displayed.
+Ordinarily, keys will be generated with the default encryption
+types and key salts. This can be overridden with the <strong>-e</strong>
+option. Old keys are retained in the keytab so that existing
+tickets continue to work, but <strong>delold</strong> should be used after
+such tickets expire, to prevent attacks against the old keys.</dd>
+<dt><strong>delold</strong></dt>
+<dd>Deletes keys that are not the most recent version from the keytab.
+This operation should be used some time after a change operation
+to remove old keys, after existing tickets issued for the service
+have expired. If the <strong>-i</strong> flag is given, then k5srvutil will
+prompt for confirmation for each principal.</dd>
+<dt><strong>delete</strong></dt>
+<dd>Deletes particular keys in the keytab, interactively prompting for
+each key.</dd>
+</dl>
+<p>In all cases, the default keytab is used unless this is overridden by
+the <strong>-f</strong> option.</p>
+<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to edit the keytab in
+place.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><em>ktutil</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">k5srvutil</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="ktutil.html" title="ktutil"
+ >previous</a> |
+ <a href="sserver.html" title="sserver"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__k5srvutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
new file mode 100644
index 000000000000..b1e796c3c214
--- /dev/null
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -0,0 +1,982 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadmin &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kadmind" href="kadmind.html" />
+ <link rel="prev" title="Administration programs" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="Administration programs"
+ accesskey="P">previous</a> |
+ <a href="kadmind.html" title="kadmind"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadmin">
+<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kadmin-synopsis"><strong>kadmin</strong>
+[<strong>-O</strong>|<strong>-N</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>]
+[<strong>-w</strong> <em>password</em>]
+[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]]
+[command args...]</p>
+<p><strong>kadmin.local</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-p</strong> <em>principal</em>]
+[<strong>-q</strong> <em>query</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...]
+[<strong>-m</strong>]
+[<strong>-x</strong> <em>db_args</em>]
+[command args...]</p>
+</div>
+<div class="section" id="description">
+<span id="kadmin-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5
+administration system. They provide nearly identical functionalities;
+the difference is that kadmin.local directly accesses the KDC
+database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a>.
+Except as explicitly noted otherwise, this man page will use &#8220;kadmin&#8221;
+to refer to both versions. kadmin provides for the maintenance of
+Kerberos principals, password policies, and service key tables
+(keytabs).</p>
+<p>The remote kadmin client uses Kerberos to authenticate to kadmind
+using the service principal <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> (where <em>ADMINHOST</em> is
+the fully-qualified hostname of the admin server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>.
+If the credentials cache contains a ticket for one of these
+principals, and the <strong>-c</strong> credentials_cache option is specified, that
+ticket is used to authenticate to kadmind. Otherwise, the <strong>-p</strong> and
+<strong>-k</strong> options are used to specify the client Kerberos principal name
+used to authenticate. Once kadmin has determined the principal name,
+it requests a service ticket from the KDC, and uses that service
+ticket to authenticate to kadmind.</p>
+<p>Since kadmin.local directly accesses the KDC database, it usually must
+be run directly on the master KDC with sufficient permissions to read
+the KDC database. If the KDC database uses the LDAP database module,
+kadmin.local can be run on any host which can access the LDAP server.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kadmin-options">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Use <em>realm</em> as the default database realm.</dd>
+<dt><strong>-p</strong> <em>principal</em></dt>
+<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append
+<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache,
+the value of the <strong>USER</strong> environment variable, or the username as
+obtained with getpwuid, in order of preference.</dd>
+<dt><strong>-k</strong></dt>
+<dd>Use a keytab to decrypt the KDC response instead of prompting for
+a password. In this case, the default principal will be
+<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the
+<strong>-t</strong> option, then the default keytab will be used.</dd>
+<dt><strong>-t</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used
+with the <strong>-k</strong> option.</dd>
+<dt><strong>-n</strong></dt>
+<dd>Requests anonymous processing. Two types of anonymous principals
+are supported. For fully anonymous Kerberos, configure PKINIT on
+the KDC and configure <strong>pkinit_anchors</strong> in the client&#8217;s
+<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal
+of the form <tt class="docutils literal"><span class="pre">&#64;REALM</span></tt> (an empty principal name followed by the
+at-sign and a realm name). If permitted by the KDC, an anonymous
+ticket will be returned. A second form of anonymous tickets is
+supported; these realm-exposed tickets hide the identity of the
+client but not the client&#8217;s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span>
+<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the
+principal (but not realm) will be replaced by the anonymous
+principal. As of release 1.8, the MIT Kerberos KDC only supports
+fully anonymous operation.</dd>
+<dt><strong>-c</strong> <em>credentials_cache</em></dt>
+<dd>Use <em>credentials_cache</em> as the credentials cache. The
+cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt>
+(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
+server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the
+<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin
+requests a new service ticket from the KDC, and stores it in its
+own temporary ccache.</dd>
+<dt><strong>-w</strong> <em>password</em></dt>
+<dd>Use <em>password</em> instead of prompting for one. Use this option with
+care, as it may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-q</strong> <em>query</em></dt>
+<dd>Perform the specified query and then exit.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>Specifies the name of the KDC database. This option does not
+apply to the LDAP database module.</dd>
+<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt>
+<dd>Specifies the admin server which kadmin should contact.</dd>
+<dt><strong>-m</strong></dt>
+<dd>If using kadmin.local, prompt for the database master password
+instead of reading it from a stash file.</dd>
+<dt><strong>-e</strong> &#8220;<em>enc</em>:<em>salt</em> ...&#8221;</dt>
+<dd>Sets the keysalt list to be used for any new keys created. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+values.</dd>
+<dt><strong>-O</strong></dt>
+<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-N</strong></dt>
+<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>Specifies the database specific arguments. See the next section
+for supported options.</dd>
+</dl>
+<p id="kadmin-options-end">Starting with release 1.14, if any command-line arguments remain after
+the options, they will be treated as a single query to be executed.
+This mode of operation is intended for scripts and behaves differently
+from the interactive mode in several respects:</p>
+<ul class="simple">
+<li>Query arguments are split by the shell, not by kadmin.</li>
+<li>Informational and warning messages are suppressed. Error messages
+and query output (e.g. for <strong>get_principal</strong>) will still be
+displayed.</li>
+<li>Confirmation prompts are disabled (as if <strong>-force</strong> was given).
+Password prompts will still be issued as required.</li>
+<li>The exit status will be non-zero if the query fails.</li>
+</ul>
+<p>The <strong>-q</strong> option does not carry these behavior differences; the query
+will be processed as if it was entered interactively. The <strong>-q</strong>
+option cannot be used in combination with a query in the remaining
+arguments.</p>
+</div>
+<div class="section" id="database-options">
+<span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Permalink to this headline">¶</a></h2>
+<p>Database options can be used to override database-specific defaults.
+Supported options for the DB2 module are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt><strong>-x dbname=</strong>*filename*</dt>
+<dd>Specifies the base filename of the DB2 database.</dd>
+<dt><strong>-x lockiter</strong></dt>
+<dd>Make iteration operations hold the lock for the duration of
+the entire operation, rather than temporarily releasing the
+lock while handling each principal. This is the default
+behavior, but this option exists to allow command line
+override of a [dbmodules] setting. First introduced in
+release 1.13.</dd>
+<dt><strong>-x unlockiter</strong></dt>
+<dd>Make iteration operations unlock the database for each
+principal, instead of holding the lock for the duration of the
+entire operation. First introduced in release 1.13.</dd>
+</dl>
+</div></blockquote>
+<p>Supported options for the LDAP module are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt><strong>-x host=</strong><em>ldapuri</em></dt>
+<dd>Specifies the LDAP server to connect to by a LDAP URI.</dd>
+<dt><strong>-x binddn=</strong><em>bind_dn</em></dt>
+<dd>Specifies the DN used to bind to the LDAP server.</dd>
+<dt><strong>-x bindpwd=</strong><em>password</em></dt>
+<dd>Specifies the password or SASL secret used to bind to the LDAP
+server. Using this option may expose the password to other
+users on the system via the process list; to avoid this,
+instead stash the password using the <strong>stashsrvpw</strong> command of
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>.</dd>
+<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt>
+<dd>Specifies the SASL mechanism used to bind to the LDAP server.
+The bind DN is ignored if a SASL mechanism is used. New in
+release 1.13.</dd>
+<dt><strong>-x sasl_authcid=</strong><em>name</em></dt>
+<dd>Specifies the authentication name used when binding to the
+LDAP server with a SASL mechanism, if the mechanism requires
+one. New in release 1.13.</dd>
+<dt><strong>-x sasl_authzid=</strong><em>name</em></dt>
+<dd>Specifies the authorization name used when binding to the LDAP
+server with a SASL mechanism. New in release 1.13.</dd>
+<dt><strong>-x sasl_realm=</strong><em>realm</em></dt>
+<dd>Specifies the realm used when binding to the LDAP server with
+a SASL mechanism, if the mechanism uses one. New in release
+1.13.</dd>
+<dt><strong>-x debug=</strong><em>level</em></dt>
+<dd>sets the OpenLDAP client library debug level. <em>level</em> is an
+integer to be interpreted by the library. Debugging messages
+are printed to standard error. New in release 1.12.</dd>
+</dl>
+</div></blockquote>
+</div>
+<div class="section" id="commands">
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<p>When using the remote client, available commands may be restricted
+according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file
+on the admin server.</p>
+<div class="section" id="add-principal">
+<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote>
+<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If
+no password policy is specified with the <strong>-policy</strong> option, and the
+policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists.
+However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically
+assign this policy to previously existing principals. This policy
+assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-expire</strong> <em>expdate</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd>
+<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd>
+<dt><strong>-maxlife</strong> <em>maxlife</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life
+for the principal.</dd>
+<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable
+life of tickets for the principal.</dd>
+<dt><strong>-kvno</strong> <em>kvno</em></dt>
+<dd>The initial key version number.</dd>
+<dt><strong>-policy</strong> <em>policy</em></dt>
+<dd>The password policy used by this principal. If not specified, the
+policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong>
+is specified).</dd>
+<dt><strong>-clearpolicy</strong></dt>
+<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not
+specified.</dd>
+<dt>{-|+}<strong>allow_postdated</strong></dt>
+<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining
+postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_forwardable</strong></dt>
+<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining
+forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_renewable</strong></dt>
+<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining
+renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_proxiable</strong></dt>
+<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining
+proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_dup_skey</strong></dt>
+<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this
+principal by prohibiting this principal from obtaining a session
+key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd>
+<dt>{-|+}<strong>requires_preauth</strong></dt>
+<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate
+before being allowed to kinit. <strong>-requires_preauth</strong> clears this
+flag. When <strong>+requires_preauth</strong> is set on a service principal,
+the KDC will only issue service tickets for that service principal
+if the client&#8217;s initial authentication was performed using
+preauthentication.</dd>
+<dt>{-|+}<strong>requires_hwauth</strong></dt>
+<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate
+using a hardware device before being allowed to kinit.
+<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is
+set on a service principal, the KDC will only issue service tickets
+for that service principal if the client&#8217;s initial authentication was
+performed using a hardware device to preauthenticate.</dd>
+<dt>{-|+}<strong>ok_as_delegate</strong></dt>
+<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets
+issued with this principal as the service. Clients may use this
+flag as a hint that credentials should be delegated when
+authenticating to the service. <strong>-ok_as_delegate</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>allow_svr</strong></dt>
+<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this
+principal. <strong>+allow_svr</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tgs_req</strong></dt>
+<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS)
+request for a service ticket for this principal is not permitted.
+<strong>+allow_tgs_req</strong> clears this flag.</dd>
+<dt>{-|+}<strong>allow_tix</strong></dt>
+<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this
+principal. <strong>+allow_tix</strong> clears this flag.</dd>
+<dt>{-|+}<strong>needchange</strong></dt>
+<dd><strong>+needchange</strong> forces a password change on the next initial
+authentication to this principal. <strong>-needchange</strong> clears this
+flag.</dd>
+<dt>{-|+}<strong>password_changing_service</strong></dt>
+<dd><strong>+password_changing_service</strong> marks this principal as a password
+change service principal.</dd>
+<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt>
+<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire
+forwardable tickets to itself from arbitrary users, for use with
+constrained delegation.</dd>
+<dt>{-|+}<strong>no_auth_data_required</strong></dt>
+<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from
+being added to service tickets for the principal.</dd>
+<dt>{-|+}<strong>lockdown_keys</strong></dt>
+<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving
+the KDC via kadmind. The chpass and extract operations are denied
+for a principal with this attribute. The chrand operation is
+allowed, but will not return the new keys. The delete and rename
+operations are also denied if this attribute is set, in order to
+prevent a malicious administrator from replacing principals like
+krbtgt/* or kadmin/* with new principals without the attribute.
+This attribute can be set via the network protocol, but can only
+be removed using kadmin.local.</dd>
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-nokey</strong></dt>
+<dd>Causes the principal to be created with no key. New in release
+1.12.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Sets the password of the principal to the specified string and
+does not prompt for a password. Note: using this option in a
+shell script may expose the password to other users on the system
+via the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-x</strong> <em>db_princ_args</em></dt>
+<dd><p class="first">Indicates database-specific options. The options for the LDAP
+database module are:</p>
+<dl class="docutils">
+<dt><strong>-x dn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object that will contain the Kerberos
+principal being created.</dd>
+<dt><strong>-x linkdn=</strong><em>dn</em></dt>
+<dd>Specifies the LDAP object to which the newly created Kerberos
+principal object will point.</dd>
+<dt><strong>-x containerdn=</strong><em>container_dn</em></dt>
+<dd>Specifies the container object under which the Kerberos
+principal is to be created.</dd>
+<dt><strong>-x tktpolicy=</strong><em>policy</em></dt>
+<dd>Associates a ticket policy to the Kerberos principal.</dd>
+</dl>
+<div class="last admonition note">
+<p class="first admonition-title">Note</p>
+<ul class="last simple">
+<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be
+specified with the <strong>dn</strong> option.</li>
+<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while
+adding the principal, the principals are created under the
+principal container configured in the realm or the realm
+container.</li>
+<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or
+principal container configured in the realm.</li>
+</ul>
+</div>
+</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer
+WARNING: no policy specified for &quot;jennifer@ATHENA.MIT.EDU&quot;;
+defaulting to no policy.
+Enter password for principal jennifer@ATHENA.MIT.EDU:
+Re-enter password for principal jennifer@ATHENA.MIT.EDU:
+Principal &quot;jennifer@ATHENA.MIT.EDU&quot; created.
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-principal">
+<span id="add-principal-end"></span><span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Modifies the specified principal, changing the fields as specified.
+The options to <strong>add_principal</strong> also apply to this command, except
+for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the
+option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p>
+<p>This command requires the <em>modify</em> privilege.</p>
+<p>Alias: <strong>modprinc</strong></p>
+<p>Options (in addition to the <strong>addprinc</strong> options):</p>
+<dl class="docutils">
+<dt><strong>-unlock</strong></dt>
+<dd>Unlocks a locked principal (one which has received too many failed
+authentication attempts without enough time between them according
+to its password policy) so that it can successfully authenticate.</dd>
+</dl>
+</div>
+<div class="section" id="rename-principal">
+<span id="modify-principal-end"></span><span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></div></blockquote>
+<p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. This
+command prompts for confirmation, unless the <strong>-force</strong> option is
+given.</p>
+<p>This command requires the <strong>add</strong> and <strong>delete</strong> privileges.</p>
+<p>Alias: <strong>renprinc</strong></p>
+</div>
+<div class="section" id="delete-principal">
+<span id="rename-principal-end"></span><span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote>
+<p>Deletes the specified <em>principal</em> from the database. This command
+prompts for deletion, unless the <strong>-force</strong> option is given.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delprinc</strong></p>
+</div>
+<div class="section" id="change-password">
+<span id="delete-principal-end"></span><span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote>
+<p>Changes the password of <em>principal</em>. Prompts for a new password if
+neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p>
+<p>This command requires the <strong>changepw</strong> privilege, or that the
+principal running the program is the same as the principal being
+changed.</p>
+<p>Alias: <strong>cpw</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-randkey</strong></dt>
+<dd>Sets the key of the principal to a random value.</dd>
+<dt><strong>-pw</strong> <em>password</em></dt>
+<dd>Set the password to the specified string. Using this option in a
+script may expose the password to other users on the system via
+the process list.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-keepold</strong></dt>
+<dd>Keeps the existing keys in the database. This flag is usually not
+necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest
+Enter password for principal systest@BLEEP.COM:
+Re-enter password for principal systest@BLEEP.COM:
+Password for systest@BLEEP.COM changed.
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="purgekeys">
+<span id="change-password-end"></span><span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></div></blockquote>
+<p>Purges previously retained old keys (e.g., from <strong>change_password
+-keepold</strong>) from <em>principal</em>. If <strong>-keepkvno</strong> is specified, then
+only purges keys with kvnos lower than <em>oldest_kvno_to_keep</em>. If
+<strong>-all</strong> is specified, then all keys are purged. The <strong>-all</strong> option
+is new in release 1.12.</p>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+</div>
+<div class="section" id="get-principal">
+<span id="purgekeys-end"></span><span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote>
+<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
+fields as quoted tab-separated strings.</p>
+<p>This command requires the <strong>inquire</strong> privilege, or that the principal
+running the the program to be the same as the one being listed.</p>
+<p>Alias: <strong>getprinc</strong></p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin
+Principal: tlyu/admin@BLEEP.COM
+Expiration date: [never]
+Last password change: Mon Aug 12 14:16:47 EDT 1996
+Password expiration date: [none]
+Maximum ticket life: 0 days 10:00:00
+Maximum renewable life: 7 days 00:00:00
+Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
+Last successful authentication: [never]
+Last failed authentication: [never]
+Failed password attempts: 0
+Number of keys: 2
+Key: vno 1, des-cbc-crc
+Key: vno 1, des-cbc-crc:v4
+Attributes:
+Policy: [none]
+
+kadmin: getprinc -terse systest
+systest@BLEEP.COM 3 86400 604800 1
+785926535 753241234 785900000
+tlyu/admin@BLEEP.COM 786100034 0 0
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-principals">
+<span id="get-principal-end"></span><span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some principal names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are
+printed. If no expression is provided, all principal names are
+printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">&#64;</span></tt> character, an
+<tt class="docutils literal"><span class="pre">&#64;</span></tt> character followed by the local realm is appended to the
+expression.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test*
+test3@SECURE-TEST.OV.COM
+test2@SECURE-TEST.OV.COM
+test1@SECURE-TEST.OV.COM
+testuser@SECURE-TEST.OV.COM
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="get-strings">
+<span id="list-principals-end"></span><span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_strings</strong> <em>principal</em></div></blockquote>
+<p>Displays string attributes on <em>principal</em>.</p>
+<p>This command requires the <strong>inquire</strong> privilege.</p>
+<p>Alias: <strong>getstr</strong></p>
+</div>
+<div class="section" id="set-string">
+<span id="get-strings-end"></span><span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></div></blockquote>
+<p>Sets a string attribute on <em>principal</em>. String attributes are used to
+supply per-principal configuration to the KDC and some KDC plugin
+modules. The following string attribute names are recognized by the
+KDC:</p>
+<dl class="docutils">
+<dt><strong>require_auth</strong></dt>
+<dd>Specifies an authentication indicator which is required to
+authenticate to the principal as a service. Multiple indicators
+can be specified, separated by spaces; in this case any of the
+specified indicators will be accepted. (New in release 1.14.)</dd>
+<dt><strong>session_enctypes</strong></dt>
+<dd>Specifies the encryption types supported for session keys when the
+principal is authenticated to as a server. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+accepted values.</dd>
+<dt><strong>otp</strong></dt>
+<dd>Enables One Time Passwords (OTP) preauthentication for a client
+<em>principal</em>. The <em>value</em> is a JSON string representing an array
+of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+</dl>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+<p>Alias: <strong>setstr</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>set_string host/foo.mit.edu session_enctypes aes128-cts
+set_string user@FOO.COM otp &quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hotp&quot;&quot;,&quot;&quot;username&quot;&quot;:&quot;&quot;al&quot;&quot;}]&quot;
+</pre></div>
+</div>
+</div>
+<div class="section" id="del-string">
+<span id="set-string-end"></span><span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>del_string</strong> <em>principal</em> <em>key</em></div></blockquote>
+<p>Deletes a string attribute from <em>principal</em>.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delstr</strong></p>
+</div>
+<div class="section" id="add-policy">
+<span id="del-string-end"></span><span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Adds a password policy named <em>policy</em> to the database.</p>
+<p>This command requires the <strong>add</strong> privilege.</p>
+<p>Alias: <strong>addpol</strong></p>
+<p>The following options are available:</p>
+<dl class="docutils">
+<dt><strong>-maxlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum
+lifetime of a password.</dd>
+<dt><strong>-minlife</strong> <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum
+lifetime of a password.</dd>
+<dt><strong>-minlength</strong> <em>length</em></dt>
+<dd>Sets the minimum length of a password.</dd>
+<dt><strong>-minclasses</strong> <em>number</em></dt>
+<dd>Sets the minimum number of character classes required in a
+password. The five character classes are lower case, upper case,
+numbers, punctuation, and whitespace/unprintable characters.</dd>
+<dt><strong>-history</strong> <em>number</em></dt>
+<dd>Sets the number of past keys kept for a principal. This option is
+not supported with the LDAP KDC database module.</dd>
+</dl>
+<dl class="docutils" id="policy-maxfailure">
+<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt>
+<dd>Sets the number of authentication failures before the principal is
+locked. Authentication failures are only tracked for principals
+which require preauthentication. The counter of failed attempts
+resets to 0 after a successful attempt to authenticate. A
+<em>maxnumber</em> value of 0 (the default) disables lockout.</dd>
+</dl>
+<dl class="docutils" id="policy-failurecountinterval">
+<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time
+between authentication failures. If an authentication failure
+happens after <em>failuretime</em> has elapsed since the previous
+failure, the number of authentication failures is reset to 1. A
+<em>failuretime</em> value of 0 (the default) means forever.</dd>
+</dl>
+<dl class="docutils" id="policy-lockoutduration">
+<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for
+which the principal is locked from authenticating if too many
+authentication failures occur without the specified failure count
+interval elapsing. A duration of 0 (the default) means the
+principal remains locked out until it is administratively unlocked
+with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd>
+<dt><strong>-allowedkeysalts</strong></dt>
+<dd>Specifies the key/salt tuples supported for long-term keys when
+setting or changing a principal&#8217;s password/keys. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+accepted values, but note that key/salt tuples must be separated
+with commas (&#8216;,&#8217;) only. To clear the allowed key/salt policy use
+a value of &#8216;-&#8216;.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife &quot;2 days&quot; -minlength 5 guests
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-policy">
+<span id="add-policy-end"></span><span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
+<p>Modifies the password policy named <em>policy</em>. Options are as described
+for <strong>add_policy</strong>.</p>
+<p>This command requires the <strong>modify</strong> privilege.</p>
+<p>Alias: <strong>modpol</strong></p>
+</div>
+<div class="section" id="delete-policy">
+<span id="modify-policy-end"></span><span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote>
+<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation
+before deletion. The command will fail if the policy is in use by any
+principals.</p>
+<p>This command requires the <strong>delete</strong> privilege.</p>
+<p>Alias: <strong>delpol</strong></p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests
+Are you sure you want to delete the policy &quot;guests&quot;?
+(yes/no): yes
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="get-policy">
+<span id="delete-policy-end"></span><span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote>
+<p>Displays the values of the password policy named <em>policy</em>. With the
+<strong>-terse</strong> flag, outputs the fields as quoted strings separated by
+tabs.</p>
+<p>This command requires the <strong>inquire</strong> privilege.</p>
+<p>Alias: getpol</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin
+Policy: admin
+Maximum password life: 180 days 00:00:00
+Minimum password life: 00:00:00
+Minimum password length: 6
+Minimum number of password character classes: 2
+Number of old keys kept: 5
+Reference count: 17
+
+kadmin: get_policy -terse admin
+admin 15552000 0 6 2 5 17
+kadmin:
+</pre></div>
+</div>
+<p>The &#8220;Reference count&#8221; is the number of principals using that policy.
+With the LDAP KDC database module, the reference count field is not
+meaningful.</p>
+</div>
+<div class="section" id="list-policies">
+<span id="get-policy-end"></span><span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote>
+<p>Retrieves all or some policy names. <em>expression</em> is a shell-style
+glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
+<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are
+printed. If no expression is provided, all existing policy names are
+printed.</p>
+<p>This command requires the <strong>list</strong> privilege.</p>
+<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols
+test-pol
+dict-only
+once-a-min
+test-pol-nopw
+
+kadmin: listpols t*
+test-pol
+test-pol-nopw
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="ktadd">
+<span id="list-policies-end"></span><span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><div class="line-block">
+<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
+<div class="line"><strong>ktadd</strong> [options] <strong>-glob</strong> <em>princ-exp</em></div>
+</div>
+</div></blockquote>
+<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
+keytab file. Each principal&#8217;s keys are randomized in the process.
+The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
+command.</p>
+<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
+With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dd>Uses the specified keysalt list for setting the new keys of the
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+list of possible values.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+<dt><strong>-norandkey</strong></dt>
+<dd>Do not randomize the keys. The keys and their version numbers stay
+unchanged. This option cannot be specified in combination with the
+<strong>-e</strong> option.</dd>
+</dl>
+<p>An entry for each of the principal&#8217;s unique encryption types is added,
+ignoring multiple keys with the same encryption type but different
+salt types.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
+Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
+ encryption type aes256-cts-hmac-sha1-96 added to keytab
+ FILE:/tmp/foo-new-keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="ktremove">
+<span id="ktadd-end"></span><span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
+<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
+no permissions, since this does not require database access.</p>
+<p>If the string &#8220;all&#8221; is specified, all entries for that principal are
+removed; if the string &#8220;old&#8221; is specified, all entries for that
+principal except those with the highest kvno are removed. Otherwise,
+the value specified is parsed as an integer, and all entries whose
+kvno match that integer are removed.</p>
+<p>The options are:</p>
+<dl class="docutils">
+<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
+<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
+used.</dd>
+<dt><strong>-q</strong></dt>
+<dd>Display less verbose information.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all
+Entry for principal kadmin/admin with kvno 3 removed from keytab
+ FILE:/etc/krb5.keytab
+kadmin:
+</pre></div>
+</div>
+</div>
+<div class="section" id="lock">
+<span id="ktremove-end"></span><h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3>
+<p>Lock database exclusively. Use with extreme caution! This command
+only works with the DB2 KDC database module.</p>
+</div>
+<div class="section" id="unlock">
+<h3>unlock<a class="headerlink" href="#unlock" title="Permalink to this headline">¶</a></h3>
+<p>Release the exclusive database lock.</p>
+</div>
+<div class="section" id="list-requests">
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<p>Lists available for kadmin requests.</p>
+<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
+</div>
+<div class="section" id="quit">
+<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<p>Exit program. If the database was locked, the lock is released.</p>
+<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
+</div>
+</div>
+<div class="section" id="history">
+<h2>HISTORY<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2>
+<p>The kadmin program was originally written by Tom Yu at MIT, as an
+interface to the OpenVision Kerberos administration program.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadmin</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#database-options">DATABASE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#add-principal">add_principal</a></li>
+<li><a class="reference internal" href="#modify-principal">modify_principal</a></li>
+<li><a class="reference internal" href="#rename-principal">rename_principal</a></li>
+<li><a class="reference internal" href="#delete-principal">delete_principal</a></li>
+<li><a class="reference internal" href="#change-password">change_password</a></li>
+<li><a class="reference internal" href="#purgekeys">purgekeys</a></li>
+<li><a class="reference internal" href="#get-principal">get_principal</a></li>
+<li><a class="reference internal" href="#list-principals">list_principals</a></li>
+<li><a class="reference internal" href="#get-strings">get_strings</a></li>
+<li><a class="reference internal" href="#set-string">set_string</a></li>
+<li><a class="reference internal" href="#del-string">del_string</a></li>
+<li><a class="reference internal" href="#add-policy">add_policy</a></li>
+<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
+<li><a class="reference internal" href="#delete-policy">delete_policy</a></li>
+<li><a class="reference internal" href="#get-policy">get_policy</a></li>
+<li><a class="reference internal" href="#list-policies">list_policies</a></li>
+<li><a class="reference internal" href="#ktadd">ktadd</a></li>
+<li><a class="reference internal" href="#ktremove">ktremove</a></li>
+<li><a class="reference internal" href="#lock">lock</a></li>
+<li><a class="reference internal" href="#unlock">unlock</a></li>
+<li><a class="reference internal" href="#list-requests">list_requests</a></li>
+<li><a class="reference internal" href="#quit">quit</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#history">HISTORY</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="Administration programs"
+ >previous</a> |
+ <a href="kadmind.html" title="kadmind"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmin">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
new file mode 100644
index 000000000000..7cf3d38e7726
--- /dev/null
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -0,0 +1,277 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadmind &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kdb5_util" href="kdb5_util.html" />
+ <link rel="prev" title="kadmin" href="kadmin_local.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ accesskey="P">previous</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadmind">
+<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kadmind</strong>
+[<strong>-x</strong> <em>db_args</em>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-m</strong>]
+[<strong>-nofork</strong>]
+[<strong>-proponly</strong>]
+[<strong>-port</strong> <em>port-number</em>]
+[<strong>-P</strong> <em>pid_file</em>]
+[<strong>-p</strong> <em>kdb5_util_path</em>]
+[<strong>-K</strong> <em>kprop_path</em>]
+[<strong>-k</strong> <em>kprop_port</em>]
+[<strong>-F</strong> <em>dump_file</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kadmind starts the Kerberos administration server. kadmind typically
+runs on the master Kerberos server, which stores the KDC database. If
+the KDC database uses the LDAP module, the administration server and
+the KDC server need not run on the same machine. kadmind accepts
+remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> and
+<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> to administer the information in these database.</p>
+<p>kadmind requires a number of configuration files to be set up in order
+for it to work:</p>
+<dl class="docutils">
+<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a></dt>
+<dd>The KDC configuration file contains configuration information for
+the KDC and admin servers. kadmind uses settings in this file to
+locate the Kerberos database, and is also affected by the
+<strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related
+settings.</dd>
+<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></dt>
+<dd>kadmind&#8217;s ACL (access control list) tells it which principals are
+allowed to perform administration actions. The pathname to the
+ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</dd>
+</dl>
+<p>After the server begins running, it puts itself in the background and
+disassociates itself from its controlling terminal.</p>
+<p>kadmind can be configured for incremental database propagation.
+Incremental propagation allows slave KDC servers to receive principal
+and policy updates incrementally instead of receiving full dumps of
+the database. This facility can be enabled in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+file with the <strong>iprop_enable</strong> option. Incremental propagation
+requires the principal <tt class="docutils literal"><span class="pre">kiprop/MASTER\&#64;REALM</span></tt> (where MASTER is the
+master KDC&#8217;s canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>specifies the realm that kadmind will serve; if it is not
+specified, the default realm of the host is used.</dd>
+<dt><strong>-m</strong></dt>
+<dd>causes the master database password to be fetched from the
+keyboard (before the server puts itself in the background, if not
+invoked with the <strong>-nofork</strong> option) rather than from a file on
+disk.</dd>
+<dt><strong>-nofork</strong></dt>
+<dd>causes the server to remain in the foreground and remain
+associated to the terminal. In normal operation, you should allow
+the server to place itself in the background.</dd>
+<dt><strong>-proponly</strong></dt>
+<dd>causes the server to only listen and respond to Kerberos slave
+incremental propagation polling requests. This option can be used
+to set up a hierarchical propagation topology where a slave KDC
+provides incremental updates to other Kerberos slaves.</dd>
+<dt><strong>-port</strong> <em>port-number</em></dt>
+<dd>specifies the port on which the administration server listens for
+connections. The default port is determined by the
+<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-P</strong> <em>pid_file</em></dt>
+<dd>specifies the file to which the PID of kadmind process should be
+written after it starts up. This file can be used to identify
+whether kadmind is still running and to allow init scripts to stop
+the correct process.</dd>
+<dt><strong>-p</strong> <em>kdb5_util_path</em></dt>
+<dd>specifies the path to the kdb5_util command to use when dumping the
+KDB in response to full resync requests when iprop is enabled.</dd>
+<dt><strong>-K</strong> <em>kprop_path</em></dt>
+<dd>specifies the path to the kprop command to use to send full dumps
+to slaves in response to full resync requests.</dd>
+<dt><strong>-k</strong> <em>kprop_port</em></dt>
+<dd>specifies the port by which the kprop process that is spawned by kadmind
+connects to the slave kpropd, in order to transfer the dump file during
+an iprop full resync request.</dd>
+<dt><strong>-F</strong> <em>dump_file</em></dt>
+<dd>specifies the file path to be used for dumping the KDB in response
+to full resync requests when iprop is enabled.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for supported arguments.</dd>
+</dl>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadmind</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kadmin_local.html" title="kadmin"
+ >previous</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadmind">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
new file mode 100644
index 000000000000..673118aac6b8
--- /dev/null
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -0,0 +1,560 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdb5_ldap_util &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="krb5kdc" href="krb5kdc.html" />
+ <link rel="prev" title="kdb5_util" href="kdb5_util.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ accesskey="P">previous</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdb5-ldap-util">
+<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kdb5-ldap-util-synopsis"><strong>kdb5_ldap_util</strong>
+[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]]
+[<strong>-H</strong> <em>ldapuri</em>]
+<strong>command</strong>
+[<em>command_options</em>]</p>
+</div>
+<div class="section" id="description">
+<span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kdb5_ldap_util allows an administrator to manage realms, Kerberos
+services and ticket policies.</p>
+</div>
+<div class="section" id="command-line-options">
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kdb5-ldap-util-options">
+<dt><strong>-D</strong> <em>user_dn</em></dt>
+<dd>Specifies the Distinguished Name (DN) of the user who has
+sufficient rights to perform the operation on the LDAP server.</dd>
+<dt><strong>-w</strong> <em>passwd</em></dt>
+<dd>Specifies the password of <em>user_dn</em>. This option is not
+recommended.</dd>
+<dt><strong>-H</strong> <em>ldapuri</em></dt>
+<dd>Specifies the URI of the LDAP server. It is recommended to use
+<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd>
+</dl>
+</div>
+<div class="section" id="commands">
+<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="create">
+<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-create">
+<div><strong>create</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-s</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Creates realm in directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtree. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt>
+<dd>Specifies the DN of the container object in which the principals
+of a realm will be created. If the container reference is not
+configured for a realm, the principals will be created in the
+realm container.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>Specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-m</strong></dt>
+<dd>Specifies that the master database password should be read from
+the TTY rather than fetched from a file on the disk.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>Specifies the master database password. This option is not
+recommended.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-sf</strong> <em>stashfilename</em></dt>
+<dd>Specifies the stash file of the master database password.</dd>
+<dt><strong>-s</strong></dt>
+<dd>Specifies that the stash file is to be created.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Initializing database for realm &#39;ATHENA.MIT.EDU&#39;
+You will be prompted for the database Master Password.
+It is important that you NOT FORGET this password.
+Enter KDC database master key:
+Re-enter KDC database master key to verify:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify">
+<span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-modify">
+<div><strong>modify</strong>
+[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
+[<strong>-sscope</strong> <em>search_scope</em>]
+[<strong>-containerref</strong> <em>container_reference_dn</em>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]</div></blockquote>
+<p>Modifies the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
+<dd>Specifies the list of subtrees containing the principals of a
+realm. The list contains the DNs of the subtree objects separated
+by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd>
+<dt><strong>-sscope</strong> <em>search_scope</em></dt>
+<dd>Specifies the scope for searching the principals under the
+subtrees. The possible values are 1 or one (one level), 2 or sub
+(subtrees).</dd>
+<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt>
+<dd>container object in which the principals of a realm will be
+created.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals in this realm.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals in this realm.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies global ticket flags for the realm. Allowable flags are
+documented in the description of the <strong>add_principal</strong> command in
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify +requires_preauth -r
+ ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="view">
+<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-view">
+<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Displays the attributes of a realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Realm Name: ATHENA.MIT.EDU
+Subtree: ou=users,o=org
+Subtree: ou=servers,o=org
+SearchScope: ONE
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroy">
+<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-destroy">
+<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Destroys an existing realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong></dt>
+<dd>If specified, will not prompt the user for confirmation.</dd>
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+Deleting KDC database of &#39;ATHENA.MIT.EDU&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+OK, deleting database of &#39;ATHENA.MIT.EDU&#39;...
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="list">
+<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-list">
+<div><strong>list</strong></div></blockquote>
+<p>Lists the name of realms.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu list
+Password for &quot;cn=admin,o=org&quot;:
+ATHENA.MIT.EDU
+OPENLDAP.MIT.EDU
+MEDIA-LAB.MIT.EDU
+shell%
+</pre></div>
+</div>
+</div>
+<div class="section" id="stashsrvpw">
+<span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-stashsrvpw">
+<div><strong>stashsrvpw</strong>
+[<strong>-f</strong> <em>filename</em>]
+<em>name</em></div></blockquote>
+<p>Allows an administrator to store the password for service object in a
+file so that KDC and Administration server can use it to authenticate
+to the LDAP server. Options:</p>
+<dl class="docutils">
+<dt><strong>-f</strong> <em>filename</em></dt>
+<dd>Specifies the complete path of the service password file. By
+default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd>
+<dt><em>name</em></dt>
+<dd>Specifies the name of the object whose password is to be stored.
+If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for
+simple binding, this should be the distinguished name it will
+use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is
+configured for SASL binding, this should be the authentication
+name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
+<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
+ cn=service-kdc,o=org
+Password for &quot;cn=service-kdc,o=org&quot;:
+Re-enter password for &quot;cn=service-kdc,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="create-policy">
+<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-create-policy">
+<div><strong>create_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Creates a ticket policy in the directory. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+principals.</dd>
+<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+tickets for principals.</dd>
+<dt><em>ticket_flags</em></dt>
+<dd>Specifies the ticket flags. If this option is not specified, by
+default, no restriction will be set by the policy. Allowable
+flags are documented in the description of the <strong>add_principal</strong>
+command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ create_policy -r ATHENA.MIT.EDU -maxtktlife &quot;1 day&quot;
+ -maxrenewlife &quot;1 week&quot; -allow_postdated +needchange
+ -allow_forwardable tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="modify-policy">
+<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-modify-policy">
+<div><strong>modify_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
+[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
+[<em>ticket_flags</em>]
+<em>policy_name</em></div></blockquote>
+<p>Modifies the attributes of a ticket policy. Options are same as for
+<strong>create_policy</strong>.</p>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
+ -maxtktlife &quot;60 minutes&quot; -maxrenewlife &quot;10 hours&quot;
+ +allow_postdated -requires_preauth tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+</pre></div>
+</div>
+</div>
+<div class="section" id="view-policy">
+<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-view-policy">
+<div><strong>view_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+<em>policy_name</em></div></blockquote>
+<p>Displays the attributes of a ticket policy. Options:</p>
+<dl class="docutils">
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ view_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+Ticket policy: tktpolicy
+Maximum ticket life: 0 days 01:00:00
+Maximum renewable life: 0 days 10:00:00
+Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+</pre></div>
+</div>
+</div>
+<div class="section" id="destroy-policy">
+<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-destroy-policy">
+<div><strong>destroy_policy</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-force</strong>]
+<em>policy_name</em></div></blockquote>
+<p>Destroys an existing ticket policy. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+<dt><strong>-force</strong></dt>
+<dd>Forces the deletion of the policy object. If not specified, the
+user will be prompted for confirmation before deleting the policy.</dd>
+<dt><em>policy_name</em></dt>
+<dd>Specifies the name of the ticket policy.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ destroy_policy -r ATHENA.MIT.EDU tktpolicy
+Password for &quot;cn=admin,o=org&quot;:
+This will delete the policy object &#39;tktpolicy&#39;, are you sure?
+(type &#39;yes&#39; to confirm)? yes
+** policy object &#39;tktpolicy&#39; deleted.
+</pre></div>
+</div>
+</div>
+<div class="section" id="list-policy">
+<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-ldap-util-list-policy">
+<div><strong>list_policy</strong>
+[<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<p>Lists the ticket policies in realm if specified or in the default
+realm. Options:</p>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the Kerberos realm of the database.</dd>
+</dl>
+<p>Example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ list_policy -r ATHENA.MIT.EDU
+Password for &quot;cn=admin,o=org&quot;:
+tktpolicy
+tmppolicy
+userpolicy
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="see-also">
+<span id="kdb5-ldap-util-list-policy-end"></span><h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdb5_ldap_util</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#create">create</a></li>
+<li><a class="reference internal" href="#modify">modify</a></li>
+<li><a class="reference internal" href="#view">view</a></li>
+<li><a class="reference internal" href="#destroy">destroy</a></li>
+<li><a class="reference internal" href="#list">list</a></li>
+<li><a class="reference internal" href="#stashsrvpw">stashsrvpw</a></li>
+<li><a class="reference internal" href="#create-policy">create_policy</a></li>
+<li><a class="reference internal" href="#modify-policy">modify_policy</a></li>
+<li><a class="reference internal" href="#view-policy">view_policy</a></li>
+<li><a class="reference internal" href="#destroy-policy">destroy_policy</a></li>
+<li><a class="reference internal" href="#list-policy">list_policy</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdb5_util.html" title="kdb5_util"
+ >previous</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_ldap_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
new file mode 100644
index 000000000000..66fec5262644
--- /dev/null
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -0,0 +1,615 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdb5_util &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
+ <link rel="prev" title="kadmind" href="kadmind.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kadmind.html" title="kadmind"
+ accesskey="P">previous</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdb5-util">
+<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p id="kdb5-util-synopsis"><strong>kdb5_util</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-k</strong> <em>mkeytype</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
+[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-m</strong>]
+<em>command</em> [<em>command_options</em>]</p>
+</div>
+<div class="section" id="description">
+<span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kdb5_util allows an administrator to perform maintenance procedures on
+the KDC database. Databases can be created, destroyed, and dumped to
+or loaded from ASCII files. kdb5_util can create a Kerberos master
+key stash file or perform live rollover of the master key.</p>
+<p>When kdb5_util is run, it attempts to acquire the master key and open
+the database. However, execution continues regardless of whether or
+not kdb5_util successfully opens the database, because the database
+may not exist yet or the stash file may be corrupt.</p>
+<p>Note that some KDC database modules may not support all kdb5_util
+commands.</p>
+</div>
+<div class="section" id="command-line-options">
+<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils" id="kdb5-util-options">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>specifies the Kerberos realm of the database.</dd>
+<dt><strong>-d</strong> <em>dbname</em></dt>
+<dd>specifies the name under which the principal database is stored;
+by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The
+password policy database and lock files are also derived from this
+value.</dd>
+<dt><strong>-k</strong> <em>mkeytype</em></dt>
+<dd>specifies the key type of the master key in the database. The
+default is given by the <strong>master_key_type</strong> variable in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
+<dd>Specifies the version number of the master key in the database;
+the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-M</strong> <em>mkeyname</em></dt>
+<dd>principal name for the master key in the database. If not
+specified, the name is determined by the <strong>master_key_name</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-m</strong></dt>
+<dd>specifies that the master database password should be read from
+the keyboard rather than fetched from a file on disk.</dd>
+<dt><strong>-sf</strong> <em>stash_file</em></dt>
+<dd>specifies the stash filename of the master database password. If
+not specified, the filename is determined by the
+<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><strong>-P</strong> <em>password</em></dt>
+<dd>specifies the master database password. Using this option may
+expose the password to other users on the system via the process
+list.</dd>
+</dl>
+</div>
+<div class="section" id="commands">
+<span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="create">
+<h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-create">
+<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote>
+<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash
+file is also created. This command fails if the database already
+exists. If the command is successful, the database is opened just as
+if it had already existed when the program was first run.</p>
+</div>
+<div class="section" id="destroy">
+<span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-destroy">
+<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote>
+<p>Destroys the database, first overwriting the disk sectors and then
+unlinking the files, after prompting the user for confirmation. With
+the <strong>-f</strong> argument, does not prompt the user.</p>
+</div>
+<div class="section" id="stash">
+<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-stash">
+<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote>
+<p>Stores the master principal&#8217;s keys in a stash file. The <strong>-f</strong>
+argument can be used to override the <em>keyfile</em> specified in
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+</div>
+<div class="section" id="dump">
+<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-dump">
+<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>]
+[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>]
+[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote>
+<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By
+default, the database is dumped in current format, &#8220;kdb5_util
+load_dump version 7&#8221;. If filename is not specified, or is the string
+&#8220;-&#8221;, the dump is sent to standard output. Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 Beta 7 format (&#8220;kdb5_util
+load_dump version 4&#8221;). This was the dump format produced on
+releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>causes the dump to be in &#8220;ovsec_adm_export&#8221; format.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>causes the dump to be in the Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-mkey_convert</strong></dt>
+<dd>prompts for a new master key. This new master key will be used to
+re-encrypt principal key data in the dumpfile. The principal keys
+themselves will not be changed.</dd>
+<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt>
+<dd>the filename of a stash file. The master key in this stash file
+will be used to re-encrypt the key data in the dumpfile. The key
+data in the database will not be changed.</dd>
+<dt><strong>-rev</strong></dt>
+<dd>dumps in reverse order. This may recover principals that do not
+dump normally, in cases where database corruption has occurred.</dd>
+<dt><strong>-recurse</strong></dt>
+<dd><p class="first">causes the dump to walk the database recursively (btree only).
+This may recover principals that do not dump normally, in cases
+where database corruption has occurred. In cases of such
+corruption, this option will probably retrieve more principals
+than the <strong>-rev</strong> option will.</p>
+<div class="versionchanged">
+<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong>
+option.</p>
+</div>
+<div class="last versionchanged">
+<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15,
+doing a normal dump instead of a recursive traversal.</p>
+</div>
+</dd>
+</dl>
+</div>
+<div class="section" id="load">
+<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3>
+<blockquote id="kdb5-util-load">
+<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>]
+[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote>
+<p>Loads a database dump from the named file into the named database. If
+no option is given to determine the format of the dump file, the
+format is detected automatically and handled as appropriate. Unless
+the <strong>-update</strong> option is given, <strong>load</strong> creates a new database
+containing only the data in the dump file, overwriting the contents of
+any previously existing database. Note that when using the LDAP KDC
+database module, the <strong>-update</strong> flag is required.</p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-b7</strong></dt>
+<dd>requires the database to be in the Kerberos 5 Beta 7 format
+(&#8220;kdb5_util load_dump version 4&#8221;). This was the dump format
+produced on releases prior to 1.2.2.</dd>
+<dt><strong>-ov</strong></dt>
+<dd>requires the database to be in &#8220;ovsec_adm_import&#8221; format. Must be
+used with the <strong>-update</strong> option.</dd>
+<dt><strong>-r13</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.3 format (&#8220;kdb5_util
+load_dump version 5&#8221;). This was the dump format produced on
+releases prior to 1.8.</dd>
+<dt><strong>-r18</strong></dt>
+<dd>requires the database to be in Kerberos 5 1.8 format (&#8220;kdb5_util
+load_dump version 6&#8221;). This was the dump format produced on
+releases prior to 1.11.</dd>
+<dt><strong>-hash</strong></dt>
+<dd>requires the database to be stored as a hash. If this option is
+not specified, the database will be stored as a btree. This
+option is not recommended, as databases stored in hash format are
+known to corrupt data and lose principals.</dd>
+<dt><strong>-verbose</strong></dt>
+<dd>causes the name of each principal and policy to be printed as it
+is dumped.</dd>
+<dt><strong>-update</strong></dt>
+<dd>records from the dump file are added to or updated in the existing
+database. Otherwise, a new database is created containing only
+what is in the dump file and the old one destroyed upon successful
+completion.</dd>
+</dl>
+<p>If specified, <em>dbname</em> overrides the value specified on the command
+line or the default.</p>
+</div>
+<div class="section" id="ark">
+<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,...] <em>principal</em></div></blockquote>
+<p>Adds new random keys to <em>principal</em> at the next available key version
+number. Keys for the current highest key version number will be
+preserved. The <strong>-e</strong> option specifies the list of encryption and
+salt types to be used for the new keys.</p>
+</div>
+<div class="section" id="add-mkey">
+<h3>add_mkey<a class="headerlink" href="#add-mkey" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</div></blockquote>
+<p>Adds a new master key to the master key principal, but does not mark
+it as active. Existing master keys will remain. The <strong>-e</strong> option
+specifies the encryption type of the new master key; see
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+values. The <strong>-s</strong> option stashes the new master key in the stash
+file, which will be created if it doesn&#8217;t already exist.</p>
+<p>After a new master key is added, it should be propagated to slave
+servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>. Then,
+the stash files on the slave servers should be updated with the
+kdb5_util <strong>stash</strong> command. Once those steps are complete, the key
+is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p>
+</div>
+<div class="section" id="use-mkey">
+<h3>use_mkey<a class="headerlink" href="#use-mkey" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</div></blockquote>
+<p>Sets the activation time of the master key specified by <em>mkeyVNO</em>.
+Once a master key becomes active, it will be used to encrypt newly
+created principal keys. If no <em>time</em> argument is given, the current
+time is used, causing the specified master key version to become
+active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string.</p>
+<p>After a new master key becomes active, the kdb5_util
+<strong>update_princ_encryption</strong> command can be used to update all
+principal keys to be encrypted in the new master key.</p>
+</div>
+<div class="section" id="list-mkeys">
+<h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_mkeys</strong></div></blockquote>
+<p>List all master keys, from most recent to earliest, in the master key
+principal. The output will show the kvno, enctype, and salt type for
+each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>getprinc</strong>. A
+<tt class="docutils literal"><span class="pre">*</span></tt> following an mkey denotes the currently active master key.</p>
+</div>
+<div class="section" id="purge-mkeys">
+<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</div></blockquote>
+<p>Delete master keys from the master key principal that are not used to
+protect any principals. This command can be used to remove old master
+keys all principal keys are protected by a newer master key.</p>
+<dl class="docutils">
+<dt><strong>-f</strong></dt>
+<dd>does not prompt for confirmation.</dd>
+<dt><strong>-n</strong></dt>
+<dd>performs a dry run, showing master keys that would be purged, but
+not actually purging any keys.</dd>
+<dt><strong>-v</strong></dt>
+<dd>gives more verbose output.</dd>
+</dl>
+</div>
+<div class="section" id="update-princ-encryption">
+<h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]
+[<em>princ-pattern</em>]</div></blockquote>
+<p>Update all principal records (or only those matching the
+<em>princ-pattern</em> glob pattern) to re-encrypt the key data using the
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
+updated. If the <strong>-f</strong> option is not given, ask for confirmation
+before starting to make changes. The <strong>-v</strong> option causes each
+principal processed to be listed, with an indication as to whether it
+needed updating or not. The <strong>-n</strong> option performs a dry run, only
+showing the actions which would have been taken.</p>
+</div>
+<div class="section" id="tabdump">
+<h3>tabdump<a class="headerlink" href="#tabdump" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>]
+<em>dumptype</em></div></blockquote>
+<p>Dump selected fields of the database in a tabular format suitable for
+reporting (e.g., using traditional Unix text processing tools) or
+importing into relational databases. The data format is tab-separated
+(default), or optionally comma-separated (CSV), with a fixed number of
+columns. The output begins with a header line containing field names,
+unless suppression is requested using the <strong>-H</strong> option.</p>
+<p>The <em>dumptype</em> parameter specifies the name of an output table (see
+below).</p>
+<p>Options:</p>
+<dl class="docutils">
+<dt><strong>-H</strong></dt>
+<dd>suppress writing the field names in a header line</dd>
+<dt><strong>-c</strong></dt>
+<dd>use comma separated values (CSV) format, with minimal quoting,
+instead of the default tab-separated (unquoted, unescaped) format</dd>
+<dt><strong>-e</strong></dt>
+<dd>write empty hexadecimal string fields as empty fields instead of
+as &#8220;-1&#8221;.</dd>
+<dt><strong>-n</strong></dt>
+<dd>produce numeric output for fields that normally have symbolic
+output, such as enctypes and flag names. Also requests output of
+time stamps as decimal POSIX time_t values.</dd>
+<dt><strong>-o</strong> <em>outfile</em></dt>
+<dd>write the dump to the specified output file instead of to standard
+output</dd>
+</dl>
+<p>Dump types:</p>
+<dl class="docutils">
+<dt><strong>keydata</strong></dt>
+<dd><p class="first">principal encryption key information, including actual key data
+(which is still encrypted in the master key)</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>keyindex</strong></dt>
+<dd>index of this key in the principal&#8217;s key list</dd>
+<dt><strong>kvno</strong></dt>
+<dd>key version number</dd>
+<dt><strong>enctype</strong></dt>
+<dd>encryption type</dd>
+<dt><strong>key</strong></dt>
+<dd>key data as a hexadecimal string</dd>
+<dt><strong>salttype</strong></dt>
+<dd>salt type</dd>
+<dt><strong>salt</strong></dt>
+<dd>salt data as a hexadecimal string</dd>
+</dl>
+</dd>
+<dt><strong>keyinfo</strong></dt>
+<dd>principal encryption key information (as in <strong>keydata</strong> above),
+excluding actual key data</dd>
+<dt><strong>princ_flags</strong></dt>
+<dd><p class="first">principal boolean attributes. Flag names print as hexadecimal
+numbers if the <strong>-n</strong> option is specified, and all flag positions
+are printed regardless of whether or not they are set. If <strong>-n</strong>
+is not specified, print all known flag names for each principal,
+but only print hexadecimal flag names if the corresponding flag is
+set.</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>flag</strong></dt>
+<dd>flag name</dd>
+<dt><strong>value</strong></dt>
+<dd>boolean value (0 for clear, or 1 for set)</dd>
+</dl>
+</dd>
+<dt><strong>princ_lockout</strong></dt>
+<dd><p class="first">state information used for tracking repeated password failures</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>last_success</strong></dt>
+<dd>time stamp of most recent successful authentication</dd>
+<dt><strong>last_failed</strong></dt>
+<dd>time stamp of most recent failed authentication</dd>
+<dt><strong>fail_count</strong></dt>
+<dd>count of failed attempts</dd>
+</dl>
+</dd>
+<dt><strong>princ_meta</strong></dt>
+<dd><p class="first">principal metadata</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>modby</strong></dt>
+<dd>name of last principal to modify this principal</dd>
+<dt><strong>modtime</strong></dt>
+<dd>timestamp of last modification</dd>
+<dt><strong>lastpwd</strong></dt>
+<dd>timestamp of last password change</dd>
+<dt><strong>policy</strong></dt>
+<dd>policy object name</dd>
+<dt><strong>mkvno</strong></dt>
+<dd>key version number of the master key that encrypts this
+principal&#8217;s key data</dd>
+<dt><strong>hist_kvno</strong></dt>
+<dd>key version number of the history key that encrypts the key
+history data for this principal</dd>
+</dl>
+</dd>
+<dt><strong>princ_stringattrs</strong></dt>
+<dd><p class="first">string attributes (key/value pairs)</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>key</strong></dt>
+<dd>attribute name</dd>
+<dt><strong>value</strong></dt>
+<dd>attribute value</dd>
+</dl>
+</dd>
+<dt><strong>princ_tktpolicy</strong></dt>
+<dd><p class="first">per-principal ticket policy data, including maximum ticket
+lifetimes</p>
+<dl class="last docutils">
+<dt><strong>name</strong></dt>
+<dd>principal name</dd>
+<dt><strong>expiration</strong></dt>
+<dd>principal expiration date</dd>
+<dt><strong>pw_expiration</strong></dt>
+<dd>password expiration date</dd>
+<dt><strong>max_life</strong></dt>
+<dd>maximum ticket lifetime</dd>
+<dt><strong>max_renew_life</strong></dt>
+<dd>maximum renewable ticket lifetime</dd>
+</dl>
+</dd>
+</dl>
+<p>Examples:</p>
+<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util tabdump -o keyinfo.txt keyinfo
+$ cat keyinfo.txt
+name keyindex kvno enctype salttype salt
+foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
+bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+$ sqlite3
+sqlite&gt; .mode tabs
+sqlite&gt; .import keyinfo.txt keyinfo
+sqlite&gt; select * from keyinfo where enctype like &#39;des-cbc-%&#39;;
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+sqlite&gt; .quit
+$ awk -F&#39;\t&#39; &#39;$4 ~ /des-cbc-/ { print }&#39; keyinfo.txt
+bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdb5_util</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#command-line-options">COMMAND-LINE OPTIONS</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#create">create</a></li>
+<li><a class="reference internal" href="#destroy">destroy</a></li>
+<li><a class="reference internal" href="#stash">stash</a></li>
+<li><a class="reference internal" href="#dump">dump</a></li>
+<li><a class="reference internal" href="#load">load</a></li>
+<li><a class="reference internal" href="#ark">ark</a></li>
+<li><a class="reference internal" href="#add-mkey">add_mkey</a></li>
+<li><a class="reference internal" href="#use-mkey">use_mkey</a></li>
+<li><a class="reference internal" href="#list-mkeys">list_mkeys</a></li>
+<li><a class="reference internal" href="#purge-mkeys">purge_mkeys</a></li>
+<li><a class="reference internal" href="#update-princ-encryption">update_princ_encryption</a></li>
+<li><a class="reference internal" href="#tabdump">tabdump</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kadmind.html" title="kadmind"
+ >previous</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdb5_util">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
new file mode 100644
index 000000000000..962d316aab40
--- /dev/null
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -0,0 +1,223 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kprop &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kpropd" href="kpropd.html" />
+ <link rel="prev" title="krb5kdc" href="krb5kdc.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ accesskey="P">previous</a> |
+ <a href="kpropd.html" title="kpropd"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kprop">
+<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kprop</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-f</strong> <em>file</em>]
+[<strong>-d</strong>]
+[<strong>-P</strong> <em>port</em>]
+[<strong>-s</strong> <em>keytab</em>]
+<em>slave_host</em></p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>kprop is used to securely propagate a Kerberos V5 database dump file
+from the master Kerberos server to a slave Kerberos server, which is
+specified by <em>slave_host</em>. The dump file must be created by
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the realm of the master server.</dd>
+<dt><strong>-f</strong> <em>file</em></dt>
+<dd>Specifies the filename where the dumped principal database file is
+to be found; by default the dumped database file is normally
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans</span></tt>.</dd>
+<dt><strong>-P</strong> <em>port</em></dt>
+<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> server
+on the remote host.</dd>
+<dt><strong>-d</strong></dt>
+<dd>Prints debugging information.</dd>
+<dt><strong>-s</strong> <em>keytab</em></dt>
+<dd>Specifies the location of the keytab file.</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p><em>kprop</em> uses the following environment variable:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kprop</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="krb5kdc.html" title="krb5kdc"
+ >previous</a> |
+ <a href="kpropd.html" title="kpropd"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kprop">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
new file mode 100644
index 000000000000..b8252223a043
--- /dev/null
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -0,0 +1,286 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kpropd &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kproplog" href="kproplog.html" />
+ <link rel="prev" title="kprop" href="kprop.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kprop.html" title="kprop"
+ accesskey="P">previous</a> |
+ <a href="kproplog.html" title="kproplog"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kpropd">
+<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kpropd</strong>
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-A</strong> <em>admin_server</em>]
+[<strong>-a</strong> <em>acl_file</em>]
+[<strong>-f</strong> <em>slave_dumpfile</em>]
+[<strong>-F</strong> <em>principal_database</em>]
+[<strong>-p</strong> <em>kdb5_util_prog</em>]
+[<strong>-P</strong> <em>port</em>]
+[<strong>-d</strong>]
+[<strong>-t</strong>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The <em>kpropd</em> command runs on the slave KDC server. It listens for
+update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> program. If incremental
+propagation is enabled, it periodically requests incremental updates
+from the master KDC.</p>
+<p>When the slave receives a kprop request from the master, kpropd
+accepts the dumped KDC database and places it in a file, and then runs
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> to load the dumped database into the active
+database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>. This allows the master
+Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> to propagate its database to
+the slave servers. Upon a successful download of the KDC database
+file, the slave Kerberos server will have an up-to-date KDC database.</p>
+<p>Where incremental propagation is not used, kpropd is commonly invoked
+out of inetd(8) as a nowait service. This is done by adding a line to
+the <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> file which looks like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+</pre></div>
+</div>
+<p>kpropd can also run as a standalone daemon, backgrounding itself and
+waiting for connections on port 754 (or the port specified with the
+<strong>-P</strong> option if given). Standalone mode is required for incremental
+propagation. Starting in release 1.11, kpropd automatically detects
+whether it was run from inetd and runs in standalone mode if it is
+not. Prior to release 1.11, the <strong>-S</strong> option is required to run
+kpropd in standalone mode; this option is now accepted for backward
+compatibility but does nothing.</p>
+<p>Incremental propagation may be enabled with the <strong>iprop_enable</strong>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If incremental propagation is
+enabled, the slave periodically polls the master KDC for updates, at
+an interval determined by the <strong>iprop_slave_poll</strong> variable. If the
+slave receives updates, kpropd updates its log file with any updates
+from the master. <a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to view a summary of
+the update entry log on the slave KDC. If incremental propagation is
+enabled, the principal <tt class="docutils literal"><span class="pre">kiprop/slavehostname&#64;REALM</span></tt> (where
+<em>slavehostname</em> is the name of the slave KDC host, and <em>REALM</em> is the
+name of the Kerberos realm) must be present in the slave&#8217;s keytab
+file.</p>
+<p><a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to force full replication when iprop is
+enabled.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the realm of the master server.</dd>
+<dt><strong>-A</strong> <em>admin_server</em></dt>
+<dd>Specifies the server to be contacted for incremental updates; by
+default, the master admin server is contacted.</dd>
+<dt><strong>-f</strong> <em>file</em></dt>
+<dd>Specifies the filename where the dumped principal database file is
+to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/from_master</span></tt>.</dd>
+<dt><strong>-p</strong></dt>
+<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>
+program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>SBINDIR</em></a><tt class="docutils literal"><span class="pre">/kdb5_util</span></tt>.</dd>
+<dt><strong>-d</strong></dt>
+<dd>Turn on debug mode. In this mode, kpropd will not detach
+itself from the current job and run in the background. Instead,
+it will run in the foreground and print out debugging messages
+during the database propagation.</dd>
+<dt><strong>-t</strong></dt>
+<dd>In standalone mode without incremental propagation, exit after one
+dump file is received. In incremental propagation mode, exit as
+soon as the database is up to date, or if the master returns an
+error.</dd>
+<dt><strong>-P</strong></dt>
+<dd>Allow for an alternate port number for kpropd to listen on. This
+is only useful in combination with the <strong>-S</strong> option.</dd>
+<dt><strong>-a</strong> <em>acl_file</em></dt>
+<dd>Allows the user to specify the path to the kpropd.acl file; by
+default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>kpropd uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt>kpropd.acl</dt>
+<dd>Access file for kpropd; the default location is
+<tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></tt>. Each entry is a line
+containing the principal of a host from which the local machine
+will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>.</dd>
+</dl>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, inetd(8)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kpropd</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kprop.html" title="kprop"
+ >previous</a> |
+ <a href="kproplog.html" title="kproplog"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kpropd">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
new file mode 100644
index 000000000000..a961170ccf98
--- /dev/null
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -0,0 +1,249 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kproplog &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="ktutil" href="ktutil.html" />
+ <link rel="prev" title="kpropd" href="kpropd.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kpropd.html" title="kpropd"
+ accesskey="P">previous</a> |
+ <a href="ktutil.html" title="ktutil"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kproplog">
+<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>kproplog</strong> [<strong>-h</strong>] [<strong>-e</strong> <em>num</em>] [-v]
+<strong>kproplog</strong> [-R]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The kproplog command displays the contents of the KDC database update
+log to standard output. It can be used to keep track of incremental
+updates to the principal database. The update log file contains the
+update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> process on the master
+KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> process on the slave KDC servers.
+When updates occur, they are logged to this file. Subsequently any
+KDC slave configured for incremental updates will request the current
+data from the master KDC and update their log file with any updates
+returned.</p>
+<p>The kproplog command requires read access to the update log file. It
+will display update entries only for the KDC it runs on.</p>
+<p>If no options are specified, kproplog displays a summary of the update
+log. If invoked on the master, kproplog also displays all of the
+update entries. If invoked on a slave KDC server, kproplog displays
+only a summary of the updates, which includes the serial number of the
+last update received and the associated time stamp of the last update.</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<dl class="docutils">
+<dt><strong>-R</strong></dt>
+<dd>Reset the update log. This forces full resynchronization. If used
+on a slave then that slave will request a full resync. If used on
+the master then all slaves will request full resyncs.</dd>
+<dt><strong>-h</strong></dt>
+<dd>Display a summary of the update log. This information includes
+the database version number, state of the database, the number of
+updates in the log, the time stamp of the first and last update,
+and the version number of the first and last update entry.</dd>
+<dt><strong>-e</strong> <em>num</em></dt>
+<dd>Display the last <em>num</em> update entries in the log. This is useful
+when debugging synchronization between KDC servers.</dd>
+<dt><strong>-v</strong></dt>
+<dd><p class="first">Display individual attributes per update. An example of the
+output generated for one entry:</p>
+<div class="last highlight-python"><div class="highlight"><pre>Update Entry
+ Update serial # : 4
+ Update operation : Add
+ Update principal : test@EXAMPLE.COM
+ Update size : 424
+ Update committed : True
+ Update time stamp : Fri Feb 20 23:37:42 2004
+ Attributes changed : 6
+ Principal
+ Key data
+ Password last changed
+ Modifying principal
+ Modification time
+ TL data
+</pre></div>
+</div>
+</dd>
+</dl>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>kproplog uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kproplog</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kpropd.html" title="kpropd"
+ >previous</a> |
+ <a href="ktutil.html" title="ktutil"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kproplog">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
new file mode 100644
index 000000000000..22a0c0ca87e4
--- /dev/null
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -0,0 +1,277 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>krb5kdc &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="kprop" href="kprop.html" />
+ <link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ accesskey="P">previous</a> |
+ <a href="kprop.html" title="kprop"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="krb5kdc">
+<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>krb5kdc</strong>
+[<strong>-x</strong> <em>db_args</em>]
+[<strong>-d</strong> <em>dbname</em>]
+[<strong>-k</strong> <em>keytype</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
+[<strong>-p</strong> <em>portnum</em>]
+[<strong>-m</strong>]
+[<strong>-r</strong> <em>realm</em>]
+[<strong>-n</strong>]
+[<strong>-w</strong> <em>numworkers</em>]
+[<strong>-P</strong> <em>pid_file</em>]
+[<strong>-T</strong> <em>time_offset</em>]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>krb5kdc is the Kerberos version 5 Authentication Service and Key
+Distribution Center (AS/KDC).</p>
+</div>
+<div class="section" id="options">
+<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
+<p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server
+should provide service.</p>
+<p>The <strong>-d</strong> <em>dbname</em> option specifies the name under which the
+principal database can be found. This option does not apply to the
+LDAP database.</p>
+<p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key
+to be entered manually as a password when <strong>-m</strong> is given; the default
+is <tt class="docutils literal"><span class="pre">des-cbc-crc</span></tt>.</p>
+<p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the
+master key in the database (usually <tt class="docutils literal"><span class="pre">K/M</span></tt> in the KDC&#8217;s realm).</p>
+<p>The <strong>-m</strong> option specifies that the master database password should
+be fetched from the keyboard rather than from a stash file.</p>
+<p>The <strong>-n</strong> option specifies that the KDC does not put itself in the
+background and does not disassociate itself from the terminal. In
+normal operation, you should always allow the KDC to place itself in
+the background.</p>
+<p>The <strong>-P</strong> <em>pid_file</em> option tells the KDC to write its PID into
+<em>pid_file</em> after it starts up. This can be used to identify whether
+the KDC is still running and to allow init scripts to stop the correct
+process.</p>
+<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP port numbers
+which the KDC should listen on for Kerberos version 5 requests, as a
+comma-separated list. This value overrides the UDP port numbers
+specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section of <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but
+may be overridden by realm-specific values. If no value is given from
+any source, the default port is 88.</p>
+<p>The <strong>-w</strong> <em>numworkers</em> option tells the KDC to fork <em>numworkers</em>
+processes to listen to the KDC ports and process requests in parallel.
+The top level KDC process (whose pid is recorded in the pid file if
+the <strong>-P</strong> option is also given) acts as a supervisor. The supervisor
+will relay SIGHUP signals to the worker subprocesses, and will
+terminate the worker subprocess if the it is itself terminated or if
+any other worker process exits.</p>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">On operating systems which do not have <em>pktinfo</em> support,
+using worker processes will prevent the KDC from listening
+for UDP packets on network interfaces created after the KDC
+starts.</p>
+</div>
+<p>The <strong>-x</strong> <em>db_args</em> option specifies database-specific arguments.
+See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for
+supported arguments.</p>
+<p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which
+the KDC will operate under. It is intended only for testing purposes.</p>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<p>The KDC may service requests for multiple realms (maximum 32 realms).
+The realms are listed on the command line. Per-realm options that can
+be specified on the command line pertain for each realm that follows
+it and are superseded by subsequent definitions of the same option.</p>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
+</pre></div>
+</div>
+<p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002
+for REALM2 and REALM3. Additionally, per-realm parameters may be
+specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file. The location of this file
+may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable.
+Per-realm parameters specified in this file take precedence over
+options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+description for further details.</p>
+</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>krb5kdc uses the following environment variables:</p>
+<ul class="simple">
+<li><strong>KRB5_CONFIG</strong></li>
+<li><strong>KRB5_KDC_PROFILE</strong></li>
+</ul>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">krb5kdc</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdb5_ldap_util.html" title="kdb5_ldap_util"
+ >previous</a> |
+ <a href="kprop.html" title="kprop"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5kdc">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
new file mode 100644
index 000000000000..de4700ef9cc1
--- /dev/null
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -0,0 +1,292 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>ktutil &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="k5srvutil" href="k5srvutil.html" />
+ <link rel="prev" title="kproplog" href="kproplog.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kproplog.html" title="kproplog"
+ accesskey="P">previous</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="ktutil">
+<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>ktutil</strong></p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The ktutil command invokes a command interface from which an
+administrator can read, write, or edit entries in a keytab or Kerberos
+V4 srvtab file.</p>
+</div>
+<div class="section" id="commands">
+<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
+<div class="section" id="list">
+<h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list</strong></div></blockquote>
+<p>Displays the current keylist.</p>
+<p>Alias: <strong>l</strong></p>
+</div>
+<div class="section" id="read-kt">
+<h3>read_kt<a class="headerlink" href="#read-kt" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>read_kt</strong> <em>keytab</em></div></blockquote>
+<p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p>
+<p>Alias: <strong>rkt</strong></p>
+</div>
+<div class="section" id="read-st">
+<h3>read_st<a class="headerlink" href="#read-st" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>read_st</strong> <em>srvtab</em></div></blockquote>
+<p>Read the Kerberos V4 srvtab file <em>srvtab</em> into the current keylist.</p>
+<p>Alias: <strong>rst</strong></p>
+</div>
+<div class="section" id="write-kt">
+<h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>write_kt</strong> <em>keytab</em></div></blockquote>
+<p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p>
+<p>Alias: <strong>wkt</strong></p>
+</div>
+<div class="section" id="write-st">
+<h3>write_st<a class="headerlink" href="#write-st" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>write_st</strong> <em>srvtab</em></div></blockquote>
+<p>Write the current keylist into the Kerberos V4 srvtab file <em>srvtab</em>.</p>
+<p>Alias: <strong>wst</strong></p>
+</div>
+<div class="section" id="clear-list">
+<h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>clear_list</strong></div></blockquote>
+<p>Clear the current keylist.</p>
+<p>Alias: <strong>clear</strong></p>
+</div>
+<div class="section" id="delete-entry">
+<h3>delete_entry<a class="headerlink" href="#delete-entry" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>delete_entry</strong> <em>slot</em></div></blockquote>
+<p>Delete the entry in slot number <em>slot</em> from the current keylist.</p>
+<p>Alias: <strong>delent</strong></p>
+</div>
+<div class="section" id="add-entry">
+<h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
+<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em></div></blockquote>
+<p>Add <em>principal</em> to keylist using key or password.</p>
+<p>Alias: <strong>addent</strong></p>
+</div>
+<div class="section" id="list-requests">
+<h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>list_requests</strong></div></blockquote>
+<p>Displays a listing of available commands.</p>
+<p>Aliases: <strong>lr</strong>, <strong>?</strong></p>
+</div>
+<div class="section" id="quit">
+<h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><strong>quit</strong></div></blockquote>
+<p>Quits ktutil.</p>
+<p>Aliases: <strong>exit</strong>, <strong>q</strong></p>
+</div>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<blockquote>
+<div><div class="highlight-python"><div class="highlight"><pre>ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes128-cts-hmac-sha1-96
+Password for alice@BLEEP.COM:
+ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
+ aes256-cts-hmac-sha1-96
+Password for alice@BLEEP.COM:
+ktutil: write_kt keytab
+ktutil:
+</pre></div>
+</div>
+</div></blockquote>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">ktutil</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
+<li><a class="reference internal" href="#list">list</a></li>
+<li><a class="reference internal" href="#read-kt">read_kt</a></li>
+<li><a class="reference internal" href="#read-st">read_st</a></li>
+<li><a class="reference internal" href="#write-kt">write_kt</a></li>
+<li><a class="reference internal" href="#write-st">write_st</a></li>
+<li><a class="reference internal" href="#clear-list">clear_list</a></li>
+<li><a class="reference internal" href="#delete-entry">delete_entry</a></li>
+<li><a class="reference internal" href="#add-entry">add_entry</a></li>
+<li><a class="reference internal" href="#list-requests">list_requests</a></li>
+<li><a class="reference internal" href="#quit">quit</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kproplog.html" title="kproplog"
+ >previous</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__ktutil">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
new file mode 100644
index 000000000000..15e622cf0b5d
--- /dev/null
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -0,0 +1,270 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>sserver &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Administration programs" href="index.html" />
+ <link rel="next" title="MIT Kerberos defaults" href="../../mitK5defaults.html" />
+ <link rel="prev" title="k5srvutil" href="k5srvutil.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ accesskey="P">previous</a> |
+ <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="sserver">
+<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="synopsis">
+<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2>
+<p><strong>sserver</strong>
+[ <strong>-p</strong> <em>port</em> ]
+[ <strong>-S</strong> <em>keytab</em> ]
+[ <em>server_port</em> ]</p>
+</div>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a> are a simple demonstration client/server
+application. When sclient connects to sserver, it performs a Kerberos
+authentication, and then sserver returns to sclient the Kerberos
+principal which was used for the Kerberos authentication. It makes a
+good test that Kerberos has been successfully installed on a machine.</p>
+<p>The service name used by sserver and sclient is sample. Hence,
+sserver will require that there be a keytab entry for the service
+<tt class="docutils literal"><span class="pre">sample/hostname.domain.name&#64;REALM.NAME</span></tt>. This keytab is generated
+using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program. The keytab file is usually
+installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.</p>
+<p>The <strong>-S</strong> option allows for a different keytab than the default.</p>
+<p>sserver is normally invoked out of inetd(8), using a line in
+<tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> that looks like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sample stream tcp nowait root /usr/local/sbin/sserver sserver
+</pre></div>
+</div>
+<p>Since <tt class="docutils literal"><span class="pre">sample</span></tt> is normally not a port defined in <tt class="docutils literal"><span class="pre">/etc/services</span></tt>,
+you will usually have to add a line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> which looks
+like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sample 13135/tcp
+</pre></div>
+</div>
+<p>When using sclient, you will first have to have an entry in the
+Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and then you have to get
+Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>. Also, if you are running
+the sclient program on a different host than the sserver it will be
+connecting to, be sure that both hosts have an entry in /etc/services
+for the sample tcp port, and that the same port number is in both
+files.</p>
+<p>When you run sclient you should see something like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>sendauth succeeded, reply is:
+reply len 32, contents:
+You are nlgilman@JIMI.MIT.EDU
+</pre></div>
+</div>
+</div>
+<div class="section" id="common-error-messages">
+<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2>
+<ol class="arabic">
+<li><p class="first">kinit returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>kinit: Client not found in Kerberos database while getting
+ initial credentials
+</pre></div>
+</div>
+<p>This means that you didn&#8217;t create an entry for your username in the
+Kerberos database.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>unknown service sample/tcp; check /etc/services
+</pre></div>
+</div>
+<p>This means that you don&#8217;t have an entry in /etc/services for the
+sample tcp port.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>connect: Connection refused
+</pre></div>
+</div>
+<p>This probably means you didn&#8217;t edit /etc/inetd.conf correctly, or
+you didn&#8217;t restart inetd after editing inetd.conf.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>sclient: Server not found in Kerberos database while using
+ sendauth
+</pre></div>
+</div>
+<p>This means that the <tt class="docutils literal"><span class="pre">sample/hostname&#64;LOCAL.REALM</span></tt> service was not
+defined in the Kerberos database; it should be created using
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and a keytab file needs to be generated to make
+the key for that service principal available for sclient.</p>
+</li>
+<li><p class="first">sclient returns the error:</p>
+<div class="highlight-python"><div class="highlight"><pre>sendauth rejected, error reply is:
+ &quot;No such file or directory&quot;
+</pre></div>
+</div>
+<p>This probably means sserver couldn&#8217;t find the keytab file. It was
+probably not installed in the proper directory.</p>
+</li>
+</ol>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a>, services(5), inetd(8)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">sserver</a><ul>
+<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#common-error-messages">COMMON ERROR MESSAGES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
+<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
+<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
+<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">sserver</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="k5srvutil.html" title="k5srvutil"
+ >previous</a> |
+ <a href="../../mitK5defaults.html" title="MIT Kerberos defaults"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__sserver">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html>
\ No newline at end of file