| author | Cy Schubert <cy@FreeBSD.org> | 2025-03-19 22:12:25 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-03-19 22:12:25 +0000 |
| commit | 8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch) | |
| tree | 9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/admin/admin_commands | |
| parent | 1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff) | |
Diffstat (limited to 'doc/html/admin/admin_commands')
| -rw-r--r-- | doc/html/admin/admin_commands/index.html | 46 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/k5srvutil.html | 88 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kadmin_local.html | 790 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kadmind.html | 148 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kdb5_ldap_util.html | 375 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kdb5_util.html | 517 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kprop.html | 92 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kpropd.html | 152 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/kproplog.html | 91 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/krb5kdc.html | 76 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/ktutil.html | 130 | ||||
| -rw-r--r-- | doc/html/admin/admin_commands/sserver.html | 102 |
12 files changed, 1287 insertions, 1320 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
index 56e36b025f55..42935051839f 100644
--- a/doc/html/admin/admin_commands/index.html
+++ b/doc/html/admin/admin_commands/index.html
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>Administration programs — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link 
rel="next" title="kadmin" href="kadmin_local.html" /> <link rel="prev" title="Authentication indicators" href="../auth_indicator.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,7 +52,7 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="administration-programs"> + <section id="administration-programs"> <h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1> <div class="toctree-wrapper compound"> <ul> @@ -78,14 +69,16 @@ <li class="toctree-l1"><a class="reference internal" href="sserver.html">sserver</a></li> </ul> </div> -</div> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">Administration programs</a></li> @@ -155,6 +148,7 @@ <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -162,8 +156,8 @@ <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html index 9b5aa023dfae..e2e3bc5f54d1 100644 --- a/doc/html/admin/admin_commands/k5srvutil.html +++ b/doc/html/admin/admin_commands/k5srvutil.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>k5srvutil — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="sserver" href="sserver.html" /> <link rel="prev" title="ktutil" href="ktutil.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,27 +52,26 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="k5srvutil"> + <section id="k5srvutil"> <span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>k5srvutil</strong> <em>operation</em> [<strong>-i</strong>] [<strong>-f</strong> <em>filename</em>] [<strong>-e</strong> <em>keysalts</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non-current keys from a keytab.</p> <p><em>operation</em> must be one of the following:</p> -<dl class="docutils"> -<dt><strong>list</strong></dt> -<dd>Lists the keys in a keytab, showing version number and principal -name.</dd> -<dt><strong>change</strong></dt> -<dd>Uses the kadmin protocol to update the keys in the Kerberos +<dl class="simple"> +<dt><strong>list</strong></dt><dd><p>Lists the keys in a keytab, showing version number and principal +name.</p> +</dd> +<dt><strong>change</strong></dt><dd><p>Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the keytab to match. If a key’s version number doesn’t match the version number stored in the Kerberos server’s database, then the 
@@ -92,39 +82,42 @@ Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the <strong>-e</strong> option. Old keys are retained in the keytab so that existing tickets continue to work, but <strong>delold</strong> should be used after -such tickets expire, to prevent attacks against the old keys.</dd> -<dt><strong>delold</strong></dt> -<dd>Deletes keys that are not the most recent version from the keytab. +such tickets expire, to prevent attacks against the old keys.</p> +</dd> +<dt><strong>delold</strong></dt><dd><p>Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the <strong>-i</strong> flag is given, then k5srvutil will -prompt for confirmation for each principal.</dd> -<dt><strong>delete</strong></dt> -<dd>Deletes particular keys in the keytab, interactively prompting for -each key.</dd> +prompt for confirmation for each principal.</p> +</dd> +<dt><strong>delete</strong></dt><dd><p>Deletes particular keys in the keytab, interactively prompting for +each key.</p> +</dd> </dl> <p>In all cases, the default keytab is used unless this is overridden by the <strong>-f</strong> option.</p> <p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to edit the keytab in place.</p> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" 
href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">k5srvutil</a><ul> @@ -200,6 +193,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -207,8 +201,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html index 6c8e131ac9ca..1b6e42b31ac4 100644 --- a/doc/html/admin/admin_commands/kadmin_local.html +++ b/doc/html/admin/admin_commands/kadmin_local.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kadmin — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kadmind" href="kadmind.html" /> <link rel="prev" title="Administration programs" href="index.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kadmin"> + <section id="kadmin"> <span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p id="kadmin-synopsis"><strong>kadmin</strong> [<strong>-O</strong>|<strong>-N</strong>] @@ -83,8 +74,8 @@ [<strong>-m</strong>] [<strong>-x</strong> <em>db_args</em>] [command args…]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; @@ -95,7 +86,7 @@ to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs).</p> <p>The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code> +using the service principal <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal notranslate"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified hostname of the admin server). If the credentials cache contains a ticket for one of these principals, and the <strong>-c</strong> credentials_cache option is specified, that 
@@ -108,250 +99,250 @@ ticket to authenticate to kadmind.</p> be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server.</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils" id="kadmin-options"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Use <em>realm</em> as the default database realm.</dd> -<dt><strong>-p</strong> <em>principal</em></dt> -<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append -<code class="docutils literal"><span class="pre">/admin</span></code> to the primary principal name of the default ccache, +<dl class="simple" id="kadmin-options"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Use <em>realm</em> as the default database realm.</p> +</dd> +<dt><strong>-p</strong> <em>principal</em></dt><dd><p>Use <em>principal</em> to authenticate. Otherwise, kadmin will append +<code class="docutils literal notranslate"><span class="pre">/admin</span></code> to the primary principal name of the default ccache, the value of the <strong>USER</strong> environment variable, or the username as -obtained with getpwuid, in order of preference.</dd> -<dt><strong>-k</strong></dt> -<dd>Use a keytab to decrypt the KDC response instead of prompting for +obtained with getpwuid, in order of preference.</p> +</dd> +<dt><strong>-k</strong></dt><dd><p>Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be -<code class="docutils literal"><span class="pre">host/hostname</span></code>. 
If there is no keytab specified with the -<strong>-t</strong> option, then the default keytab will be used.</dd> -<dt><strong>-t</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used -with the <strong>-k</strong> option.</dd> -<dt><strong>-n</strong></dt> -<dd>Requests anonymous processing. Two types of anonymous principals +<code class="docutils literal notranslate"><span class="pre">host/hostname</span></code>. If there is no keytab specified with the +<strong>-t</strong> option, then the default keytab will be used.</p> +</dd> +<dt><strong>-t</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> to decrypt the KDC response. This can only be used +with the <strong>-k</strong> option.</p> +</dd> +<dt><strong>-n</strong></dt><dd><p>Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure <strong>pkinit_anchors</strong> in the client’s <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Then use the <strong>-n</strong> option with a principal -of the form <code class="docutils literal"><span class="pre">@REALM</span></code> (an empty principal name followed by the +of the form <code class="docutils literal notranslate"><span class="pre">@REALM</span></code> (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use <code class="docutils literal"><span class="pre">kinit</span> +client but not the client’s realm. For this mode, use <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-n</span></code> with a normal principal name. 
If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation.</dd> -<dt><strong>-c</strong> <em>credentials_cache</em></dt> -<dd>Use <em>credentials_cache</em> as the credentials cache. The cache -should contain a service ticket for the <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or -<code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified +fully anonymous operation.</p> +</dd> +<dt><strong>-c</strong> <em>credentials_cache</em></dt><dd><p>Use <em>credentials_cache</em> as the credentials cache. The cache +should contain a service ticket for the <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or +<code class="docutils literal notranslate"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified hostname of the admin server) service; it can be acquired with the <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its -own temporary ccache.</dd> -<dt><strong>-w</strong> <em>password</em></dt> -<dd>Use <em>password</em> instead of prompting for one. Use this option with +own temporary ccache.</p> +</dd> +<dt><strong>-w</strong> <em>password</em></dt><dd><p>Use <em>password</em> instead of prompting for one. Use this option with care, as it may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-q</strong> <em>query</em></dt> -<dd>Perform the specified query and then exit.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>Specifies the name of the KDC database. 
This option does not -apply to the LDAP database module.</dd> -<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt> -<dd>Specifies the admin server which kadmin should contact.</dd> -<dt><strong>-m</strong></dt> -<dd>If using kadmin.local, prompt for the database master password -instead of reading it from a stash file.</dd> -<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> …”</dt> -<dd>Sets the keysalt list to be used for any new keys created. See +via the process list.</p> +</dd> +<dt><strong>-q</strong> <em>query</em></dt><dd><p>Perform the specified query and then exit.</p> +</dd> +<dt><strong>-d</strong> <em>dbname</em></dt><dd><p>Specifies the name of the KDC database. This option does not +apply to the LDAP database module.</p> +</dd> +<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt><dd><p>Specifies the admin server which kadmin should contact.</p> +</dd> +<dt><strong>-m</strong></dt><dd><p>If using kadmin.local, prompt for the database master password +instead of reading it from a stash file.</p> +</dd> +<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> …”</dt><dd><p>Sets the keysalt list to be used for any new keys created. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible -values.</dd> -<dt><strong>-O</strong></dt> -<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-N</strong></dt> -<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>Specifies the database specific arguments. 
See the next section -for supported options.</dd> +values.</p> +</dd> +<dt><strong>-O</strong></dt><dd><p>Force use of old AUTH_GSSAPI authentication flavor.</p> +</dd> +<dt><strong>-N</strong></dt><dd><p>Prevent fallback to AUTH_GSSAPI authentication flavor.</p> +</dd> +<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>Specifies the database specific arguments. See the next section +for supported options.</p> +</dd> </dl> <p>Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects:</p> <ul class="simple"> -<li>Query arguments are split by the shell, not by kadmin.</li> -<li>Informational and warning messages are suppressed. Error messages +<li><p>Query arguments are split by the shell, not by kadmin.</p></li> +<li><p>Informational and warning messages are suppressed. Error messages and query output (e.g. for <strong>get_principal</strong>) will still be -displayed.</li> -<li>Confirmation prompts are disabled (as if <strong>-force</strong> was given). -Password prompts will still be issued as required.</li> -<li>The exit status will be non-zero if the query fails.</li> +displayed.</p></li> +<li><p>Confirmation prompts are disabled (as if <strong>-force</strong> was given). +Password prompts will still be issued as required.</p></li> +<li><p>The exit status will be non-zero if the query fails.</p></li> </ul> <p>The <strong>-q</strong> option does not carry these behavior differences; the query will be processed as if it was entered interactively. 
The <strong>-q</strong> option cannot be used in combination with a query in the remaining arguments.</p> -</div> -<div class="section" id="database-options"> +</section> +<section id="database-options"> <span id="dboptions"></span><h2>DATABASE OPTIONS<a class="headerlink" href="#database-options" title="Permalink to this headline">¶</a></h2> <p>Database options can be used to override database-specific defaults. Supported options for the DB2 module are:</p> <blockquote> -<div><dl class="docutils"> -<dt><strong>-x dbname=</strong>*filename*</dt> -<dd>Specifies the base filename of the DB2 database.</dd> -<dt><strong>-x lockiter</strong></dt> -<dd>Make iteration operations hold the lock for the duration of +<div><dl class="simple"> +<dt><strong>-x dbname=</strong>*filename*</dt><dd><p>Specifies the base filename of the DB2 database.</p> +</dd> +<dt><strong>-x lockiter</strong></dt><dd><p>Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in -release 1.13.</dd> -<dt><strong>-x unlockiter</strong></dt> -<dd>Make iteration operations unlock the database for each +release 1.13.</p> +</dd> +<dt><strong>-x unlockiter</strong></dt><dd><p>Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the -entire operation. First introduced in release 1.13.</dd> +entire operation. 
First introduced in release 1.13.</p> +</dd> </dl> </div></blockquote> <p>Supported options for the LDAP module are:</p> <blockquote> -<div><dl class="docutils"> -<dt><strong>-x host=</strong><em>ldapuri</em></dt> -<dd>Specifies the LDAP server to connect to by a LDAP URI.</dd> -<dt><strong>-x binddn=</strong><em>bind_dn</em></dt> -<dd>Specifies the DN used to bind to the LDAP server.</dd> -<dt><strong>-x bindpwd=</strong><em>password</em></dt> -<dd>Specifies the password or SASL secret used to bind to the LDAP +<div><dl class="simple"> +<dt><strong>-x host=</strong><em>ldapuri</em></dt><dd><p>Specifies the LDAP server to connect to by a LDAP URI.</p> +</dd> +<dt><strong>-x binddn=</strong><em>bind_dn</em></dt><dd><p>Specifies the DN used to bind to the LDAP server.</p> +</dd> +<dt><strong>-x bindpwd=</strong><em>password</em></dt><dd><p>Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the <strong>stashsrvpw</strong> command of -<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>.</dd> -<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt> -<dd>Specifies the SASL mechanism used to bind to the LDAP server. +<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>.</p> +</dd> +<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt><dd><p>Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. 
New in -release 1.13.</dd> -<dt><strong>-x sasl_authcid=</strong><em>name</em></dt> -<dd>Specifies the authentication name used when binding to the +release 1.13.</p> +</dd> +<dt><strong>-x sasl_authcid=</strong><em>name</em></dt><dd><p>Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires -one. New in release 1.13.</dd> -<dt><strong>-x sasl_authzid=</strong><em>name</em></dt> -<dd>Specifies the authorization name used when binding to the LDAP -server with a SASL mechanism. New in release 1.13.</dd> -<dt><strong>-x sasl_realm=</strong><em>realm</em></dt> -<dd>Specifies the realm used when binding to the LDAP server with +one. New in release 1.13.</p> +</dd> +<dt><strong>-x sasl_authzid=</strong><em>name</em></dt><dd><p>Specifies the authorization name used when binding to the LDAP +server with a SASL mechanism. New in release 1.13.</p> +</dd> +<dt><strong>-x sasl_realm=</strong><em>realm</em></dt><dd><p>Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release -1.13.</dd> -<dt><strong>-x debug=</strong><em>level</em></dt> -<dd>sets the OpenLDAP client library debug level. <em>level</em> is an +1.13.</p> +</dd> +<dt><strong>-x debug=</strong><em>level</em></dt><dd><p>sets the OpenLDAP client library debug level. <em>level</em> is an integer to be interpreted by the library. Debugging messages -are printed to standard error. New in release 1.12.</dd> +are printed to standard error. 
New in release 1.12.</p> +</dd> </dl> </div></blockquote> -</div> -<div class="section" id="commands"> +</section> +<section id="commands"> <h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> <p>When using the remote client, available commands may be restricted according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file on the admin server.</p> -<div class="section" id="add-principal"> +<section id="add-principal"> <span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote> +<div><p><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></p> +</div></blockquote> <p>Creates the principal <em>newprinc</em>, prompting twice for a password. If no password policy is specified with the <strong>-policy</strong> option, and the -policy named <code class="docutils literal"><span class="pre">default</span></code> is assigned to the principal if it exists. -However, creating a policy named <code class="docutils literal"><span class="pre">default</span></code> will not automatically +policy named <code class="docutils literal notranslate"><span class="pre">default</span></code> is assigned to the principal if it exists. +However, creating a policy named <code class="docutils literal notranslate"><span class="pre">default</span></code> will not automatically assign this policy to previously existing principals. 
This policy assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p> <p>This command requires the <strong>add</strong> privilege.</p> <p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p> <p>Options:</p> -<dl class="docutils"> -<dt><strong>-expire</strong> <em>expdate</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The expiration date of the principal.</dd> -<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The password expiration date.</dd> -<dt><strong>-maxlife</strong> <em>maxlife</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum ticket life -for the principal.</dd> -<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum renewable -life of tickets for the principal.</dd> -<dt><strong>-kvno</strong> <em>kvno</em></dt> -<dd>The initial key version number.</dd> -<dt><strong>-policy</strong> <em>policy</em></dt> -<dd>The password policy used by this principal. 
If not specified, the -policy <code class="docutils literal"><span class="pre">default</span></code> is used if it exists (unless <strong>-clearpolicy</strong> -is specified).</dd> -<dt><strong>-clearpolicy</strong></dt> -<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not -specified.</dd> -<dt>{-|+}<strong>allow_postdated</strong></dt> -<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining -postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_forwardable</strong></dt> -<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining -forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_renewable</strong></dt> -<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining -renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_proxiable</strong></dt> -<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining -proxiable tickets. 
<strong>+allow_proxiable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_dup_skey</strong></dt> -<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this +<dl> +<dt><strong>-expire</strong> <em>expdate</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The expiration date of the principal.</p> +</dd> +<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The password expiration date.</p> +</dd> +<dt><strong>-maxlife</strong> <em>maxlife</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum ticket life +for the principal.</p> +</dd> +<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum renewable +life of tickets for the principal.</p> +</dd> +<dt><strong>-kvno</strong> <em>kvno</em></dt><dd><p>The initial key version number.</p> +</dd> +<dt><strong>-policy</strong> <em>policy</em></dt><dd><p>The password policy used by this principal. 
If not specified, the +policy <code class="docutils literal notranslate"><span class="pre">default</span></code> is used if it exists (unless <strong>-clearpolicy</strong> +is specified).</p> +</dd> +<dt><strong>-clearpolicy</strong></dt><dd><p>Prevents any policy from being assigned when <strong>-policy</strong> is not +specified.</p> +</dd> +<dt>{-|+}<strong>allow_postdated</strong></dt><dd><p><strong>-allow_postdated</strong> prohibits this principal from obtaining +postdated tickets. <strong>+allow_postdated</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_forwardable</strong></dt><dd><p><strong>-allow_forwardable</strong> prohibits this principal from obtaining +forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_renewable</strong></dt><dd><p><strong>-allow_renewable</strong> prohibits this principal from obtaining +renewable tickets. <strong>+allow_renewable</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_proxiable</strong></dt><dd><p><strong>-allow_proxiable</strong> prohibits this principal from obtaining +proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_dup_skey</strong></dt><dd><p><strong>-allow_dup_skey</strong> disables user-to-user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal’s TGT session key. -<strong>+allow_dup_skey</strong> clears this flag.</dd> -<dt>{-|+}<strong>requires_preauth</strong></dt> -<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate +<strong>+allow_dup_skey</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>requires_preauth</strong></dt><dd><p><strong>+requires_preauth</strong> requires this principal to preauthenticate before being allowed to kinit. <strong>-requires_preauth</strong> clears this flag. 
When <strong>+requires_preauth</strong> is set on a service principal, the KDC will only issue service tickets for that service principal if the client’s initial authentication was performed using -preauthentication.</dd> -<dt>{-|+}<strong>requires_hwauth</strong></dt> -<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate +preauthentication.</p> +</dd> +<dt>{-|+}<strong>requires_hwauth</strong></dt><dd><p><strong>+requires_hwauth</strong> requires this principal to preauthenticate using a hardware device before being allowed to kinit. <strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is set on a service principal, the KDC will only issue service tickets for that service principal if the client’s initial authentication was -performed using a hardware device to preauthenticate.</dd> -<dt>{-|+}<strong>ok_as_delegate</strong></dt> -<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets +performed using a hardware device to preauthenticate.</p> +</dd> +<dt>{-|+}<strong>ok_as_delegate</strong></dt><dd><p><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. <strong>-ok_as_delegate</strong> clears this -flag.</dd> -<dt>{-|+}<strong>allow_svr</strong></dt> -<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this +flag.</p> +</dd> +<dt>{-|+}<strong>allow_svr</strong></dt><dd><p><strong>-allow_svr</strong> prohibits the issuance of service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed unless the <strong>-allow_dup_skey</strong> flag is -also set. 
<strong>+allow_svr</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tgs_req</strong></dt> -<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS) +also set. <strong>+allow_svr</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_tgs_req</strong></dt><dd><p><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. -<strong>+allow_tgs_req</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tix</strong></dt> -<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this -principal. <strong>+allow_tix</strong> clears this flag.</dd> -<dt>{-|+}<strong>needchange</strong></dt> -<dd><strong>+needchange</strong> forces a password change on the next initial +<strong>+allow_tgs_req</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>allow_tix</strong></dt><dd><p><strong>-allow_tix</strong> forbids the issuance of any tickets for this +principal. <strong>+allow_tix</strong> clears this flag.</p> +</dd> +<dt>{-|+}<strong>needchange</strong></dt><dd><p><strong>+needchange</strong> forces a password change on the next initial authentication to this principal. 
<strong>-needchange</strong> clears this -flag.</dd> -<dt>{-|+}<strong>password_changing_service</strong></dt> -<dd><strong>+password_changing_service</strong> marks this principal as a password -change service principal.</dd> -<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt> -<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire +flag.</p> +</dd> +<dt>{-|+}<strong>password_changing_service</strong></dt><dd><p><strong>+password_changing_service</strong> marks this principal as a password +change service principal.</p> +</dd> +<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt><dd><p><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with -constrained delegation.</dd> -<dt>{-|+}<strong>no_auth_data_required</strong></dt> -<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.</dd> -<dt>{-|+}<strong>lockdown_keys</strong></dt> -<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving +constrained delegation.</p> +</dd> +<dt>{-|+}<strong>no_auth_data_required</strong></dt><dd><p><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from +being added to service tickets for the principal.</p> +</dd> +<dt>{-|+}<strong>lockdown_keys</strong></dt><dd><p><strong>+lockdown_keys</strong> prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename 
@@ -359,54 +350,54 @@ operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only -be removed using kadmin.local.</dd> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-nokey</strong></dt> -<dd>Causes the principal to be created with no key. New in release -1.12.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Sets the password of the principal to the specified string and +be removed using kadmin.local.</p> +</dd> +<dt><strong>-randkey</strong></dt><dd><p>Sets the key of the principal to a random value.</p> +</dd> +<dt><strong>-nokey</strong></dt><dd><p>Causes the principal to be created with no key. New in release +1.12.</p> +</dd> +<dt><strong>-pw</strong> <em>password</em></dt><dd><p>Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> -<dd>Uses the specified keysalt list for setting the keys of the +via the process list.</p> +</dd> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the keys of the principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a -list of possible values.</dd> -<dt><strong>-x</strong> <em>db_princ_args</em></dt> -<dd><p class="first">Indicates database-specific options. 
The options for the LDAP +list of possible values.</p> +</dd> +<dt><strong>-x</strong> <em>db_princ_args</em></dt><dd><p>Indicates database-specific options. The options for the LDAP database module are:</p> -<dl class="docutils"> -<dt><strong>-x dn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object that will contain the Kerberos -principal being created.</dd> -<dt><strong>-x linkdn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object to which the newly created Kerberos -principal object will point.</dd> -<dt><strong>-x containerdn=</strong><em>container_dn</em></dt> -<dd>Specifies the container object under which the Kerberos -principal is to be created.</dd> -<dt><strong>-x tktpolicy=</strong><em>policy</em></dt> -<dd>Associates a ticket policy to the Kerberos principal.</dd> +<dl class="simple"> +<dt><strong>-x dn=</strong><em>dn</em></dt><dd><p>Specifies the LDAP object that will contain the Kerberos +principal being created.</p> +</dd> +<dt><strong>-x linkdn=</strong><em>dn</em></dt><dd><p>Specifies the LDAP object to which the newly created Kerberos +principal object will point.</p> +</dd> +<dt><strong>-x containerdn=</strong><em>container_dn</em></dt><dd><p>Specifies the container object under which the Kerberos +principal is to be created.</p> +</dd> +<dt><strong>-x tktpolicy=</strong><em>policy</em></dt><dd><p>Associates a ticket policy to the Kerberos principal.</p> +</dd> </dl> -<div class="last admonition note"> -<p class="first admonition-title">Note</p> -<ul class="last simple"> -<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be -specified with the <strong>dn</strong> option.</li> -<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while +<div class="admonition note"> +<p class="admonition-title">Note</p> +<ul class="simple"> +<li><p>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be +specified with the <strong>dn</strong> option.</p></li> +<li><p>If the 
<em>dn</em> or <em>containerdn</em> options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm -container.</li> -<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or -principal container configured in the realm.</li> +container.</p></li> +<li><p><em>dn</em> and <em>containerdn</em> should be within the subtrees or +principal container configured in the realm.</p></li> </ul> </div> </dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">jennifer</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">jennifer</span> <span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">"jennifer@ATHENA.MIT.EDU"</span><span class="p">;</span> <span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span><span class="o">.</span> <span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> 
@@ -415,11 +406,12 @@ principal container configured in the realm.</li> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify-principal"> +</section> +<section id="modify-principal"> <span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote> +<div><p><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></p> +</div></blockquote> <p>Modifies the specified principal, changing the fields as specified. The options to <strong>add_principal</strong> also apply to this command, except for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the 
@@ -427,36 +419,39 @@ option <strong>-clearpolicy</strong> will clear the current policy of a principa <p>This command requires the <em>modify</em> privilege.</p> <p>Alias: <strong>modprinc</strong></p> <p>Options (in addition to the <strong>addprinc</strong> options):</p> -<dl class="docutils"> -<dt><strong>-unlock</strong></dt> -<dd>Unlocks a locked principal (one which has received too many failed +<dl class="simple"> +<dt><strong>-unlock</strong></dt><dd><p>Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate.</dd> +to its password policy) so that it can successfully authenticate.</p> +</dd> </dl> -</div> -<div class="section" id="rename-principal"> +</section> +<section id="rename-principal"> <span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></div></blockquote> +<div><p><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></p> +</div></blockquote> <p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. 
This command prompts for confirmation, unless the <strong>-force</strong> option is given.</p> <p>This command requires the <strong>add</strong> and <strong>delete</strong> privileges.</p> <p>Alias: <strong>renprinc</strong></p> -</div> -<div class="section" id="delete-principal"> +</section> +<section id="delete-principal"> <span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote> +<div><p><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></p> +</div></blockquote> <p>Deletes the specified <em>principal</em> from the database. This command prompts for deletion, unless the <strong>-force</strong> option is given.</p> <p>This command requires the <strong>delete</strong> privilege.</p> <p>Alias: <strong>delprinc</strong></p> -</div> -<div class="section" id="change-password"> +</section> +<section id="change-password"> <span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote> +<div><p><strong>change_password</strong> [<em>options</em>] <em>principal</em></p> +</div></blockquote> <p>Changes the password of <em>principal</em>. Prompts for a new password if neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p> <p>This command requires the <strong>changepw</strong> privilege, or that the 
@@ -464,52 +459,54 @@ principal running the program is the same as the principal being changed.</p> <p>Alias: <strong>cpw</strong></p> <p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Set the password to the specified string. Using this option in a +<dl class="simple"> +<dt><strong>-randkey</strong></dt><dd><p>Sets the key of the principal to a random value.</p> +</dd> +<dt><strong>-pw</strong> <em>password</em></dt><dd><p>Set the password to the specified string. Using this option in a script may expose the password to other users on the system via -the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> -<dd>Uses the specified keysalt list for setting the keys of the +the process list.</p> +</dd> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the keys of the principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a -list of possible values.</dd> -<dt><strong>-keepold</strong></dt> -<dd>Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for <code class="docutils literal"><span class="pre">krbtgt</span></code> principals.</dd> +list of possible values.</p> +</dd> +<dt><strong>-keepold</strong></dt><dd><p>Keeps the existing keys in the database. 
This flag is usually not +necessary except perhaps for <code class="docutils literal notranslate"><span class="pre">krbtgt</span></code> principals.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">cpw</span> <span class="n">systest</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">cpw</span> <span class="n">systest</span> <span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">Password</span> <span class="k">for</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="n">changed</span><span class="o">.</span> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="purgekeys"> +</section> +<section id="purgekeys"> <span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></div></blockquote> +<div><p><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></p> +</div></blockquote> <p>Purges previously retained old keys (e.g., 
from <strong>change_password -keepold</strong>) from <em>principal</em>. If <strong>-keepkvno</strong> is specified, then only purges keys with kvnos lower than <em>oldest_kvno_to_keep</em>. If <strong>-all</strong> is specified, then all keys are purged. The <strong>-all</strong> option is new in release 1.12.</p> <p>This command requires the <strong>modify</strong> privilege.</p> -</div> -<div class="section" id="get-principal"> +</section> +<section id="get-principal"> <span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote> +<div><p><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></p> +</div></blockquote> <p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs fields as quoted tab-separated strings.</p> <p>This command requires the <strong>inquire</strong> privilege, or that the principal running the the program to be the same as the one being listed.</p> <p>Alias: <strong>getprinc</strong></p> <p>Examples:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span> <span class="n">Principal</span><span class="p">:</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="n">Expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span 
class="n">never</span><span class="p">]</span> <span class="n">Last</span> <span class="n">password</span> <span class="n">change</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span> 
@@ -533,22 +530,23 @@ running the the program to be the same as the one being listed.</p> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="list-principals"> +</section> +<section id="list-principals"> <span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote> +<div><p><strong>list_principals</strong> [<em>expression</em>]</p> +</div></blockquote> <p>Retrieves all or some principal names. <em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>, -<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All principal names matching the expression are +glob expression that can contain the wild-card characters <code class="docutils literal notranslate"><span class="pre">?</span></code>, +<code class="docutils literal notranslate"><span class="pre">*</span></code>, and <code class="docutils literal notranslate"><span class="pre">[]</span></code>. All principal names matching the expression are printed. If no expression is provided, all principal names are -printed. If the expression does not contain an <code class="docutils literal"><span class="pre">@</span></code> character, an -<code class="docutils literal"><span class="pre">@</span></code> character followed by the local realm is appended to the +printed. 
If the expression does not contain an <code class="docutils literal notranslate"><span class="pre">@</span></code> character, an +<code class="docutils literal notranslate"><span class="pre">@</span></code> character followed by the local realm is appended to the expression.</p> <p>This command requires the <strong>list</strong> privilege.</p> <p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>getprincs</strong></p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listprincs</span> <span class="n">test</span><span class="o">*</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listprincs</span> <span class="n">test</span><span class="o">*</span> <span class="n">test3</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span> <span class="n">test2</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span> <span class="n">test1</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span> 
@@ -556,169 +554,176 @@ expression.</p> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="get-strings"> +</section> +<section id="get-strings"> <span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>get_strings</strong> <em>principal</em></div></blockquote> +<div><p><strong>get_strings</strong> <em>principal</em></p> +</div></blockquote> <p>Displays string attributes on <em>principal</em>.</p> <p>This command requires the <strong>inquire</strong> privilege.</p> <p>Alias: <strong>getstrs</strong></p> -</div> -<div class="section" id="set-string"> +</section> +<section id="set-string"> <span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></div></blockquote> +<div><p><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></p> +</div></blockquote> <p>Sets a string attribute on <em>principal</em>. String attributes are used to supply per-principal configuration to the KDC and some KDC plugin modules. The following string attribute names are recognized by the KDC:</p> -<dl class="docutils"> -<dt><strong>require_auth</strong></dt> -<dd>Specifies an authentication indicator which is required to +<dl class="simple"> +<dt><strong>require_auth</strong></dt><dd><p>Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the -specified indicators will be accepted. (New in release 1.14.)</dd> -<dt><strong>session_enctypes</strong></dt> -<dd>Specifies the encryption types supported for session keys when the +specified indicators will be accepted. 
(New in release 1.14.)</p> +</dd> +<dt><strong>session_enctypes</strong></dt><dd><p>Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See <a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the -accepted values.</dd> -<dt><strong>otp</strong></dt> -<dd>Enables One Time Passwords (OTP) preauthentication for a client +accepted values.</p> +</dd> +<dt><strong>otp</strong></dt><dd><p>Enables One Time Passwords (OTP) preauthentication for a client <em>principal</em>. The <em>value</em> is a JSON string representing an array -of objects, each having optional <code class="docutils literal"><span class="pre">type</span></code> and <code class="docutils literal"><span class="pre">username</span></code> fields.</dd> -<dt><strong>pkinit_cert_match</strong></dt> -<dd>Specifies a matching expression that defines the certificate +of objects, each having optional <code class="docutils literal notranslate"><span class="pre">type</span></code> and <code class="docutils literal notranslate"><span class="pre">username</span></code> fields.</p> +</dd> +<dt><strong>pkinit_cert_match</strong></dt><dd><p>Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the <strong>pkinit_cert_match</strong> -option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. 
(New in release 1.16.)</dd> -<dt><strong>pac_privsvr_enctype</strong></dt> -<dd>Forces the encryption type of the PAC KDC checksum buffers to the +option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. (New in release 1.16.)</p> +</dd> +<dt><strong>pac_privsvr_enctype</strong></dt><dd><p>Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by deriving a key from the local krbtgt key if it is of a different encryption type. It may be necessary to set this value to “aes256-sha1” on the cross-realm krbtgt entry for an Active Directory realm when using aes-sha2 keys on the local krbtgt -entry.</dd> +entry.</p> +</dd> </dl> <p>This command requires the <strong>modify</strong> privilege.</p> <p>Alias: <strong>setstr</strong></p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">set_string</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">session_enctypes</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">set_string</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">session_enctypes</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span> <span class="n">set_string</span> <span class="n">user</span><span class="nd">@FOO</span><span class="o">.</span><span class="n">COM</span> <span class="n">otp</span> <span class="s2">"[{""type"":""hotp"",""username"":""al""}]"</span> </pre></div> </div> -</div> -<div 
class="section" id="del-string"> +</section> +<section id="del-string"> <span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>del_string</strong> <em>principal</em> <em>key</em></div></blockquote> +<div><p><strong>del_string</strong> <em>principal</em> <em>key</em></p> +</div></blockquote> <p>Deletes a string attribute from <em>principal</em>.</p> <p>This command requires the <strong>delete</strong> privilege.</p> <p>Alias: <strong>delstr</strong></p> -</div> -<div class="section" id="add-policy"> +</section> +<section id="add-policy"> <span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> +<div><p><strong>add_policy</strong> [<em>options</em>] <em>policy</em></p> +</div></blockquote> <p>Adds a password policy named <em>policy</em> to the database.</p> <p>This command requires the <strong>add</strong> privilege.</p> <p>Alias: <strong>addpol</strong></p> <p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-maxlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the maximum -lifetime of a password.</dd> -<dt><strong>-minlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the minimum -lifetime of a password.</dd> -<dt><strong>-minlength</strong> <em>length</em></dt> -<dd>Sets the 
minimum length of a password.</dd> -<dt><strong>-minclasses</strong> <em>number</em></dt> -<dd>Sets the minimum number of character classes required in a +<dl class="simple"> +<dt><strong>-maxlife</strong> <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the maximum +lifetime of a password.</p> +</dd> +<dt><strong>-minlife</strong> <em>time</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the minimum +lifetime of a password.</p> +</dd> +<dt><strong>-minlength</strong> <em>length</em></dt><dd><p>Sets the minimum length of a password.</p> +</dd> +<dt><strong>-minclasses</strong> <em>number</em></dt><dd><p>Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters.</dd> -<dt><strong>-history</strong> <em>number</em></dt> -<dd>Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module.</dd> +numbers, punctuation, and whitespace/unprintable characters.</p> +</dd> +<dt><strong>-history</strong> <em>number</em></dt><dd><p>Sets the number of past keys kept for a principal. 
This option is +not supported with the LDAP KDC database module.</p> +</dd> </dl> -<dl class="docutils" id="policy-maxfailure"> -<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt> -<dd>Sets the number of authentication failures before the principal is +<dl class="simple" id="policy-maxfailure"> +<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt><dd><p>Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A -<em>maxnumber</em> value of 0 (the default) disables lockout.</dd> +<em>maxnumber</em> value of 0 (the default) disables lockout.</p> +</dd> </dl> -<dl class="docutils" id="policy-failurecountinterval"> -<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the allowable time +<dl class="simple" id="policy-failurecountinterval"> +<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the allowable time between authentication failures. If an authentication failure happens after <em>failuretime</em> has elapsed since the previous failure, the number of authentication failures is reset to 1. 
A -<em>failuretime</em> value of 0 (the default) means forever.</dd> +<em>failuretime</em> value of 0 (the default) means forever.</p> +</dd> </dl> -<dl class="docutils" id="policy-lockoutduration"> -<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the duration for +<dl class="simple" id="policy-lockoutduration"> +<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked -with <code class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></code>.</dd> -<dt><strong>-allowedkeysalts</strong></dt> -<dd>Specifies the key/salt tuples supported for long-term keys when +with <code class="docutils literal notranslate"><span class="pre">modprinc</span> <span class="pre">-unlock</span></code>.</p> +</dd> +<dt><strong>-allowedkeysalts</strong></dt><dd><p>Specifies the key/salt tuples supported for long-term keys when setting or changing a principal’s password/keys. 
See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the accepted values, but note that key/salt tuples must be separated with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.</dd> +a value of ‘-‘.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_policy</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"2 days"</span> <span class="o">-</span><span class="n">minlength</span> <span class="mi">5</span> <span class="n">guests</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_policy</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"2 days"</span> <span class="o">-</span><span class="n">minlength</span> <span class="mi">5</span> <span class="n">guests</span> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify-policy"> +</section> +<section id="modify-policy"> <span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> +<div><p><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></p> +</div></blockquote> <p>Modifies the password policy named <em>policy</em>. 
Options are as described for <strong>add_policy</strong>.</p> <p>This command requires the <strong>modify</strong> privilege.</p> <p>Alias: <strong>modpol</strong></p> -</div> -<div class="section" id="delete-policy"> +</section> +<section id="delete-policy"> <span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote> +<div><p><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></p> +</div></blockquote> <p>Deletes the password policy named <em>policy</em>. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals.</p> <p>This command requires the <strong>delete</strong> privilege.</p> <p>Alias: <strong>delpol</strong></p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span>kadmin: del_policy guests +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kadmin: del_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes kadmin: </pre></div> </div> -</div> -<div class="section" id="get-policy"> +</section> +<section id="get-policy"> <span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote> +<div><p><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></p> +</div></blockquote> <p>Displays the values of the password policy named <em>policy</em>. 
With the <strong>-terse</strong> flag, outputs the fields as quoted strings separated by tabs.</p> <p>This command requires the <strong>inquire</strong> privilege.</p> <p>Alias: <strong>getpol</strong></p> <p>Examples:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="n">admin</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="n">admin</span> <span class="n">Policy</span><span class="p">:</span> <span class="n">admin</span> <span class="n">Maximum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">180</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> <span class="n">Minimum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span> 
@@ -735,20 +740,21 @@ tabs.</p> <p>The “Reference count” is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful.</p> -</div> -<div class="section" id="list-policies"> +</section> +<section id="list-policies"> <span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote> +<div><p><strong>list_policies</strong> [<em>expression</em>]</p> +</div></blockquote> <p>Retrieves all or some policy names. <em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>, -<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All policy names matching the expression are +glob expression that can contain the wild-card characters <code class="docutils literal notranslate"><span class="pre">?</span></code>, +<code class="docutils literal notranslate"><span class="pre">*</span></code>, and <code class="docutils literal notranslate"><span class="pre">[]</span></code>. All policy names matching the expression are printed. 
If no expression is provided, all existing policy names are printed.</p> <p>This command requires the <strong>list</strong> privilege.</p> <p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p> <p>Examples:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> <span class="n">test</span><span class="o">-</span><span class="n">pol</span> <span class="nb">dict</span><span class="o">-</span><span class="n">only</span> <span class="n">once</span><span class="o">-</span><span class="n">a</span><span class="o">-</span><span class="nb">min</span> @@ -760,8 +766,8 @@ printed.</p> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="ktadd"> +</section> +<section id="ktadd"> <span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3> <blockquote> <div><div class="line-block"> 
@@ -776,38 +782,39 @@ command.</p> <p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges. With the <strong>-glob</strong> form, it also requires the <strong>list</strong> privilege.</p> <p>The options are:</p> -<dl class="docutils"> -<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is -used.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt> -<dd>Uses the specified keysalt list for setting the new keys of the +<dl class="simple"> +<dt><strong>-k[eytab]</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is +used.</p> +</dd> +<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt><dd><p>Uses the specified keysalt list for setting the new keys of the principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a -list of possible values.</dd> -<dt><strong>-q</strong></dt> -<dd>Display less verbose information.</dd> -<dt><strong>-norandkey</strong></dt> -<dd>Do not randomize the keys. The keys and their version numbers stay +list of possible values.</p> +</dd> +<dt><strong>-q</strong></dt><dd><p>Display less verbose information.</p> +</dd> +<dt><strong>-norandkey</strong></dt><dd><p>Do not randomize the keys. The keys and their version numbers stay unchanged. 
This option cannot be specified in combination with the -<strong>-e</strong> option.</dd> +<strong>-e</strong> option.</p> +</dd> </dl> <p>An entry for each of the principal’s unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.</p> <p>Alias: <strong>xst</strong></p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span 
class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="ktremove"> +</section> +<section id="ktremove"> <span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote> +<div><p><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</p> +</div></blockquote> <p>Removes entries for the specified <em>principal</em> from a keytab. Requires no permissions, since this does not require database access.</p> <p>If the string “all” is specified, all entries for that principal are 
@@ -816,64 +823,66 @@ principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed.</p> <p>The options are:</p> -<dl class="docutils"> -<dt><strong>-k[eytab]</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is -used.</dd> -<dt><strong>-q</strong></dt> -<dd>Display less verbose information.</dd> +<dl class="simple"> +<dt><strong>-k[eytab]</strong> <em>keytab</em></dt><dd><p>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is +used.</p> +</dd> +<dt><strong>-q</strong></dt><dd><p>Display less verbose information.</p> +</dd> </dl> <p>Alias: <strong>ktrem</strong></p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span> <span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span> <span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="lock"> 
+</section> +<section id="lock"> <h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3> <p>Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module.</p> -</div> -<div class="section" id="unlock"> +</section> +<section id="unlock"> <h3>unlock<a class="headerlink" href="#unlock" title="Permalink to this headline">¶</a></h3> <p>Release the exclusive database lock.</p> -</div> -<div class="section" id="list-requests"> +</section> +<section id="list-requests"> <h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3> <p>Lists available for kadmin requests.</p> <p>Aliases: <strong>lr</strong>, <strong>?</strong></p> -</div> -<div class="section" id="quit"> +</section> +<section id="quit"> <h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3> <p>Exit program. If the database was locked, the lock is released.</p> <p>Aliases: <strong>exit</strong>, <strong>q</strong></p> -</div> -</div> -<div class="section" id="history"> +</section> +</section> +<section id="history"> <h2>HISTORY<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2> <p>The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.</p> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" 
href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kadmin</a><ul> @@ -977,6 +986,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -984,8 +994,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html index 0b103a0b6619..66b384d775c4 100644 --- a/doc/html/admin/admin_commands/kadmind.html +++ b/doc/html/admin/admin_commands/kadmind.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kadmind — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kdb5_util" href="kdb5_util.html" /> <link rel="prev" title="kadmin" href="kadmin_local.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kadmind"> + <section id="kadmind"> <span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>kadmind</strong> [<strong>-x</strong> <em>db_args</em>] @@ -77,8 +68,8 @@ [<strong>-K</strong> <em>kprop_path</em>] [<strong>-k</strong> <em>kprop_port</em>] [<strong>-F</strong> <em>dump_file</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kadmind starts the Kerberos administration server. kadmind typically runs on the primary Kerberos server, which stores the KDC database. 
@@ -88,18 +79,18 @@ remote requests from programs such as <a class="reference internal" href="kadmin <a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> to administer the information in these database.</p> <p>kadmind requires a number of configuration files to be set up in order for it to work:</p> -<dl class="docutils"> -<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a></dt> -<dd>The KDC configuration file contains configuration information for +<dl class="simple"> +<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a></dt><dd><p>The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the <strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related -settings.</dd> -<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></dt> -<dd>kadmind’s ACL (access control list) tells it which principals are +settings.</p> +</dd> +<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></dt><dd><p>kadmind’s ACL (access control list) tells it which principals are allowed to perform administration actions. 
The pathname to the ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> -variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>.</dd> +variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kadm5.acl</span></code>.</p> +</dd> </dl> <p>After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal.</p> 
@@ -108,74 +99,76 @@ Incremental propagation allows replica KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file with the <strong>iprop_enable</strong> option. Incremental -propagation requires the principal <code class="docutils literal"><span class="pre">kiprop/PRIMARY\@REALM</span></code> (where +propagation requires the principal <code class="docutils literal notranslate"><span class="pre">kiprop/PRIMARY\@REALM</span></code> (where PRIMARY is the primary KDC’s canonical host name, and REALM the realm name). In release 1.13, this principal is automatically created and registered into the datebase.</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>specifies the realm that kadmind will serve; if it is not -specified, the default realm of the host is used.</dd> -<dt><strong>-m</strong></dt> -<dd>causes the master database password to be fetched from the +<dl class="simple"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the realm that kadmind will serve; if it is not +specified, the default realm of the host is used.</p> +</dd> +<dt><strong>-m</strong></dt><dd><p>causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the <strong>-nofork</strong> option) rather than from a file on -disk.</dd> -<dt><strong>-nofork</strong></dt> -<dd>causes the server to remain in the foreground and remain -associated to the terminal.</dd> -<dt><strong>-proponly</strong></dt> -<dd>causes the server to only listen and respond to Kerberos replica +disk.</p> +</dd> 
+<dt><strong>-nofork</strong></dt><dd><p>causes the server to remain in the foreground and remain +associated to the terminal.</p> +</dd> +<dt><strong>-proponly</strong></dt><dd><p>causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a replica KDC -provides incremental updates to other Kerberos replicas.</dd> -<dt><strong>-port</strong> <em>port-number</em></dt> -<dd>specifies the port on which the administration server listens for +provides incremental updates to other Kerberos replicas.</p> +</dd> +<dt><strong>-port</strong> <em>port-number</em></dt><dd><p>specifies the port on which the administration server listens for connections. The default port is determined by the -<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-P</strong> <em>pid_file</em></dt> -<dd>specifies the file to which the PID of kadmind process should be +<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-P</strong> <em>pid_file</em></dt><dd><p>specifies the file to which the PID of kadmind process should be written after it starts up. 
This file can be used to identify whether kadmind is still running and to allow init scripts to stop -the correct process.</dd> -<dt><strong>-p</strong> <em>kdb5_util_path</em></dt> -<dd>specifies the path to the kdb5_util command to use when dumping the -KDB in response to full resync requests when iprop is enabled.</dd> -<dt><strong>-K</strong> <em>kprop_path</em></dt> -<dd>specifies the path to the kprop command to use to send full dumps -to replicas in response to full resync requests.</dd> -<dt><strong>-k</strong> <em>kprop_port</em></dt> -<dd>specifies the port by which the kprop process that is spawned by +the correct process.</p> +</dd> +<dt><strong>-p</strong> <em>kdb5_util_path</em></dt><dd><p>specifies the path to the kdb5_util command to use when dumping the +KDB in response to full resync requests when iprop is enabled.</p> +</dd> +<dt><strong>-K</strong> <em>kprop_path</em></dt><dd><p>specifies the path to the kprop command to use to send full dumps +to replicas in response to full resync requests.</p> +</dd> +<dt><strong>-k</strong> <em>kprop_port</em></dt><dd><p>specifies the port by which the kprop process that is spawned by kadmind connects to the replica kpropd, in order to transfer the -dump file during an iprop full resync request.</dd> -<dt><strong>-F</strong> <em>dump_file</em></dt> -<dd>specifies the file path to be used for dumping the KDB in response -to full resync requests when iprop is enabled.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>specifies database-specific arguments. 
See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd> +dump file during an iprop full resync request.</p> +</dd> +<dt><strong>-F</strong> <em>dump_file</em></dt><dd><p>specifies the file path to be used for dumping the KDB in response +to full resync requests when iprop is enabled.</p> +</dd> +<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</p> +</dd> </dl> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" 
href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kadmind</a><ul> @@ -252,6 +245,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -259,8 +253,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html index fdead5e699a0..7b6321b5b8d9 100644 --- a/doc/html/admin/admin_commands/kdb5_ldap_util.html +++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kdb5_ldap_util — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link 
rel="next" title="krb5kdc" href="krb5kdc.html" /> <link rel="prev" title="kdb5_util" href="kdb5_util.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> 
@@ -61,46 +52,46 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kdb5-ldap-util"> + <section id="kdb5-ldap-util"> <span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p id="kdb5-ldap-util-synopsis"><strong>kdb5_ldap_util</strong> [<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]] [<strong>-H</strong> <em>ldapuri</em>] <strong>command</strong> [<em>command_options</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <span id="kdb5-ldap-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kdb5_ldap_util allows an administrator to manage realms, Kerberos services and ticket policies.</p> -</div> -<div class="section" id="command-line-options"> +</section> +<section id="command-line-options"> <h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils" id="kdb5-ldap-util-options"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the realm to be operated on.</dd> -<dt><strong>-D</strong> <em>user_dn</em></dt> -<dd>Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server.</dd> -<dt><strong>-w</strong> <em>passwd</em></dt> -<dd>Specifies the password of <em>user_dn</em>. 
This option is not -recommended.</dd> -<dt><strong>-H</strong> <em>ldapuri</em></dt> -<dd>Specifies the URI of the LDAP server.</dd> +<dl class="simple" id="kdb5-ldap-util-options"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm to be operated on.</p> +</dd> +<dt><strong>-D</strong> <em>user_dn</em></dt><dd><p>Specifies the Distinguished Name (DN) of the user who has +sufficient rights to perform the operation on the LDAP server.</p> +</dd> +<dt><strong>-w</strong> <em>passwd</em></dt><dd><p>Specifies the password of <em>user_dn</em>. This option is not +recommended.</p> +</dd> +<dt><strong>-H</strong> <em>ldapuri</em></dt><dd><p>Specifies the URI of the LDAP server.</p> +</dd> </dl> <p>By default, kdb5_ldap_util operates on the default realm (as specified in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) and connects and authenticates to the LDAP server in the same manner as :ref:kadmind(8)` would given the parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> -</div> -<div class="section" id="commands"> +</section> +<section id="commands"> <span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> -<div class="section" id="create"> +<section id="create"> <h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-create"> -<div><strong>create</strong> +<div><p><strong>create</strong> [<strong>-subtrees</strong> <em>subtree_dn_list</em>] [<strong>-sscope</strong> <em>search_scope</em>] [<strong>-containerref</strong> <em>container_reference_dn</em>] 
@@ -111,56 +102,57 @@ parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#db [<strong>-s</strong>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> +[<em>ticket_flags</em>]</p> +</div></blockquote> <p>Creates realm in directory. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a +<dl class="simple"> +<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt><dd><p>Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated -by colon (<code class="docutils literal"><span class="pre">:</span></code>).</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the +by colon (<code class="docutils literal notranslate"><span class="pre">:</span></code>).</p> +</dd> +<dt><strong>-sscope</strong> <em>search_scope</em></dt><dd><p>Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt> -<dd>Specifies the DN of the container object in which the principals +(subtrees).</p> +</dd> +<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt><dd><p>Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the -realm container.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>Specifies the key type of the master key in the database. The +realm container.</p> +</dd> +<dt><strong>-k</strong> <em>mkeytype</em></dt><dd><p>Specifies the key type of the master key in the database. 
The default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.</dd> -<dt><strong>-M</strong> <em>mkeyname</em></dt> -<dd>Specifies the principal name for the master key in the database. +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-kv</strong> <em>mkeyVNO</em></dt><dd><p>Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed.</p> +</dd> +<dt><strong>-M</strong> <em>mkeyname</em></dt><dd><p>Specifies the principal name for the master key in the database. If not specified, the name is determined by the -<strong>master_key_name</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-m</strong></dt> -<dd>Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>Specifies the master database password. 
This option is not -recommended.</dd> -<dt><strong>-sf</strong> <em>stashfilename</em></dt> -<dd>Specifies the stash file of the master database password.</dd> -<dt><strong>-s</strong></dt> -<dd>Specifies that the stash file is to be created.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. Allowable flags are +<strong>master_key_name</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-m</strong></dt><dd><p>Specifies that the master database password should be read from +the TTY rather than fetched from a file on the disk.</p> +</dd> +<dt><strong>-P</strong> <em>password</em></dt><dd><p>Specifies the master database password. 
This option is not +recommended.</p> +</dd> +<dt><strong>-sf</strong> <em>stashfilename</em></dt><dd><p>Specifies the stash file of the master database password.</p> +</dd> +<dt><strong>-s</strong></dt><dd><p>Specifies that the stash file is to be created.</p> +</dd> +<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for +principals in this realm.</p> +</dd> +<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of +tickets for principals in this realm.</p> +</dd> +<dt><em>ticket_flags</em></dt><dd><p>Specifies global ticket flags for the realm. Allowable flags are documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> +<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div 
class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create</span> <span class="o">-</span><span class="n">subtrees</span> <span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">sscope</span> <span class="n">SUB</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">Initializing</span> <span class="n">database</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">'ATHENA.MIT.EDU'</span> 
@@ -170,56 +162,58 @@ documented in the description of the <strong>add_principal</strong> command in <span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify"> +</section> +<section id="modify"> <span id="kdb5-ldap-util-create-end"></span><h3>modify<a class="headerlink" href="#modify" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-modify"> -<div><strong>modify</strong> +<div><p><strong>modify</strong> [<strong>-subtrees</strong> <em>subtree_dn_list</em>] [<strong>-sscope</strong> <em>search_scope</em>] [<strong>-containerref</strong> <em>container_reference_dn</em>] [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> +[<em>ticket_flags</em>]</p> +</div></blockquote> <p>Modifies the attributes of a realm. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a +<dl class="simple"> +<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt><dd><p>Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated -by colon (<code class="docutils literal"><span class="pre">:</span></code>). This list replaces the existing list.</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the +by colon (<code class="docutils literal notranslate"><span class="pre">:</span></code>). 
This list replaces the existing list.</p> +</dd> +<dt><strong>-sscope</strong> <em>search_scope</em></dt><dd><p>Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt> -<dd>container object in which the principals of a realm will be -created.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. Allowable flags are +(subtrees).</p> +</dd> +<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt><dd><p>container object in which the principals of a realm will be +created.</p> +</dd> +<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for +principals in this realm.</p> +</dd> +<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of +tickets for principals in this realm.</p> +</dd> +<dt><em>ticket_flags</em></dt><dd><p>Specifies global ticket flags for the realm. 
Allowable flags are documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> +<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">modify</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="n">Password</span> <span 
class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">shell</span><span class="o">%</span> </pre></div> </div> -</div> -<div class="section" id="view"> +</section> +<section id="view"> <span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-view"> -<div><strong>view</strong></div></blockquote> +<div><p><strong>view</strong></p> +</div></blockquote> <p>Displays the attributes of a realm.</p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span 
class="o">.</span><span class="n">EDU</span> <span class="n">view</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">Realm</span> <span class="n">Name</span><span class="p">:</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> @@ -231,18 +225,19 @@ documented in the description of the <strong>add_principal</strong> command in <span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span> </pre></div> </div> -</div> -<div class="section" id="destroy"> +</section> +<section id="destroy"> <span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-destroy"> -<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote> +<div><p><strong>destroy</strong> [<strong>-f</strong>]</p> +</div></blockquote> <p>Destroys an existing realm. Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong></dt> -<dd>If specified, will not prompt the user for confirmation.</dd> +<dl class="simple"> +<dt><strong>-f</strong></dt><dd><p>If specified, will not prompt the user for confirmation.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span>shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? 
@@ -251,14 +246,15 @@ OK, deleting database of 'ATHENA.MIT.EDU'... shell% </pre></div> </div> -</div> -<div class="section" id="list"> +</section> +<section id="list"> <span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-list"> -<div><strong>list</strong></div></blockquote> +<div><p><strong>list</strong></p> +</div></blockquote> <p>Lists the names of realms under the container.</p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="nb">list</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 
@@ -267,98 +263,102 @@ shell% <span class="n">shell</span><span class="o">%</span> </pre></div> </div> -</div> -<div class="section" id="stashsrvpw"> +</section> +<section id="stashsrvpw"> <span id="kdb5-ldap-util-list-end"></span><h3>stashsrvpw<a class="headerlink" href="#stashsrvpw" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-stashsrvpw"> -<div><strong>stashsrvpw</strong> +<div><p><strong>stashsrvpw</strong> [<strong>-f</strong> <em>filename</em>] -<em>name</em></div></blockquote> +<em>name</em></p> +</div></blockquote> <p>Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong> <em>filename</em></dt> -<dd>Specifies the complete path of the service password file. By -default, <code class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></code> is used.</dd> -<dt><em>name</em></dt> -<dd>Specifies the name of the object whose password is to be stored. +<dl class="simple"> +<dt><strong>-f</strong> <em>filename</em></dt><dd><p>Specifies the complete path of the service password file. By +default, <code class="docutils literal notranslate"><span class="pre">/usr/local/var/service_passwd</span></code> is used.</p> +</dd> +<dt><em>name</em></dt><dd><p>Specifies the name of the object whose password is to be stored. If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> are configured for simple binding, this should be the distinguished name it will use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. 
If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or -<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd> +<strong>ldap_kadmind_sasl_authcid</strong> variable.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">andrew</span><span class="o">/</span><span class="n">conf_keyfile</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">andrew</span><span class="o">/</span><span class="n">conf_keyfile</span> <span class="n">cn</span><span class="o">=</span><span class="n">service</span><span class="o">-</span><span class="n">kdc</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=service-kdc,o=org"</span><span class="p">:</span> <span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="s2">"cn=service-kdc,o=org"</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="create-policy"> +</section> +<section id="create-policy"> <span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-create-policy"> -<div><strong>create_policy</strong> +<div><p><strong>create_policy</strong> 
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> +<em>policy_name</em></p> +</div></blockquote> <p>Creates a ticket policy in the directory. Options:</p> -<dl class="docutils"> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for -principals.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of -tickets for principals.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies the ticket flags. If this option is not specified, by +<dl class="simple"> +<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for +principals.</p> +</dd> +<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt><dd><p>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of +tickets for principals.</p> +</dd> +<dt><em>ticket_flags</em></dt><dd><p>Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. 
Allowable flags are documented in the description of the <strong>add_principal</strong> -command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> +command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</p> +</dd> +<dt><em>policy_name</em></dt><dd><p>Specifies the name of the ticket policy.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span 
class="n">EDU</span> <span class="n">create_policy</span> <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">"1 day"</span> <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">"1 week"</span> <span class="o">-</span><span class="n">allow_postdated</span> <span class="o">+</span><span class="n">needchange</span> <span class="o">-</span><span class="n">allow_forwardable</span> <span class="n">tktpolicy</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify-policy"> +</section> +<section id="modify-policy"> <span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-modify-policy"> -<div><strong>modify_policy</strong> +<div><p><strong>modify_policy</strong> [<strong>-maxtktlife</strong> <em>max_ticket_life</em>] [<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] [<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> +<em>policy_name</em></p> +</div></blockquote> <p>Modifies the attributes of a ticket policy. 
Options are same as for <strong>create_policy</strong>.</p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">modify_policy</span> <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">"60 minutes"</span> <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">"10 hours"</span> <span class="o">+</span><span class="n">allow_postdated</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">tktpolicy</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="view-policy"> +</section> +<section id="view-policy"> <span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a 
class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-view-policy"> -<div><strong>view_policy</strong> -<em>policy_name</em></div></blockquote> +<div><p><strong>view_policy</strong> +<em>policy_name</em></p> +</div></blockquote> <p>Displays the attributes of the named ticket policy.</p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view_policy</span> <span class="n">tktpolicy</span> <span class="n">Password</span> <span class="k">for</span> <span 
class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">Ticket</span> <span class="n">policy</span><span class="p">:</span> <span class="n">tktpolicy</span> 
@@ -367,23 +367,24 @@ command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span <span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span> </pre></div> </div> -</div> -<div class="section" id="destroy-policy"> +</section> +<section id="destroy-policy"> <span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-destroy-policy"> -<div><strong>destroy_policy</strong> +<div><p><strong>destroy_policy</strong> [<strong>-force</strong>] -<em>policy_name</em></div></blockquote> +<em>policy_name</em></p> +</div></blockquote> <p>Destroys an existing ticket policy. Options:</p> -<dl class="docutils"> -<dt><strong>-force</strong></dt> -<dd>Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> +<dl class="simple"> +<dt><strong>-force</strong></dt><dd><p>Forces the deletion of the policy object. If not specified, the +user will be prompted for confirmation before deleting the policy.</p> +</dd> +<dt><em>policy_name</em></dt><dd><p>Specifies the name of the ticket policy.</p> +</dd> </dl> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU destroy_policy tktpolicy Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? 
@@ -391,14 +392,15 @@ This will delete the policy object 'tktpolicy', are you sure? ** policy object 'tktpolicy' deleted. </pre></div> </div> -</div> -<div class="section" id="list-policy"> +</section> +<section id="list-policy"> <span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-ldap-util-list-policy"> -<div><strong>list_policy</strong></div></blockquote> +<div><p><strong>list_policy</strong></p> +</div></blockquote> <p>Lists ticket policies.</p> <p>Example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span 
class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">list_policy</span> <span class="n">Password</span> <span class="k">for</span> <span class="s2">"cn=admin,o=org"</span><span class="p">:</span> <span class="n">tktpolicy</span> @@ -406,25 +408,27 @@ This will delete the policy object 'tktpolicy', are you sure? <span class="n">userpolicy</span> </pre></div> </div> -</div> -</div> -<div class="section" id="environment"> +</section> +</section> +<section id="environment"> <span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kdb5_ldap_util</a><ul> @@ -515,6 +519,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> 
@@ -522,8 +527,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html index e9b685610836..eb50fcd78b51 100644 --- a/doc/html/admin/admin_commands/kdb5_util.html +++ b/doc/html/admin/admin_commands/kdb5_util.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kdb5_util — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kdb5_ldap_util" href="kdb5_ldap_util.html" /> <link rel="prev" title="kadmind" href="kadmind.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kdb5-util"> + <section id="kdb5-util"> <span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p id="kdb5-util-synopsis"><strong>kdb5_util</strong> [<strong>-r</strong> <em>realm</em>] @@ -76,8 +67,8 @@ [<strong>-P</strong> <em>password</em>] [<strong>-x</strong> <em>db_args</em>] <em>command</em> [<em>command_options</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <span id="kdb5-util-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kdb5_util allows an administrator to perform maintenance procedures on the KDC database. Databases can be created, destroyed, and dumped to 
@@ -89,131 +80,135 @@ not kdb5_util successfully opens the database, because the database may not exist yet or the stash file may be corrupt.</p> <p>Note that some KDC database modules may not support all kdb5_util commands.</p> -</div> -<div class="section" id="command-line-options"> +</section> +<section id="command-line-options"> <h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils" id="kdb5-util-options"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>specifies the Kerberos realm of the database.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>specifies the name under which the principal database is stored; +<dl class="simple" id="kdb5-util-options"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>specifies the Kerberos realm of the database.</p> +</dd> +<dt><strong>-d</strong> <em>dbname</em></dt><dd><p>specifies the name under which the principal database is stored; by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. The password policy database and lock files are also derived from this -value.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>specifies the key type of the master key in the database. The +value.</p> +</dd> +<dt><strong>-k</strong> <em>mkeytype</em></dt><dd><p>specifies the key type of the master key in the database. The default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.</dd> -<dt><strong>-M</strong> <em>mkeyname</em></dt> -<dd>principal name for the master key in the database. 
If not +<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-kv</strong> <em>mkeyVNO</em></dt><dd><p>Specifies the version number of the master key in the database; +the default is 1. Note that 0 is not allowed.</p> +</dd> +<dt><strong>-M</strong> <em>mkeyname</em></dt><dd><p>principal name for the master key in the database. If not specified, the name is determined by the <strong>master_key_name</strong> -variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-m</strong></dt> -<dd>specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk.</dd> -<dt><strong>-sf</strong> <em>stash_file</em></dt> -<dd>specifies the stash filename of the master database password. If +variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-m</strong></dt><dd><p>specifies that the master database password should be read from +the keyboard rather than fetched from a file on disk.</p> +</dd> +<dt><strong>-sf</strong> <em>stash_file</em></dt><dd><p>specifies the stash filename of the master database password. If not specified, the filename is determined by the -<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>specifies the master database password. Using this option may +<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> +</dd> +<dt><strong>-P</strong> <em>password</em></dt><dd><p>specifies the master database password. 
Using this option may expose the password to other users on the system via the process -list.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>specifies database-specific options. See <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for -supported options.</dd> +list.</p> +</dd> +<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>specifies database-specific options. See <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for +supported options.</p> +</dd> </dl> -</div> -<div class="section" id="commands"> +</section> +<section id="commands"> <span id="kdb5-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> -<div class="section" id="create"> +<section id="create"> <h3>create<a class="headerlink" href="#create" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-create"> -<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote> +<div><p><strong>create</strong> [<strong>-s</strong>]</p> +</div></blockquote> <p>Creates a new database. If the <strong>-s</strong> option is specified, the stash file is also created. This command fails if the database already exists. If the command is successful, the database is opened just as if it had already existed when the program was first run.</p> -</div> -<div class="section" id="destroy"> +</section> +<section id="destroy"> <span id="kdb5-util-create-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-destroy"> -<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote> +<div><p><strong>destroy</strong> [<strong>-f</strong>]</p> +</div></blockquote> <p>Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation. 
With the <strong>-f</strong> argument, does not prompt the user.</p> -</div> -<div class="section" id="stash"> +</section> +<section id="stash"> <span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-stash"> -<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote> +<div><p><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</p> +</div></blockquote> <p>Stores the master principal’s keys in a stash file. The <strong>-f</strong> argument can be used to override the <em>keyfile</em> specified in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p> -</div> -<div class="section" id="dump"> +</section> +<section id="dump"> <span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-dump"> -<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] +<div><p><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-verbose</strong>] [<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>] [<strong>-recurse</strong>] [<em>filename</em> -[<em>principals</em>…]]</div></blockquote> +[<em>principals</em>…]]</p> +</div></blockquote> <p>Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, “kdb5_util load_dump version 7”. If filename is not specified, or is the string -“-“, the dump is sent to standard output. Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util +“-”, the dump is sent to standard output. 
Options:</p> +<dl> +<dt><strong>-b7</strong></dt><dd><p>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util load_dump version 4”). This was the dump format produced on -releases prior to 1.2.2.</dd> -<dt><strong>-r13</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util +releases prior to 1.2.2.</p> +</dd> +<dt><strong>-r13</strong></dt><dd><p>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util +releases prior to 1.8.</p> +</dd> +<dt><strong>-r18</strong></dt><dd><p>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-mkey_convert</strong></dt> -<dd>prompts for a new master key. This new master key will be used to +releases prior to 1.11.</p> +</dd> +<dt><strong>-verbose</strong></dt><dd><p>causes the name of each principal and policy to be printed as it +is dumped.</p> +</dd> +<dt><strong>-mkey_convert</strong></dt><dd><p>prompts for a new master key. This new master key will be used to re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed.</dd> -<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt> -<dd>the filename of a stash file. The master key in this stash file +themselves will not be changed.</p> +</dd> +<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt><dd><p>the filename of a stash file. The master key in this stash file will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed.</dd> -<dt><strong>-rev</strong></dt> -<dd>dumps in reverse order. 
This may recover principals that do not -dump normally, in cases where database corruption has occurred.</dd> -<dt><strong>-recurse</strong></dt> -<dd><p class="first">causes the dump to walk the database recursively (btree only). +data in the database will not be changed.</p> +</dd> +<dt><strong>-rev</strong></dt><dd><p>dumps in reverse order. This may recover principals that do not +dump normally, in cases where database corruption has occurred.</p> +</dd> +<dt><strong>-recurse</strong></dt><dd><p>causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such corruption, this option will probably retrieve more principals than the <strong>-rev</strong> option will.</p> <div class="versionchanged"> -<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong> +<p><span class="versionmodified changed">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong> option.</p> </div> -<div class="last versionchanged"> -<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15, +<div class="versionchanged"> +<p><span class="versionmodified changed">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15, doing a normal dump instead of a recursive traversal.</p> </div> </dd> </dl> -</div> -<div class="section" id="load"> +</section> +<section id="load"> <span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3> <blockquote id="kdb5-util-load"> -<div><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>] -[<strong>-verbose</strong>] [<strong>-update</strong>] 
<em>filename</em></div></blockquote> +<div><p><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>] +[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em></p> +</div></blockquote> <p>Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate. Unless 
@@ -222,48 +217,50 @@ containing only the data in the dump file, overwriting the contents of any previously existing database. Note that when using the LDAP KDC database module, the <strong>-update</strong> flag is required.</p> <p>Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>requires the database to be in the Kerberos 5 Beta 7 format +<dl class="simple"> +<dt><strong>-b7</strong></dt><dd><p>requires the database to be in the Kerberos 5 Beta 7 format (“kdb5_util load_dump version 4”). This was the dump format -produced on releases prior to 1.2.2.</dd> -<dt><strong>-r13</strong></dt> -<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util +produced on releases prior to 1.2.2.</p> +</dd> +<dt><strong>-r13</strong></dt><dd><p>requires the database to be in Kerberos 5 1.3 format (“kdb5_util load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util +releases prior to 1.8.</p> +</dd> +<dt><strong>-r18</strong></dt><dd><p>requires the database to be in Kerberos 5 1.8 format (“kdb5_util load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-hash</strong></dt> -<dd>stores the database in hash format, if using the DB2 database +releases prior to 1.11.</p> +</dd> +<dt><strong>-hash</strong></dt><dd><p>stores the database in hash format, if using the DB2 database type. If this option is not specified, the database will be stored in btree format. 
This option is not recommended, as databases stored in hash format are known to corrupt data and lose -principals.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-update</strong></dt> -<dd>records from the dump file are added to or updated in the existing +principals.</p> +</dd> +<dt><strong>-verbose</strong></dt><dd><p>causes the name of each principal and policy to be printed as it +is dumped.</p> +</dd> +<dt><strong>-update</strong></dt><dd><p>records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful -completion.</dd> +completion.</p> +</dd> </dl> -</div> -<div class="section" id="ark"> +</section> +<section id="ark"> <span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></div></blockquote> +<div><p><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></p> +</div></blockquote> <p>Adds new random keys to <em>principal</em> at the next available key version number. Keys for the current highest key version number will be preserved. 
The <strong>-e</strong> option specifies the list of encryption and salt types to be used for the new keys.</p> -</div> -<div class="section" id="add-mkey"> +</section> +<section id="add-mkey"> <h3>add_mkey<a class="headerlink" href="#add-mkey" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</div></blockquote> +<div><p><strong>add_mkey</strong> [<strong>-e</strong> <em>etype</em>] [<strong>-s</strong>]</p> +</div></blockquote> <p>Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The <strong>-e</strong> option specifies the encryption type of the new master key; see @@ -275,11 +272,12 @@ servers via a manual or periodic invocation of <a class="reference internal" hre the stash files on the replica servers should be updated with the kdb5_util <strong>stash</strong> command. Once those steps are complete, the key is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p> -</div> -<div class="section" id="use-mkey"> +</section> +<section id="use-mkey"> <h3>use_mkey<a class="headerlink" href="#use-mkey" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</div></blockquote> +<div><p><strong>use_mkey</strong> <em>mkeyVNO</em> [<em>time</em>]</p> +</div></blockquote> <p>Sets the activation time of the master key specified by <em>mkeyVNO</em>. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no <em>time</em> argument is given, the current 
@@ -288,38 +286,41 @@ active immediately. The format for <em>time</em> is <a class="reference interna <p>After a new master key becomes active, the kdb5_util <strong>update_princ_encryption</strong> command can be used to update all principal keys to be encrypted in the new master key.</p> -</div> -<div class="section" id="list-mkeys"> +</section> +<section id="list-mkeys"> <h3>list_mkeys<a class="headerlink" href="#list-mkeys" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list_mkeys</strong></div></blockquote> +<div><p><strong>list_mkeys</strong></p> +</div></blockquote> <p>List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>getprinc</strong>. A -<code class="docutils literal"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p> -</div> -<div class="section" id="purge-mkeys"> +<code class="docutils literal notranslate"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p> +</section> +<section id="purge-mkeys"> <h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</div></blockquote> +<div><p><strong>purge_mkeys</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>]</p> +</div></blockquote> <p>Delete master keys from the master key principal that are not used to protect any principals. 
This command can be used to remove old master keys all principal keys are protected by a newer master key.</p> -<dl class="docutils"> -<dt><strong>-f</strong></dt> -<dd>does not prompt for confirmation.</dd> -<dt><strong>-n</strong></dt> -<dd>performs a dry run, showing master keys that would be purged, but -not actually purging any keys.</dd> -<dt><strong>-v</strong></dt> -<dd>gives more verbose output.</dd> +<dl class="simple"> +<dt><strong>-f</strong></dt><dd><p>does not prompt for confirmation.</p> +</dd> +<dt><strong>-n</strong></dt><dd><p>performs a dry run, showing master keys that would be purged, but +not actually purging any keys.</p> +</dd> +<dt><strong>-v</strong></dt><dd><p>gives more verbose output.</p> +</dd> </dl> -</div> -<div class="section" id="update-princ-encryption"> +</section> +<section id="update-princ-encryption"> <h3>update_princ_encryption<a class="headerlink" href="#update-princ-encryption" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>] -[<em>princ-pattern</em>]</div></blockquote> +<div><p><strong>update_princ_encryption</strong> [<strong>-f</strong>] [<strong>-n</strong>] [<strong>-v</strong>] +[<em>princ-pattern</em>]</p> +</div></blockquote> <p>Update all principal records (or only those matching the <em>princ-pattern</em> glob pattern) to re-encrypt the key data using the active database master key, if they are encrypted using a different 
@@ -329,12 +330,13 @@ before starting to make changes. The <strong>-v</strong> option causes each principal processed to be listed, with an indication as to whether it needed updating or not. The <strong>-n</strong> option performs a dry run, only showing the actions which would have been taken.</p> -</div> -<div class="section" id="tabdump"> +</section> +<section id="tabdump"> <h3>tabdump<a class="headerlink" href="#tabdump" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>] -<em>dumptype</em></div></blockquote> +<div><p><strong>tabdump</strong> [<strong>-H</strong>] [<strong>-c</strong>] [<strong>-e</strong>] [<strong>-n</strong>] [<strong>-o</strong> <em>outfile</em>] +<em>dumptype</em></p> +</div></blockquote> <p>Dump selected fields of the database in a tabular format suitable for reporting (e.g., using traditional Unix text processing tools) or importing into relational databases. The data format is tab-separated 
@@ -344,128 +346,122 @@ unless suppression is requested using the <strong>-H</strong> option.</p> <p>The <em>dumptype</em> parameter specifies the name of an output table (see below).</p> <p>Options:</p> -<dl class="docutils"> -<dt><strong>-H</strong></dt> -<dd>suppress writing the field names in a header line</dd> -<dt><strong>-c</strong></dt> -<dd>use comma separated values (CSV) format, with minimal quoting, -instead of the default tab-separated (unquoted, unescaped) format</dd> -<dt><strong>-e</strong></dt> -<dd>write empty hexadecimal string fields as empty fields instead of -as “-1”.</dd> -<dt><strong>-n</strong></dt> -<dd>produce numeric output for fields that normally have symbolic +<dl class="simple"> +<dt><strong>-H</strong></dt><dd><p>suppress writing the field names in a header line</p> +</dd> +<dt><strong>-c</strong></dt><dd><p>use comma separated values (CSV) format, with minimal quoting, +instead of the default tab-separated (unquoted, unescaped) format</p> +</dd> +<dt><strong>-e</strong></dt><dd><p>write empty hexadecimal string fields as empty fields instead of +as “-1”.</p> +</dd> +<dt><strong>-n</strong></dt><dd><p>produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. 
Also requests output of -time stamps as decimal POSIX time_t values.</dd> -<dt><strong>-o</strong> <em>outfile</em></dt> -<dd>write the dump to the specified output file instead of to standard -output</dd> +time stamps as decimal POSIX time_t values.</p> +</dd> +<dt><strong>-o</strong> <em>outfile</em></dt><dd><p>write the dump to the specified output file instead of to standard +output</p> +</dd> </dl> <p>Dump types:</p> -<dl class="docutils"> -<dt><strong>keydata</strong></dt> -<dd><p class="first">principal encryption key information, including actual key data +<dl> +<dt><strong>keydata</strong></dt><dd><p>principal encryption key information, including actual key data (which is still encrypted in the master key)</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>keyindex</strong></dt> -<dd>index of this key in the principal’s key list</dd> -<dt><strong>kvno</strong></dt> -<dd>key version number</dd> -<dt><strong>enctype</strong></dt> -<dd>encryption type</dd> -<dt><strong>key</strong></dt> -<dd>key data as a hexadecimal string</dd> -<dt><strong>salttype</strong></dt> -<dd>salt type</dd> -<dt><strong>salt</strong></dt> -<dd>salt data as a hexadecimal string</dd> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>keyindex</strong></dt><dd><p>index of this key in the principal’s key list</p> +</dd> +<dt><strong>kvno</strong></dt><dd><p>key version number</p> +</dd> +<dt><strong>enctype</strong></dt><dd><p>encryption type</p> +</dd> +<dt><strong>key</strong></dt><dd><p>key data as a hexadecimal string</p> +</dd> +<dt><strong>salttype</strong></dt><dd><p>salt type</p> +</dd> +<dt><strong>salt</strong></dt><dd><p>salt data as a hexadecimal string</p> +</dd> </dl> </dd> -<dt><strong>keyinfo</strong></dt> -<dd>principal encryption key information (as in <strong>keydata</strong> above), -excluding actual key data</dd> -<dt><strong>princ_flags</strong></dt> -<dd><p 
class="first">principal boolean attributes. Flag names print as hexadecimal +<dt><strong>keyinfo</strong></dt><dd><p>principal encryption key information (as in <strong>keydata</strong> above), +excluding actual key data</p> +</dd> +<dt><strong>princ_flags</strong></dt><dd><p>principal boolean attributes. Flag names print as hexadecimal numbers if the <strong>-n</strong> option is specified, and all flag positions are printed regardless of whether or not they are set. If <strong>-n</strong> is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set.</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>flag</strong></dt> -<dd>flag name</dd> -<dt><strong>value</strong></dt> -<dd>boolean value (0 for clear, or 1 for set)</dd> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>flag</strong></dt><dd><p>flag name</p> +</dd> +<dt><strong>value</strong></dt><dd><p>boolean value (0 for clear, or 1 for set)</p> +</dd> </dl> </dd> -<dt><strong>princ_lockout</strong></dt> -<dd><p class="first">state information used for tracking repeated password failures</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>last_success</strong></dt> -<dd>time stamp of most recent successful authentication</dd> -<dt><strong>last_failed</strong></dt> -<dd>time stamp of most recent failed authentication</dd> -<dt><strong>fail_count</strong></dt> -<dd>count of failed attempts</dd> +<dt><strong>princ_lockout</strong></dt><dd><p>state information used for tracking repeated password failures</p> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>last_success</strong></dt><dd><p>time stamp of most recent successful authentication</p> +</dd> +<dt><strong>last_failed</strong></dt><dd><p>time stamp of most recent failed authentication</p> 
+</dd> +<dt><strong>fail_count</strong></dt><dd><p>count of failed attempts</p> +</dd> </dl> </dd> -<dt><strong>princ_meta</strong></dt> -<dd><p class="first">principal metadata</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>modby</strong></dt> -<dd>name of last principal to modify this principal</dd> -<dt><strong>modtime</strong></dt> -<dd>timestamp of last modification</dd> -<dt><strong>lastpwd</strong></dt> -<dd>timestamp of last password change</dd> -<dt><strong>policy</strong></dt> -<dd>policy object name</dd> -<dt><strong>mkvno</strong></dt> -<dd>key version number of the master key that encrypts this -principal’s key data</dd> -<dt><strong>hist_kvno</strong></dt> -<dd>key version number of the history key that encrypts the key -history data for this principal</dd> +<dt><strong>princ_meta</strong></dt><dd><p>principal metadata</p> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>modby</strong></dt><dd><p>name of last principal to modify this principal</p> +</dd> +<dt><strong>modtime</strong></dt><dd><p>timestamp of last modification</p> +</dd> +<dt><strong>lastpwd</strong></dt><dd><p>timestamp of last password change</p> +</dd> +<dt><strong>policy</strong></dt><dd><p>policy object name</p> +</dd> +<dt><strong>mkvno</strong></dt><dd><p>key version number of the master key that encrypts this +principal’s key data</p> +</dd> +<dt><strong>hist_kvno</strong></dt><dd><p>key version number of the history key that encrypts the key +history data for this principal</p> +</dd> </dl> </dd> -<dt><strong>princ_stringattrs</strong></dt> -<dd><p class="first">string attributes (key/value pairs)</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>key</strong></dt> -<dd>attribute name</dd> -<dt><strong>value</strong></dt> -<dd>attribute value</dd> +<dt><strong>princ_stringattrs</strong></dt><dd><p>string attributes (key/value 
pairs)</p> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>key</strong></dt><dd><p>attribute name</p> +</dd> +<dt><strong>value</strong></dt><dd><p>attribute value</p> +</dd> </dl> </dd> -<dt><strong>princ_tktpolicy</strong></dt> -<dd><p class="first">per-principal ticket policy data, including maximum ticket +<dt><strong>princ_tktpolicy</strong></dt><dd><p>per-principal ticket policy data, including maximum ticket lifetimes</p> -<dl class="last docutils"> -<dt><strong>name</strong></dt> -<dd>principal name</dd> -<dt><strong>expiration</strong></dt> -<dd>principal expiration date</dd> -<dt><strong>pw_expiration</strong></dt> -<dd>password expiration date</dd> -<dt><strong>max_life</strong></dt> -<dd>maximum ticket lifetime</dd> -<dt><strong>max_renew_life</strong></dt> -<dd>maximum renewable ticket lifetime</dd> +<dl class="simple"> +<dt><strong>name</strong></dt><dd><p>principal name</p> +</dd> +<dt><strong>expiration</strong></dt><dd><p>principal expiration date</p> +</dd> +<dt><strong>pw_expiration</strong></dt><dd><p>password expiration date</p> +</dd> +<dt><strong>max_life</strong></dt><dd><p>maximum ticket lifetime</p> +</dd> +<dt><strong>max_renew_life</strong></dt><dd><p>maximum renewable ticket lifetime</p> +</dd> </dl> </dd> </dl> <p>Examples:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util tabdump -o keyinfo.txt keyinfo +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util tabdump -o keyinfo.txt keyinfo $ cat keyinfo.txt name keyindex kvno enctype salttype salt K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 
@@ -481,25 +477,27 @@ $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1 </pre></div> </div> -</div> -</div> -<div class="section" id="environment"> +</section> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kdb5_util</a><ul> @@ -591,6 +589,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -598,8 +597,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html index 1f2f65de284b..71d2f701bc71 100644 --- a/doc/html/admin/admin_commands/kprop.html +++ b/doc/html/admin/admin_commands/kprop.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kprop — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kpropd" href="kpropd.html" /> <link rel="prev" title="krb5kdc" href="krb5kdc.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kprop"> + <section id="kprop"> <span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>kprop</strong> [<strong>-r</strong> <em>realm</em>] 
@@ -72,50 +63,52 @@ [<strong>-P</strong> <em>port</em>] [<strong>-s</strong> <em>keytab</em>] <em>replica_host</em></p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>kprop is used to securely propagate a Kerberos V5 database dump file from the primary Kerberos server to a replica Kerberos server, which is specified by <em>replica_host</em>. The dump file must be created by <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the realm of the primary server.</dd> -<dt><strong>-f</strong> <em>file</em></dt> -<dd>Specifies the filename where the dumped principal database file is +<dl class="simple"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p> +</dd> +<dt><strong>-f</strong> <em>file</em></dt><dd><p>Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally -<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/replica_datatrans</span></code>.</dd> -<dt><strong>-P</strong> <em>port</em></dt> -<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> server -on the remote host.</dd> -<dt><strong>-d</strong></dt> -<dd>Prints debugging information.</dd> -<dt><strong>-s</strong> <em>keytab</em></dt> -<dd>Specifies the 
location of the keytab file.</dd> +<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/replica_datatrans</span></code>.</p> +</dd> +<dt><strong>-P</strong> <em>port</em></dt><dd><p>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> server +on the remote host.</p> +</dd> +<dt><strong>-d</strong></dt><dd><p>Prints debugging information.</p> +</dd> +<dt><strong>-s</strong> <em>keytab</em></dt><dd><p>Specifies the location of the keytab file.</p> +</dd> </dl> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kprop</a><ul> 
@@ -192,6 +185,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -199,8 +193,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html index aa3e86c11a47..4b9a07f09fc4 100644 --- a/doc/html/admin/admin_commands/kpropd.html +++ b/doc/html/admin/admin_commands/kpropd.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kpropd — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kproplog" href="kproplog.html" /> <link rel="prev" title="kprop" href="kprop.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kpropd"> + <section id="kpropd"> <span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>kpropd</strong> [<strong>-r</strong> <em>realm</em>] @@ -77,8 +68,8 @@ [<strong>-D</strong>] [<strong>-d</strong>] [<strong>-s</strong> <em>keytab_file</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>The <em>kpropd</em> command runs on the replica KDC server. It listens for update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> program. If incremental 
@@ -94,8 +85,8 @@ file, the replica Kerberos server will have an up-to-date KDC database.</p> <p>Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to -the <code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> file which looks like this:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kprop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span> +the <code class="docutils literal notranslate"><span class="pre">/etc/inetd.conf</span></code> file which looks like this:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kprop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span> </pre></div> </div> <p>kpropd can also run as a standalone daemon, backgrounding itself and 
@@ -113,80 +104,82 @@ an interval determined by the <strong>iprop_replica_poll</strong> variable. If replica receives updates, kpropd updates its log file with any updates from the primary. <a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to view a summary of the update entry log on the replica KDC. If incremental propagation -is enabled, the principal <code class="docutils literal"><span class="pre">kiprop/replicahostname@REALM</span></code> (where +is enabled, the principal <code class="docutils literal notranslate"><span class="pre">kiprop/replicahostname@REALM</span></code> (where <em>replicahostname</em> is the name of the replica KDC host, and <em>REALM</em> is the name of the Kerberos realm) must be present in the replica’s keytab file.</p> <p><a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to force full replication when iprop is enabled.</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the realm of the primary server.</dd> -<dt><strong>-A</strong> <em>admin_server</em></dt> -<dd>Specifies the server to be contacted for incremental updates; by -default, the primary admin server is contacted.</dd> -<dt><strong>-f</strong> <em>file</em></dt> -<dd>Specifies the filename where the dumped principal database file is -to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/from_master</span></code>.</dd> -<dt><strong>-F</strong> <em>kerberos_db</em></dt> -<dd>Path to the Kerberos 
database file, if not the default.</dd> -<dt><strong>-p</strong></dt> -<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> -program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SBINDIR</span></a><code class="docutils literal"><span class="pre">/kdb5_util</span></code>.</dd> -<dt><strong>-D</strong></dt> -<dd>In this mode, kpropd will not detach itself from the current job +<dl class="simple"> +<dt><strong>-r</strong> <em>realm</em></dt><dd><p>Specifies the realm of the primary server.</p> +</dd> +<dt><strong>-A</strong> <em>admin_server</em></dt><dd><p>Specifies the server to be contacted for incremental updates; by +default, the primary admin server is contacted.</p> +</dd> +<dt><strong>-f</strong> <em>file</em></dt><dd><p>Specifies the filename where the dumped principal database file is +to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/from_master</span></code>.</p> +</dd> +<dt><strong>-F</strong> <em>kerberos_db</em></dt><dd><p>Path to the Kerberos database file, if not the default.</p> +</dd> +<dt><strong>-p</strong></dt><dd><p>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> +program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SBINDIR</span></a><code class="docutils literal notranslate"><span class="pre">/kdb5_util</span></code>.</p> +</dd> +<dt><strong>-D</strong></dt><dd><p>In this mode, kpropd will not detach itself 
from the current job and run in the background. Instead, it will run in the -foreground.</dd> -<dt><strong>-d</strong></dt> -<dd>Turn on debug mode. kpropd will print out debugging messages +foreground.</p> +</dd> +<dt><strong>-d</strong></dt><dd><p>Turn on debug mode. kpropd will print out debugging messages during the database propogation and will run in the foreground -(implies <strong>-D</strong>).</dd> -<dt><strong>-P</strong></dt> -<dd>Allow for an alternate port number for kpropd to listen on. This -is only useful in combination with the <strong>-S</strong> option.</dd> -<dt><strong>-a</strong> <em>acl_file</em></dt> -<dd>Allows the user to specify the path to the kpropd.acl file; by -default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kpropd.acl</span></code>.</dd> -<dt><strong>–pid-file</strong>=<em>pid_file</em></dt> -<dd>In standalone mode, write the process ID of the daemon into -<em>pid_file</em>.</dd> -<dt><strong>-s</strong> <em>keytab_file</em></dt> -<dd>Path to a keytab to use for acquiring acceptor credentials.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>Database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd> +(implies <strong>-D</strong>).</p> +</dd> +<dt><strong>-P</strong></dt><dd><p>Allow for an alternate port number for kpropd to listen on. 
This +is only useful in combination with the <strong>-S</strong> option.</p> +</dd> +<dt><strong>-a</strong> <em>acl_file</em></dt><dd><p>Allows the user to specify the path to the kpropd.acl file; by +default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/kpropd.acl</span></code>.</p> +</dd> +<dt><strong>–pid-file</strong>=<em>pid_file</em></dt><dd><p>In standalone mode, write the process ID of the daemon into +<em>pid_file</em>.</p> +</dd> +<dt><strong>-s</strong> <em>keytab_file</em></dt><dd><p>Path to a keytab to use for acquiring acceptor credentials.</p> +</dd> +<dt><strong>-x</strong> <em>db_args</em></dt><dd><p>Database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</p> +</dd> </dl> -</div> -<div class="section" id="files"> +</section> +<section id="files"> <h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2> -<dl class="docutils"> -<dt>kpropd.acl</dt> -<dd>Access file for kpropd; the default location is -<code class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. Each entry is a line +<dl class="simple"> +<dt>kpropd.acl</dt><dd><p>Access file for kpropd; the default location is +<code class="docutils literal notranslate"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. 
Each entry is a line containing the principal of a host from which the local machine -will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>.</dd> +will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>.</p> +</dd> </dl> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, inetd(8)</p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kpropd</a><ul> @@ -264,6 +257,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> 
@@ -271,8 +265,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html index 158a6ae7de72..498e58141ff2 100644 --- a/doc/html/admin/admin_commands/kproplog.html +++ b/doc/html/admin/admin_commands/kproplog.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>kproplog — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="ktutil" href="ktutil.html" /> <link rel="prev" title="kpropd" href="kpropd.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,14 +52,14 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="kproplog"> + <section id="kproplog"> <span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>kproplog</strong> [<strong>-h</strong>] [<strong>-e</strong> <em>num</em>] [-v] <strong>kproplog</strong> [-R]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental 
@@ -86,27 +77,26 @@ log. If invoked on the primary, kproplog also displays all of the update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update.</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> -<dl class="docutils"> -<dt><strong>-R</strong></dt> -<dd>Reset the update log. This forces full resynchronization. If +<dl> +<dt><strong>-R</strong></dt><dd><p>Reset the update log. This forces full resynchronization. If used on a replica then that replica will request a full resync. If used on the primary then all replicas will request full -resyncs.</dd> -<dt><strong>-h</strong></dt> -<dd>Display a summary of the update log. This information includes +resyncs.</p> +</dd> +<dt><strong>-h</strong></dt><dd><p>Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, -and the version number of the first and last update entry.</dd> -<dt><strong>-e</strong> <em>num</em></dt> -<dd>Display the last <em>num</em> update entries in the log. This is useful -when debugging synchronization between KDC servers.</dd> -<dt><strong>-v</strong></dt> -<dd><p class="first">Display individual attributes per update. An example of the +and the version number of the first and last update entry.</p> +</dd> +<dt><strong>-e</strong> <em>num</em></dt><dd><p>Display the last <em>num</em> update entries in the log. This is useful +when debugging synchronization between KDC servers.</p> +</dd> +<dt><strong>-v</strong></dt><dd><p>Display individual attributes per update. 
An example of the output generated for one entry:</p> -<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">Update</span> <span class="n">Entry</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Update</span> <span class="n">Entry</span> <span class="n">Update</span> <span class="n">serial</span> <span class="c1"># : 4</span> <span class="n">Update</span> <span class="n">operation</span> <span class="p">:</span> <span class="n">Add</span> <span class="n">Update</span> <span class="n">principal</span> <span class="p">:</span> <span class="n">test</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> @@ -124,24 +114,26 @@ output generated for one entry:</p> </div> </dd> </dl> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">kproplog</a><ul> 
@@ -218,6 +210,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -225,8 +218,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html index df31c441be84..b7c6d993d7a9 100644 --- a/doc/html/admin/admin_commands/krb5kdc.html +++ b/doc/html/admin/admin_commands/krb5kdc.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>krb5kdc — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="kprop" href="kprop.html" /> <link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,9 +52,9 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="krb5kdc"> + <section id="krb5kdc"> <span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>krb5kdc</strong> [<strong>-x</strong> <em>db_args</em>] @@ -77,13 +68,13 @@ [<strong>-w</strong> <em>numworkers</em>] [<strong>-P</strong> <em>pid_file</em>] [<strong>-T</strong> <em>time_offset</em>]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC).</p> -</div> -<div class="section" id="options"> +</section> +<section id="options"> <h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server should provide service. This option may be specified multiple times 
@@ -94,9 +85,9 @@ principal database can be found. This option does not apply to the LDAP database.</p> <p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key to be entered manually as a password when <strong>-m</strong> is given; the default -is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></code>.</p> +is <code class="docutils literal notranslate"><span class="pre">aes256-cts-hmac-sha1-96</span></code>.</p> <p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the -master key in the database (usually <code class="docutils literal"><span class="pre">K/M</span></code> in the KDC’s realm).</p> +master key in the database (usually <code class="docutils literal notranslate"><span class="pre">K/M</span></code> in the KDC’s realm).</p> <p>The <strong>-m</strong> option specifies that the master database password should be fetched from the keyboard rather than from a stash file.</p> <p>The <strong>-n</strong> option specifies that the KDC does not put itself in the 
@@ -123,15 +114,15 @@ See <a class="reference internal" href="kadmin_local.html#dboptions"><span class supported arguments.</p> <p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which the KDC will operate under. It is intended only for testing purposes.</p> -</div> -<div class="section" id="example"> +</section> +<section id="example"> <h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> <p>The KDC may service requests for multiple realms (maximum 32 realms). The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option.</p> <p>For example:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5kdc</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2001</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2002</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM2</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM3</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">krb5kdc</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2001</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2002</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM2</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM3</span> </pre></div> </div> <p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002 
@@ -141,25 +132,27 @@ may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable. Per-realm parameters specified in this file take precedence over options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> description for further details.</p> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>, <a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">krb5kdc</a><ul> @@ -237,6 +230,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> 
@@ -244,8 +238,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html index 76663a80ee2f..93e66f84ad2c 100644 --- a/doc/html/admin/admin_commands/ktutil.html +++ b/doc/html/admin/admin_commands/ktutil.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>ktutil — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="k5srvutil" href="k5srvutil.html" /> <link rel="prev" title="kproplog" href="kproplog.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> 
@@ -61,62 +52,68 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="ktutil"> + <section id="ktutil"> <span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>ktutil</strong></p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab. (Kerberos V4 srvtab files are no longer supported.)</p> -</div> -<div class="section" id="commands"> +</section> +<section id="commands"> <h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2> -<div class="section" id="list"> +<section id="list"> <h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</div></blockquote> +<div><p><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</p> +</div></blockquote> <p>Displays the current keylist. 
If <strong>-t</strong>, <strong>-k</strong>, and/or <strong>-e</strong> are specified, also display the timestamp, key contents, or enctype (respectively).</p> <p>Alias: <strong>l</strong></p> -</div> -<div class="section" id="read-kt"> +</section> +<section id="read-kt"> <h3>read_kt<a class="headerlink" href="#read-kt" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>read_kt</strong> <em>keytab</em></div></blockquote> +<div><p><strong>read_kt</strong> <em>keytab</em></p> +</div></blockquote> <p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p> <p>Alias: <strong>rkt</strong></p> -</div> -<div class="section" id="write-kt"> +</section> +<section id="write-kt"> <h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>write_kt</strong> <em>keytab</em></div></blockquote> +<div><p><strong>write_kt</strong> <em>keytab</em></p> +</div></blockquote> <p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p> <p>Alias: <strong>wkt</strong></p> -</div> -<div class="section" id="clear-list"> +</section> +<section id="clear-list"> <h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>clear_list</strong></div></blockquote> +<div><p><strong>clear_list</strong></p> +</div></blockquote> <p>Clear the current keylist.</p> <p>Alias: <strong>clear</strong></p> -</div> -<div class="section" id="delete-entry"> +</section> +<section id="delete-entry"> <h3>delete_entry<a class="headerlink" href="#delete-entry" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>delete_entry</strong> <em>slot</em></div></blockquote> +<div><p><strong>delete_entry</strong> <em>slot</em></p> +</div></blockquote> <p>Delete the entry in slot number <em>slot</em> from the current keylist.</p> <p>Alias: <strong>delent</strong></p> -</div> -<div class="section" id="add-entry"> 
+</section> +<section id="add-entry"> <h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em> -<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</div></blockquote> +<div><p><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em> +<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</p> +</div></blockquote> <p>Add <em>principal</em> to keylist using key or password. If the <strong>-f</strong> flag is specified, salt information will be fetched from the KDC; in this case the <strong>-e</strong> flag may be omitted, or it may be supplied to force a 
@@ -124,26 +121,28 @@ particular enctype. If the <strong>-f</strong> flag is not specified, the <stro flag must be specified, and the default salt will be used unless overridden with the <strong>-s</strong> option.</p> <p>Alias: <strong>addent</strong></p> -</div> -<div class="section" id="list-requests"> +</section> +<section id="list-requests"> <h3>list_requests<a class="headerlink" href="#list-requests" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>list_requests</strong></div></blockquote> +<div><p><strong>list_requests</strong></p> +</div></blockquote> <p>Displays a listing of available commands.</p> <p>Aliases: <strong>lr</strong>, <strong>?</strong></p> -</div> -<div class="section" id="quit"> +</section> +<section id="quit"> <h3>quit<a class="headerlink" href="#quit" title="Permalink to this headline">¶</a></h3> <blockquote> -<div><strong>quit</strong></div></blockquote> +<div><p><strong>quit</strong></p> +</div></blockquote> <p>Quits ktutil.</p> <p>Aliases: <strong>exit</strong>, <strong>q</strong></p> -</div> -</div> -<div class="section" id="example"> +</section> +</section> +<section id="example"> <h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> <blockquote> -<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span> +<div><div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> 
<span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> <span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span> 
@@ -154,24 +153,26 @@ overridden with the <strong>-s</strong> option.</p> </pre></div> </div> </div></blockquote> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">ktutil</a><ul> @@ -259,6 +260,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -266,8 +268,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html index 64d3580a246f..b8db93f55852 100644 --- a/doc/html/admin/admin_commands/sserver.html 
+++ b/doc/html/admin/admin_commands/sserver.html 
@@ -1,35 +1,26 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> +<html> <head> - <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <title>sserver — MIT Kerberos Documentation</title> - <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> - <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> - var DOCUMENTATION_OPTIONS = { - URL_ROOT: '../../', - VERSION: '1.21.2', - COLLAPSE_INDEX: false, - FILE_SUFFIX: '.html', - HAS_SOURCE: true, - SOURCELINK_SUFFIX: '.txt' - }; - </script> - <script type="text/javascript" src="../../_static/jquery.js"></script> - <script type="text/javascript" src="../../_static/underscore.js"></script> - <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> + <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> + <script src="../../_static/jquery.js"></script> + <script src="../../_static/underscore.js"></script> + <script src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="next" 
title="MIT Kerberos defaults" href="../../mitK5defaults.html" /> <link rel="prev" title="k5srvutil" href="k5srvutil.html" /> - </head> - <body> + </head><body> <div class="header-wrapper"> <div class="header"> @@ -61,16 +52,16 @@ <div class="bodywrapper"> <div class="body" role="main"> - <div class="section" id="sserver"> + <section id="sserver"> <span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1> -<div class="section" id="synopsis"> +<section id="synopsis"> <h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>sserver</strong> [ <strong>-p</strong> <em>port</em> ] [ <strong>-S</strong> <em>keytab</em> ] [ <em>server_port</em> ]</p> -</div> -<div class="section" id="description"> +</section> +<section id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a> are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos 
@@ -79,19 +70,19 @@ principal which was used for the Kerberos authentication. It makes a good test that Kerberos has been successfully installed on a machine.</p> <p>The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service -<code class="docutils literal"><span class="pre">sample/hostname.domain.name@REALM.NAME</span></code>. This keytab is generated +<code class="docutils literal notranslate"><span class="pre">sample/hostname.domain.name@REALM.NAME</span></code>. This keytab is generated using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program. The keytab file is usually installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.</p> <p>The <strong>-S</strong> option allows for a different keytab than the default.</p> <p>sserver is normally invoked out of inetd(8), using a line in -<code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> that looks like this:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">sserver</span> <span class="n">sserver</span> +<code class="docutils literal notranslate"><span class="pre">/etc/inetd.conf</span></code> that looks like this:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span 
class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">sserver</span> <span class="n">sserver</span> </pre></div> </div> -<p>Since <code class="docutils literal"><span class="pre">sample</span></code> is normally not a port defined in <code class="docutils literal"><span class="pre">/etc/services</span></code>, -you will usually have to add a line to <code class="docutils literal"><span class="pre">/etc/services</span></code> which looks +<p>Since <code class="docutils literal notranslate"><span class="pre">sample</span></code> is normally not a port defined in <code class="docutils literal notranslate"><span class="pre">/etc/services</span></code>, +you will usually have to add a line to <code class="docutils literal notranslate"><span class="pre">/etc/services</span></code> which looks like this:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="mi">13135</span><span class="o">/</span><span class="n">tcp</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="mi">13135</span><span class="o">/</span><span class="n">tcp</span> </pre></div> </div> <p>When using sclient, you will first have to have an entry in the 
@@ -102,49 +93,49 @@ connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both files.</p> <p>When you run sclient you should see something like this:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">succeeded</span><span class="p">,</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">succeeded</span><span class="p">,</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span> <span class="n">reply</span> <span class="nb">len</span> <span class="mi">32</span><span class="p">,</span> <span class="n">contents</span><span class="p">:</span> <span class="n">You</span> <span class="n">are</span> <span class="n">nlgilman</span><span class="nd">@JIMI</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> -</div> -<div class="section" id="common-error-messages"> +</section> +<section id="common-error-messages"> <h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2> <ol class="arabic"> -<li><p class="first">kinit returns the error:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span> +<li><p>kinit returns the error:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> 
<span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span> <span class="n">initial</span> <span class="n">credentials</span> </pre></div> </div> <p>This means that you didn’t create an entry for your username in the Kerberos database.</p> </li> -<li><p class="first">sclient returns the error:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">unknown</span> <span class="n">service</span> <span class="n">sample</span><span class="o">/</span><span class="n">tcp</span><span class="p">;</span> <span class="n">check</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">services</span> +<li><p>sclient returns the error:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">unknown</span> <span class="n">service</span> <span class="n">sample</span><span class="o">/</span><span class="n">tcp</span><span class="p">;</span> <span class="n">check</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">services</span> </pre></div> </div> <p>This means that you don’t have an entry in /etc/services for the sample tcp port.</p> </li> -<li><p class="first">sclient returns the error:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">connect</span><span class="p">:</span> <span class="n">Connection</span> <span class="n">refused</span> +<li><p>sclient returns the error:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">connect</span><span class="p">:</span> <span class="n">Connection</span> <span class="n">refused</span> </pre></div> </div> <p>This probably means you didn’t edit /etc/inetd.conf correctly, or you didn’t restart inetd after editing inetd.conf.</p> 
</li> -<li><p class="first">sclient returns the error:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sclient</span><span class="p">:</span> <span class="n">Server</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">using</span> +<li><p>sclient returns the error:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sclient</span><span class="p">:</span> <span class="n">Server</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">using</span> <span class="n">sendauth</span> </pre></div> </div> -<p>This means that the <code class="docutils literal"><span class="pre">sample/hostname@LOCAL.REALM</span></code> service was not +<p>This means that the <code class="docutils literal notranslate"><span class="pre">sample/hostname@LOCAL.REALM</span></code> service was not defined in the Kerberos database; it should be created using <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and a keytab file needs to be generated to make the key for that service principal available for sclient.</p> </li> -<li><p class="first">sclient returns the error:</p> -<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">rejected</span><span class="p">,</span> <span class="n">error</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span> +<li><p>sclient returns the error:</p> +<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">rejected</span><span class="p">,</span> <span 
class="n">error</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span> <span class="s2">"No such file or directory"</span> </pre></div> </div> @@ -152,24 +143,26 @@ the key for that service principal available for sclient.</p> probably not installed in the proper directory.</p> </li> </ol> -</div> -<div class="section" id="environment"> +</section> +<section id="environment"> <h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2> <p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment variables.</p> -</div> -<div class="section" id="see-also"> +</section> +<section id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, services(5), inetd(8)</p> -</div> -</div> +</section> +</section> + <div class="clearer"></div> </div> </div> </div> </div> <div class="sidebar"> + <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">sserver</a><ul> @@ -246,6 +239,7 @@ variables.</p> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> + </div> <div class="clearer"></div> </div> @@ -253,8 +247,8 @@ variables.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.2</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2023, MIT. + <div class="right" ><i>Release: 1.21.3</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. </div> <div class="left"> |
