authorCy Schubert <cy@FreeBSD.org>2023-08-04 17:53:10 +0000
committerCy Schubert <cy@FreeBSD.org>2023-08-04 17:53:10 +0000
commit0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
treee1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/admin_commands
parentb0e4d68d5124581ae353493d69bea352de4cff8a (diff)
Diffstat (limited to 'doc/html/admin/admin_commands')
-rw-r--r--doc/html/admin/admin_commands/index.html27
-rw-r--r--doc/html/admin/admin_commands/k5srvutil.html41
-rw-r--r--doc/html/admin/admin_commands/kadmin_local.html374
-rw-r--r--doc/html/admin/admin_commands/kadmind.html94
-rw-r--r--doc/html/admin/admin_commands/kdb5_ldap_util.html246
-rw-r--r--doc/html/admin/admin_commands/kdb5_util.html147
-rw-r--r--doc/html/admin/admin_commands/kprop.html50
-rw-r--r--doc/html/admin/admin_commands/kpropd.html137
-rw-r--r--doc/html/admin/admin_commands/kproplog.html86
-rw-r--r--doc/html/admin/admin_commands/krb5kdc.html77
-rw-r--r--doc/html/admin/admin_commands/ktutil.html86
-rw-r--r--doc/html/admin/admin_commands/sserver.html93
12 files changed, 743 insertions, 715 deletions
diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html
index 70300c8e3886..804e7e7568ae 100644
--- a/doc/html/admin/admin_commands/index.html
+++ b/doc/html/admin/admin_commands/index.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>Administration programs &mdash; MIT Kerberos Documentation</title>
-
+ <title>Administration programs &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="For administrators" href="../index.html" />
<link rel="next" title="kadmin" href="kadmin_local.html" />
<link rel="prev" title="Authentication indicators" href="../auth_indicator.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="administration-programs">
<h1>Administration programs<a class="headerlink" href="#administration-programs" title="Permalink to this headline">¶</a></h1>
@@ -102,6 +100,7 @@
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -109,11 +108,13 @@
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
-<li class="toctree-l2 current"><a class="current reference internal" href="">Administration programs</a><ul>
+<li class="toctree-l2 current"><a class="current reference internal" href="#">Administration programs</a><ul>
<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
@@ -161,8 +162,8 @@
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html
index 6b2b3304c936..d43e43b16bec 100644
--- a/doc/html/admin/admin_commands/k5srvutil.html
+++ b/doc/html/admin/admin_commands/k5srvutil.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>k5srvutil &mdash; MIT Kerberos Documentation</title>
-
+ <title>k5srvutil &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="sserver" href="sserver.html" />
<link rel="prev" title="ktutil" href="ktutil.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="k5srvutil">
<span id="k5srvutil-1"></span><h1>k5srvutil<a class="headerlink" href="#k5srvutil" title="Permalink to this headline">¶</a></h1>
@@ -85,8 +83,8 @@ name.</dd>
<dt><strong>change</strong></dt>
<dd>Uses the kadmin protocol to update the keys in the Kerberos
database to new randomly-generated keys, and updates the keys in
-the keytab to match. If a key&#8217;s version number doesn&#8217;t match the
-version number stored in the Kerberos server&#8217;s database, then the
+the keytab to match. If a key’s version number doesn’t match the
+version number stored in the Kerberos server’s database, then the
operation will fail. If the <strong>-i</strong> flag is given, k5srvutil will
prompt for confirmation before changing each key. If the <strong>-k</strong>
option is given, the old and new keys will be displayed.
@@ -107,12 +105,17 @@ each key.</dd>
</dl>
<p>In all cases, the default keytab is used unless this is overridden by
the <strong>-f</strong> option.</p>
-<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to edit the keytab in
+<p>k5srvutil uses the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to edit the keytab in
place.</p>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><em>ktutil</em></a></p>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="ktutil.html#ktutil-1"><span class="std std-ref">ktutil</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -127,6 +130,7 @@ place.</p>
<li><a class="reference internal" href="#">k5srvutil</a><ul>
<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -141,6 +145,7 @@ place.</p>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -148,6 +153,8 @@ place.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -162,7 +169,7 @@ place.</p>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">k5srvutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">k5srvutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
</ul>
</li>
@@ -200,8 +207,8 @@ place.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html
index 270fc9376f04..6cca1815ffd9 100644
--- a/doc/html/admin/admin_commands/kadmin_local.html
+++ b/doc/html/admin/admin_commands/kadmin_local.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kadmin &mdash; MIT Kerberos Documentation</title>
-
+ <title>kadmin &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kadmind" href="kadmind.html" />
<link rel="prev" title="Administration programs" href="index.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kadmin">
<span id="kadmin-1"></span><h1>kadmin<a class="headerlink" href="#kadmin" title="Permalink to this headline">¶</a></h1>
@@ -75,31 +73,31 @@
[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>]
[<strong>-w</strong> <em>password</em>]
[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]]
-[command args...]</p>
+[command args…]</p>
<p><strong>kadmin.local</strong>
[<strong>-r</strong> <em>realm</em>]
[<strong>-p</strong> <em>principal</em>]
[<strong>-q</strong> <em>query</em>]
[<strong>-d</strong> <em>dbname</em>]
-[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...]
+[<strong>-e</strong> <em>enc</em>:<em>salt</em> …]
[<strong>-m</strong>]
[<strong>-x</strong> <em>db_args</em>]
-[command args...]</p>
+[command args…]</p>
</div>
<div class="section" id="description">
-<span id="kadmin-synopsis-end"></span><h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
-database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a>.
-Except as explicitly noted otherwise, this man page will use &#8220;kadmin&#8221;
+database, while kadmin performs operations using <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>.
+Except as explicitly noted otherwise, this man page will use “kadmin”
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).</p>
<p>The remote kadmin client uses Kerberos to authenticate to kadmind
-using the service principal <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> (where <em>ADMINHOST</em> is
-the fully-qualified hostname of the admin server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>.
-If the credentials cache contains a ticket for one of these
+using the service principal <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code>
+(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
+server). If the credentials cache contains a ticket for one of these
principals, and the <strong>-c</strong> credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the <strong>-p</strong> and
<strong>-k</strong> options are used to specify the client Kerberos principal name
@@ -107,7 +105,7 @@ used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.</p>
<p>Since kadmin.local directly accesses the KDC database, it usually must
-be run directly on the master KDC with sufficient permissions to read
+be run directly on the primary KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.</p>
</div>
@@ -118,13 +116,13 @@ kadmin.local can be run on any host which can access the LDAP server.</p>
<dd>Use <em>realm</em> as the default database realm.</dd>
<dt><strong>-p</strong> <em>principal</em></dt>
<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append
-<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache,
+<code class="docutils literal"><span class="pre">/admin</span></code> to the primary principal name of the default ccache,
the value of the <strong>USER</strong> environment variable, or the username as
obtained with getpwuid, in order of preference.</dd>
<dt><strong>-k</strong></dt>
<dd>Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
-<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the
+<code class="docutils literal"><span class="pre">host/hostname</span></code>. If there is no keytab specified with the
<strong>-t</strong> option, then the default keytab will be used.</dd>
<dt><strong>-t</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used
@@ -132,23 +130,23 @@ with the <strong>-k</strong> option.</dd>
<dt><strong>-n</strong></dt>
<dd>Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
-the KDC and configure <strong>pkinit_anchors</strong> in the client&#8217;s
-<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal
-of the form <tt class="docutils literal"><span class="pre">&#64;REALM</span></tt> (an empty principal name followed by the
+the KDC and configure <strong>pkinit_anchors</strong> in the client’s
+<a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. Then use the <strong>-n</strong> option with a principal
+of the form <code class="docutils literal"><span class="pre">&#64;REALM</span></code> (an empty principal name followed by the
at-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
supported; these realm-exposed tickets hide the identity of the
-client but not the client&#8217;s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span>
-<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the
+client but not the client’s realm. For this mode, use <code class="docutils literal"><span class="pre">kinit</span>
+<span class="pre">-n</span></code> with a normal principal name. If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.</dd>
<dt><strong>-c</strong> <em>credentials_cache</em></dt>
-<dd>Use <em>credentials_cache</em> as the credentials cache. The
-cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt>
-(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin
-server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the
-<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin
+<dd>Use <em>credentials_cache</em> as the credentials cache. The cache
+should contain a service ticket for the <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or
+<code class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></code> (where <em>ADMINHOST</em> is the fully-qualified
+hostname of the admin server) service; it can be acquired with the
+<a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a> program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.</dd>
<dt><strong>-w</strong> <em>password</em></dt>
@@ -165,9 +163,9 @@ apply to the LDAP database module.</dd>
<dt><strong>-m</strong></dt>
<dd>If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.</dd>
-<dt><strong>-e</strong> &#8220;<em>enc</em>:<em>salt</em> ...&#8221;</dt>
+<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> …”</dt>
<dd>Sets the keysalt list to be used for any new keys created. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible
values.</dd>
<dt><strong>-O</strong></dt>
<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd>
@@ -177,7 +175,7 @@ values.</dd>
<dd>Specifies the database specific arguments. See the next section
for supported options.</dd>
</dl>
-<p id="kadmin-options-end">Starting with release 1.14, if any command-line arguments remain after
+<p>Starting with release 1.14, if any command-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:</p>
@@ -228,7 +226,7 @@ entire operation. First introduced in release 1.13.</dd>
server. Using this option may expose the password to other
users on the system via the process list; to avoid this,
instead stash the password using the <strong>stashsrvpw</strong> command of
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>.</dd>
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>.</dd>
<dt><strong>-x sasl_mech=</strong><em>mechanism</em></dt>
<dd>Specifies the SASL mechanism used to bind to the LDAP server.
The bind DN is ignored if a SASL mechanism is used. New in
@@ -254,7 +252,7 @@ are printed to standard error. New in release 1.12.</dd>
<div class="section" id="commands">
<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
<p>When using the remote client, available commands may be restricted
-according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a> file
+according to the privileges specified in the <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a> file
on the admin server.</p>
<div class="section" id="add-principal">
<span id="id1"></span><h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3>
@@ -262,8 +260,8 @@ on the admin server.</p>
<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote>
<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If
no password policy is specified with the <strong>-policy</strong> option, and the
-policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists.
-However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically
+policy named <code class="docutils literal"><span class="pre">default</span></code> is assigned to the principal if it exists.
+However, creating a policy named <code class="docutils literal"><span class="pre">default</span></code> will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
<p>This command requires the <strong>add</strong> privilege.</p>
@@ -271,20 +269,20 @@ assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p>
<p>Options:</p>
<dl class="docutils">
<dt><strong>-expire</strong> <em>expdate</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The expiration date of the principal.</dd>
<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The password expiration date.</dd>
<dt><strong>-maxlife</strong> <em>maxlife</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum ticket life
for the principal.</dd>
<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) The maximum renewable
life of tickets for the principal.</dd>
<dt><strong>-kvno</strong> <em>kvno</em></dt>
<dd>The initial key version number.</dd>
<dt><strong>-policy</strong> <em>policy</em></dt>
<dd>The password policy used by this principal. If not specified, the
-policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong>
+policy <code class="docutils literal"><span class="pre">default</span></code> is used if it exists (unless <strong>-clearpolicy</strong>
is specified).</dd>
<dt><strong>-clearpolicy</strong></dt>
<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not
@@ -303,21 +301,22 @@ renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd>
proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd>
<dt>{-|+}<strong>allow_dup_skey</strong></dt>
<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this
-principal by prohibiting this principal from obtaining a session
-key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd>
+principal by prohibiting others from obtaining a service ticket
+encrypted in this principal’s TGT session key.
+<strong>+allow_dup_skey</strong> clears this flag.</dd>
<dt>{-|+}<strong>requires_preauth</strong></dt>
<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate
before being allowed to kinit. <strong>-requires_preauth</strong> clears this
flag. When <strong>+requires_preauth</strong> is set on a service principal,
the KDC will only issue service tickets for that service principal
-if the client&#8217;s initial authentication was performed using
+if the client’s initial authentication was performed using
preauthentication.</dd>
<dt>{-|+}<strong>requires_hwauth</strong></dt>
<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is
set on a service principal, the KDC will only issue service tickets
-for that service principal if the client&#8217;s initial authentication was
+for that service principal if the client’s initial authentication was
performed using a hardware device to preauthenticate.</dd>
<dt>{-|+}<strong>ok_as_delegate</strong></dt>
<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets
@@ -327,7 +326,9 @@ authenticating to the service. <strong>-ok_as_delegate</strong> clears this
flag.</dd>
<dt>{-|+}<strong>allow_svr</strong></dt>
<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this
-principal. <strong>+allow_svr</strong> clears this flag.</dd>
+principal. In release 1.17 and later, user-to-user service
+tickets are still allowed unless the <strong>-allow_dup_skey</strong> flag is
+also set. <strong>+allow_svr</strong> clears this flag.</dd>
<dt>{-|+}<strong>allow_tgs_req</strong></dt>
<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
@@ -369,9 +370,9 @@ be removed using kadmin.local.</dd>
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt>
<dd>Uses the specified keysalt list for setting the keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
list of possible values.</dd>
<dt><strong>-x</strong> <em>db_princ_args</em></dt>
<dd><p class="first">Indicates database-specific options. The options for the LDAP
@@ -405,18 +406,18 @@ principal container configured in the realm.</li>
</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer
-WARNING: no policy specified for &quot;jennifer@ATHENA.MIT.EDU&quot;;
-defaulting to no policy.
-Enter password for principal jennifer@ATHENA.MIT.EDU:
-Re-enter password for principal jennifer@ATHENA.MIT.EDU:
-Principal &quot;jennifer@ATHENA.MIT.EDU&quot; created.
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="n">jennifer</span>
+<span class="n">No</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="s2">&quot;jennifer@ATHENA.MIT.EDU&quot;</span><span class="p">;</span>
+<span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span><span class="o">.</span>
+<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
+<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">jennifer</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span>
+<span class="n">Principal</span> <span class="s2">&quot;jennifer@ATHENA.MIT.EDU&quot;</span> <span class="n">created</span><span class="o">.</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="modify-principal">
-<span id="add-principal-end"></span><span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id2"></span><h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote>
<p>Modifies the specified principal, changing the fields as specified.
@@ -434,7 +435,7 @@ to its password policy) so that it can successfully authenticate.</dd>
</dl>
</div>
<div class="section" id="rename-principal">
-<span id="modify-principal-end"></span><span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id3"></span><h3>rename_principal<a class="headerlink" href="#rename-principal" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>rename_principal</strong> [<strong>-force</strong>] <em>old_principal</em> <em>new_principal</em></div></blockquote>
<p>Renames the specified <em>old_principal</em> to <em>new_principal</em>. This
@@ -444,7 +445,7 @@ given.</p>
<p>Alias: <strong>renprinc</strong></p>
</div>
<div class="section" id="delete-principal">
-<span id="rename-principal-end"></span><span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id4"></span><h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote>
<p>Deletes the specified <em>principal</em> from the database. This command
@@ -453,7 +454,7 @@ prompts for deletion, unless the <strong>-force</strong> option is given.</p>
<p>Alias: <strong>delprinc</strong></p>
</div>
<div class="section" id="change-password">
-<span id="delete-principal-end"></span><span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
+<span id="id5"></span><h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote>
<p>Changes the password of <em>principal</em>. Prompts for a new password if
@@ -470,25 +471,25 @@ changed.</p>
<dd>Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via
the process list.</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt>
<dd>Uses the specified keysalt list for setting the keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
list of possible values.</dd>
<dt><strong>-keepold</strong></dt>
<dd>Keeps the existing keys in the database. This flag is usually not
-necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd>
+necessary except perhaps for <code class="docutils literal"><span class="pre">krbtgt</span></code> principals.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest
-Enter password for principal systest@BLEEP.COM:
-Re-enter password for principal systest@BLEEP.COM:
-Password for systest@BLEEP.COM changed.
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">cpw</span> <span class="n">systest</span>
+<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
+<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="n">changed</span><span class="o">.</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="purgekeys">
-<span id="change-password-end"></span><span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3>
+<span id="id6"></span><h3>purgekeys<a class="headerlink" href="#purgekeys" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>purgekeys</strong> [<strong>-all</strong>|<strong>-keepkvno</strong> <em>oldest_kvno_to_keep</em>] <em>principal</em></div></blockquote>
<p>Purges previously retained old keys (e.g., from <strong>change_password
@@ -499,7 +500,7 @@ is new in release 1.12.</p>
<p>This command requires the <strong>modify</strong> privilege.</p>
</div>
<div class="section" id="get-principal">
-<span id="purgekeys-end"></span><span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
+<span id="id7"></span><h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote>
<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs
@@ -508,64 +509,64 @@ fields as quoted tab-separated strings.</p>
running the the program to be the same as the one being listed.</p>
<p>Alias: <strong>getprinc</strong></p>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des-cbc-crc
-Key: vno 1, des-cbc-crc:v4
-Attributes:
-Policy: [none]
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span>
+<span class="n">Principal</span><span class="p">:</span> <span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">Expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Last</span> <span class="n">password</span> <span class="n">change</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span>
+<span class="n">Password</span> <span class="n">expiration</span> <span class="n">date</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">7</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Last</span> <span class="n">modified</span><span class="p">:</span> <span class="n">Mon</span> <span class="n">Aug</span> <span class="mi">12</span> <span class="mi">14</span><span class="p">:</span><span class="mi">16</span><span class="p">:</span><span class="mi">47</span> <span class="n">EDT</span> <span class="mi">1996</span> <span class="p">(</span><span class="n">bjaspan</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">)</span>
+<span class="n">Last</span> <span class="n">successful</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Last</span> <span class="n">failed</span> <span class="n">authentication</span><span class="p">:</span> <span class="p">[</span><span class="n">never</span><span class="p">]</span>
+<span class="n">Failed</span> <span class="n">password</span> <span class="n">attempts</span><span class="p">:</span> <span class="mi">0</span>
+<span class="n">Number</span> <span class="n">of</span> <span class="n">keys</span><span class="p">:</span> <span class="mi">1</span>
+<span class="n">Key</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha384</span><span class="o">-</span><span class="mi">192</span>
+<span class="n">MKey</span><span class="p">:</span> <span class="n">vno</span> <span class="mi">1</span>
+<span class="n">Attributes</span><span class="p">:</span>
+<span class="n">Policy</span><span class="p">:</span> <span class="p">[</span><span class="n">none</span><span class="p">]</span>
-kadmin: getprinc -terse systest
-systest@BLEEP.COM 3 86400 604800 1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM 786100034 0 0
-kadmin:
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">getprinc</span> <span class="o">-</span><span class="n">terse</span> <span class="n">systest</span>
+<span class="n">systest</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">3</span> <span class="mi">86400</span> <span class="mi">604800</span> <span class="mi">1</span>
+<span class="mi">785926535</span> <span class="mi">753241234</span> <span class="mi">785900000</span>
+<span class="n">tlyu</span><span class="o">/</span><span class="n">admin</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="mi">786100034</span> <span class="mi">0</span> <span class="mi">0</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="list-principals">
-<span id="get-principal-end"></span><span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
+<span id="id8"></span><h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote>
<p>Retrieves all or some principal names. <em>expression</em> is a shell-style
-glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
-<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are
+glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>,
+<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All principal names matching the expression are
printed. If no expression is provided, all principal names are
-printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">&#64;</span></tt> character, an
-<tt class="docutils literal"><span class="pre">&#64;</span></tt> character followed by the local realm is appended to the
+printed. If the expression does not contain an <code class="docutils literal"><span class="pre">&#64;</span></code> character, an
+<code class="docutils literal"><span class="pre">&#64;</span></code> character followed by the local realm is appended to the
expression.</p>
<p>This command requires the <strong>list</strong> privilege.</p>
-<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p>
+<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>getprincs</strong></p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listprincs</span> <span class="n">test</span><span class="o">*</span>
+<span class="n">test3</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">test2</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">test1</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">testuser</span><span class="nd">@SECURE</span><span class="o">-</span><span class="n">TEST</span><span class="o">.</span><span class="n">OV</span><span class="o">.</span><span class="n">COM</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="get-strings">
-<span id="list-principals-end"></span><span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
+<span id="id9"></span><h3>get_strings<a class="headerlink" href="#get-strings" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>get_strings</strong> <em>principal</em></div></blockquote>
<p>Displays string attributes on <em>principal</em>.</p>
<p>This command requires the <strong>inquire</strong> privilege.</p>
-<p>Alias: <strong>getstr</strong></p>
+<p>Alias: <strong>getstrs</strong></p>
</div>
<div class="section" id="set-string">
-<span id="get-strings-end"></span><span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
+<span id="id10"></span><h3>set_string<a class="headerlink" href="#set-string" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>set_string</strong> <em>principal</em> <em>name</em> <em>value</em></div></blockquote>
<p>Sets a string attribute on <em>principal</em>. String attributes are used to
@@ -581,29 +582,37 @@ specified indicators will be accepted. (New in release 1.14.)</dd>
<dt><strong>session_enctypes</strong></dt>
<dd>Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the
accepted values.</dd>
<dt><strong>otp</strong></dt>
<dd>Enables One Time Passwords (OTP) preauthentication for a client
<em>principal</em>. The <em>value</em> is a JSON string representing an array
-of objects, each having optional <tt class="docutils literal"><span class="pre">type</span></tt> and <tt class="docutils literal"><span class="pre">username</span></tt> fields.</dd>
+of objects, each having optional <code class="docutils literal"><span class="pre">type</span></code> and <code class="docutils literal"><span class="pre">username</span></code> fields.</dd>
<dt><strong>pkinit_cert_match</strong></dt>
<dd>Specifies a matching expression that defines the certificate
attributes required for the client certificate used by the
principal during PKINIT authentication. The matching expression
is in the same format as those used by the <strong>pkinit_cert_match</strong>
-option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. (New in release 1.16.)</dd>
+option in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>. (New in release 1.16.)</dd>
+<dt><strong>pac_privsvr_enctype</strong></dt>
+<dd>Forces the encryption type of the PAC KDC checksum buffers to the
+specified encryption type for tickets issued to this server, by
+deriving a key from the local krbtgt key if it is of a different
+encryption type. It may be necessary to set this value to
+“aes256-sha1” on the cross-realm krbtgt entry for an Active
+Directory realm when using aes-sha2 keys on the local krbtgt
+entry.</dd>
</dl>
<p>This command requires the <strong>modify</strong> privilege.</p>
<p>Alias: <strong>setstr</strong></p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>set_string host/foo.mit.edu session_enctypes aes128-cts
-set_string user@FOO.COM otp &quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hotp&quot;&quot;,&quot;&quot;username&quot;&quot;:&quot;&quot;al&quot;&quot;}]&quot;
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">set_string</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">session_enctypes</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span>
+<span class="n">set_string</span> <span class="n">user</span><span class="nd">@FOO</span><span class="o">.</span><span class="n">COM</span> <span class="n">otp</span> <span class="s2">&quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hotp&quot;&quot;,&quot;&quot;username&quot;&quot;:&quot;&quot;al&quot;&quot;}]&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="del-string">
-<span id="set-string-end"></span><span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3>
+<span id="id11"></span><h3>del_string<a class="headerlink" href="#del-string" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>del_string</strong> <em>principal</em> <em>key</em></div></blockquote>
<p>Deletes a string attribute from <em>principal</em>.</p>
@@ -611,7 +620,7 @@ set_string user@FOO.COM otp &quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hot
<p>Alias: <strong>delstr</strong></p>
</div>
<div class="section" id="add-policy">
-<span id="del-string-end"></span><span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id12"></span><h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
<p>Adds a password policy named <em>policy</em> to the database.</p>
@@ -620,10 +629,10 @@ set_string user@FOO.COM otp &quot;[{&quot;&quot;type&quot;&quot;:&quot;&quot;hot
<p>The following options are available:</p>
<dl class="docutils">
<dt><strong>-maxlife</strong> <em>time</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the maximum
lifetime of a password.</dd>
<dt><strong>-minlife</strong> <em>time</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the minimum
lifetime of a password.</dd>
<dt><strong>-minlength</strong> <em>length</em></dt>
<dd>Sets the minimum length of a password.</dd>
@@ -645,7 +654,7 @@ resets to 0 after a successful attempt to authenticate. A
</dl>
<dl class="docutils" id="policy-failurecountinterval">
<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the allowable time
between authentication failures. If an authentication failure
happens after <em>failuretime</em> has elapsed since the previous
failure, the number of authentication failures is reset to 1. A
@@ -653,28 +662,28 @@ failure, the number of authentication failures is reset to 1. A
</dl>
<dl class="docutils" id="policy-lockoutduration">
<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><span class="std std-ref">Time duration</span></a> or <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Sets the duration for
which the principal is locked from authenticating if too many
authentication failures occur without the specified failure count
interval elapsing. A duration of 0 (the default) means the
principal remains locked out until it is administratively unlocked
-with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd>
+with <code class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></code>.</dd>
<dt><strong>-allowedkeysalts</strong></dt>
<dd>Specifies the key/salt tuples supported for long-term keys when
-setting or changing a principal&#8217;s password/keys. See
-<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the
+setting or changing a principal’s password/keys. See
+<a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of the
accepted values, but note that key/salt tuples must be separated
-with commas (&#8216;,&#8217;) only. To clear the allowed key/salt policy use
-a value of &#8216;-&#8216;.</dd>
+with commas (‘,’) only. To clear the allowed key/salt policy use
+a value of ‘-‘.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife &quot;2 days&quot; -minlength 5 guests
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_policy</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">&quot;2 days&quot;</span> <span class="o">-</span><span class="n">minlength</span> <span class="mi">5</span> <span class="n">guests</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="modify-policy">
-<span id="add-policy-end"></span><span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id13"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote>
<p>Modifies the password policy named <em>policy</em>. Options are as described
@@ -683,7 +692,7 @@ for <strong>add_policy</strong>.</p>
<p>Alias: <strong>modpol</strong></p>
</div>
<div class="section" id="delete-policy">
-<span id="modify-policy-end"></span><span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id14"></span><h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote>
<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation
@@ -692,7 +701,7 @@ principals.</p>
<p>This command requires the <strong>delete</strong> privilege.</p>
<p>Alias: <strong>delpol</strong></p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests
+<div class="highlight-default"><div class="highlight"><pre><span></span>kadmin: del_policy guests
Are you sure you want to delete the policy &quot;guests&quot;?
(yes/no): yes
kadmin:
@@ -700,60 +709,60 @@ kadmin:
</div>
</div>
<div class="section" id="get-policy">
-<span id="delete-policy-end"></span><span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
+<span id="id15"></span><h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote>
<p>Displays the values of the password policy named <em>policy</em>. With the
<strong>-terse</strong> flag, outputs the fields as quoted strings separated by
tabs.</p>
<p>This command requires the <strong>inquire</strong> privilege.</p>
-<p>Alias: getpol</p>
+<p>Alias: <strong>getpol</strong></p>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin
-Policy: admin
-Maximum password life: 180 days 00:00:00
-Minimum password life: 00:00:00
-Minimum password length: 6
-Minimum number of password character classes: 2
-Number of old keys kept: 5
-Reference count: 17
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="n">admin</span>
+<span class="n">Policy</span><span class="p">:</span> <span class="n">admin</span>
+<span class="n">Maximum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">180</span> <span class="n">days</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Minimum</span> <span class="n">password</span> <span class="n">life</span><span class="p">:</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Minimum</span> <span class="n">password</span> <span class="n">length</span><span class="p">:</span> <span class="mi">6</span>
+<span class="n">Minimum</span> <span class="n">number</span> <span class="n">of</span> <span class="n">password</span> <span class="n">character</span> <span class="n">classes</span><span class="p">:</span> <span class="mi">2</span>
+<span class="n">Number</span> <span class="n">of</span> <span class="n">old</span> <span class="n">keys</span> <span class="n">kept</span><span class="p">:</span> <span class="mi">5</span>
+<span class="n">Reference</span> <span class="n">count</span><span class="p">:</span> <span class="mi">17</span>
-kadmin: get_policy -terse admin
-admin 15552000 0 6 2 5 17
-kadmin:
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">get_policy</span> <span class="o">-</span><span class="n">terse</span> <span class="n">admin</span>
+<span class="n">admin</span> <span class="mi">15552000</span> <span class="mi">0</span> <span class="mi">6</span> <span class="mi">2</span> <span class="mi">5</span> <span class="mi">17</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
-<p>The &#8220;Reference count&#8221; is the number of principals using that policy.
+<p>The “Reference count” is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.</p>
</div>
<div class="section" id="list-policies">
-<span id="get-policy-end"></span><span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
+<span id="id16"></span><h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote>
<p>Retrieves all or some policy names. <em>expression</em> is a shell-style
-glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>,
-<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are
+glob expression that can contain the wild-card characters <code class="docutils literal"><span class="pre">?</span></code>,
+<code class="docutils literal"><span class="pre">*</span></code>, and <code class="docutils literal"><span class="pre">[]</span></code>. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are
printed.</p>
<p>This command requires the <strong>list</strong> privilege.</p>
<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols
-test-pol
-dict-only
-once-a-min
-test-pol-nopw
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span>
+<span class="n">test</span><span class="o">-</span><span class="n">pol</span>
+<span class="nb">dict</span><span class="o">-</span><span class="n">only</span>
+<span class="n">once</span><span class="o">-</span><span class="n">a</span><span class="o">-</span><span class="nb">min</span>
+<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span class="n">nopw</span>
-kadmin: listpols t*
-test-pol
-test-pol-nopw
-kadmin:
+<span class="n">kadmin</span><span class="p">:</span> <span class="n">listpols</span> <span class="n">t</span><span class="o">*</span>
+<span class="n">test</span><span class="o">-</span><span class="n">pol</span>
+<span class="n">test</span><span class="o">-</span><span class="n">pol</span><span class="o">-</span><span class="n">nopw</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="ktadd">
-<span id="list-policies-end"></span><span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
+<span id="id17"></span><h3>ktadd<a class="headerlink" href="#ktadd" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><div class="line-block">
<div class="line"><strong>ktadd</strong> [options] <em>principal</em></div>
@@ -761,7 +770,7 @@ kadmin:
</div>
</div></blockquote>
<p>Adds a <em>principal</em>, or all principals matching <em>princ-exp</em>, to a
-keytab file. Each principal&#8217;s keys are randomized in the process.
+keytab file. Each principal’s keys are randomized in the process.
The rules for <em>princ-exp</em> are described in the <strong>list_principals</strong>
command.</p>
<p>This command requires the <strong>inquire</strong> and <strong>changepw</strong> privileges.
@@ -771,9 +780,9 @@ With the <strong>-glob</strong> form, it also requires the <strong>list</strong>
<dt><strong>-k[eytab]</strong> <em>keytab</em></dt>
<dd>Use <em>keytab</em> as the keytab file. Otherwise, the default keytab is
used.</dd>
-<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt>
+<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,…</dt>
<dd>Uses the specified keysalt list for setting the new keys of the
-principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a
+principal. See <a class="reference internal" href="../conf_files/kdc_conf.html#keysalt-lists"><span class="std std-ref">Keysalt lists</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a
list of possible values.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
@@ -782,26 +791,27 @@ list of possible values.</dd>
unchanged. This option cannot be specified in combination with the
<strong>-e</strong> option.</dd>
</dl>
-<p>An entry for each of the principal&#8217;s unique encryption types is added,
+<p>An entry for each of the principal’s unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.</p>
+<p>Alias: <strong>xst</strong></p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
-Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
- encryption type aes256-cts-hmac-sha1-96 added to keytab
- FILE:/tmp/foo-new-keytab
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span>
+ <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span>
+ <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">foo</span><span class="o">-</span><span class="n">new</span><span class="o">-</span><span class="n">keytab</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="ktremove">
-<span id="ktadd-end"></span><span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
+<span id="id18"></span><h3>ktremove<a class="headerlink" href="#ktremove" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>ktremove</strong> [options] <em>principal</em> [<em>kvno</em> | <em>all</em> | <em>old</em>]</div></blockquote>
<p>Removes entries for the specified <em>principal</em> from a keytab. Requires
no permissions, since this does not require database access.</p>
-<p>If the string &#8220;all&#8221; is specified, all entries for that principal are
-removed; if the string &#8220;old&#8221; is specified, all entries for that
+<p>If the string “all” is specified, all entries for that principal are
+removed; if the string “old” is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.</p>
@@ -813,16 +823,17 @@ used.</dd>
<dt><strong>-q</strong></dt>
<dd>Display less verbose information.</dd>
</dl>
+<p>Alias: <strong>ktrem</strong></p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kadmin: ktremove kadmin/admin all
-Entry for principal kadmin/admin with kvno 3 removed from keytab
- FILE:/etc/krb5.keytab
-kadmin:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">ktremove</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="nb">all</span>
+<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span> <span class="n">removed</span> <span class="kn">from</span> <span class="nn">keytab</span>
+ <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">keytab</span>
+<span class="n">kadmin</span><span class="p">:</span>
</pre></div>
</div>
</div>
<div class="section" id="lock">
-<span id="ktremove-end"></span><h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3>
+<h3>lock<a class="headerlink" href="#lock" title="Permalink to this headline">¶</a></h3>
<p>Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.</p>
</div>
@@ -846,9 +857,14 @@ only works with the DB2 KDC database module.</p>
<p>The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.</p>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -891,6 +907,7 @@ interface to the OpenVision Kerberos administration program.</p>
</ul>
</li>
<li><a class="reference internal" href="#history">HISTORY</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -905,6 +922,7 @@ interface to the OpenVision Kerberos administration program.</p>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -912,12 +930,14 @@ interface to the OpenVision Kerberos administration program.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
-<li class="toctree-l3 current"><a class="current reference internal" href="">kadmin</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmin</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
@@ -964,8 +984,8 @@ interface to the OpenVision Kerberos administration program.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html
index d30f4cede9e9..7d66d2b83bf3 100644
--- a/doc/html/admin/admin_commands/kadmind.html
+++ b/doc/html/admin/admin_commands/kadmind.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kadmind &mdash; MIT Kerberos Documentation</title>
-
+ <title>kadmind &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kdb5_util" href="kdb5_util.html" />
<link rel="prev" title="kadmin" href="kadmin_local.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kadmind">
<span id="kadmind-8"></span><h1>kadmind<a class="headerlink" href="#kadmind" title="Permalink to this headline">¶</a></h1>
@@ -83,37 +81,37 @@
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>kadmind starts the Kerberos administration server. kadmind typically
-runs on the master Kerberos server, which stores the KDC database. If
-the KDC database uses the LDAP module, the administration server and
-the KDC server need not run on the same machine. kadmind accepts
-remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> and
-<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> to administer the information in these database.</p>
+runs on the primary Kerberos server, which stores the KDC database.
+If the KDC database uses the LDAP module, the administration server
+and the KDC server need not run on the same machine. kadmind accepts
+remote requests from programs such as <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> and
+<a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> to administer the information in these database.</p>
<p>kadmind requires a number of configuration files to be set up in order
for it to work:</p>
<dl class="docutils">
-<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a></dt>
+<dt><a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a></dt>
<dd>The KDC configuration file contains configuration information for
the KDC and admin servers. kadmind uses settings in this file to
locate the Kerberos database, and is also affected by the
<strong>acl_file</strong>, <strong>dict_file</strong>, <strong>kadmind_port</strong>, and iprop-related
settings.</dd>
-<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></dt>
-<dd>kadmind&#8217;s ACL (access control list) tells it which principals are
+<dt><a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a></dt>
+<dd>kadmind’s ACL (access control list) tells it which principals are
allowed to perform administration actions. The pathname to the
-ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
-variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>.</dd>
+ACL file can be specified with the <strong>acl_file</strong> <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
+variable; by default, it is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kadm5.acl</span></code>.</dd>
</dl>
<p>After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.</p>
<p>kadmind can be configured for incremental database propagation.
-Incremental propagation allows slave KDC servers to receive principal
-and policy updates incrementally instead of receiving full dumps of
-the database. This facility can be enabled in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
-file with the <strong>iprop_enable</strong> option. Incremental propagation
-requires the principal <tt class="docutils literal"><span class="pre">kiprop/MASTER\&#64;REALM</span></tt> (where MASTER is the
-master KDC&#8217;s canonical host name, and REALM the realm name). In
-release 1.13, this principal is automatically created and registered
-into the datebase.</p>
+Incremental propagation allows replica KDC servers to receive
+principal and policy updates incrementally instead of receiving full
+dumps of the database. This facility can be enabled in the
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file with the <strong>iprop_enable</strong> option. Incremental
+propagation requires the principal <code class="docutils literal"><span class="pre">kiprop/PRIMARY\&#64;REALM</span></code> (where
+PRIMARY is the primary KDC’s canonical host name, and REALM the realm
+name). In release 1.13, this principal is automatically created and
+registered into the datebase.</p>
</div>
<div class="section" id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
@@ -128,17 +126,16 @@ invoked with the <strong>-nofork</strong> option) rather than from a file on
disk.</dd>
<dt><strong>-nofork</strong></dt>
<dd>causes the server to remain in the foreground and remain
-associated to the terminal. In normal operation, you should allow
-the server to place itself in the background.</dd>
+associated to the terminal.</dd>
<dt><strong>-proponly</strong></dt>
-<dd>causes the server to only listen and respond to Kerberos slave
+<dd>causes the server to only listen and respond to Kerberos replica
incremental propagation polling requests. This option can be used
-to set up a hierarchical propagation topology where a slave KDC
-provides incremental updates to other Kerberos slaves.</dd>
+to set up a hierarchical propagation topology where a replica KDC
+provides incremental updates to other Kerberos replicas.</dd>
<dt><strong>-port</strong> <em>port-number</em></dt>
<dd>specifies the port on which the administration server listens for
connections. The default port is determined by the
-<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<strong>kadmind_port</strong> configuration variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-P</strong> <em>pid_file</em></dt>
<dd>specifies the file to which the PID of kadmind process should be
written after it starts up. This file can be used to identify
@@ -149,22 +146,27 @@ the correct process.</dd>
KDB in response to full resync requests when iprop is enabled.</dd>
<dt><strong>-K</strong> <em>kprop_path</em></dt>
<dd>specifies the path to the kprop command to use to send full dumps
-to slaves in response to full resync requests.</dd>
+to replicas in response to full resync requests.</dd>
<dt><strong>-k</strong> <em>kprop_port</em></dt>
-<dd>specifies the port by which the kprop process that is spawned by kadmind
-connects to the slave kpropd, in order to transfer the dump file during
-an iprop full resync request.</dd>
+<dd>specifies the port by which the kprop process that is spawned by
+kadmind connects to the replica kpropd, in order to transfer the
+dump file during an iprop full resync request.</dd>
<dt><strong>-F</strong> <em>dump_file</em></dt>
<dd>specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.</dd>
<dt><strong>-x</strong> <em>db_args</em></dt>
-<dd>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for supported arguments.</dd>
+<dd>specifies database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd>
</dl>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>,
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+<p><a class="reference internal" href="../../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>, <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -180,6 +182,7 @@ to full resync requests when iprop is enabled.</dd>
<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#options">OPTIONS</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -194,6 +197,7 @@ to full resync requests when iprop is enabled.</dd>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -201,13 +205,15 @@ to full resync requests when iprop is enabled.</dd>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kadmind</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kadmind</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
@@ -253,8 +259,8 @@ to full resync requests when iprop is enabled.</dd>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html
index b47450502a01..90632d0a66a6 100644
--- a/doc/html/admin/admin_commands/kdb5_ldap_util.html
+++ b/doc/html/admin/admin_commands/kdb5_ldap_util.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kdb5_ldap_util &mdash; MIT Kerberos Documentation</title>
-
+ <title>kdb5_ldap_util &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="krb5kdc" href="krb5kdc.html" />
<link rel="prev" title="kdb5_util" href="kdb5_util.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kdb5-ldap-util">
<span id="kdb5-ldap-util-8"></span><h1>kdb5_ldap_util<a class="headerlink" href="#kdb5-ldap-util" title="Permalink to this headline">¶</a></h1>
@@ -81,6 +79,8 @@ services and ticket policies.</p>
<div class="section" id="command-line-options">
<h2>COMMAND-LINE OPTIONS<a class="headerlink" href="#command-line-options" title="Permalink to this headline">¶</a></h2>
<dl class="docutils" id="kdb5-ldap-util-options">
+<dt><strong>-r</strong> <em>realm</em></dt>
+<dd>Specifies the realm to be operated on.</dd>
<dt><strong>-D</strong> <em>user_dn</em></dt>
<dd>Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.</dd>
@@ -88,9 +88,12 @@ sufficient rights to perform the operation on the LDAP server.</dd>
<dd>Specifies the password of <em>user_dn</em>. This option is not
recommended.</dd>
<dt><strong>-H</strong> <em>ldapuri</em></dt>
-<dd>Specifies the URI of the LDAP server. It is recommended to use
-<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd>
+<dd>Specifies the URI of the LDAP server.</dd>
</dl>
+<p>By default, kdb5_ldap_util operates on the default realm (as specified
+in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) and connects and authenticates to the LDAP
+server in the same manner as :ref:kadmind(8)` would given the
+parameters in <a class="reference internal" href="../conf_files/kdc_conf.html#dbdefaults"><span class="std std-ref">[dbdefaults]</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</div>
<div class="section" id="commands">
<span id="kdb5-ldap-util-options-end"></span><h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
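Review bot: The paragraph added after the option list renders the literal text ":ref:kadmind(8)`" instead of a link, which looks like a reST role missing its opening backtick in the source this page is generated from; the form used elsewhere on the page is `<a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>`. The same hunk shortens the **-H** entry to "Specifies the URI of the LDAP server." and drops the advice to use `ldapi://` or `ldaps://`, so the page no longer mentions transport protection for the bind made with **-D** and its password. I would keep that sentence on the **-H** entry, i.e. `<dd>Specifies the URI of the LDAP server. It is recommended to use ldapi:// or ldaps:// to connect to the LDAP server.</dd>`, unless the guidance has moved to the kdc.conf [dbdefaults] documentation, which is not visible here. The option list edited here opens in the previous hunk.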
@@ -103,9 +106,9 @@ recommended.</dd>
[<strong>-containerref</strong> <em>container_reference_dn</em>]
[<strong>-k</strong> <em>mkeytype</em>]
[<strong>-kv</strong> <em>mkeyVNO</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>]
[<strong>-s</strong>]
-[<strong>-r</strong> <em>realm</em>]
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
[<em>ticket_flags</em>]</div></blockquote>
@@ -114,7 +117,7 @@ recommended.</dd>
<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
<dd>Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
-by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd>
+by colon (<code class="docutils literal"><span class="pre">:</span></code>).</dd>
<dt><strong>-sscope</strong> <em>search_scope</em></dt>
<dd>Specifies the scope for searching the principals under the
subtree. The possible values are 1 or one (one level), 2 or sub
@@ -127,42 +130,44 @@ realm container.</dd>
<dt><strong>-k</strong> <em>mkeytype</em></dt>
<dd>Specifies the key type of the master key in the database. The
default is given by the <strong>master_key_type</strong> variable in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
<dd>Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.</dd>
+<dt><strong>-M</strong> <em>mkeyname</em></dt>
+<dd>Specifies the principal name for the master key in the database.
+If not specified, the name is determined by the
+<strong>master_key_name</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-m</strong></dt>
<dd>Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.</dd>
<dt><strong>-P</strong> <em>password</em></dt>
<dd>Specifies the master database password. This option is not
recommended.</dd>
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
<dt><strong>-sf</strong> <em>stashfilename</em></dt>
<dd>Specifies the stash file of the master database password.</dd>
<dt><strong>-s</strong></dt>
<dd>Specifies that the stash file is to be created.</dd>
<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
principals in this realm.</dd>
<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
tickets for principals in this realm.</dd>
<dt><em>ticket_flags</em></dt>
<dd>Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the <strong>add_principal</strong> command in
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
-Password for &quot;cn=admin,o=org&quot;:
-Initializing database for realm &#39;ATHENA.MIT.EDU&#39;
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:
-Re-enter KDC database master key to verify:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create</span> <span class="o">-</span><span class="n">subtrees</span> <span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">sscope</span> <span class="n">SUB</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">Initializing</span> <span class="n">database</span> <span class="k">for</span> <span class="n">realm</span> <span class="s1">&#39;ATHENA.MIT.EDU&#39;</span>
+<span class="n">You</span> <span class="n">will</span> <span class="n">be</span> <span class="n">prompted</span> <span class="k">for</span> <span class="n">the</span> <span class="n">database</span> <span class="n">Master</span> <span class="n">Password</span><span class="o">.</span>
+<span class="n">It</span> <span class="ow">is</span> <span class="n">important</span> <span class="n">that</span> <span class="n">you</span> <span class="n">NOT</span> <span class="n">FORGET</span> <span class="n">this</span> <span class="n">password</span><span class="o">.</span>
+<span class="n">Enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span><span class="p">:</span>
+<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">KDC</span> <span class="n">database</span> <span class="n">master</span> <span class="n">key</span> <span class="n">to</span> <span class="n">verify</span><span class="p">:</span>
</pre></div>
</div>
</div>
@@ -173,7 +178,6 @@ Re-enter KDC database master key to verify:
[<strong>-subtrees</strong> <em>subtree_dn_list</em>]
[<strong>-sscope</strong> <em>search_scope</em>]
[<strong>-containerref</strong> <em>container_reference_dn</em>]
-[<strong>-r</strong> <em>realm</em>]
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
[<em>ticket_flags</em>]</div></blockquote>
@@ -182,7 +186,7 @@ Re-enter KDC database master key to verify:
<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt>
<dd>Specifies the list of subtrees containing the principals of a
realm. The list contains the DNs of the subtree objects separated
-by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd>
+by colon (<code class="docutils literal"><span class="pre">:</span></code>). This list replaces the existing list.</dd>
<dt><strong>-sscope</strong> <em>search_scope</em></dt>
<dd>Specifies the scope for searching the principals under the
subtrees. The possible values are 1 or one (one level), 2 or sub
@@ -190,65 +194,56 @@ subtrees. The possible values are 1 or one (one level), 2 or sub
<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt>
<dd>container object in which the principals of a realm will be
created.</dd>
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
principals in this realm.</dd>
<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
tickets for principals in this realm.</dd>
<dt><em>ticket_flags</em></dt>
<dd>Specifies global ticket flags for the realm. Allowable flags are
documented in the description of the <strong>add_principal</strong> command in
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
- ldaps://ldap-server1.mit.edu modify +requires_preauth -r
- ATHENA.MIT.EDU
-Password for &quot;cn=admin,o=org&quot;:
-shell%
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
+ <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="n">modify</span> <span class="o">+</span><span class="n">requires_preauth</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">shell</span><span class="o">%</span>
</pre></div>
</div>
</div>
<div class="section" id="view">
<span id="kdb5-ldap-util-modify-end"></span><h3>view<a class="headerlink" href="#view" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-view">
-<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote>
-<p>Displays the attributes of a realm. Options:</p>
-<dl class="docutils">
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
-</dl>
+<div><strong>view</strong></div></blockquote>
+<p>Displays the attributes of a realm.</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- view -r ATHENA.MIT.EDU
-Password for &quot;cn=admin,o=org&quot;:
-Realm Name: ATHENA.MIT.EDU
-Subtree: ou=users,o=org
-Subtree: ou=servers,o=org
-SearchScope: ONE
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">Realm</span> <span class="n">Name</span><span class="p">:</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+<span class="n">Subtree</span><span class="p">:</span> <span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
+<span class="n">Subtree</span><span class="p">:</span> <span class="n">ou</span><span class="o">=</span><span class="n">servers</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
+<span class="n">SearchScope</span><span class="p">:</span> <span class="n">ONE</span>
+<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span>
</pre></div>
</div>
</div>
<div class="section" id="destroy">
<span id="kdb5-ldap-util-view-end"></span><h3>destroy<a class="headerlink" href="#destroy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-destroy">
-<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote>
+<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote>
<p>Destroys an existing realm. Options:</p>
<dl class="docutils">
<dt><strong>-f</strong></dt>
<dd>If specified, will not prompt the user for confirmation.</dd>
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
- ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
+<div class="highlight-default"><div class="highlight"><pre><span></span>shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
+ ldaps://ldap-server1.mit.edu destroy
Password for &quot;cn=admin,o=org&quot;:
Deleting KDC database of &#39;ATHENA.MIT.EDU&#39;, are you sure?
(type &#39;yes&#39; to confirm)? yes
@@ -261,15 +256,15 @@ shell%
<span id="kdb5-ldap-util-destroy-end"></span><h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-list">
<div><strong>list</strong></div></blockquote>
-<p>Lists the name of realms.</p>
+<p>Lists the names of realms under the container.</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H
- ldaps://ldap-server1.mit.edu list
-Password for &quot;cn=admin,o=org&quot;:
-ATHENA.MIT.EDU
-OPENLDAP.MIT.EDU
-MEDIA-LAB.MIT.EDU
-shell%
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span> <span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
+ <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="nb">list</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+<span class="n">OPENLDAP</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+<span class="n">MEDIA</span><span class="o">-</span><span class="n">LAB</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
+<span class="n">shell</span><span class="o">%</span>
</pre></div>
</div>
</div>
@@ -285,22 +280,22 @@ to the LDAP server. Options:</p>
<dl class="docutils">
<dt><strong>-f</strong> <em>filename</em></dt>
<dd>Specifies the complete path of the service password file. By
-default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd>
+default, <code class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></code> is used.</dd>
<dt><em>name</em></dt>
<dd>Specifies the name of the object whose password is to be stored.
-If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for
+If <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> or <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> are configured for
simple binding, this should be the distinguished name it will
use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or
<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
- cn=service-kdc,o=org
-Password for &quot;cn=service-kdc,o=org&quot;:
-Re-enter password for &quot;cn=service-kdc,o=org&quot;:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="n">stashsrvpw</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">andrew</span><span class="o">/</span><span class="n">conf_keyfile</span>
+ <span class="n">cn</span><span class="o">=</span><span class="n">service</span><span class="o">-</span><span class="n">kdc</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=service-kdc,o=org&quot;</span><span class="p">:</span>
+<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="s2">&quot;cn=service-kdc,o=org&quot;</span><span class="p">:</span>
</pre></div>
</div>
</div>
@@ -308,35 +303,32 @@ Re-enter password for &quot;cn=service-kdc,o=org&quot;:
<span id="kdb5-ldap-util-stashsrvpw-end"></span><h3>create_policy<a class="headerlink" href="#create-policy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-create-policy">
<div><strong>create_policy</strong>
-[<strong>-r</strong> <em>realm</em>]
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
[<em>ticket_flags</em>]
<em>policy_name</em></div></blockquote>
<p>Creates a ticket policy in the directory. Options:</p>
<dl class="docutils">
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum ticket life for
principals.</dd>
<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt>
-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string) Specifies maximum renewable life of
tickets for principals.</dd>
<dt><em>ticket_flags</em></dt>
<dd>Specifies the ticket flags. If this option is not specified, by
default, no restriction will be set by the policy. Allowable
flags are documented in the description of the <strong>add_principal</strong>
-command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd>
+command in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>.</dd>
<dt><em>policy_name</em></dt>
<dd>Specifies the name of the ticket policy.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- create_policy -r ATHENA.MIT.EDU -maxtktlife &quot;1 day&quot;
- -maxrenewlife &quot;1 week&quot; -allow_postdated +needchange
- -allow_forwardable tktpolicy
-Password for &quot;cn=admin,o=org&quot;:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">create_policy</span> <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">&quot;1 day&quot;</span>
+ <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">&quot;1 week&quot;</span> <span class="o">-</span><span class="n">allow_postdated</span> <span class="o">+</span><span class="n">needchange</span>
+ <span class="o">-</span><span class="n">allow_forwardable</span> <span class="n">tktpolicy</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
</pre></div>
</div>
</div>
@@ -344,7 +336,6 @@ Password for &quot;cn=admin,o=org&quot;:
<span id="kdb5-ldap-util-create-policy-end"></span><h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-modify-policy">
<div><strong>modify_policy</strong>
-[<strong>-r</strong> <em>realm</em>]
[<strong>-maxtktlife</strong> <em>max_ticket_life</em>]
[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>]
[<em>ticket_flags</em>]
@@ -352,11 +343,11 @@ Password for &quot;cn=admin,o=org&quot;:
<p>Modifies the attributes of a ticket policy. Options are same as for
<strong>create_policy</strong>.</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H
- ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
- -maxtktlife &quot;60 minutes&quot; -maxrenewlife &quot;10 hours&quot;
- +allow_postdated -requires_preauth tktpolicy
-Password for &quot;cn=admin,o=org&quot;:
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span>
+ <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">modify_policy</span>
+ <span class="o">-</span><span class="n">maxtktlife</span> <span class="s2">&quot;60 minutes&quot;</span> <span class="o">-</span><span class="n">maxrenewlife</span> <span class="s2">&quot;10 hours&quot;</span>
+ <span class="o">+</span><span class="n">allow_postdated</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">tktpolicy</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
</pre></div>
</div>
</div>
@@ -364,21 +355,16 @@ Password for &quot;cn=admin,o=org&quot;:
<span id="kdb5-ldap-util-modify-policy-end"></span><h3>view_policy<a class="headerlink" href="#view-policy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-view-policy">
<div><strong>view_policy</strong>
-[<strong>-r</strong> <em>realm</em>]
<em>policy_name</em></div></blockquote>
-<p>Displays the attributes of a ticket policy. Options:</p>
-<dl class="docutils">
-<dt><em>policy_name</em></dt>
-<dd>Specifies the name of the ticket policy.</dd>
-</dl>
+<p>Displays the attributes of the named ticket policy.</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- view_policy -r ATHENA.MIT.EDU tktpolicy
-Password for &quot;cn=admin,o=org&quot;:
-Ticket policy: tktpolicy
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">view_policy</span> <span class="n">tktpolicy</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">Ticket</span> <span class="n">policy</span><span class="p">:</span> <span class="n">tktpolicy</span>
+<span class="n">Maximum</span> <span class="n">ticket</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">01</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Maximum</span> <span class="n">renewable</span> <span class="n">life</span><span class="p">:</span> <span class="mi">0</span> <span class="n">days</span> <span class="mi">10</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mi">00</span>
+<span class="n">Ticket</span> <span class="n">flags</span><span class="p">:</span> <span class="n">DISALLOW_FORWARDABLE</span> <span class="n">REQUIRES_PWCHANGE</span>
</pre></div>
</div>
</div>
@@ -386,13 +372,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
<span id="kdb5-ldap-util-view-policy-end"></span><h3>destroy_policy<a class="headerlink" href="#destroy-policy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-destroy-policy">
<div><strong>destroy_policy</strong>
-[<strong>-r</strong> <em>realm</em>]
[<strong>-force</strong>]
<em>policy_name</em></div></blockquote>
<p>Destroys an existing ticket policy. Options:</p>
<dl class="docutils">
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
<dt><strong>-force</strong></dt>
<dd>Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.</dd>
@@ -400,8 +383,8 @@ user will be prompted for confirmation before deleting the policy.</dd>
<dd>Specifies the name of the ticket policy.</dd>
</dl>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- destroy_policy -r ATHENA.MIT.EDU tktpolicy
+<div class="highlight-default"><div class="highlight"><pre><span></span>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
+ -r ATHENA.MIT.EDU destroy_policy tktpolicy
Password for &quot;cn=admin,o=org&quot;:
This will delete the policy object &#39;tktpolicy&#39;, are you sure?
(type &#39;yes&#39; to confirm)? yes
@@ -412,28 +395,27 @@ This will delete the policy object &#39;tktpolicy&#39;, are you sure?
<div class="section" id="list-policy">
<span id="kdb5-ldap-util-destroy-policy-end"></span><h3>list_policy<a class="headerlink" href="#list-policy" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-ldap-util-list-policy">
-<div><strong>list_policy</strong>
-[<strong>-r</strong> <em>realm</em>]</div></blockquote>
-<p>Lists the ticket policies in realm if specified or in the default
-realm. Options:</p>
-<dl class="docutils">
-<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the Kerberos realm of the database.</dd>
-</dl>
+<div><strong>list_policy</strong></div></blockquote>
+<p>Lists ticket policies.</p>
<p>Example:</p>
-<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
- list_policy -r ATHENA.MIT.EDU
-Password for &quot;cn=admin,o=org&quot;:
-tktpolicy
-tmppolicy
-userpolicy
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kdb5_ldap_util</span> <span class="o">-</span><span class="n">D</span> <span class="n">cn</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">org</span> <span class="o">-</span><span class="n">H</span> <span class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span class="n">ldap</span><span class="o">-</span><span class="n">server1</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span>
+ <span class="o">-</span><span class="n">r</span> <span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> <span class="n">list_policy</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="s2">&quot;cn=admin,o=org&quot;</span><span class="p">:</span>
+<span class="n">tktpolicy</span>
+<span class="n">tmppolicy</span>
+<span class="n">userpolicy</span>
</pre></div>
</div>
</div>
</div>
+<div class="section" id="environment">
+<span id="kdb5-ldap-util-list-policy-end"></span><h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
-<span id="kdb5-ldap-util-list-policy-end"></span><h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -463,6 +445,7 @@ userpolicy
<li><a class="reference internal" href="#list-policy">list_policy</a></li>
</ul>
</li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -477,6 +460,7 @@ userpolicy
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -484,6 +468,8 @@ userpolicy
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -492,7 +478,7 @@ userpolicy
<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_ldap_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_ldap_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
@@ -536,8 +522,8 @@ userpolicy
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html
index 87493732a708..dcd33e4f9fe4 100644
--- a/doc/html/admin/admin_commands/kdb5_util.html
+++ b/doc/html/admin/admin_commands/kdb5_util.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kdb5_util &mdash; MIT Kerberos Documentation</title>
-
+ <title>kdb5_util &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
<link rel="prev" title="kadmind" href="kadmind.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kdb5-util">
<span id="kdb5-util-8"></span><h1>kdb5_util<a class="headerlink" href="#kdb5-util" title="Permalink to this headline">¶</a></h1>
@@ -71,10 +69,12 @@
[<strong>-r</strong> <em>realm</em>]
[<strong>-d</strong> <em>dbname</em>]
[<strong>-k</strong> <em>mkeytype</em>]
-[<strong>-M</strong> <em>mkeyname</em>]
[<strong>-kv</strong> <em>mkeyVNO</em>]
-[<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-M</strong> <em>mkeyname</em>]
[<strong>-m</strong>]
+[<strong>-sf</strong> <em>stashfilename</em>]
+[<strong>-P</strong> <em>password</em>]
+[<strong>-x</strong> <em>db_args</em>]
<em>command</em> [<em>command_options</em>]</p>
</div>
<div class="section" id="description">
@@ -97,31 +97,34 @@ commands.</p>
<dd>specifies the Kerberos realm of the database.</dd>
<dt><strong>-d</strong> <em>dbname</em></dt>
<dd>specifies the name under which the principal database is stored;
-by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The
+by default the database is that listed in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. The
password policy database and lock files are also derived from this
value.</dd>
<dt><strong>-k</strong> <em>mkeytype</em></dt>
<dd>specifies the key type of the master key in the database. The
default is given by the <strong>master_key_type</strong> variable in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-kv</strong> <em>mkeyVNO</em></dt>
<dd>Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.</dd>
<dt><strong>-M</strong> <em>mkeyname</em></dt>
<dd>principal name for the master key in the database. If not
specified, the name is determined by the <strong>master_key_name</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-m</strong></dt>
<dd>specifies that the master database password should be read from
the keyboard rather than fetched from a file on disk.</dd>
<dt><strong>-sf</strong> <em>stash_file</em></dt>
<dd>specifies the stash filename of the master database password. If
not specified, the filename is determined by the
-<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<strong>key_stash_file</strong> variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</dd>
<dt><strong>-P</strong> <em>password</em></dt>
<dd>specifies the master database password. Using this option may
expose the password to other users on the system via the process
list.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>specifies database-specific options. See <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for
+supported options.</dd>
</dl>
</div>
<div class="section" id="commands">
@@ -147,34 +150,33 @@ the <strong>-f</strong> argument, does not prompt the user.</p>
<span id="kdb5-util-destroy-end"></span><h3>stash<a class="headerlink" href="#stash" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-util-stash">
<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote>
-<p>Stores the master principal&#8217;s keys in a stash file. The <strong>-f</strong>
+<p>Stores the master principal’s keys in a stash file. The <strong>-f</strong>
argument can be used to override the <em>keyfile</em> specified in
-<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>.</p>
</div>
<div class="section" id="dump">
<span id="kdb5-util-stash-end"></span><h3>dump<a class="headerlink" href="#dump" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-util-dump">
-<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>]
-[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>]
-[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote>
+<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>]
+[<strong>-verbose</strong>] [<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong>
+<em>mkey_file</em>] [<strong>-rev</strong>] [<strong>-recurse</strong>] [<em>filename</em>
+[<em>principals</em>…]]</div></blockquote>
<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By
-default, the database is dumped in current format, &#8220;kdb5_util
-load_dump version 7&#8221;. If filename is not specified, or is the string
-&#8220;-&#8221;, the dump is sent to standard output. Options:</p>
+default, the database is dumped in current format, “kdb5_util
+load_dump version 7”. If filename is not specified, or is the string
+“-“, the dump is sent to standard output. Options:</p>
<dl class="docutils">
<dt><strong>-b7</strong></dt>
-<dd>causes the dump to be in the Kerberos 5 Beta 7 format (&#8220;kdb5_util
-load_dump version 4&#8221;). This was the dump format produced on
+<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util
+load_dump version 4”). This was the dump format produced on
releases prior to 1.2.2.</dd>
-<dt><strong>-ov</strong></dt>
-<dd>causes the dump to be in &#8220;ovsec_adm_export&#8221; format.</dd>
<dt><strong>-r13</strong></dt>
-<dd>causes the dump to be in the Kerberos 5 1.3 format (&#8220;kdb5_util
-load_dump version 5&#8221;). This was the dump format produced on
+<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util
+load_dump version 5”). This was the dump format produced on
releases prior to 1.8.</dd>
<dt><strong>-r18</strong></dt>
-<dd>causes the dump to be in the Kerberos 5 1.8 format (&#8220;kdb5_util
-load_dump version 6&#8221;). This was the dump format produced on
+<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util
+load_dump version 6”). This was the dump format produced on
releases prior to 1.11.</dd>
<dt><strong>-verbose</strong></dt>
<dd>causes the name of each principal and policy to be printed as it
@@ -210,8 +212,8 @@ doing a normal dump instead of a recursive traversal.</p>
<div class="section" id="load">
<span id="kdb5-util-dump-end"></span><h3>load<a class="headerlink" href="#load" title="Permalink to this headline">¶</a></h3>
<blockquote id="kdb5-util-load">
-<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>]
-[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote>
+<div><strong>load</strong> [<strong>-b7</strong>|<strong>-r13</strong>|<strong>-r18</strong>] [<strong>-hash</strong>]
+[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em></div></blockquote>
<p>Loads a database dump from the named file into the named database. If
no option is given to determine the format of the dump file, the
format is detected automatically and handled as appropriate. Unless
@@ -223,24 +225,22 @@ database module, the <strong>-update</strong> flag is required.</p>
<dl class="docutils">
<dt><strong>-b7</strong></dt>
<dd>requires the database to be in the Kerberos 5 Beta 7 format
-(&#8220;kdb5_util load_dump version 4&#8221;). This was the dump format
+(“kdb5_util load_dump version 4”). This was the dump format
produced on releases prior to 1.2.2.</dd>
-<dt><strong>-ov</strong></dt>
-<dd>requires the database to be in &#8220;ovsec_adm_import&#8221; format. Must be
-used with the <strong>-update</strong> option.</dd>
<dt><strong>-r13</strong></dt>
-<dd>requires the database to be in Kerberos 5 1.3 format (&#8220;kdb5_util
-load_dump version 5&#8221;). This was the dump format produced on
+<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util
+load_dump version 5”). This was the dump format produced on
releases prior to 1.8.</dd>
<dt><strong>-r18</strong></dt>
-<dd>requires the database to be in Kerberos 5 1.8 format (&#8220;kdb5_util
-load_dump version 6&#8221;). This was the dump format produced on
+<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util
+load_dump version 6”). This was the dump format produced on
releases prior to 1.11.</dd>
<dt><strong>-hash</strong></dt>
-<dd>requires the database to be stored as a hash. If this option is
-not specified, the database will be stored as a btree. This
-option is not recommended, as databases stored in hash format are
-known to corrupt data and lose principals.</dd>
+<dd>stores the database in hash format, if using the DB2 database
+type. If this option is not specified, the database will be
+stored in btree format. This option is not recommended, as
+databases stored in hash format are known to corrupt data and lose
+principals.</dd>
<dt><strong>-verbose</strong></dt>
<dd>causes the name of each principal and policy to be printed as it
is dumped.</dd>
@@ -250,13 +250,11 @@ database. Otherwise, a new database is created containing only
what is in the dump file and the old one destroyed upon successful
completion.</dd>
</dl>
-<p>If specified, <em>dbname</em> overrides the value specified on the command
-line or the default.</p>
</div>
<div class="section" id="ark">
<span id="kdb5-util-load-end"></span><h3>ark<a class="headerlink" href="#ark" title="Permalink to this headline">¶</a></h3>
<blockquote>
-<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,...] <em>principal</em></div></blockquote>
+<div><strong>ark</strong> [<strong>-e</strong> <em>enc</em>:<em>salt</em>,…] <em>principal</em></div></blockquote>
<p>Adds new random keys to <em>principal</em> at the next available key version
number. Keys for the current highest key version number will be
preserved. The <strong>-e</strong> option specifies the list of encryption and
@@ -269,12 +267,12 @@ salt types to be used for the new keys.</p>
<p>Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The <strong>-e</strong> option
specifies the encryption type of the new master key; see
-<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible
+<a class="reference internal" href="../conf_files/kdc_conf.html#encryption-types"><span class="std std-ref">Encryption types</span></a> in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> for a list of possible
values. The <strong>-s</strong> option stashes the new master key in the stash
-file, which will be created if it doesn&#8217;t already exist.</p>
-<p>After a new master key is added, it should be propagated to slave
-servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>. Then,
-the stash files on the slave servers should be updated with the
+file, which will be created if it doesn’t already exist.</p>
+<p>After a new master key is added, it should be propagated to replica
+servers via a manual or periodic invocation of <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>. Then,
+the stash files on the replica servers should be updated with the
kdb5_util <strong>stash</strong> command. Once those steps are complete, the key
is ready to be marked active with the kdb5_util <strong>use_mkey</strong> command.</p>
</div>
@@ -286,7 +284,7 @@ is ready to be marked active with the kdb5_util <strong>use_mkey</strong> comman
Once a master key becomes active, it will be used to encrypt newly
created principal keys. If no <em>time</em> argument is given, the current
time is used, causing the specified master key version to become
-active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string.</p>
+active immediately. The format for <em>time</em> is <a class="reference internal" href="../../basic/date_format.html#getdate"><span class="std std-ref">getdate time</span></a> string.</p>
<p>After a new master key becomes active, the kdb5_util
<strong>update_princ_encryption</strong> command can be used to update all
principal keys to be encrypted in the new master key.</p>
@@ -297,8 +295,8 @@ principal keys to be encrypted in the new master key.</p>
<div><strong>list_mkeys</strong></div></blockquote>
<p>List all master keys, from most recent to earliest, in the master key
principal. The output will show the kvno, enctype, and salt type for
-each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>getprinc</strong>. A
-<tt class="docutils literal"><span class="pre">*</span></tt> following an mkey denotes the currently active master key.</p>
+each mkey, similar to the output of <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>getprinc</strong>. A
+<code class="docutils literal"><span class="pre">*</span></code> following an mkey denotes the currently active master key.</p>
</div>
<div class="section" id="purge-mkeys">
<h3>purge_mkeys<a class="headerlink" href="#purge-mkeys" title="Permalink to this headline">¶</a></h3>
@@ -354,7 +352,7 @@ below).</p>
instead of the default tab-separated (unquoted, unescaped) format</dd>
<dt><strong>-e</strong></dt>
<dd>write empty hexadecimal string fields as empty fields instead of
-as &#8220;-1&#8221;.</dd>
+as “-1”.</dd>
<dt><strong>-n</strong></dt>
<dd>produce numeric output for fields that normally have symbolic
output, such as enctypes and flag names. Also requests output of
@@ -372,7 +370,7 @@ output</dd>
<dt><strong>name</strong></dt>
<dd>principal name</dd>
<dt><strong>keyindex</strong></dt>
-<dd>index of this key in the principal&#8217;s key list</dd>
+<dd>index of this key in the principal’s key list</dd>
<dt><strong>kvno</strong></dt>
<dd>key version number</dd>
<dt><strong>enctype</strong></dt>
@@ -432,7 +430,7 @@ set.</p>
<dd>policy object name</dd>
<dt><strong>mkvno</strong></dt>
<dd>key version number of the master key that encrypts this
-principal&#8217;s key data</dd>
+principal’s key data</dd>
<dt><strong>hist_kvno</strong></dt>
<dd>key version number of the history key that encrypts the key
history data for this principal</dd>
@@ -467,27 +465,32 @@ lifetimes</p>
</dd>
</dl>
<p>Examples:</p>
-<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util tabdump -o keyinfo.txt keyinfo
+<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util tabdump -o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
+K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
-bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
$ sqlite3
sqlite&gt; .mode tabs
sqlite&gt; .import keyinfo.txt keyinfo
-sqlite&gt; select * from keyinfo where enctype like &#39;des-cbc-%&#39;;
-bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+sqlite&gt; select * from keyinfo where enctype like &#39;aes256-%&#39;;
+K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
sqlite&gt; .quit
-$ awk -F&#39;\t&#39; &#39;$4 ~ /des-cbc-/ { print }&#39; keyinfo.txt
-bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
+$ awk -F&#39;\t&#39; &#39;$4 ~ /aes256-/ { print }&#39; keyinfo.txt
+K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
</pre></div>
</div>
</div>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a></p>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -518,6 +521,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<li><a class="reference internal" href="#tabdump">tabdump</a></li>
</ul>
</li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -532,6 +536,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -539,6 +544,8 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -546,7 +553,7 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Administration programs</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="kadmin_local.html">kadmin</a></li>
<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kdb5_util</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kdb5_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
@@ -591,8 +598,8 @@ bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html
index 73939b48421a..a4fe1a8fef3b 100644
--- a/doc/html/admin/admin_commands/kprop.html
+++ b/doc/html/admin/admin_commands/kprop.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kprop &mdash; MIT Kerberos Documentation</title>
-
+ <title>kprop &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kpropd" href="kpropd.html" />
<link rel="prev" title="krb5kdc" href="krb5kdc.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kprop">
<span id="kprop-8"></span><h1>kprop<a class="headerlink" href="#kprop" title="Permalink to this headline">¶</a></h1>
@@ -73,26 +71,26 @@
[<strong>-d</strong>]
[<strong>-P</strong> <em>port</em>]
[<strong>-s</strong> <em>keytab</em>]
-<em>slave_host</em></p>
+<em>replica_host</em></p>
</div>
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>kprop is used to securely propagate a Kerberos V5 database dump file
-from the master Kerberos server to a slave Kerberos server, which is
-specified by <em>slave_host</em>. The dump file must be created by
-<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p>
+from the primary Kerberos server to a replica Kerberos server, which is
+specified by <em>replica_host</em>. The dump file must be created by
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>.</p>
</div>
<div class="section" id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
<dl class="docutils">
<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the realm of the master server.</dd>
+<dd>Specifies the realm of the primary server.</dd>
<dt><strong>-f</strong> <em>file</em></dt>
<dd>Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
-<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans</span></tt>.</dd>
+<a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/replica_datatrans</span></code>.</dd>
<dt><strong>-P</strong> <em>port</em></dt>
-<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> server
+<dd>Specifies the port to use to contact the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> server
on the remote host.</dd>
<dt><strong>-d</strong></dt>
<dd>Prints debugging information.</dd>
@@ -102,14 +100,13 @@ on the remote host.</dd>
</div>
<div class="section" id="environment">
<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
-<p><em>kprop</em> uses the following environment variable:</p>
-<ul class="simple">
-<li><strong>KRB5_CONFIG</strong></li>
-</ul>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a></p>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
+<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -140,6 +137,7 @@ on the remote host.</dd>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -147,6 +145,8 @@ on the remote host.</dd>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -157,7 +157,7 @@ on the remote host.</dd>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kprop</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
@@ -199,8 +199,8 @@ on the remote host.</dd>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html
index 163f4ac8cd75..2bd16d7d043b 100644
--- a/doc/html/admin/admin_commands/kpropd.html
+++ b/doc/html/admin/admin_commands/kpropd.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kpropd &mdash; MIT Kerberos Documentation</title>
-
+ <title>kpropd &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kproplog" href="kproplog.html" />
<link rel="prev" title="kprop" href="kprop.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kpropd">
<span id="kpropd-8"></span><h1>kpropd<a class="headerlink" href="#kpropd" title="Permalink to this headline">¶</a></h1>
@@ -71,31 +69,33 @@
[<strong>-r</strong> <em>realm</em>]
[<strong>-A</strong> <em>admin_server</em>]
[<strong>-a</strong> <em>acl_file</em>]
-[<strong>-f</strong> <em>slave_dumpfile</em>]
+[<strong>-f</strong> <em>replica_dumpfile</em>]
[<strong>-F</strong> <em>principal_database</em>]
[<strong>-p</strong> <em>kdb5_util_prog</em>]
[<strong>-P</strong> <em>port</em>]
-[<strong>&#8211;pid-file</strong>=<em>pid_file</em>]
+[<strong>–pid-file</strong>=<em>pid_file</em>]
+[<strong>-D</strong>]
[<strong>-d</strong>]
-[<strong>-t</strong>]</p>
+[<strong>-s</strong> <em>keytab_file</em>]</p>
</div>
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
-<p>The <em>kpropd</em> command runs on the slave KDC server. It listens for
-update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> program. If incremental
+<p>The <em>kpropd</em> command runs on the replica KDC server. It listens for
+update requests made by the <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> program. If incremental
propagation is enabled, it periodically requests incremental updates
-from the master KDC.</p>
-<p>When the slave receives a kprop request from the master, kpropd
+from the primary KDC.</p>
+<p>When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
-<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> to load the dumped database into the active
-database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>. This allows the master
-Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a> to propagate its database to
-the slave servers. Upon a successful download of the KDC database
-file, the slave Kerberos server will have an up-to-date KDC database.</p>
+<a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> to load the dumped database into the active
+database which is used by <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>. This allows the primary
+Kerberos server to use <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a> to propagate its database to
+the replica servers. Upon a successful download of the KDC database
+file, the replica Kerberos server will have an up-to-date KDC
+database.</p>
<p>Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service. This is done by adding a line to
-the <tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> file which looks like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+the <code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> file which looks like this:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kprop</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">kpropd</span> <span class="n">kpropd</span>
</pre></div>
</div>
<p>kpropd can also run as a standalone daemon, backgrounding itself and
@@ -107,75 +107,77 @@ not. Prior to release 1.11, the <strong>-S</strong> option is required to run
kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.</p>
<p>Incremental propagation may be enabled with the <strong>iprop_enable</strong>
-variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If incremental propagation is
-enabled, the slave periodically polls the master KDC for updates, at
-an interval determined by the <strong>iprop_slave_poll</strong> variable. If the
-slave receives updates, kpropd updates its log file with any updates
-from the master. <a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to view a summary of
-the update entry log on the slave KDC. If incremental propagation is
-enabled, the principal <tt class="docutils literal"><span class="pre">kiprop/slavehostname&#64;REALM</span></tt> (where
-<em>slavehostname</em> is the name of the slave KDC host, and <em>REALM</em> is the
-name of the Kerberos realm) must be present in the slave&#8217;s keytab
-file.</p>
-<p><a class="reference internal" href="kproplog.html#kproplog-8"><em>kproplog</em></a> can be used to force full replication when iprop is
+variable in <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>. If incremental propagation is
+enabled, the replica periodically polls the primary KDC for updates, at
+an interval determined by the <strong>iprop_replica_poll</strong> variable. If the
+replica receives updates, kpropd updates its log file with any updates
+from the primary. <a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to view a summary of
+the update entry log on the replica KDC. If incremental propagation
+is enabled, the principal <code class="docutils literal"><span class="pre">kiprop/replicahostname&#64;REALM</span></code> (where
+<em>replicahostname</em> is the name of the replica KDC host, and <em>REALM</em> is
+the name of the Kerberos realm) must be present in the replica’s
+keytab file.</p>
+<p><a class="reference internal" href="kproplog.html#kproplog-8"><span class="std std-ref">kproplog</span></a> can be used to force full replication when iprop is
enabled.</p>
</div>
<div class="section" id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
<dl class="docutils">
<dt><strong>-r</strong> <em>realm</em></dt>
-<dd>Specifies the realm of the master server.</dd>
+<dd>Specifies the realm of the primary server.</dd>
<dt><strong>-A</strong> <em>admin_server</em></dt>
<dd>Specifies the server to be contacted for incremental updates; by
-default, the master admin server is contacted.</dd>
+default, the primary admin server is contacted.</dd>
<dt><strong>-f</strong> <em>file</em></dt>
<dd>Specifies the filename where the dumped principal database file is
-to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/from_master</span></tt>.</dd>
+to be stored; by default the dumped database file is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/from_master</span></code>.</dd>
+<dt><strong>-F</strong> <em>kerberos_db</em></dt>
+<dd>Path to the Kerberos database file, if not the default.</dd>
<dt><strong>-p</strong></dt>
-<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>
-program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>SBINDIR</em></a><tt class="docutils literal"><span class="pre">/kdb5_util</span></tt>.</dd>
+<dd>Allows the user to specify the pathname to the <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>
+program; by default the pathname used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">SBINDIR</span></a><code class="docutils literal"><span class="pre">/kdb5_util</span></code>.</dd>
+<dt><strong>-D</strong></dt>
+<dd>In this mode, kpropd will not detach itself from the current job
+and run in the background. Instead, it will run in the
+foreground.</dd>
<dt><strong>-d</strong></dt>
-<dd>Turn on debug mode. In this mode, kpropd will not detach
-itself from the current job and run in the background. Instead,
-it will run in the foreground and print out debugging messages
-during the database propagation.</dd>
-<dt><strong>-t</strong></dt>
-<dd>In standalone mode without incremental propagation, exit after one
-dump file is received. In incremental propagation mode, exit as
-soon as the database is up to date, or if the master returns an
-error.</dd>
+<dd>Turn on debug mode. kpropd will print out debugging messages
+during the database propogation and will run in the foreground
+(implies <strong>-D</strong>).</dd>
<dt><strong>-P</strong></dt>
<dd>Allow for an alternate port number for kpropd to listen on. This
is only useful in combination with the <strong>-S</strong> option.</dd>
<dt><strong>-a</strong> <em>acl_file</em></dt>
<dd>Allows the user to specify the path to the kpropd.acl file; by
-default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kpropd.acl</span></tt>.</dd>
-<dt><strong>&#8211;pid-file</strong>=<em>pid_file</em></dt>
+default the path used is <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/kpropd.acl</span></code>.</dd>
+<dt><strong>–pid-file</strong>=<em>pid_file</em></dt>
<dd>In standalone mode, write the process ID of the daemon into
<em>pid_file</em>.</dd>
+<dt><strong>-s</strong> <em>keytab_file</em></dt>
+<dd>Path to a keytab to use for acquiring acceptor credentials.</dd>
+<dt><strong>-x</strong> <em>db_args</em></dt>
+<dd>Database-specific arguments. See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for supported arguments.</dd>
</dl>
</div>
-<div class="section" id="environment">
-<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
-<p>kpropd uses the following environment variables:</p>
-<ul class="simple">
-<li><strong>KRB5_CONFIG</strong></li>
-<li><strong>KRB5_KDC_PROFILE</strong></li>
-</ul>
-</div>
<div class="section" id="files">
<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
<dl class="docutils">
<dt>kpropd.acl</dt>
<dd>Access file for kpropd; the default location is
-<tt class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></tt>. Each entry is a line
+<code class="docutils literal"><span class="pre">/usr/local/var/krb5kdc/kpropd.acl</span></code>. Each entry is a line
containing the principal of a host from which the local machine
-will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>.</dd>
+will allow Kerberos database propagation via <a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>.</dd>
</dl>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kprop.html#kprop-8"><em>kprop</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, inetd(8)</p>
+<p><a class="reference internal" href="kprop.html#kprop-8"><span class="std std-ref">kprop</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a>,
+<a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, inetd(8)</p>
</div>
</div>
@@ -191,8 +193,8 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#options">OPTIONS</a></li>
-<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -207,6 +209,7 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -214,6 +217,8 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -225,7 +230,7 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kpropd</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kpropd</a></li>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
@@ -266,8 +271,8 @@ will allow Kerberos database propagation via <a class="reference internal" href=
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html
index 50b7c7e4d35a..b3785e701002 100644
--- a/doc/html/admin/admin_commands/kproplog.html
+++ b/doc/html/admin/admin_commands/kproplog.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>kproplog &mdash; MIT Kerberos Documentation</title>
-
+ <title>kproplog &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="ktutil" href="ktutil.html" />
<link rel="prev" title="kpropd" href="kpropd.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="kproplog">
<span id="kproplog-8"></span><h1>kproplog<a class="headerlink" href="#kproplog" title="Permalink to this headline">¶</a></h1>
@@ -75,17 +73,17 @@
<p>The kproplog command displays the contents of the KDC database update
log to standard output. It can be used to keep track of incremental
updates to the principal database. The update log file contains the
-update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><em>kadmind</em></a> process on the master
-KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a> process on the slave KDC servers.
-When updates occur, they are logged to this file. Subsequently any
-KDC slave configured for incremental updates will request the current
-data from the master KDC and update their log file with any updates
-returned.</p>
+update log maintained by the <a class="reference internal" href="kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> process on the primary
+KDC server and the <a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> process on the replica KDC
+servers. When updates occur, they are logged to this file.
+Subsequently any KDC replica configured for incremental updates will
+request the current data from the primary KDC and update their log
+file with any updates returned.</p>
<p>The kproplog command requires read access to the update log file. It
will display update entries only for the KDC it runs on.</p>
<p>If no options are specified, kproplog displays a summary of the update
-log. If invoked on the master, kproplog also displays all of the
-update entries. If invoked on a slave KDC server, kproplog displays
+log. If invoked on the primary, kproplog also displays all of the
+update entries. If invoked on a replica KDC server, kproplog displays
only a summary of the updates, which includes the serial number of the
last update received and the associated time stamp of the last update.</p>
</div>
@@ -93,9 +91,10 @@ last update received and the associated time stamp of the last update.</p>
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
<dl class="docutils">
<dt><strong>-R</strong></dt>
-<dd>Reset the update log. This forces full resynchronization. If used
-on a slave then that slave will request a full resync. If used on
-the master then all slaves will request full resyncs.</dd>
+<dd>Reset the update log. This forces full resynchronization. If
+used on a replica then that replica will request a full resync.
+If used on the primary then all replicas will request full
+resyncs.</dd>
<dt><strong>-h</strong></dt>
<dd>Display a summary of the update log. This information includes
the database version number, state of the database, the number of
@@ -107,20 +106,20 @@ when debugging synchronization between KDC servers.</dd>
<dt><strong>-v</strong></dt>
<dd><p class="first">Display individual attributes per update. An example of the
output generated for one entry:</p>
-<div class="last highlight-python"><div class="highlight"><pre>Update Entry
- Update serial # : 4
- Update operation : Add
- Update principal : test@EXAMPLE.COM
- Update size : 424
- Update committed : True
- Update time stamp : Fri Feb 20 23:37:42 2004
- Attributes changed : 6
- Principal
- Key data
- Password last changed
- Modifying principal
- Modification time
- TL data
+<div class="last highlight-default"><div class="highlight"><pre><span></span><span class="n">Update</span> <span class="n">Entry</span>
+ <span class="n">Update</span> <span class="n">serial</span> <span class="c1"># : 4</span>
+ <span class="n">Update</span> <span class="n">operation</span> <span class="p">:</span> <span class="n">Add</span>
+ <span class="n">Update</span> <span class="n">principal</span> <span class="p">:</span> <span class="n">test</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span>
+ <span class="n">Update</span> <span class="n">size</span> <span class="p">:</span> <span class="mi">424</span>
+ <span class="n">Update</span> <span class="n">committed</span> <span class="p">:</span> <span class="kc">True</span>
+ <span class="n">Update</span> <span class="n">time</span> <span class="n">stamp</span> <span class="p">:</span> <span class="n">Fri</span> <span class="n">Feb</span> <span class="mi">20</span> <span class="mi">23</span><span class="p">:</span><span class="mi">37</span><span class="p">:</span><span class="mi">42</span> <span class="mi">2004</span>
+ <span class="n">Attributes</span> <span class="n">changed</span> <span class="p">:</span> <span class="mi">6</span>
+ <span class="n">Principal</span>
+ <span class="n">Key</span> <span class="n">data</span>
+ <span class="n">Password</span> <span class="n">last</span> <span class="n">changed</span>
+ <span class="n">Modifying</span> <span class="n">principal</span>
+ <span class="n">Modification</span> <span class="n">time</span>
+ <span class="n">TL</span> <span class="n">data</span>
</pre></div>
</div>
</dd>
@@ -128,14 +127,12 @@ output generated for one entry:</p>
</div>
<div class="section" id="environment">
<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
-<p>kproplog uses the following environment variables:</p>
-<ul class="simple">
-<li><strong>KRB5_KDC_PROFILE</strong></li>
-</ul>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kpropd.html#kpropd-8"><em>kpropd</em></a></p>
+<p><a class="reference internal" href="kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -166,6 +163,7 @@ output generated for one entry:</p>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -173,6 +171,8 @@ output generated for one entry:</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -185,7 +185,7 @@ output generated for one entry:</p>
<li class="toctree-l3"><a class="reference internal" href="krb5kdc.html">krb5kdc</a></li>
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">kproplog</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">kproplog</a></li>
<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
@@ -225,8 +225,8 @@ output generated for one entry:</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html
index f39779bf4f0e..5cf520b145bf 100644
--- a/doc/html/admin/admin_commands/krb5kdc.html
+++ b/doc/html/admin/admin_commands/krb5kdc.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>krb5kdc &mdash; MIT Kerberos Documentation</title>
-
+ <title>krb5kdc &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="kprop" href="kprop.html" />
<link rel="prev" title="kdb5_ldap_util" href="kdb5_ldap_util.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="krb5kdc">
<span id="krb5kdc-8"></span><h1>krb5kdc<a class="headerlink" href="#krb5kdc" title="Permalink to this headline">¶</a></h1>
@@ -88,31 +86,31 @@ Distribution Center (AS/KDC).</p>
<div class="section" id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2>
<p>The <strong>-r</strong> <em>realm</em> option specifies the realm for which the server
-should provide service.</p>
+should provide service. This option may be specified multiple times
+to serve multiple realms. If no <strong>-r</strong> option is given, the default
+realm (as specified in <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>) will be served.</p>
<p>The <strong>-d</strong> <em>dbname</em> option specifies the name under which the
principal database can be found. This option does not apply to the
LDAP database.</p>
<p>The <strong>-k</strong> <em>keytype</em> option specifies the key type of the master key
to be entered manually as a password when <strong>-m</strong> is given; the default
-is <tt class="docutils literal"><span class="pre">des-cbc-crc</span></tt>.</p>
+is <code class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></code>.</p>
<p>The <strong>-M</strong> <em>mkeyname</em> option specifies the principal name for the
-master key in the database (usually <tt class="docutils literal"><span class="pre">K/M</span></tt> in the KDC&#8217;s realm).</p>
+master key in the database (usually <code class="docutils literal"><span class="pre">K/M</span></code> in the KDC’s realm).</p>
<p>The <strong>-m</strong> option specifies that the master database password should
be fetched from the keyboard rather than from a stash file.</p>
<p>The <strong>-n</strong> option specifies that the KDC does not put itself in the
-background and does not disassociate itself from the terminal. In
-normal operation, you should always allow the KDC to place itself in
-the background.</p>
+background and does not disassociate itself from the terminal.</p>
<p>The <strong>-P</strong> <em>pid_file</em> option tells the KDC to write its PID into
<em>pid_file</em> after it starts up. This can be used to identify whether
the KDC is still running and to allow init scripts to stop the correct
process.</p>
-<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP port numbers
-which the KDC should listen on for Kerberos version 5 requests, as a
-comma-separated list. This value overrides the UDP port numbers
-specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><em>[kdcdefaults]</em></a> section of <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but
-may be overridden by realm-specific values. If no value is given from
-any source, the default port is 88.</p>
+<p>The <strong>-p</strong> <em>portnum</em> option specifies the default UDP and TCP port
+numbers which the KDC should listen on for Kerberos version 5
+requests, as a comma-separated list. This value overrides the port
+numbers specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdcdefaults"><span class="std std-ref">[kdcdefaults]</span></a> section of
+<a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, but may be overridden by realm-specific values.
+If no value is given from any source, the default port is 88.</p>
<p>The <strong>-w</strong> <em>numworkers</em> option tells the KDC to fork <em>numworkers</em>
processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if
@@ -120,15 +118,8 @@ the <strong>-P</strong> option is also given) acts as a supervisor. The supervi
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocess if the it is itself terminated or if
any other worker process exits.</p>
-<div class="admonition note">
-<p class="first admonition-title">Note</p>
-<p class="last">On operating systems which do not have <em>pktinfo</em> support,
-using worker processes will prevent the KDC from listening
-for UDP packets on network interfaces created after the KDC
-starts.</p>
-</div>
<p>The <strong>-x</strong> <em>db_args</em> option specifies database-specific arguments.
-See <a class="reference internal" href="kadmin_local.html#dboptions"><em>Database Options</em></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> for
+See <a class="reference internal" href="kadmin_local.html#dboptions"><span class="std std-ref">Database Options</span></a> in <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for
supported arguments.</p>
<p>The <strong>-T</strong> <em>offset</em> option specifies a time offset, in seconds, which
the KDC will operate under. It is intended only for testing purposes.</p>
@@ -140,29 +131,26 @@ The realms are listed on the command line. Per-realm options that can
be specified on the command line pertain for each realm that follows
it and are superseded by subsequent definitions of the same option.</p>
<p>For example:</p>
-<div class="highlight-python"><div class="highlight"><pre>krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">krb5kdc</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2001</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">2002</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM2</span> <span class="o">-</span><span class="n">r</span> <span class="n">REALM3</span>
</pre></div>
</div>
<p>specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3. Additionally, per-realm parameters may be
-specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file. The location of this file
+specified in the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> file. The location of this file
may be specified by the <strong>KRB5_KDC_PROFILE</strong> environment variable.
Per-realm parameters specified in this file take precedence over
-options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>
+options specified on the command line. See the <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>
description for further details.</p>
</div>
<div class="section" id="environment">
<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
-<p>krb5kdc uses the following environment variables:</p>
-<ul class="simple">
-<li><strong>KRB5_CONFIG</strong></li>
-<li><strong>KRB5_KDC_PROFILE</strong></li>
-</ul>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>,
-<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a></p>
+<p><a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, <a class="reference internal" href="../conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a>,
+<a class="reference internal" href="kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -194,6 +182,7 @@ description for further details.</p>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -201,6 +190,8 @@ description for further details.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -210,7 +201,7 @@ description for further details.</p>
<li class="toctree-l3"><a class="reference internal" href="kadmind.html">kadmind</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_util.html">kdb5_util</a></li>
<li class="toctree-l3"><a class="reference internal" href="kdb5_ldap_util.html">kdb5_ldap_util</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">krb5kdc</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">krb5kdc</a></li>
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
@@ -253,8 +244,8 @@ description for further details.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html
index ba95ebbe71ff..03d052c15b88 100644
--- a/doc/html/admin/admin_commands/ktutil.html
+++ b/doc/html/admin/admin_commands/ktutil.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>ktutil &mdash; MIT Kerberos Documentation</title>
-
+ <title>ktutil &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="k5srvutil" href="k5srvutil.html" />
<link rel="prev" title="kproplog" href="kproplog.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="ktutil">
<span id="ktutil-1"></span><h1>ktutil<a class="headerlink" href="#ktutil" title="Permalink to this headline">¶</a></h1>
@@ -72,16 +70,18 @@
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
<p>The ktutil command invokes a command interface from which an
-administrator can read, write, or edit entries in a keytab or Kerberos
-V4 srvtab file.</p>
+administrator can read, write, or edit entries in a keytab. (Kerberos
+V4 srvtab files are no longer supported.)</p>
</div>
<div class="section" id="commands">
<h2>COMMANDS<a class="headerlink" href="#commands" title="Permalink to this headline">¶</a></h2>
<div class="section" id="list">
<h3>list<a class="headerlink" href="#list" title="Permalink to this headline">¶</a></h3>
<blockquote>
-<div><strong>list</strong></div></blockquote>
-<p>Displays the current keylist.</p>
+<div><strong>list</strong> [<strong>-t</strong>] [<strong>-k</strong>] [<strong>-e</strong>]</div></blockquote>
+<p>Displays the current keylist. If <strong>-t</strong>, <strong>-k</strong>, and/or <strong>-e</strong> are
+specified, also display the timestamp, key contents, or enctype
+(respectively).</p>
<p>Alias: <strong>l</strong></p>
</div>
<div class="section" id="read-kt">
@@ -91,13 +91,6 @@ V4 srvtab file.</p>
<p>Read the Kerberos V5 keytab file <em>keytab</em> into the current keylist.</p>
<p>Alias: <strong>rkt</strong></p>
</div>
-<div class="section" id="read-st">
-<h3>read_st<a class="headerlink" href="#read-st" title="Permalink to this headline">¶</a></h3>
-<blockquote>
-<div><strong>read_st</strong> <em>srvtab</em></div></blockquote>
-<p>Read the Kerberos V4 srvtab file <em>srvtab</em> into the current keylist.</p>
-<p>Alias: <strong>rst</strong></p>
-</div>
<div class="section" id="write-kt">
<h3>write_kt<a class="headerlink" href="#write-kt" title="Permalink to this headline">¶</a></h3>
<blockquote>
@@ -105,13 +98,6 @@ V4 srvtab file.</p>
<p>Write the current keylist into the Kerberos V5 keytab file <em>keytab</em>.</p>
<p>Alias: <strong>wkt</strong></p>
</div>
-<div class="section" id="write-st">
-<h3>write_st<a class="headerlink" href="#write-st" title="Permalink to this headline">¶</a></h3>
-<blockquote>
-<div><strong>write_st</strong> <em>srvtab</em></div></blockquote>
-<p>Write the current keylist into the Kerberos V4 srvtab file <em>srvtab</em>.</p>
-<p>Alias: <strong>wst</strong></p>
-</div>
<div class="section" id="clear-list">
<h3>clear_list<a class="headerlink" href="#clear-list" title="Permalink to this headline">¶</a></h3>
<blockquote>
@@ -130,8 +116,13 @@ V4 srvtab file.</p>
<h3>add_entry<a class="headerlink" href="#add-entry" title="Permalink to this headline">¶</a></h3>
<blockquote>
<div><strong>add_entry</strong> {<strong>-key</strong>|<strong>-password</strong>} <strong>-p</strong> <em>principal</em>
-<strong>-k</strong> <em>kvno</em> <strong>-e</strong> <em>enctype</em> [<strong>-s</strong> <em>salt</em>]</div></blockquote>
-<p>Add <em>principal</em> to keylist using key or password.</p>
+<strong>-k</strong> <em>kvno</em> [<strong>-e</strong> <em>enctype</em>] [<strong>-f</strong>|<strong>-s</strong> <em>salt</em>]</div></blockquote>
+<p>Add <em>principal</em> to keylist using key or password. If the <strong>-f</strong> flag
+is specified, salt information will be fetched from the KDC; in this
+case the <strong>-e</strong> flag may be omitted, or it may be supplied to force a
+particular enctype. If the <strong>-f</strong> flag is not specified, the <strong>-e</strong>
+flag must be specified, and the default salt will be used unless
+overridden with the <strong>-s</strong> option.</p>
<p>Alias: <strong>addent</strong></p>
</div>
<div class="section" id="list-requests">
@@ -152,21 +143,26 @@ V4 srvtab file.</p>
<div class="section" id="example">
<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
<blockquote>
-<div><div class="highlight-python"><div class="highlight"><pre>ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
- aes128-cts-hmac-sha1-96
-Password for alice@BLEEP.COM:
-ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e
- aes256-cts-hmac-sha1-96
-Password for alice@BLEEP.COM:
-ktutil: write_kt keytab
-ktutil:
+<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span>
+ <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
+<span class="n">ktutil</span><span class="p">:</span> <span class="n">add_entry</span> <span class="o">-</span><span class="n">password</span> <span class="o">-</span><span class="n">p</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span> <span class="o">-</span><span class="n">k</span> <span class="mi">1</span> <span class="o">-</span><span class="n">e</span>
+ <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span>
+<span class="n">Password</span> <span class="k">for</span> <span class="n">alice</span><span class="nd">@BLEEP</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
+<span class="n">ktutil</span><span class="p">:</span> <span class="n">write_kt</span> <span class="n">alice</span><span class="o">.</span><span class="n">keytab</span>
+<span class="n">ktutil</span><span class="p">:</span>
</pre></div>
</div>
</div></blockquote>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a></p>
+<p><a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, <a class="reference internal" href="kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a></p>
</div>
</div>
@@ -184,9 +180,7 @@ ktutil:
<li><a class="reference internal" href="#commands">COMMANDS</a><ul>
<li><a class="reference internal" href="#list">list</a></li>
<li><a class="reference internal" href="#read-kt">read_kt</a></li>
-<li><a class="reference internal" href="#read-st">read_st</a></li>
<li><a class="reference internal" href="#write-kt">write_kt</a></li>
-<li><a class="reference internal" href="#write-st">write_st</a></li>
<li><a class="reference internal" href="#clear-list">clear_list</a></li>
<li><a class="reference internal" href="#delete-entry">delete_entry</a></li>
<li><a class="reference internal" href="#add-entry">add_entry</a></li>
@@ -195,6 +189,7 @@ ktutil:
</ul>
</li>
<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -209,6 +204,7 @@ ktutil:
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -216,6 +212,8 @@ ktutil:
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -229,7 +227,7 @@ ktutil:
<li class="toctree-l3"><a class="reference internal" href="kprop.html">kprop</a></li>
<li class="toctree-l3"><a class="reference internal" href="kpropd.html">kpropd</a></li>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">ktutil</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">ktutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="sserver.html">sserver</a></li>
</ul>
@@ -268,8 +266,8 @@ ktutil:
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">
diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html
index 1e5e1941f991..0d7ba0aa6c74 100644
--- a/doc/html/admin/admin_commands/sserver.html
+++ b/doc/html/admin/admin_commands/sserver.html
@@ -1,33 +1,31 @@
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-
- <title>sserver &mdash; MIT Kerberos Documentation</title>
-
+ <title>sserver &#8212; MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
-
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.16',
+ VERSION: '1.21.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
- HAS_SOURCE: true
+ HAS_SOURCE: true,
+ SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="index" title="Index" href="../../genindex.html" />
+ <link rel="search" title="Search" href="../../search.html" />
<link rel="copyright" title="Copyright" href="../../copyright.html" />
- <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
- <link rel="up" title="Administration programs" href="index.html" />
<link rel="next" title="MIT Kerberos defaults" href="../../mitK5defaults.html" />
<link rel="prev" title="k5srvutil" href="k5srvutil.html" />
</head>
@@ -61,7 +59,7 @@
<div class="documentwrapper">
<div class="bodywrapper">
- <div class="body">
+ <div class="body" role="main">
<div class="section" id="sserver">
<span id="sserver-8"></span><h1>sserver<a class="headerlink" href="#sserver" title="Permalink to this headline">¶</a></h1>
@@ -74,39 +72,39 @@
</div>
<div class="section" id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
-<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a> are a simple demonstration client/server
+<p>sserver and <a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a> are a simple demonstration client/server
application. When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication. It makes a
good test that Kerberos has been successfully installed on a machine.</p>
<p>The service name used by sserver and sclient is sample. Hence,
sserver will require that there be a keytab entry for the service
-<tt class="docutils literal"><span class="pre">sample/hostname.domain.name&#64;REALM.NAME</span></tt>. This keytab is generated
-using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a> program. The keytab file is usually
-installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>.</p>
+<code class="docutils literal"><span class="pre">sample/hostname.domain.name&#64;REALM.NAME</span></code>. This keytab is generated
+using the <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program. The keytab file is usually
+installed as <a class="reference internal" href="../../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>.</p>
<p>The <strong>-S</strong> option allows for a different keytab than the default.</p>
<p>sserver is normally invoked out of inetd(8), using a line in
-<tt class="docutils literal"><span class="pre">/etc/inetd.conf</span></tt> that looks like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>sample stream tcp nowait root /usr/local/sbin/sserver sserver
+<code class="docutils literal"><span class="pre">/etc/inetd.conf</span></code> that looks like this:</p>
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="n">stream</span> <span class="n">tcp</span> <span class="n">nowait</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">local</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">sserver</span> <span class="n">sserver</span>
</pre></div>
</div>
-<p>Since <tt class="docutils literal"><span class="pre">sample</span></tt> is normally not a port defined in <tt class="docutils literal"><span class="pre">/etc/services</span></tt>,
-you will usually have to add a line to <tt class="docutils literal"><span class="pre">/etc/services</span></tt> which looks
+<p>Since <code class="docutils literal"><span class="pre">sample</span></code> is normally not a port defined in <code class="docutils literal"><span class="pre">/etc/services</span></code>,
+you will usually have to add a line to <code class="docutils literal"><span class="pre">/etc/services</span></code> which looks
like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>sample 13135/tcp
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sample</span> <span class="mi">13135</span><span class="o">/</span><span class="n">tcp</span>
</pre></div>
</div>
<p>When using sclient, you will first have to have an entry in the
-Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and then you have to get
-Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>. Also, if you are running
+Kerberos database, by using <a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and then you have to get
+Kerberos tickets, by using <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>. Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
files.</p>
<p>When you run sclient you should see something like this:</p>
-<div class="highlight-python"><div class="highlight"><pre>sendauth succeeded, reply is:
-reply len 32, contents:
-You are nlgilman@JIMI.MIT.EDU
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">succeeded</span><span class="p">,</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span>
+<span class="n">reply</span> <span class="nb">len</span> <span class="mi">32</span><span class="p">,</span> <span class="n">contents</span><span class="p">:</span>
+<span class="n">You</span> <span class="n">are</span> <span class="n">nlgilman</span><span class="nd">@JIMI</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span>
</pre></div>
</div>
</div>
@@ -114,50 +112,55 @@ You are nlgilman@JIMI.MIT.EDU
<h2>COMMON ERROR MESSAGES<a class="headerlink" href="#common-error-messages" title="Permalink to this headline">¶</a></h2>
<ol class="arabic">
<li><p class="first">kinit returns the error:</p>
-<div class="highlight-python"><div class="highlight"><pre>kinit: Client not found in Kerberos database while getting
- initial credentials
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kinit</span><span class="p">:</span> <span class="n">Client</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">getting</span>
+ <span class="n">initial</span> <span class="n">credentials</span>
</pre></div>
</div>
-<p>This means that you didn&#8217;t create an entry for your username in the
+<p>This means that you didn’t create an entry for your username in the
Kerberos database.</p>
</li>
<li><p class="first">sclient returns the error:</p>
-<div class="highlight-python"><div class="highlight"><pre>unknown service sample/tcp; check /etc/services
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">unknown</span> <span class="n">service</span> <span class="n">sample</span><span class="o">/</span><span class="n">tcp</span><span class="p">;</span> <span class="n">check</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">services</span>
</pre></div>
</div>
-<p>This means that you don&#8217;t have an entry in /etc/services for the
+<p>This means that you don’t have an entry in /etc/services for the
sample tcp port.</p>
</li>
<li><p class="first">sclient returns the error:</p>
-<div class="highlight-python"><div class="highlight"><pre>connect: Connection refused
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">connect</span><span class="p">:</span> <span class="n">Connection</span> <span class="n">refused</span>
</pre></div>
</div>
-<p>This probably means you didn&#8217;t edit /etc/inetd.conf correctly, or
-you didn&#8217;t restart inetd after editing inetd.conf.</p>
+<p>This probably means you didn’t edit /etc/inetd.conf correctly, or
+you didn’t restart inetd after editing inetd.conf.</p>
</li>
<li><p class="first">sclient returns the error:</p>
-<div class="highlight-python"><div class="highlight"><pre>sclient: Server not found in Kerberos database while using
- sendauth
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sclient</span><span class="p">:</span> <span class="n">Server</span> <span class="ow">not</span> <span class="n">found</span> <span class="ow">in</span> <span class="n">Kerberos</span> <span class="n">database</span> <span class="k">while</span> <span class="n">using</span>
+ <span class="n">sendauth</span>
</pre></div>
</div>
-<p>This means that the <tt class="docutils literal"><span class="pre">sample/hostname&#64;LOCAL.REALM</span></tt> service was not
+<p>This means that the <code class="docutils literal"><span class="pre">sample/hostname&#64;LOCAL.REALM</span></code> service was not
defined in the Kerberos database; it should be created using
-<a class="reference internal" href="kadmin_local.html#kadmin-1"><em>kadmin</em></a>, and a keytab file needs to be generated to make
+<a class="reference internal" href="kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a>, and a keytab file needs to be generated to make
the key for that service principal available for sclient.</p>
</li>
<li><p class="first">sclient returns the error:</p>
-<div class="highlight-python"><div class="highlight"><pre>sendauth rejected, error reply is:
- &quot;No such file or directory&quot;
+<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sendauth</span> <span class="n">rejected</span><span class="p">,</span> <span class="n">error</span> <span class="n">reply</span> <span class="ow">is</span><span class="p">:</span>
+ <span class="s2">&quot;No such file or directory&quot;</span>
</pre></div>
</div>
-<p>This probably means sserver couldn&#8217;t find the keytab file. It was
+<p>This probably means sserver couldn’t find the keytab file. It was
probably not installed in the proper directory.</p>
</li>
</ol>
</div>
+<div class="section" id="environment">
+<h2>ENVIRONMENT<a class="headerlink" href="#environment" title="Permalink to this headline">¶</a></h2>
+<p>See <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a> for a description of Kerberos environment
+variables.</p>
+</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
-<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><em>sclient</em></a>, services(5), inetd(8)</p>
+<p><a class="reference internal" href="../../user/user_commands/sclient.html#sclient-1"><span class="std std-ref">sclient</span></a>, <a class="reference internal" href="../../user/user_config/kerberos.html#kerberos-7"><span class="std std-ref">kerberos</span></a>, services(5), inetd(8)</p>
</div>
</div>
@@ -173,6 +176,7 @@ probably not installed in the proper directory.</p>
<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#common-error-messages">COMMON ERROR MESSAGES</a></li>
+<li><a class="reference internal" href="#environment">ENVIRONMENT</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -187,6 +191,7 @@ probably not installed in the proper directory.</p>
<li class="toctree-l2"><a class="reference internal" href="../conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
@@ -194,6 +199,8 @@ probably not installed in the proper directory.</p>
<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../spake.html">SPAKE Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
@@ -209,7 +216,7 @@ probably not installed in the proper directory.</p>
<li class="toctree-l3"><a class="reference internal" href="kproplog.html">kproplog</a></li>
<li class="toctree-l3"><a class="reference internal" href="ktutil.html">ktutil</a></li>
<li class="toctree-l3"><a class="reference internal" href="k5srvutil.html">k5srvutil</a></li>
-<li class="toctree-l3 current"><a class="current reference internal" href="">sserver</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="#">sserver</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
@@ -246,8 +253,8 @@ probably not installed in the proper directory.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.16</i><br />
- &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ <div class="right" ><i>Release: 1.21.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2023, MIT.
</div>
<div class="left">