| KADMIN(8) | System Manager's Manual | KADMIN(8) | 
kadmin —
kadmin [-p string | --principal=string]
      [-K string | --keytab=string]
      [-c file | --config-file=file]
      [-k file | --key-file=file]
      [-r realm | --realm=realm]
      [-a host | --admin-server=host]
      [-s port number | --server-port=port number]
      [-l | --local]
      [-h | --help]
      [-v | --version]
      [command]
The kadmin program is used to make modifications to the
  Kerberos database, either remotely via the
  kadmind(8) daemon, or locally
  (with the -l option).
Supported options:
-p string, --principal=string
-K string, --keytab=string
-c file, --config-file=file
-k file, --key-file=file
-r realm, --realm=realm
-a host, --admin-server=host
-s port number, --server-port=port number
-l, --local
If no command is given on the command line,
    kadmin will prompt for commands to process. Some of
    the commands that take one or more principals as argument
    (delete, ext_keytab, get, modify, and passwd)
    will accept a glob style wildcard, and
    perform the operation on all matching principals.
Commands include:
add [-r | --random-key]
    [--random-password]
    [-p string | --password=string]
    [--key=string]
    [--max-ticket-life=lifetime]
    [--max-renewable-life=lifetime]
    [--attributes=attributes]
    [--expiration-time=time]
    [--pw-expiration-time=time]
    [--policy=policy-name]
    principal...
default’.
add_enctype [-r | --random-key]
    principal enctypes...
delete principal...
del_enctype principal enctypes...
ext_keytab [-k string | --keytab=string]
    principal...
get [-l | --long]
    [-s | --short]
    [-t | --terse]
    [-o string | --column-info=string]
    principal...
-o option.
  The argument is a comma-separated list of column names, each optionally followed
  by an equal sign (‘=’) and a column header. Which columns are
  printed by default differs slightly between short and long output.
The default terse output format is similar to -s -o principal=,
    just printing the names of matched principals.
Possible column names include: principal, princ_expire_time,
    pw_expiration, last_pwd_change, max_life, max_rlife,
    mod_time, mod_name, attributes, kvno, mkvno,
    last_success, last_failed, fail_auth_count, policy, and
    keytypes.
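An added example (not part of the original manual page or of Heimdal): a Python helper that parses a -o / --column-info string as described above, rejects column names that are not in the list, and builds the matching kadmin get argument list. The function names and the defaults of -l and -s are assumptions made for illustration.

```python
import shlex

# Column names listed on this page for get's -o / --column-info option.
COLUMNS = (
    "principal", "princ_expire_time", "pw_expiration", "last_pwd_change",
    "max_life", "max_rlife", "mod_time", "mod_name", "attributes", "kvno",
    "mkvno", "last_success", "last_failed", "fail_auth_count", "policy",
    "keytypes",
)


def parse_column_info(spec):
    """Split a column-info string into (column, header) pairs.

    header is None when no '=' was given, and '' for a bare 'name=',
    as in the terse-equivalent '-s -o principal='.
    """
    pairs = []
    for item in spec.split(","):
        name, sep, header = item.partition("=")
        name = name.strip()
        if name not in COLUMNS:
            raise ValueError(f"unknown column name: {name!r}")
        pairs.append((name, header if sep else None))
    return pairs


def build_get_argv(spec, principals, local=True, short=True):
    """Return an argv list for 'kadmin get' after validating the columns.

    Running the list without a shell (e.g. subprocess.run(argv)) hands a
    glob pattern such as '*' to kadmin unexpanded.
    """
    parse_column_info(spec)  # raises ValueError on a misspelled column
    if not principals:
        raise ValueError("at least one principal or glob pattern is required")
    argv = ["kadmin"] + (["-l"] if local else []) + ["get"]
    if short:
        argv.append("-s")
    return argv + ["-o", spec, *principals]


if __name__ == "__main__":
    # Constructed example: password-age columns for every principal.
    spec = "principal=Name,pw_expiration,last_pwd_change,fail_auth_count"
    print(shlex.join(build_get_argv(spec, ["*"])))
```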
modify [-a attributes | --attributes=attributes]
    [--max-ticket-life=lifetime]
    [--max-renewable-life=lifetime]
    [--expiration-time=time]
    [--pw-expiration-time=time]
    [--kvno=number]
    [--policy=policy-name]
    principal...
The only policy supported by Heimdal is ‘default’.
Possible attributes are: new-princ, support-desmd5,
    pwchange-service, disallow-svr, requires-pw-change,
    requires-hw-auth, requires-pre-auth, disallow-all-tix,
    disallow-dup-skey, disallow-proxiable, disallow-renewable,
    disallow-tgt-based, disallow-forwardable, disallow-postdated.
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user
passwd [--keepold]
    [-r | --random-key]
    [--random-password]
    [-p string | --password=string]
    [--key=string]
    principal...
password-quality principal password
privileges
add, add_enctype, change-password, delete, del_enctype,
  get, get-keys, list, and modify.
rename from to
check [realm]
When running in local mode, the following commands can also be used:
dump [-d | --decrypt]
    [-f format | --format=format]
    [dump-file]
--decrypt is used. If --format=MIT is used then the
  dump will be in MIT format. Otherwise it will be in Heimdal format.
init [--realm-max-ticket-life=string]
    [--realm-max-renewable-life=string]
    realm
load file
merge file
load but just
  modifies the database with the entries in the dump file.
stash [-e enctype | --enctype=enctype]
    [-k keyfile | --key-file=keyfile]
    [--convert-file]
    [--master-key-fd=fd]
| Feb 22, 2007 | NetBSD 9.4 |