KADMIN(8) MidnightBSD System Manager’s Manual KADMIN(8)


kadmin — Kerberos administration utility


kadmin [−p string | −-principal=string] [−K string | −-keytab=string] [−c file | −-config-file=file] [−k file | −-key-file=file] [−r realm | −-realm=realm] [−a host | −-admin-server=host] [−s port number | −-server-port=port number] [−l | −-local] [−h | −-help] [−v | −-version] [command]


The kadmin program is used to make modifications to the Kerberos database, either remotely via the kadmind(8) daemon, or locally (with the −l option).

Supported options:

−p string, −-principal=string

principal to authenticate as

−K string, −-keytab=string

keytab for authentication principal

−c file, −-config-file=file

location of config file

−k file, −-key-file=file

location of master key file

−r realm, −-realm=realm

realm to use

−a host, −-admin-server=host

server to contact

−s port number, −-server-port=port number

port to use

−l, −-local

local admin mode

If no command is given on the command line, kadmin will prompt for commands to process. Commands include:

add [−r | −-random-key] [−-random-password] [−p string | −-password=string] [−-key=string] [−-max-ticket-life=lifetime] [−-max-renewable-life=lifetime] [−-attributes=attributes] [−-expiration-time=time] [−-pw-expiration-time=time] principal...

creates a new principal

passwd [−r | −-random-key] [−-random-password] [−p string | −-password=string] [−-key=string] principal...

changes the password of an existing principal

delete principal...

removes a principal

del_enctype principal enctypes...

removes some enctypes from a principal. This can be useful if the service belonging to the principal is known not to handle certain enctypes

ext_keytab [−k string | −-keytab=string] principal...

creates a keytab with the keys of the specified principals

get [−l | −-long] [−s | −-short] [−t | −-terse] expression...

lists the principals that match the expressions (which are shell-glob-like); the long format gives more information, and terse just prints the names

rename from to

renames a principal

modify [−a attributes | −-attributes=attributes] [−-max-ticket-life=lifetime] [−-max-renewable-life=lifetime] [−-expiration-time=time] [−-pw-expiration-time=time] [−-kvno=number] principal

modifies certain attributes of a principal


lists the operations you are allowed to perform

When running in local mode, the following commands can also be used:

dump [−d | −-decrypt] [dump-file]

writes the database in “human readable” form to the specified file, or standard out

init [−-realm-max-ticket-life=string] [−-realm-max-renewable-life=string] realm

initializes the Kerberos database with entries for a new realm. It’s possible to have more than one realm served by one server

load file

reads a previously dumped database, and re-creates that database from scratch

merge file

similar to load but just modifies the database with the entries in the dump file
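
The add, ext_keytab and get commands described above, combined into a wrapper that provisions a service principal and its keytab. This is an added example, not part of the original manual or of Heimdal; KADMIN, ADMIN_PRINC and the function names are hypothetical, and the principal, realm and path in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the manual. KADMIN, ADMIN_PRINC and the function
# names are hypothetical; only the kadmin options come from this page.
KADMIN=${KADMIN:-kadmin}                 # replace with a stub for a dry run
ADMIN_PRINC=${ADMIN_PRINC:-admin/admin}  # assumed admin principal name

# Reject names kadmin could read as an option or as a glob expression.
valid_principal() {
    case $1 in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._/@-]*) return 1 ;;
    esac
    return 0
}

# provision_service PRINCIPAL KEYTAB [REALM]
# e.g. provision_service host/www.example.test /tmp/www.keytab EXAMPLE.TEST
# (constructed names)
provision_service() {
    princ=${1:-}
    keytab=${2:-}
    realm=${3:-}
    valid_principal "$princ" || { echo "bad principal: $princ" >&2; return 2; }
    [ -n "$keytab" ] || { echo "keytab path required" >&2; return 2; }
    # umask only applies to new files, so refuse a path that already exists.
    [ ! -e "$keytab" ] || { echo "$keytab already exists" >&2; return 3; }

    set -- -p "$ADMIN_PRINC"
    [ -z "$realm" ] || set -- "$@" -r "$realm"

    # Random key: the service never has a human-chosen password.
    "$KADMIN" "$@" add --random-key "$princ" || return 1
    # The keytab holds the long-term key, so create it owner-only.
    ( umask 077 && "$KADMIN" "$@" ext_keytab -k "$keytab" "$princ" ) || return 1
    # Print the resulting entry for review.
    "$KADMIN" "$@" get --long "$princ"
}
```

kadmin may prompt for principal attributes that are not supplied on the command line; the add options listed above (such as −-max-ticket-life) set them explicitly.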


kadmind(8), kdc(8)

HEIMDAL September 10, 2000 HEIMDAL