Configuration and Administration Utilities
The kdb5_util utility helps you manage realms, Kerberos services, and ticket policies.
The kadmin utility helps you manage principals, password policies, and keytab entries.
You can also use iManager to configure and administer Novell Kerberos KDC.
The kdb5_util Utility
The syntax is as follows:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port]
[-t trusted_cert] cmd [cmd_options]
The kdb5_util parameters are described below:
Table 14. kdb5_util Parameter Description
-D | Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.
-w | Password of the user DN. We do not recommend using this option, because the password is visible when you enter it on the command line.
-h | Hostname or IP address of the server hosting the LDAP service for a Kerberos realm.
-p | SSL port number of the LDAP server.
-t | Specifies the file that contains the trusted root certificate of the LDAP server.
The command options include the following:
Table 15. kdb5_util Command Options
The kadmin Utility
You can use the kadmin or kadmin.local utilities to manage principals, keys, and password policies. In Novell Kerberos KDC, kadmin.local is used to access the database (eDirectory) remotely, unlike MIT Kerberos.
kadmin is a client utility and contacts the Administration server, which in turn contacts eDirectory for any administration request.
kadmin.local contacts eDirectory directly to complete the administration request.
The syntax is as follows:
kadmin [-r realm] [-p principal] [-q query] [-s admin_server[:port]]
[-w password] [[-c ccache]|[-k [-t keytab]]]
kadmin.local [-r realm] [-p principal] [-q query] [-x db_args] [-d dbname] [-e "enc:salt ..."] [-m]
cmd [cmd_options]
The kadmin and kadmin.local parameters are described below:
Table 16. kadmin and kadmin.local Parameter Description
-r | Specifies the Kerberos realm. By default, the default_realm parameter of the krb5.conf file is used.
-p | Specifies the principal you will authenticate as.
-q | Passes the query directly to kadmin, which performs the query and then exits.
-s | Specifies the admin server that kadmin should contact.
-c | Uses credentials_cache as the credentials cache. The credentials_cache should contain a service ticket for the kadmin/admin service; it can be acquired with the kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC and stores it in its own temporary ccache.
-k | Uses a keytab to decrypt the KDC response instead of prompting for a password on the keyboard. In this case, the default principal is host/hostname. If no keytab is specified with the -t option, the default keytab is used.
-t | Uses the given keytab to decrypt the KDC response. This can only be used with the -k option.
-x | Specifies database-specific parameters:
    -x nconns=<number_of_connections>: Same as the ldap_conns_per_server parameter in the configuration file.
    -x port=<port_number>: Same as the ldap_ssl_port parameter in the configuration file.
    -x host=<hostname>: Same as the ldap_servers parameter in the configuration file. This option is multivalued.
    -x binddn=<bind_dn>: Equates to ldap_kdc_dn or ldap_kadmind_dn, depending on the service being invoked. For example, if the service is the KDC, binddn equates to ldap_kdc_dn.
    -x bindpwd=<bind_password>: There is no corresponding option in the configuration file. This option overrides the password that would otherwise be read from the ldap_service_password_file.
    -x cert=<certificate_file>: Same as the ldap_root_certificate_file parameter in the configuration file. This option is multivalued.
    -x dbname=<database_name>: Specifies the name of the Kerberos database. This applies only when the local database (DB2) is used as the database back end, not LDAP.
-d | Specifies the name of the Kerberos database.
-e | Sets the list of encryption types and salt types to be used for any new keys created. NOTE: If universal password integration is enabled, refer to .
-m | Do not authenticate using a keytab. This option causes kadmin to prompt for the master database password.
-w | Uses the specified password and does not prompt for it. NOTE: Placing the password of a Kerberos principal with administration access into a shell script can be dangerous if unauthorized users get read access to the script.
The command options include the following:
Table 17. kadmin and kadmin.local Command Options
add_principal, addprinc, ank | Adds a principal.
delete_principal, delprinc | Deletes a principal.
modify_principal, modprinc | Modifies a principal.
change_password, cpw | Sets the principal password.
get_principal, getprinc | Displays the attributes of a principal.
list_principals, listprincs, get_principals, getprincs | Lists all the principals.
add_policy, addpol | Adds a password policy.
modify_policy, modpol | Modifies a password policy.
delete_policy, delpol | Deletes a password policy.
get_policy, getpol | Displays the attributes of a password policy.
list_policies, listpols, get_policies, getpols | Lists the password policies.
ktadd, xst | Adds entries to a keytab.
ktremove, ktrem | Removes entries from a keytab.
The -x db_args specifies the following database-specific parameters: