KDB5_UTIL(8) KDB5_UTIL(8)
NAME
kdb5_util - Kerberos database maintenance utility
SYNOPSIS
kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname] [-sf stash_file] [-m] [-P password] command [command_options]
DESCRIPTION
kdb5_util allows an administrator to perform low-level maintenance procedures on the Kerberos and
KADM5 database. Databases can be created, destroyed, and dumped to and loaded from ASCII files.
Additionally, kdb5_util can create a Kerberos master key stash file. kdb5_util subsumes the
functionality of and makes obsolete the previous database maintenance programs kdb5_create, kdb5_edit,
kdb5_destroy, and kdb5_stash.
When kdb5_util is run, it attempts to acquire the master key and open the database. However,
execution continues regardless of whether or not kdb5_util successfully opens the database, because the
database may not exist yet or the stash file may be corrupt.
Note that some KDB plugins may not support all kdb5_util commands.
COMMAND-LINE OPTIONS
-r realm
specifies the Kerberos realm of the database; by default the realm returned by
krb5_default_local_realm(3) is used.
-d dbname
specifies the name under which the principal database is stored; by default the database is
that listed in kdc.conf(5). The KADM5 policy database and lock file are also derived from
this value.
-k mkeytype
specifies the key type of the master key in the database; the default is that given in
kdc.conf.
-M mkeyname
principal name for the master key in the database; the default is that given in kdc.conf.
-m specifies that the master database password should be read from the TTY rather than fetched
from a file on disk.
-sf stash_file
specifies the stash file of the master database password.
-P password
specifies the master database password on the command line. This option is not recommended:
the password is visible to every local user in the process list (ps) and is likely to be
recorded in the shell history. Use -m to read it from the TTY, or a stash file, instead.
COMMANDS
create [-s]
Creates a new database. If the -s option is specified, the stash file is also created. This
command fails if the database already exists. If the command is successful, the database is
opened just as if it had already existed when the program was first run.
destroy [-f]
Destroys the database, first overwriting the disk sectors and then unlinking the files, after
prompting the user for confirmation. With the -f argument, does not prompt the user.
stash [-f keyfile]
Stores the master principal's keys in a stash file. The -f argument can be used to override
the keyfile specified at startup.
dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert] [-new_mkey_file mkey_file] [-rev]
[-recurse] [filename [principals...]]
Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is
dumped in current format, "kdb5_util load_dump version 5". If filename is not specified, or is
the string "-", the dump is sent to standard output. Options:
-old causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format ("kdb5_edit
load_dump version 2.0").
-b6 causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version
3.0").
-b7 causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version
4"). This was the dump format produced on releases prior to 1.2.2.
-ov causes the dump to be in ovsec_adm_export format.
-verbose
causes the name of each principal and policy to be printed as it is dumped.
-mkey_convert
prompts for a new master key. This new master key will be used to re-encrypt the key
data in the dumpfile. The key data in the database will not be changed.
-new_mkey_file mkey_file
the filename of a stash file. The master key in this stash file will be used to re-encrypt
the key data in the dumpfile. The key data in the database will not be changed.
-rev dumps in reverse order. This may recover principals that do not dump normally, in
cases where database corruption has occurred.
-recurse
causes the dump to walk the database recursively (btree only). This may recover
principals that do not dump normally, in cases where database corruption has occurred. In
cases of such corruption, this option will probably retrieve more principals than the
-rev option will.
load [-old] [-b6] [-b7] [-ov] [-hash]
[-verbose] [-update] filename [dbname] [admin_dbname]
Loads a database dump from the named file into the named database. Unless the -old or -b6
option is given, the format of the dump file is detected automatically and handled as
appropriate. Unless the -update option is given, load creates a new database containing only the
principals in the dump file, overwriting the contents of any previously existing database.
Note that when using the LDAP KDB plugin the -update option must be given. Options:
-old requires the database to be in the Kerberos 5 Beta 5 and earlier format ("kdb5_edit
load_dump version 2.0").
-b6 requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump
version 3.0").
-b7 requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump
version 4").
-ov requires the database to be in ovsec_adm_import format. Must be used with the -update
option.
-hash requires the database to be stored as a hash. If this option is not specified, the
database will be stored as a btree. This option is not recommended, as databases
stored in hash format are known to corrupt data and lose principals.
-verbose
causes the name of each principal and policy to be printed as it is loaded.
-update
records from the dump file are added to or updated in the existing database; otherwise,
a new database is created containing only what is in the dump file and the old one
destroyed upon successful completion.
dbname is optional and, when provided, overrides the value specified on the command line or
the default.
admin_dbname
is optional and is derived from dbname if not specified.
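The dump and load commands above are the usual way to back up and restore a KDC, and a plain
load without -update replaces the entire database with whatever is in the file. The following
script is an added example, not part of this man page or of MIT Kerberos: it wraps "kdb5_util dump"
so the dump file is created owner-readable only (it contains the master-key-encrypted principal
keys, so it is as sensitive as the database itself), and it refuses to load a file whose first
line is not one of the dump headers named on this page. The backup directory, the file naming
and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the kdb5_util man page or MIT Kerberos).
# Assumptions: kdb5_util is on PATH and the caller runs with the privileges
# needed to read the KDC database (normally root on the KDC host).

# Dump header lines this script accepts; the strings are the dump format
# identifiers quoted on the man page.
KDB_DUMP_HEADERS="kdb5_util load_dump version 5
kdb5_util load_dump version 4
kdb5_edit load_dump version 3.0
kdb5_edit load_dump version 2.0"

# check_dump_header FILE
# Succeeds only if FILE is non-empty and its first line is a known dump header.
# Run this before "kdb5_util load": a truncated, empty or wrong file would
# otherwise replace the live database with garbage.
check_dump_header() {
    f="$1"
    [ -s "$f" ] || return 1
    first="$(head -n 1 "$f")"
    printf '%s\n' "$KDB_DUMP_HEADERS" | grep -Fxq -- "$first"
}

# dump_version FILE
# Prints the dump format version ("5", "4", "3.0" or "2.0") of a valid dump,
# fails on anything else.
dump_version() {
    check_dump_header "$1" || return 1
    head -n 1 "$1" | sed 's/.* version //'
}

# backup_kdb DESTDIR
# Dumps the current database into DESTDIR with a timestamped name. The dump
# is written under umask 077 so only the owner can read the encrypted keys,
# and the result is checked before reporting success.
backup_kdb() {
    dest="$1"
    out="$dest/kdb-$(date +%Y%m%dT%H%M%S).dump"
    (
        umask 077
        kdb5_util dump "$out"
    ) || return 1
    if ! check_dump_header "$out"; then
        echo "backup_kdb: $out is not a valid dump" >&2
        return 1
    fi
    echo "$out"
}

# restore_kdb FILE
# Loads FILE into the database, replacing it entirely (no -update), after
# verifying the header so an unusable file is rejected before anything is
# destroyed.
restore_kdb() {
    f="$1"
    if ! check_dump_header "$f"; then
        echo "restore_kdb: refusing to load $f: unknown or missing dump header" >&2
        return 1
    fi
    echo "restore_kdb: loading $f (format version $(dump_version "$f"))" >&2
    kdb5_util load "$f"
}

# Command dispatch; with no arguments the script only defines the functions.
case "${1:-}" in
    backup)  backup_kdb "${2:-/var/kerberos/backup}" ;;
    restore) restore_kdb "$2" ;;
esac
```

Usage: "sh kdb-backup.sh backup /var/kerberos/backup" to take a dump, and
"sh kdb-backup.sh restore /var/kerberos/backup/kdb-20240101T000000.dump" to load one. The
stash file is not part of the dump; keep a copy of it (or use the stash command) alongside the
backups, or the restored database cannot be opened.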
dump_v4 [-S] [filename]
Dumps the current database into the Kerberos 4 database dump format. The -S option specifies
the short lifetime algorithm.
load_v4 [-T] [-v] [-h] [-S]
[-t] [-n] [-K] [-s stashfile] inputfile
Loads a Kerberos 4 database dump file. Options:
-K prompts for the V5 master key instead of using the stashed version.
-n prompts for the V4 master key, instead of reading from the stash file.
-s stashfile
gets the V4 master key out of stashfile instead of /.k
-T creates a new krbtgt instead of converting the V4 one. The V5 server will thus not
recognize outstanding tickets, so this should be used with caution.
-v lists each principal as it is converted or ignored.
-t uses a temporary database, then moves that into place, instead of adding the keys to
the current database.
-S Uses the short lifetime algorithm for conversion.
-h Stores the database as a hash instead of a btree. This option is not recommended, as
databases stored in hash format are known to corrupt data and lose principals.
Note: if the Kerberos 4 database had a default expiration date of 12/31/1999 or 12/31/2009
(the compiled in defaults for older or newer Kerberos releases) then any entries which have
the same expiration date will be converted to "never" expire in the version 5 database. If
the default did not match either value, all expiration dates will be preserved.
Also, Kerberos 4 stored a single modification time for any change to a record; Version 5
stores a separate modification time and last password change time. In practice, Version 4
"modifications" were always password changes. load_v4 copies the value into both fields.
ark Adds a random key.
SEE ALSO
kadmin(8)