5.1 Kadmin Options
You can invoke kadmin or kadmin.local with any of the following
options:
- -r REALM
- Use REALM as the default Kerberos realm for the database.
- -p principal
- Use the Kerberos principal principal to authenticate to Kerberos.
If this option is not given, kadmin will append admin to either the
primary principal name, the environment variable USER, or to the
username obtained from getpwuid, in order of preference.
- -q query
- Pass query directly to kadmin. This is useful for writing
scripts that pass specific queries to kadmin.
You can invoke kadmin with any of the following options:
- -k [-t keytab]
- Use the keytab keytab to decrypt the KDC response instead of
prompting for a password on the TTY. In this case, the principal will
be host/hostname. If -t is not used to specify a keytab,
then the default keytab will be used.
- -c credentials_cache
- Use credentials_cache as the credentials cache. The credentials
cache should contain a service ticket for the kadmin/admin service,
which can be acquired with the kinit program. If this option is not
specified, kadmin requests a new service ticket from the KDC, and
stores it in its own temporary ccache.
- -w password
- Use password as the password instead of prompting for one on the
TTY. Note: placing the password for a Kerberos principal with
administration access into a shell script can be dangerous if
unauthorized users gain read access to the script.
- -s admin_server[:port]
- Specifies the admin server that kadmin should contact.
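
The -q, -k/-t and -w options above, combined in an added example that is not part of the original guide: a shell wrapper that runs one query with a keytab instead of -w, refuses a keytab that group or other can access, and flags scripts that pass -w to kadmin. The function names, the KEYTAB variable, the /etc/krb5.keytab default and the listprincs query are assumptions.

```shell
#!/bin/sh
# Added example: run kadmin queries from a script with a keytab (-k -t)
# instead of a password on the command line (-w).

# Assumption: keytab location; override with KEYTAB=/path in the environment.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# keytab_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink) whose mode grants
# nothing to group or other, e.g. 0600 or 0400.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$kt" | cut -c5-10)
    [ "$perms" = "------" ]
}

# script_embeds_password FILE
# Succeeds if FILE contains a kadmin invocation that passes -w.
script_embeds_password() {
    grep -Eq 'kadmin[[:space:]]([^|;&]*[[:space:]])?-w[[:space:]]' "$1"
}

# kadmin_query QUERY
# Runs one query non-interactively; returns 2 without contacting the admin
# server if the keytab is missing or exposed.
kadmin_query() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing: $KEYTAB is missing or accessible to group/other" >&2
        return 2
    fi
    kadmin -k -t "$KEYTAB" -q "$1"
}

# Typical use from a cron job or provisioning script:
#   kadmin_query "listprincs"
```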
You can invoke kadmin.local with any of the following options:
- -d dbname
- Specifies the name of the Kerberos database.
- -e "enctypes ..."
- Sets the list of cryptosystem and salt types to be used for any new
keys created. See Supported Encryption Types and Salts for
available types.
- -m
- Do not authenticate using a keytab. This option will cause kadmin to
prompt for the master database password.