Next: , Previous: Administrating the Kerberos Database, Up: Administrating the Kerberos Database

5.1 Kadmin Options

You can invoke kadmin or kadmin.local with any of the following options:

Use REALM as the default Kerberos realm for the database.
-p principal
Use the Kerberos principal principal to authenticate to Kerberos. If this option is not given, kadmin will append admin to either the primary principal name, the environment variable USER, or to the username obtained from getpwuid, in order of preference.
-q query
Pass query directly to kadmin. This is useful for writing scripts that pass specific queries to kadmin.

You can invoke kadmin with any of the following options:

-k [-t keytab]
Use the keytab keytab to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the principal will be host/hostname. If -t is not used to specify a keytab, then the default keytab will be used.
-c credentials cache
Use credentials_cache as the credentials cache. The credentials cache should contain a service ticket for the kadmin/admin service, which can be acquired with the kinit program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache.
-w password
Use password as the password instead of prompting for one on the TTY. Note: placing the password for a Kerberos principal with administration access into a shell script can be dangerous if unauthorized users gain read access to the script.
-s admin_server[:port]
Specifies the admin server that kadmin should contact.

You can invoke kadmin.local with an of the follwing options:

-d_ dbname
Specifies the name of the Kerberos database.
-e "enctypes ..."
Sets the list of cryptosystem and salt types to be used for any new keys created. See Supported Encryption Types and Salts for available types.
Do not authenticate using a keytab. This option will cause kadmin to prompt for the master database password.