kdb5_util(1M) System Administration Commands kdb5_util(1M)NAMEkdb5_util - Kerberos Database maintenance utility
SYNOPSIS
/usr/sbin/kdb5_util [-d dbname] [-f stashfile_name]
[-k mkeytype] [-m ] [-M mkeyname] [-P password] [-r realm]
[-x db_args]... cmd
DESCRIPTION
The kdb5_util utility enables you to create, dump, load, and destroy
the Kerberos V5 database. You can also use kdb5_util to create a stash
file containing the Kerberos database master key.
OPTIONS
The following options are supported:
-d dbname
Specify the database name. .db is appended to whatever name is
specified. You can specify an absolute path. If you do not specify
the -d option, the default database name is /var/krb5/principal.
-f stashfile_name
Specify the stash file name. You can specify an absolute path.
-k mkeytype
Specify the master key type. Valid values are des3-cbc-sha1, des-
cbc-crc, des-cbc-md5, des-cbc-raw, arcfour-hmac-md5, arcfour-hmac-
md5-exp, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.
-m
Enter the master key manually.
-M mkeyname
Specify the master key name.
-P password
Use the specified password instead of the stash file.
-r realm
Use realm as the default database realm.
-x db_args
Pass database-specific arguments to kadmin. Supported arguments are
for LDAP and the Berkeley-db2 plug-in. These arguments are:
binddn=binddn
LDAP simple bind DN for authorization on the directory server.
Overrides the ldap_kadmind_dn parameter setting in
krb5.conf(4).
bindpwd=bindpwd
Bind password.
dbname=name
For the Berkeley-db2 plug-in, specifies a name for the Kerberos
database.
nconns=num
Maximum number of server connections.
port=num
Directory server connection port.
OPERANDS
The following operands are supported:
cmd
Specifies whether to create, destroy, dump, or load the database,
or to create a stash file.
You can specify the following commands:
create -s
Creates the database specified by the -d option. You will be
prompted for the database master password. If you specify -s, a
stash file is created as specified by the -f option. If you did
not specify -f, the default stash file name is
/var/krb5/.k5.realm. If you use the -f, -k, or -M options when
you create a database, then you must use the same options when
modifying or destroying the database.
destroy
Destroys the database specified by the -d option.
stash
Creates a stash file. If -f was not specified, the default
stash file name is /var/krb5/.k5.realm. You will be prompted
for the master database password. This command is useful when
you want to generate the stash file from the password.
dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
[-new_mkey_file mkey_file] [-rev] [-recurse] [filename [princi‐
pals...]]
Dumps the current Kerberos and KADM5 database into an ASCII
file. By default, the database is dumped in current format,
"kdb5_util load_dumpversion 5". If filename is not specified or
is the string "-", the dump is sent to standard output. Options
are as follows:
-old
Causes the dump to be in the Kerberos 5 Beta 5 and earlier
dump format ("kdb5_edit load_dump version 2.0").
-b6
Causes the dump to be in the Kerberos 5 Beta 6 format
("kdb5_edit load_dump version 3.0").
-b7
Causes the dump to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
-ov
Causes the dump to be in ovsec_adm_export format.
-verbose
Causes the name of each principal and policy to be dis‐
played as it is dumped.
-mkey_convert
Prompts for a new master key. This new master key will be
used to re-encrypt the key data in the dumpfile. The key
data in the database will not be changed.
-new_mkey_file mkey_file
The filename of a stash file. The master key in this stash
file will be used to re-encrypt the key data in the dump‐
file. The key data in the database will not be changed.
-rev
Dumps in reverse order. This might recover principals that
do not dump normally, in cases where database corruption
has occured.
-recurse
Causes the dump to walk the database recursively (btree
only). This might recover principals that do not dump nor‐
mally, in cases where database corruption has occurred. In
cases of such corruption, this option will probably
retrieve more principals than will the -rev option.
load [-old] [-b6] [-b7] [-ov] [-hash] [-verbose] [-update] filename
dbname [admin_dbname]
Loads a database dump from filename into dbname. Unless the
-old or -b6 option is specified, the format of the dump file is
detected automatically and handled appropriately. Unless the
-update option is specified, load creates a new database con‐
taining only the principals in the dump file, overwriting the
contents of any existing database. The -old option requires the
database to be in the Kerberos 5 Beta 5 or earlier format
("kdb5_edit load_dump version 2.0").
-b6
Requires the database to be in the Kerberos 5 Beta 6 format
("kdb5_edit load_dump version 3.0").
-b7
Requires the database to be in the Kerberos 5 Beta 7 format
("kdb5_util load_dump version 4").
-ov
Requires the database to be in ovsec_adm_import format.
Must be used with the -update option.
-hash
Requires the database to be stored as a hash. If this
option is not specified, the database will be stored as a
btree. This option is not recommended, as databases stored
in hash format are known to corrupt data and lose princi‐
pals.
-verbose
Causes the name of each principal and policy to be dis‐
played as it is dumped.
-update
Records from the dump file are added to or updated in the
existing database. Otherwise, a new database is created
containing only what is in the dump file and the old one is
destroyed upon successful completion.
filename
Required argument that specifies a path to a file contain‐
ing database dump.
dbname
Required argument that overrides the value specified on the
command line or overrides the default.
admin_dbname
Optional argument that is derived from dbname if not speci‐
fied.
EXAMPLES
Example 1 Creating File that Contains Information about Two Principals
The following example creates a file named slavedata that contains the
information about two principals, jdb@ACME.COM and pak@ACME.COM.
# /usr/krb5/bin/kdb5_util dump -verbose slavedata
jdb@ACME.COM pak@ACME.COM
FILES
/var/krb5/principal
Kerberos principal database.
/var/krb5/principal.kadm5
Kerberos administrative database. Contains policy information.
/var/krb5/principal.kadm5.lock
Lock file for the Kerberos administrative database. This file works
backwards from most other lock files (that is, kadmin exits with an
error if this file does not exist).
/var/krb5/principal.ulog
The update log file for incremental propagation.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │system/security/kerberos-5 │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOkpasswd(1), gkadmin(1M), kadmin(1M), kadmind(1M), kadmin.local(1M),
kdb5_ldap_util(1M), kproplog(1M), kadm5.acl(4), kdc.conf(4),
attributes(5), kerberos(5)SunOS 5.11 29 Feb 2008 kdb5_util(1M)
