Administration RPC functions

  • CHPASS_PRINCIPAL - Change the password for a principal.

    This function requires CHANGEPW authority or the principal entry must be the authenticated client entry. The new password is subject to the minimum password lifetime, minimum password classes, and minimum password length rules in effect for the Kerberos database. Depending upon the database implementation, existing keys are deleted when the password is changed.

  • CHPASS_PRINCIPAL3 - Change the password for a principal.

    This function is the same as the CHPASS_PRINCIPAL function with the addition that the key types and salt types can be specified. Depending upon the database implementation, existing keys can either be retained or deleted when the password is changed.

  • CHRAND_PRINCIPAL - Generate random keys for a principal.

    This function requires CHANGEPW authority or the principal entry must be the authenticated client entry. The password change is subject to the minimum password lifetime rule in effect for the Kerberos database. Depending upon the database implementation, existing keys are deleted when the random keys are generated.

  • CHRAND_PRINCIPAL3 - Generate random keys for a principal.

    This function is the same as the CHRAND_PRINCIPAL function with the addition that the key types and salt types can be specified. Depending upon the database implementation, existing keys can either be retained or deleted when the random keys are generated.

  • CREATE_POLICY - Create an administration policy.

    This function requires ADD authority. The maximum length of a policy name is 128 characters. The name must consist of displayable graphic characters as determined by the locale in effect for the administration server. The name may not contain the backslash character.

    The following mask flags are supported:
    • KADM5_POLICY - Policy name supplied (required)
    • KADM5_PW_MIN_LIFE - Minimum password lifetime supplied
    • KADM5_PW_MAX_LIFE - Maximum password lifetime supplied
    • KADM5_PW_MIN_LENGTH - Minimum password length supplied
    • KADM5_PW_MIN_CLASSES - Minimum number of password classes supplied
    • KADM5_PW_HISTORY_NUM - Number of password history entries supplied

  • CREATE_PRINCIPAL - Create a principal.

    This function requires ADD authority. The maximum length of a principal name is 235 characters, including the realm name and separator. The name must consist of displayable graphic characters as determined by the locale in effect for the administration server. The name may not contain the backslash or commercial at-sign characters.

    The following principal attributes are supported:
    • KRB5_KDB_DISALLOW_POSTDATED - Disallow post-dated tickets
    • KRB5_KDB_DISALLOW_FORWARDABLE - Disallow forwardable tickets
    • KRB5_KDB_DISALLOW_TGT_BASED - Disallow TGT-based tickets
    • KRB5_KDB_DISALLOW_RENEWABLE - Disallow renewable tickets
    • KRB5_KDB_DISALLOW_PROXIABLE - Disallow proxiable tickets
    • KRB5_KDB_DISALLOW_DUP_SKEY - Disallow duplicate session keys
    • KRB5_KDB_DISALLOW_ALL_TIX - Disallow all tickets
    • KRB5_KDB_REQUIRES_PRE_AUTH - Requires preauthentication
    • KRB5_KDB_REQUIRES_HW_AUTH - Requires hardware authentication
    • KRB5_KDB_REQUIRES_PWCHANGE - Requires password change
    • KRB5_KDB_DISALLOW_SVR - Disallow service tickets
    • KRB5_KDB_PWCHANGE_SERVICE - This is a password change service
    The following mask flags are supported:
    • KADM5_ATTRIBUTES - Principal attributes supplied
    • KADM5_KVNO - Initial key version number supplied
    • KADM5_MAX_LIFE - Maximum ticket lifetime supplied
    • KADM5_MAX_RLIFE - Maximum renewable ticket lifetime supplied
    • KADM5_POLICY - Policy name supplied
    • KADM5_PRINC_EXPIRE_TIME - Account expiration time supplied
    • KADM5_PRINCIPAL - Principal name supplied (required)
    • KADM5_PW_EXPIRATION - Password expiration time supplied
    • KADM5_TL_DATA - Tagged data supplied (the tagged data type must be greater than 255)

  • CREATE_PRINCIPAL3 - Create a principal.

    This function is the same as the CREATE_PRINCIPAL function with the addition that the key types and salt types can be specified.

  • DELETE_POLICY - Delete an administration policy.

    This function requires DELETE authority. An error is returned if the policy is still referred to by Kerberos principals.

  • DELETE_PRINCIPAL - Delete a principal.

    This function requires DELETE authority.

  • GET_POLICY - Get an administration policy.

    This function requires GET authority.

  • GET_POLS - List the administration policy names.

    This function requires LIST authority. An error is returned if there are more than 1000 matches for the search expression.

  • GET_PRINCIPAL - Get a principal.

    This function requires GET authority.

  • GET_PRINCS - List the principal names.

    This function requires LIST authority. An error is returned if there are more than 1000 matches for the search expression.

  • GET_PRIVS - Get administration privileges for the authenticated client.

    This function can be issued by any client. The privileges are obtained by matching the authenticated client name to entries in the /etc/skrb/home/kdc/kadm5.acl control file.

  • MODIFY_POLICY - Modify an administration policy.

    This function requires MODIFY authority.

    The following mask flags are supported:
    • KADM5_PW_MIN_LIFE - Minimum password lifetime supplied
    • KADM5_PW_MAX_LIFE - Maximum password lifetime supplied
    • KADM5_PW_MIN_LENGTH - Minimum password length supplied
    • KADM5_PW_MIN_CLASSES - Minimum number of password classes supplied
    • KADM5_PW_HISTORY_NUM - Number of password history entries supplied

  • MODIFY_PRINCIPAL - Modify a principal.

    This function requires MODIFY authority. Only the maximum ticket lifetime and the maximum renewable ticket lifetime values can be modified for protected principals (the architected Kerberos principals for the realm).

    The following principal attributes are supported:
    • KRB5_KDB_DISALLOW_POSTDATED - Disallow post-dated tickets
    • KRB5_KDB_DISALLOW_FORWARDABLE - Disallow forwardable tickets
    • KRB5_KDB_DISALLOW_TGT_BASED - Disallow TGT-based tickets
    • KRB5_KDB_DISALLOW_RENEWABLE - Disallow renewable tickets
    • KRB5_KDB_DISALLOW_PROXIABLE - Disallow proxiable tickets
    • KRB5_KDB_DISALLOW_DUP_SKEY - Disallow duplicate session keys
    • KRB5_KDB_DISALLOW_ALL_TIX - Disallow all tickets
    • KRB5_KDB_REQUIRES_PRE_AUTH - Requires preauthentication
    • KRB5_KDB_REQUIRES_HW_AUTH - Requires hardware authentication
    • KRB5_KDB_REQUIRES_PWCHANGE - Requires password change
    • KRB5_KDB_DISALLOW_SVR - Disallow service tickets
    • KRB5_KDB_PWCHANGE_SERVICE - This is a password change service
    The following mask flags are supported:
    • KADM5_ATTRIBUTES - Principal attributes supplied
    • KADM5_FAIL_AUTH_COUNT - Failed authentication count supplied
    • KADM5_KVNO - Key version number supplied
    • KADM5_MAX_LIFE - Maximum ticket lifetime supplied
    • KADM5_MAX_RLIFE - Maximum renewable ticket lifetime supplied
    • KADM5_POLICY - Policy name supplied
    • KADM5_POLICY_CLR - No policy is associated with the principal
    • KADM5_PRINC_EXPIRE_TIME - Account expiration time supplied
    • KADM5_PW_EXPIRATION - Password expiration time supplied
    • KADM5_TL_DATA - Tagged data supplied (the tagged data type must be greater than 255)

  • RENAME_PRINCIPAL - Rename a principal.

    This function requires ADD and DELETE authority.

  • SETKEY_PRINCIPAL - Set the encryption keys for a principal.

    This function requires SETKEY authority. The password change is subject to the minimum password lifetime rule in effect for the Kerberos database. Depending upon the database implementation, existing keys are deleted when the new keys are set.

  • SETKEY_PRINCIPAL3 - Set the encryption keys for a principal.

    This function is the same as the SETKEY_PRINCIPAL function with the addition that the salt types can be specified. Depending upon the database implementation, existing keys can either be retained or deleted when the new keys are set.
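An added example, not code from the administration server or its API, that applies the name rules and the per-function authority requirements listed above as a pre-flight check before an RPC is issued. Splitting the principal name into a local part and a realm, and the locale-independent test for "displayable graphic characters", are assumptions.

```python
MAX_PRINCIPAL_NAME = 235   # includes the realm name and the '@' separator
MAX_POLICY_NAME = 128

def _graphic(s):
    # "Displayable graphic characters" approximated locale-independently as
    # printable and non-whitespace; the server's real check depends on its locale.
    return all(c.isprintable() and not c.isspace() for c in s)

def validate_policy_name(name):
    """Return None if name passes the CREATE_POLICY rules, else a reason."""
    if not name or len(name) > MAX_POLICY_NAME:
        return "policy name empty or longer than 128 characters"
    if "\\" in name:
        return "policy name contains a backslash"
    if not _graphic(name):
        return "policy name contains non-graphic characters"
    return None

def validate_principal_name(local, realm):
    """Return None if local@realm passes the CREATE_PRINCIPAL rules, else a reason.
    Assumption: the backslash/at-sign ban applies to the part before the separator."""
    full = f"{local}@{realm}"
    if not local or not realm or len(full) > MAX_PRINCIPAL_NAME:
        return "principal name empty or longer than 235 characters including realm"
    if "\\" in local or "@" in local:
        return "principal name contains a backslash or at-sign"
    if not _graphic(full):
        return "principal name contains non-graphic characters"
    return None

# ACL privilege each RPC function requires, as listed on the page; RENAME needs both.
REQUIRED = {
    "CHPASS_PRINCIPAL": {"CHANGEPW"}, "CHPASS_PRINCIPAL3": {"CHANGEPW"},
    "CHRAND_PRINCIPAL": {"CHANGEPW"}, "CHRAND_PRINCIPAL3": {"CHANGEPW"},
    "CREATE_POLICY": {"ADD"}, "CREATE_PRINCIPAL": {"ADD"},
    "CREATE_PRINCIPAL3": {"ADD"}, "DELETE_POLICY": {"DELETE"},
    "DELETE_PRINCIPAL": {"DELETE"}, "GET_POLICY": {"GET"},
    "GET_PRINCIPAL": {"GET"}, "GET_POLS": {"LIST"}, "GET_PRINCS": {"LIST"},
    "GET_PRIVS": set(), "MODIFY_POLICY": {"MODIFY"},
    "MODIFY_PRINCIPAL": {"MODIFY"}, "RENAME_PRINCIPAL": {"ADD", "DELETE"},
    "SETKEY_PRINCIPAL": {"SETKEY"}, "SETKEY_PRINCIPAL3": {"SETKEY"},
}
# Password and random-key changes on the caller's own entry need no ACL privilege.
SELF_SERVICE = {"CHPASS_PRINCIPAL", "CHPASS_PRINCIPAL3",
                "CHRAND_PRINCIPAL", "CHRAND_PRINCIPAL3"}

def authorized(op, client_privs, client, target=None):
    """True if the authenticated client may issue op against target."""
    if op in SELF_SERVICE and target is not None and target == client:
        return True
    return REQUIRED[op] <= set(client_privs)
```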