kdb5_util enables you to create, dump, load, and destroy the Kerberos V5 database. You can also use kdb5_util to create a stash file containing the Kerberos database master key.

The following options are supported:

-d dbname

Specify the database name. .db is appended to whatever name is specified. You can specify an absolute path. If you do not specify the -d option, the default database name is /var/krb5/principal, which becomes /var/krb5/principal.db.

-f stashfile_name

Specify the stash file name. You can specify an absolute path.

-k mkeytype

Specify the master key type. Valid values are des-cbc-crc, des-cbc-md5, and des-cbc-raw.

-m

Enter the master key manually.

-M mkeyname

Specify the master key name.

-P password

Use the specified password instead of the stash file.

-r realm

Use realm as the default database realm.

The following operands are supported:

cmd

Specifies whether to create, destroy, dump, or load the database, or to create a stash file.

You can specify the following commands:

create -s

Creates the database specified by the -d option. You will be prompted for the database master password. If you specify -s, a stash file is created as specified by the -f option. If you did not specify -f, the default stash file name is /var/krb5/.k5.realm. If you use the -f, -k, or -M options when you create a database, then you must use the same options when modifying or destroying the database.

destroy

Destroys the database specified by the -d option.

stash

Creates a stash file. If -f was not specified, the default stash file name is /var/krb5/.k5.realm. You will be prompted for the master database password. This command is useful when you want to generate the stash file from the password.

dump [-verbose] [filename] [principals]

Dumps the Kerberos database to a flat file that can be used for loading or propagating to a slave KDC. See kprop(1M). Specify file name for a location to dump the Kerberos database. If filename is not specified, the principal data is printed to standard error. Specify -verbose to print out the principal names to standard error in addition to being dumping into the file. Use principals to specify the list of principals that should be dumped.

load [-verbose] [-update] filename

Loads the database specified by dbname (see -d option, above) with data from the file specified by filename, which must be a file created by the dump command. Use -update to specify that the existing database should be updated; otherwise, a new database is created. Specify -verbose to print out the principal names to standard error, in addition to being loaded.

/var/krb5/principal.db

Kerberos principal database.

/var/krb5/principal.kadm5

Kerberos administrative database. Contains policy information.

/var/krb5/principal.kadm5.lock

Lock file for the Kerberos administrative database. This file works backwards from most other lock files (that is, kadmin exits with an error if this file does not exist).

See attributes(5) for descriptions of the following attributes:

kpasswd(1), gkadmin(1M), kadmin(1M), kadmind(1M), kadmin.local(1M), kadm5.acl(4), kdc.conf(4), attributes(5), SEAM(5)