Date: Sun, 5 Oct 2025 21:09:24 GMT
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 03da141d59ae - main - kadmin.8: Document the new dump -f flag
Message-ID: <202510052109.595L9O2p063884@gitrepo.freebsd.org>
The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=03da141d59ae1da4e66974c466e2cb26f296e6df commit 03da141d59ae1da4e66974c466e2cb26f296e6df Author: Rick Macklem <rmacklem@FreeBSD.org> AuthorDate: 2025-10-05 21:06:26 +0000 Commit: Rick Macklem <rmacklem@FreeBSD.org> CommitDate: 2025-10-05 21:06:26 +0000 kadmin.8: Document the new dump -f flag Commit 5000d023a446 added a new flag to the dump option. This patch documents this new flag. This is a content change. MFC after: 3 days Fixes: 5000d023a446 ("heimdal-kadmin: Add support for the -f dump option") --- crypto/heimdal/kadmin/kadmin.8 | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8 index bd2fd4e7363f..e4555cd529f4 100644 --- a/crypto/heimdal/kadmin/kadmin.8 +++ b/crypto/heimdal/kadmin/kadmin.8 @@ -31,7 +31,7 @@ .\" .\" $Id$ .\" -.Dd Feb 22, 2007 +.Dd October 5, 2025 .Dt KADMIN 8 .Os HEIMDAL .Sh NAME 
@@ -286,14 +286,39 @@ When running in local mode, the following commands can also be used: .Pp .Nm dump .Op Fl d | Fl Fl decrypt +.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format .Op Ar dump-file .Bd -ragged -offset indent Writes the database in -.Dq human readable +.Dq machine readable text form to the specified file, or standard out. If the database is encrypted, the dump will also have encrypted keys, unless .Fl Fl decrypt is used. +.Pp +If +.Fl Fl format=MIT +is used then the dump will be in MIT format. +This option may be used if you require that all principal +passwords be changed after loading the dump into an MIT KDC database. +.Pp +If +.Fl Fl format=<keytab-file> +is used, the +.Dq <keytab-file> +should hold the master key for the +MIT KDC (usually a file called /var/db/krb5kdc/.k5.YOUR.REALM). +This will cause the keys to be re-encrypted in the MIT master +key as well as doing the dump in MIT format. +When this dump is loaded into the MIT KDC's database, +the principals that had at least one strong encryption type +key should work and any keytabs for those principals should still work. +The principcals with only weak encryption keys will require a +.Dq change_password +be done on the MIT KDC to get them working. +The +.Fl Fl decrypt +flag is meaningless for this case. .Ed .Pp .Nm init
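Review bot: In the second hunk (@@ -286,14 +286,39 @@), the added line "The principcals with only weak encryption keys will require a" misspells "principals", and the paragraph never says which encryption types count as strong or weak, so an administrator cannot tell from the page which principals will need change_password after the load; suggest fixing the spelling and either naming the encryption types or pointing to where they are listed. The synopsis adds a single "format" argument, but the description gives it two meanings, the literal MIT and a keytab file path, without saying how the two are told apart; one sentence stating that, plus marking the example path /var/db/krb5kdc/.k5.YOUR.REALM with .Pa, would make the option easier to use correctly. Because the keytab form re-encrypts the keys in the MIT master key, a short remark on how the resulting dump file should be protected would also fit in this paragraph.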