|
This manual page is for Mac OS X Server version 10.6.3If you are running Mac OS X (client), this command is not available. If you are running a different version of Mac OS X Server, view the documentation locally:
Reading manual pagesManual pages are intended as a quick reference for people who already understand a technology.
|
mkpassdb(8) BSD System Manager's Manual mkpassdb(8) NAME mkpassdb -- Mac OS X Server Password Server database creation tool SYNOPSIS mkpassdb -backupdb path mkpassdb -changelist mkpassdb -deleteslot slot-ID mkpassdb -dump [-v] mkpassdb -dump [slot-ID] mkpassdb -getstats [sample-count] mkpassdb -header mkpassdb -kerberize mkpassdb -key mkpassdb -list mkpassdb -mergedb path mkpassdb -mergeparent path omitfile mkpassdb -setadmin slot-ID [admin-class (0-7)] mkpassdb -setglobalpolicy "policy1=value1 policy2=value2 etc." mkpassdb -setkerberos slot-ID KerberosRealm mkpassdb -setkeyagent slot-ID mkpassdb -setcomputeraccount [off] mkpassdb -setpassword slot-ID mkpassdb -setuserpassword slot-ID mkpassdb -setrealm realm mkpassdb -getreplicationinterval mkpassdb -setreplicationinterval seconds [policy] mkpassdb -rekeydb [key-size-in-bits] mkpassdb [-u user] [-m mech] [-a] [-b] [-e count] [-n replica-name] [-o] [-p] [-q] DESCRIPTION mkpassdb creates or modifies the password server database directly. mkpassdb must be run as root; it will exit otherwise. The -list command is the only exception. This tool's purpose is to create and manage the password server database. It performs operations that are not supported by the password server protocol because of security concerns. These operations include the creation and destruction of the database itself, the creation of the RSA security keys that establish the identity of the password server, the trusted mechanism list, and the genesis of adminis-trator administrator trator accounts. It also allows the root account to make some password server changes on the local sys-tem. system. tem. -backupdb This command is a low-level command that is invoked by a higher-level tool in normal usage. Refer to the slapconfig man page. This command safely creates a snapshot of the password server database whether or not the daemon is run-ning. running. ning. -changelist Outputs the password server's list of changed slots that need to be repli-cated. replicated. cated. -deleteslot Invalidates a slot ID in the database. -dump Outputs all of the User IDs and their corresponding user names. If a slot-ID is specified, it prints out more detailed information for a single slot. If the [-v] option is used, additional columns are included. -getstats Outputs statistical information about the password server activity. If a sample-count is specified, the output is an array of samples in XML plist format. The sample count is a positive integer. -header Outputs the database header information. -kerberize Attempts to add kerberos principals for all non-kerberos accounts in password server. -key Outputs the RSA public key stored in the database. -list Outputs all of the SASL mechanisms available to the password server. -mergedb This command is a low-level command that is invoked by a higher-level tool in normal usage. Refer to the restoredb command in the slapconfig man page. This command merges a snapshot of the password server database into the cur-rent current rent database whether or not the daemon is running. The identity elements of the password server, including RSA keys and replica name, are changed to the snapshot's contents. -mergeparent This command is a low-level command that is invoked by a higher-level tool in normal usage. Refer to the mergedb command in the slapconfig man page. This command merges a snapshot of the password server database into the current database whether or not the daemon is running. The current identity of the password server is preserved. -setadmin Promotes a slot-ID to have administrator privileges for the password server. By default, administrators set with mkpassdb receive the most priveleged rank (0). -setglobalpolicy Sets the default policies for all users. -setkerberos Assigns a Kerberos realm to a password server account. -setkeyagent Promotes a slot-ID to have enough administrator privileges to retrieve ses-sion session sion keys on behalf of other accounts. -setcomputeraccount Informs the password server that the account belongs to a computer rather than a user. Computer accounts are not subject to policies and do not expire. Using the optional "off" argument changes the state back to a user account. -setpassword Sets an account password. This assumes the password is being set by an administrator. -setuserpassword Sets an account password. This assumes the user is changing their own pass-word password word for purposes of policy enforcement. -setrealm Sets the password server's SASL realm. -getreplicationinterval Gets the number of seconds between replication attempts. -setreplicationinterval Sets the number of seconds between replication attempts. -rekeydb Generates a new RSA public/private key pair for the database. Valid sizes are 1024, 2048, or 3072. This command should be invoked by a higher-level tool. If run from the command line, existing users will not be able to authenti-cate. authenticate. cate. The PasswordService daemon must be turned off with, "NeST -stoppass-wordserver" -stoppasswordserver" wordserver" before this command can be used. OPTIONS The following options are available: -a add a new administrator to an existing database. -b add a new non-administrative user to an existing database. -e expand the database to a fixed number of records. If the number is greater than the current size of the database, then the database is expanded; otherwise, no action is performed. This option is used by other setup tools when establishing a replica database. There is no reason to use it from the command line. -m mech establishes a mechanism as weak. If a mechanism is considered weak, then it can be used to verify passwords but the password server will not allow write operations to its database. The mechanisms SMB-NT, SMB-LAN-MANAGER, CRYPT, and APOP are always in the weak list. Directory Services uses DHX to perform write operations to the password server. -n name Assign a name to a replica -o overwrite an existing database. Replacing an existing database is extremely destructive and should not be done unless all password server users have been removed from the directory system. -p prompt for a password -q quiet -u user Add this user name to the database. USAGE In typical usage, mkpassdb is invoked by another tool. It is used directly on rare occasion. FILES & FOLDERS /Library/Preferences/com.apple.passwordserver.plist - the PasswordService preferences file /usr/sbin/PasswordService - the password service daemon /var/db/authserver/authservermain - password database (guard this) /var/db/authserver/authserverfree - list of free (reusable) slots in the database /var/db/authserver/authserverreplicas - table of password server replicas SEE ALSO NeST(8) PasswordService(8) slapconfig(8) Mac OS X Server 21 February 2002 Mac OS X Server |
The way to report a problem with this manual page depends on the type of problem: