mkpassdb(8) BSD System Manager's Manual mkpassdb(8)
NAME
mkpassdb -- Mac OS X Server Password Server database creation tool
SYNOPSIS
mkpassdb -backupdb path
mkpassdb -changelist
mkpassdb -deleteslot slot-ID
mkpassdb -dump [-v]
mkpassdb -dump [slot-ID]
mkpassdb -getstats [sample-count]
mkpassdb -header
mkpassdb -kerberize
mkpassdb -key
mkpassdb -list
mkpassdb -mergedb path
mkpassdb -mergeparent path omitfile
mkpassdb -setadmin slot-ID [admin-class (0-7)]
mkpassdb -setglobalpolicy "policy1=value1 policy2=value2 etc."
mkpassdb -setkerberos slot-ID KerberosRealm
mkpassdb -setkeyagent slot-ID
mkpassdb -setcomputeraccount [off]
mkpassdb -setpassword slot-ID
mkpassdb -setuserpassword slot-ID
mkpassdb -setrealm realm
mkpassdb -getreplicationinterval
mkpassdb -setreplicationinterval seconds [policy]
mkpassdb -rekeydb [key-size-in-bits]
mkpassdb [-u user] [-m mech] [-a] [-b] [-e count] [-n replica-name] [-o]
[-p] [-q]
DESCRIPTION
mkpassdb creates or modifies the password server database directly.
mkpassdb must be run as root; it will exit otherwise. The -list command
is the only exception.
This tool's purpose is to create and manage the password server database.
It performs operations that are not supported by the password server pro-
tocol because of security concerns. These operations include the creation
and destruction of the database itself, the creation of the RSA security
keys that establish the identity of the password server, the trusted
mechanism list, and the genesis of administrator accounts. It also allows
the root account to make some password server changes on the local sys-
tem.
-backupdb This command is a low-level command that is
invoked by a higher-level tool in normal usage.
Refer to the slapconfig man page. This command
safely creates a snapshot of the password
server database whether or not the daemon is
running.
-changelist Outputs the password server's list of changed
slots that need to be replicated.
-deleteslot Invalidates a slot ID in the database.
-dump Outputs all of the User IDs and their corre-
sponding user names. If a slot-ID is specified,
it prints out more detailed information for a
single slot. If the [-v] option is used, addi-
tional columns are included.
-getstats Outputs statistical information about the pass-
word server activity. If a sample-count is
specified, the output is an array of samples in
XML plist format. The sample count is a posi-
tive integer.
-header Outputs the database header information.
-kerberize Attempts to add kerberos principals for all
non-kerberos accounts in password server.
-key Outputs the RSA public key stored in the data-
base.
-list Outputs all of the SASL mechanisms available to
the password server.
-mergedb This command is a low-level command that is
invoked by a higher-level tool in normal usage.
Refer to the restoredb command in the slapcon-
fig man page. This command merges a snapshot
of the password server database into the cur-
rent database whether or not the daemon is run-
ning. The identity elements of the password
server, including RSA keys and replica name,
are changed to the snapshot's contents.
-mergeparent This command is a low-level command that is
invoked by a higher-level tool in normal usage.
Refer to the mergedb command in the slapconfig
man page. This command merges a snapshot of
the password server database into the current
database whether or not the daemon is running.
The current identity of the password server is
preserved.
-setadmin Promotes a slot-ID to have administrator privi-
leges for the password server. By default,
administrators set with mkpassdb receive the
most priveleged rank (0).
-setglobalpolicy Sets the default policies for all users.
-setkerberos Assigns a Kerberos realm to a password server
account.
-setkeyagent Promotes a slot-ID to have enough administrator
privileges to retrieve session keys on behalf
of other accounts.
-setcomputeraccount Informs the password server that the account
belongs to a computer rather than a user. Com-
puter accounts are not subject to policies and
do not expire. Using the optional "off" argu-
ment changes the state back to a user account.
-setpassword Sets an account password. This assumes the
password is being set by an administrator.
-setuserpassword Sets an account password. This assumes the
user is changing their own password for pur-
poses of policy enforcement.
-setrealm Sets the password server's SASL realm.
-getreplicationinterval Gets the number of seconds between replication
attempts.
-setreplicationinterval Sets the number of seconds between replication
attempts.
-rekeydb Generates a new RSA public/private key pair for
the database. Valid sizes are 1024, 2048, or
3072. This command should be invoked by a
higher-level tool. If run from the command
line, existing users will not be able to
authenticate. The PasswordService daemon must
be turned off with, "NeST -stoppasswordserver"
before this command can be used.
OPTIONS
The following options are available:
-a add a new administrator to an existing database.
-b add a new non-administrative user to an existing database.
-e expand the database to a fixed number of records. If the number is
greater than the current size of the database, then the database is
expanded; otherwise, no action is performed. This option is used by
other setup tools when establishing a replica database. There is no
reason to use it from the command line.
-m mech
establishes a mechanism as weak. If a mechanism is considered weak,
then it can be used to verify passwords but the password server
will not allow write operations to its database. The mechanisms
SMB-NT, SMB-LAN-MANAGER, CRYPT, and APOP are always in the weak
list. Directory Services uses DHX to perform write operations to
the password server.
-n name
Assign a name to a replica
-o overwrite an existing database. Replacing an existing database is
extremely destructive and should not be done unless all password
server users have been removed from the directory system.
-p prompt for a password
-q quiet
-u user
Add this user name to the database.
USAGE
In typical usage, mkpassdb is invoked by another tool. It is used
directly on rare occasion.
FILES & FOLDERS
/Library/Preferences/com.apple.passwordserver.plist - the PasswordService preferences file
/usr/sbin/PasswordService - the password service daemon
/var/db/authserver/authservermain - password database (guard this)
/var/db/authserver/authserverfree - list of free (reusable) slots in the database
/var/db/authserver/authserverreplicas - table of password server replicas
SEE ALSO
NeST(8) PasswordService(8) slapconfig(8)
Mac OS X Server 21 February 2002 Mac OS X Server
Mac OS X 10.6Server - Generated Thu Apr 15 07:13:09 CDT 2010