Kerberos Database Auditing/Querying

John Devitofranceschi jdvf at
Fri May 25 08:29:09 EDT 2012

Yes, I thought about doing it that way. But I thought I would check if anything that didn't depend on parsing the output of kadmin[.local] was available first.



On May 25, 2012, at 8:21, Oliver Loch <o.loch at> wrote:

> Hi,
> it can be done pretty easily, like this:
> ======== SNIP ======= 8< =============
> #!/usr/bin/env bash
> # kadmin tool to use
> kadmin="/usr/bin/env kadmin.local"
> # local date in seconds since 1970
> ldate="$(date "+%s")"
> # list all principals available
> $kadmin -q getprincs | grep -v -E '^Authenticating.*' | while read line; do
>        # get the expired date of the principal
>        expdate="$($kadmin -q "getprinc ${line}" | grep -E '^Expiration date.*' | awk '{ $1=""; $2=""; print $0}')";
>        # if the principal doesn't expire ...
>        if [[ "$expdate" =~ .*never.* ]]; then
>                # output the principal
>                echo "$line will never expire"
>                # next round please
>                continue;
>        fi
>        # transform date to seconds since 1970
>        pedate=$(date -d "$expdate" "+%s");
>        # if the principals expire date is less than the local date...
>        if [ $pedate -lt $ldate ]; then
>                # output that the principal is expired
>                echo "$line is expired on $expdate";
>        else
>                # output that the principal will expire on $expdate
>                echo "$line is valid till $expdate";
>        fi
> done
> =======>8======= SNAP ==============
> You get the idea?
> KR,
> Oliver
> Am 25.05.2012 um 13:01 schrieb John Devitofranceschi:
>> Are there any tools that would allow someone to generate reports from the KDC (or the local principal file) which answer questions like:
>> Which principals are expired?
>> Which principals have expired passwords?
>> Which principals have passwords that will expire in N days?
>> Which principals have policy "xyzzy"?
>> You get the idea...
>> Any pointers or pointers to pointers appreciated!
>> jd
>> ________________________________________________
>> Kerberos mailing list           Kerberos at
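The shell script above answers the first of the four questions. Below is an added example (not code from this thread or from MIT krb5) that parses the same `getprinc` output and answers all four: expired principals, expired passwords, passwords expiring within N days, and principals on a given policy. It assumes MIT kadmin's `getprinc` text layout ("Label: value" lines, dates printed as "%a %b %d %H:%M:%S %Z %Y", and "[never]" or "[none]" for unset dates), and that the report runs on the KDC where `kadmin.local` can open the database. The sample records are constructed in that layout, not real KDC output; the `sample_record`, `report` and `with_policy` names are this example's own.

```python
#!/usr/bin/env python3
"""Report on MIT Kerberos principals from `kadmin.local -q "getprinc <name>"` output.

Added example for this thread, not code from the thread or from MIT krb5. Assumed:
MIT kadmin's getprinc text layout ("Label: value" lines, dates printed as
"%a %b %d %H:%M:%S %Z %Y", "[never]"/"[none]" for unset dates) and kadmin.local
on PATH for the live path.
"""
import re
import subprocess
from datetime import datetime, timedelta

UNSET = ("[never]", "[none]")
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_kadmin_date(value):
    """'Thu May 10 10:11:12 EDT 2012' -> naive datetime; None for [never]/[none].

    The zone token is dropped, not parsed: strptime's %Z accepts few zone names,
    and kadmin prints the KDC's local zone, so comparisons are against local time
    (assumption: the report runs on the KDC, as kadmin.local itself must).
    """
    value = value.strip()
    if value in UNSET:
        return None
    parts = value.split()
    if len(parts) != 6:
        raise ValueError("unexpected kadmin date: %r" % value)
    del parts[4]  # zone abbreviation
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_getprinc(text):
    """Parse one getprinc record into the fields the report needs."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "principal": fields["Principal"],
        "expires": parse_kadmin_date(fields["Expiration date"]),
        "pw_expires": parse_kadmin_date(fields["Password expiration date"]),
        "policy": fields.get("Policy", "[none]"),
        "attributes": fields.get("Attributes", "").split(),
    }


def report(records, now, days=14):
    """Expired principals, expired passwords, passwords expiring within `days`."""
    soon = now + timedelta(days=days)
    names = lambda pred: [r["principal"] for r in records if pred(r)]
    return {
        "expired": names(lambda r: r["expires"] is not None and r["expires"] <= now),
        "never_expires": names(lambda r: r["expires"] is None),
        "pw_expired": names(lambda r: r["pw_expires"] is not None and r["pw_expires"] <= now),
        "pw_expiring": names(lambda r: r["pw_expires"] is not None
                             and now < r["pw_expires"] <= soon),
    }


def with_policy(records, policy):
    """Principals assigned the named password policy."""
    return [r["principal"] for r in records if r["policy"] == policy]


def fetch_records(kadmin=("kadmin.local",)):
    """Live path: one getprinc per principal, as the shell script above does."""
    def run(query):
        return subprocess.run(list(kadmin) + ["-q", query], capture_output=True,
                              text=True, check=True).stdout
    names = [l.strip() for l in run("getprincs").splitlines()
             if l.strip() and not l.startswith("Authenticating")]
    return [parse_getprinc(run("getprinc " + n)) for n in names]


def sample_record(name, expires, pw_expires, policy):
    """Constructed getprinc-style record for offline use (not real KDC output)."""
    return (f"Principal: {name}\nExpiration date: {expires}\n"
            "Last password change: Mon Jan 09 10:11:12 EST 2012\n"
            f"Password expiration date: {pw_expires}\n"
            "Maximum ticket life: 1 day 00:00:00\nMaximum renewable life: 7 days 00:00:00\n"
            "Last modified: Mon Jan 09 10:11:12 EST 2012 (kadmin/admin@EXAMPLE.COM)\n"
            "Last successful authentication: [never]\nLast failed authentication: [never]\n"
            "Failed password attempts: 0\nNumber of keys: 2\n"
            "Key: vno 1, aes256-cts-hmac-sha1-96\nKey: vno 1, aes128-cts-hmac-sha1-96\n"
            f"MKey: vno 1\nAttributes: REQUIRES_PRE_AUTH\nPolicy: {policy}\n")

SAMPLES = [
    sample_record("alice@EXAMPLE.COM", "[never]", "Thu May 10 10:11:12 EDT 2012", "xyzzy"),
    sample_record("bob@EXAMPLE.COM", "Sat Dec 31 23:59:59 EST 2011", "[never]", "[none]"),
    sample_record("carol@EXAMPLE.COM", "[never]", "Fri Jun 01 00:00:00 EDT 2012", "xyzzy"),
    sample_record("host/kdc1.example.com@EXAMPLE.COM", "[never]", "[never]", "[none]"),
]
NOW = datetime(2012, 5, 25, 12, 0, 0)  # fixed clock so the sample report is reproducible

if __name__ == "__main__":
    recs = [parse_getprinc(s) for s in SAMPLES]
    for key, members in report(recs, NOW).items():
        print(key, members)
    print("policy xyzzy:", with_policy(recs, "xyzzy"))
```

Run as-is it prints the report for the four constructed records; against a real KDC, replace `SAMPLES` with `fetch_records()` and `NOW` with `datetime.now()`, running as a user that can open the principal database. Like the shell script it forks one `kadmin.local` per principal, so on a large database it is slow; parsing a single `kdb5_util dump` file would avoid that, but its record format is not covered here.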
