NAME
kadmind
- server for administrative access to Kerberos database
SYNOPSIS
kadmind
file=file
[-c file Xo --config-]
--key-file=file
[-k file Xo]
[--keytab=keytab]
--realm=realm
[-r realm Xo]
[-d | --debug]
--ports=port
[-p port Xo]
DESCRIPTION
kadmind
listens for requests for changes to the Kerberos database and performs
these, subject to permissions. When starting, if stdin is a socket it
assumes that it has been started by
inetd(8),
otherwise it behaves as a daemon, forking processes for each new
connection. The
--debug
option causes
kadmind
to accept exactly one connection, which is useful for debugging.
The
kpasswdd(8)
daemon is responsible for the Kerberos 5 password changing protocol
(used by
kpasswd(1))
This daemon should only be run on the master server, and not on any
slaves.
Principals are always allowed to change their own password and list
their own principal. Apart from that, doing any operation requires
permission explicitly added in the ACL file
/var/heimdal/kadmind.acl
.
The format of this file is:
principal
rights
[principal-pattern]
Where rights is any (comma separated) combination of:
-
change-password or cpw
-
list
-
delete
-
modify
-
add
-
get
-
all
And the optional
principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
Supported options:
- Xo
-
-c file,
--config-file=file
location of config file
- Xo
-
-k file,
--key-file=file
location of master key file
- Xo
-
--keytab=keytab
what keytab to use
- Xo
-
-r realm,
--realm=realm
realm to use
- Xo
-
-d,
--debug
enable debugging
- Xo
-
-p port,
--ports=port
ports to listen to. By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications, with the
special string
``+''
representing the default port.
FILES
/var/heimdal/kadmind.acl
EXAMPLES
This will cause
kadmind
to listen to port 4711 in addition to any
compiled in defaults:
Fl-ports
="+ 4711" &
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
-
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
SEE ALSO
kpasswd(1),
kadmin(8),
kdc(8),
kpasswdd(8)