Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.


KADMIND(8)                  System Manager's Manual                 KADMIND(8)

NAME
     kadmind - server for administrative access to Kerberos database

SYNOPSIS
     kadmind [-c file | --config-file=file] [-k file | --key-file=file]
             [--keytab=keytab] [-r realm | --realm=realm] [-d | --debug]
             [-p port | --ports=port]

DESCRIPTION
     kadmind listens for requests for changes to the Kerberos database and
     performs these, subject to permissions.  When starting, if stdin is a
     socket it assumes that it has been started by inetd(8), otherwise it
     behaves as a daemon, forking processes for each new connection. The
     --debug option causes kadmind to accept exactly one connection, which is
     useful for debugging.

     The kpasswdd(8) daemon is responsible for the Kerberos 5 password
     changing protocol (used by kpasswd(1)).

     This daemon should only be run on the master server, and not on any
     slaves.

     Principals are always allowed to change their own password and list their
     own principal.  Apart from that, doing any operation requires permission
     explicitly added in the ACL file /var/heimdal/kadmind.acl.  The format of
     this file is:

     principal rights [principal-pattern]

     Where rights is any (comma separated) combination of:
        change-password or cpw
        list
        delete
        modify
        add
        get
        get-keys
        all (everything except get-keys)

     And the optional principal-pattern restricts the rights to operations on
     principals that match the glob-style pattern.

     Supported options:

     -c file, --config-file=file
             location of config file

     -k file, --key-file=file
             location of master key file

     --keytab=keytab
             what keytab to use

     -r realm, --realm=realm
             realm to use

     -d, --debug
             enable debugging

     -p port, --ports=port
             ports to listen to. By default, if run as a daemon, it listens to
             port 749, but you can add any number of ports with this option.
             The port string is a whitespace separated list of port
             specifications, with the special string "+" representing the
             default port.

FILES
     /var/heimdal/kadmind.acl

EXAMPLES
     This will cause kadmind to listen to port 4711 in addition to any
     compiled in defaults:

           kadmind --ports="+ 4711" &

     This acl file will grant Joe all rights, and allow Mallory to view and
     add host principals, as well as extract host principal keys (e.g., into
     keytabs).

           joe/admin@EXAMPLE.COM      all
           mallory/admin@EXAMPLE.COM  add,get-keys  host/*@EXAMPLE.COM

SEE ALSO
     kpasswd(1), kadmin(1), kdc(8), kpasswdd(8)

NetBSD 10.99                   December 8, 2004                   NetBSD 10.99