| 1 |
|
|---|
| 2 | KADMIND(8) BSD System Manager's Manual KADMIND(8)
|
|---|
| 3 |
|
|---|
| 4 | NNAAMMEE
|
|---|
| 5 | kkaaddmmiinndd -- server for administrative access to Kerberos database
|
|---|
| 6 |
|
|---|
| 7 | SSYYNNOOPPSSIISS
|
|---|
| 8 | kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
|
|---|
| 9 | [----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp
|
|---|
| 10 | _p_o_r_t | ----ppoorrttss==_p_o_r_t]
|
|---|
| 11 |
|
|---|
| 12 | DDEESSCCRRIIPPTTIIOONN
|
|---|
| 13 | kkaaddmmiinndd listens for requests for changes to the Kerberos database and
|
|---|
| 14 | performs these, subject to permissions. When starting, if stdin is a
|
|---|
| 15 | socket it assumes that it has been started by inetd(8), otherwise it
|
|---|
| 16 | behaves as a daemon, forking processes for each new connection. The
|
|---|
| 17 | ----ddeebbuugg option causes kkaaddmmiinndd to accept exactly one connection, which is
|
|---|
| 18 | useful for debugging.
|
|---|
| 19 |
|
|---|
| 20 | The kpasswdd(8) daemon is responsible for the Kerberos 5 password chang-
|
|---|
| 21 | ing protocol (used by kpasswd(1)).
|
|---|
| 22 |
|
|---|
| 23 | This daemon should only be run on the master server, and not on any
|
|---|
| 24 | slaves.
|
|---|
| 25 |
|
|---|
| 26 | Principals are always allowed to change their own password and list their
|
|---|
| 27 | own principal. Apart from that, doing any operation requires permission
|
|---|
| 28 | explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of
|
|---|
| 29 | this file is:
|
|---|
| 30 |
|
|---|
| 31 | _p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n]
|
|---|
| 32 |
|
|---|
| 33 | Where rights is any (comma separated) combination of:
|
|---|
| 34 | ++oo change-password or cpw
|
|---|
| 35 | ++oo list
|
|---|
| 36 | ++oo delete
|
|---|
| 37 | ++oo modify
|
|---|
| 38 | ++oo add
|
|---|
| 39 | ++oo get
|
|---|
| 40 | ++oo all
|
|---|
| 41 |
|
|---|
| 42 | And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to operations on
|
|---|
| 43 | principals that match the glob-style pattern.
|
|---|
| 44 |
|
|---|
| 45 | Supported options:
|
|---|
| 46 |
|
|---|
| 47 | --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
|
|---|
| 48 | location of config file
|
|---|
| 49 |
|
|---|
| 50 | --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
|
|---|
| 51 | location of master key file
|
|---|
| 52 |
|
|---|
| 53 | ----kkeeyyttaabb==_k_e_y_t_a_b
|
|---|
| 54 | what keytab to use
|
|---|
| 55 |
|
|---|
| 56 | --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
|
|---|
| 57 | realm to use
|
|---|
| 58 |
|
|---|
| 59 | --dd, ----ddeebbuugg
|
|---|
| 60 | enable debugging
|
|---|
| 61 |
|
|---|
| 62 | --pp _p_o_r_t, ----ppoorrttss==_p_o_r_t
|
|---|
| 63 | ports to listen to. By default, if run as a daemon, it listens to
|
|---|
| 64 | port 749, but you can add any number of ports with this option.
|
|---|
| 65 | The port string is a whitespace separated list of port specifica-
|
|---|
| 66 | tions, with the special string ``+'' representing the default
|
|---|
| 67 | port.
|
|---|
| 68 |
|
|---|
| 69 | FFIILLEESS
|
|---|
| 70 | _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l
|
|---|
| 71 |
|
|---|
| 72 | EEXXAAMMPPLLEESS
|
|---|
| 73 | This will cause kkaaddmmiinndd to listen to port 4711 in addition to any com-
|
|---|
| 74 | piled in defaults:
|
|---|
| 75 |
|
|---|
| 76 | kkaaddmmiinndd ----ppoorrttss="+ 4711" &
|
|---|
| 77 |
|
|---|
| 78 | This acl file will grant Joe all rights, and allow Mallory to view and
|
|---|
| 79 | add host principals.
|
|---|
| 80 |
|
|---|
| 81 | joe/admin@EXAMPLE.COM all
|
|---|
| 82 | mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
|
|---|
| 83 |
|
|---|
| 84 | SSEEEE AALLSSOO
|
|---|
| 85 | kpasswd(1), kadmin(8), kdc(8), kpasswdd(8)
|
|---|
| 86 |
|
|---|
| 87 | HEIMDAL December 8, 2004 HEIMDAL
|
|---|
