
FreeBSD Manual Pages


KADMIND(8)		    System Manager's Manual		    KADMIND(8)

NAME
       kadmind - KADM5 administration server

SYNOPSIS
       kadmind [-r realm] [-m] [-nofork] [-port port-number]

DESCRIPTION
       This command starts the KADM5 administration server.  The administra-
       tion server runs on the master Kerberos server, which stores the KDC
       principal database and the KADM5 policy database.  Kadmind accepts re-
       mote requests to administer the information in these databases.  Remote
       requests are sent, for example, by kadmin(8) and the kpasswd(1) com-
       mand, both of which are clients of kadmind.

       kadmind requires	a number of configuration files	to be set up in	 order
       for it to work:

       kdc.conf  The KDC configuration file contains configuration information
                 for the KDC and the KADM5 system.  Kadmind understands a num-
                 ber of variable settings in this file, some of which are
                 mandatory and some of which are optional.  See the CONFIGURA-
                 TION VALUES section below.

       keytab    Kadmind requires a keytab containing correct entries for the
                 kadmin/admin and kadmin/changepw principals for every realm
                 that kadmind will answer requests for.  The keytab can be
                 created with the kadmin(8) client.  The location of the
                 keytab is determined by the admin_keytab configuration vari-
                 able.  The keytab holds the long-term keys of the administra-
                 tion service, so it must be readable only by the account that
                 runs kadmind.

       ACL file	 Kadmind's ACL (access control list) tells it which principals
		 are  allowed  to  perform  KADM5 administration actions.  The
		 path of the ACL file is specified via the acl_file configura-
		 tion  variable	(see CONFIGURATION VALUES).  The syntax	of the
		 ACL file is specified in the ACL FILE SYNTAX section below.

       After the server	begins running,	it puts	itself in the  background  and
       disassociates itself from its controlling terminal.

OPTIONS
       -r realm
              specifies the default realm that kadmind will serve; if it is
              not specified, the default realm of the host is used.  kadmind
              will answer requests for any realm that exists in the local KDC
              database and for which the appropriate principals are in its
              keytab.

       -m     specifies	 that  the  master database password should be fetched
	      from the keyboard	rather than from a file	on  disk.   Note  that
	      the  server  gets	 the  password	prior to putting itself	in the
	      background; in combination with the  -nofork  option,  you  must
	      place it in the background by hand.

       -nofork
              specifies that the server does not put itself in the background
              and does not disassociate itself from the terminal.  In normal
              operation, you should always allow the server to place itself in
              the background.

       -port port-number
              specifies the port on which the administration server listens
              for connections.  The default is controlled by the kadmind_port
              configuration variable (see below).

CONFIGURATION VALUES
       In addition to the relations defined in kdc.conf(5), kadmind under-
       stands the following relations, all of which should appear in the
       [realms] section:

       acl_file
              The path of kadmind's ACL file.  Mandatory.  No default.

       dict_file
              The path of kadmind's password dictionary.  A principal with any
              password policy will not be allowed to select any password in
              the dictionary.  Optional.  No default.

       admin_keytab
              The name of the keytab containing entries for the principals
              kadmin/admin and kadmin/changepw in each realm that kadmind will
              serve.  The default is the value of the KRB5_KTNAME environment
              variable, if defined.  Mandatory.

       kadmind_port
              The TCP port on which kadmind will listen.  The default is 749.
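       The following pre-flight check is an added example and is not part of
       this manual page or of MIT Kerberos.  It parses the subset of the
       kdc.conf(5) profile format needed for a [realms] stanza (the real parser
       is libkrb5's profile library; this one is a deliberately small stand-in)
       and resolves the four kadmind relations with the defaults and
       mandatory/optional status stated above: acl_file is required, dict_file
       is optional, admin_keytab falls back to KRB5_KTNAME, and kadmind_port
       defaults to 749.  The kdc.conf text, realm names and paths below are
       constructed for the example.

```python
"""Pre-flight check of kadmind's relations in a kdc.conf [realms] stanza.

Added example, not code from the kadmind man page or MIT Kerberos.  The
config text is constructed; the relation names and defaults follow the
CONFIGURATION VALUES section.
"""
import os
import re
from typing import Dict, Optional

# Constructed sample kdc.conf.  EXAMPLE.COM is complete; TEST.EXAMPLE.COM
# omits the mandatory acl_file so the check has something to reject.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/krb5/principal
        acl_file = /var/krb5/kadm5.acl          # ACL FILE SYNTAX below
        dict_file = /var/krb5/kadm5.dict
        admin_keytab = /var/krb5/kadm5.keytab
        kadmind_port = 1749
    }
    TEST.EXAMPLE.COM = {
        database_name = /var/krb5/test/principal
        admin_keytab = /var/krb5/test/kadm5.keytab
    }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_RELATION = re.compile(r"^([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, dict]:
    """Parse [section] headers, 'name = value' relations and nested
    'name = { ... }' blocks into nested dicts.  '#' starts a comment."""
    root: Dict[str, dict] = {}
    stack = []                      # enclosing dicts of open '{' blocks
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m and not stack:
            current = root.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError(f"relation outside any section: {line!r}")
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            current = stack.pop()
            continue
        m = _RELATION.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        name, value = m.group(1), m.group(2)
        if value == "{":
            stack.append(current)
            current = current.setdefault(name, {})
        else:
            current[name] = value
    if stack:
        raise ValueError("unterminated '{' block")
    return root


def kadmind_settings(profile: Dict[str, dict], realm: str,
                     env: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Resolve kadmind's four relations for one realm, applying the documented
    defaults, and raise ValueError naming every mandatory relation missing."""
    env = os.environ if env is None else env
    try:
        stanza = profile["realms"][realm]
    except KeyError:
        raise ValueError(f"realm {realm} has no [realms] stanza") from None
    missing = []
    acl_file = stanza.get("acl_file")               # mandatory, no default
    if not acl_file:
        missing.append("acl_file")
    admin_keytab = stanza.get("admin_keytab") or env.get("KRB5_KTNAME")
    if not admin_keytab:                            # mandatory, env fallback
        missing.append("admin_keytab (and KRB5_KTNAME is unset)")
    if missing:
        raise ValueError(f"{realm}: missing mandatory relation(s): "
                         + ", ".join(missing))
    port = int(stanza.get("kadmind_port", 749))     # default 749
    if not 1 <= port <= 65535:
        raise ValueError(f"{realm}: kadmind_port {port} out of range")
    return {"acl_file": acl_file,
            "dict_file": stanza.get("dict_file"),   # optional, no default
            "admin_keytab": admin_keytab,
            "kadmind_port": port}


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_KDC_CONF)
    for name in prof["realms"]:
        try:
            print(name, kadmind_settings(prof, name, env={}))
        except ValueError as err:
            print("REJECT:", err)
```

       Run against a real kdc.conf, the same check catches the common failure
       of a realm that was added to the KDC database without an acl_file,
       which kadmind otherwise reports only when it refuses to start.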

ACL FILE SYNTAX
       The ACL file controls which principals can or cannot perform which ad-
       ministrative functions.  For operations that affect principals, the ACL
       file also controls which principals can operate on which other princi-
       pals.  This file can contain comment lines, null lines or lines which
       contain ACL entries.  Comment lines start with the sharp sign (#) and
       continue until the end of the line.  Lines containing ACL entries have
       the format of

              principal whitespace operation-mask [whitespace operation-target]

       Ordering	is important.  The first matching entry	is the one which  will
       control access for a particular principal on a particular principal.

       principal
              may specify a partially or fully qualified Kerberos version 5
              principal name.  Each component of the name may be wildcarded
              using the asterisk ( * ) character.

       operation-target
              [Optional] may specify a partially or fully qualified Kerberos
              version 5 principal name.  Each component of the name may be
              wildcarded using the asterisk ( * ) character.

       operation-mask
              Specifies what operations may or may not be performed by a prin-
              cipal matching a particular entry.  This is a string of one or
              more of the following list of characters or their upper-case
              counterparts.  If the character is upper-case, then the opera-
              tion is disallowed.  If the character is lower-case, then the
              operation is permitted.

              a    [Dis]allows the addition of principals or policies in the
                   database.
              d    [Dis]allows the deletion of principals or policies in the
                   database.
              m    [Dis]allows the modification of principals or policies in
                   the database.
              c    [Dis]allows the changing of passwords for principals in the
                   database.
              i    [Dis]allows inquiries to the database.
              l    [Dis]allows the listing of principals or policies in the
                   database.
              x    Short for admcil.
              *    Same as x.
       Some examples of	valid entries here are:

       user/instance@realm adm
              A standard fully qualified name.  The operation-mask only ap-
              plies to this principal and specifies that [s]he may add, delete
              or modify principals and policies, but not change anybody else's
              password.

       user/instance@realm cim service/instance@realm
	      A	standard fully qualified name and a standard  fully  qualified
	      target.  The operation-mask only applies to this principal oper-
	      ating on this target and specifies that  [s]he  may  change  the
	      target's password, request information about the target and mod-
	      ify it.

       user/*@realm ac
	      A	wildcarded name.  The operation-mask applies to	all principals
	      in  realm	 "realm" whose first component is "user" and specifies
	      that [s]he may add principals and	change anybody's password.

       user/*@realm i */instance@realm
	      A	wildcarded name	and target.  The operation-mask	applies	to all
	      principals  in realm "realm" whose first component is "user" and
	      specifies	that [s]he may perform inquiries on  principals	 whose
	      second component is "instance" and realm is "realm".
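       The evaluator below is an added example, not code from this manual page
       or from MIT Kerberos.  It implements the rules stated in this section
       exactly as written: sharp-sign comments and null lines are skipped,
       each entry is principal, operation-mask and optional operation-target,
       an asterisk wildcards one whole name component or the realm, lower-case
       flags permit and upper-case flags deny, x and * expand to admcil, and
       the first matching entry decides.  Two points the section leaves open
       are assumptions here: a name written without @realm is taken to be in
       DEFAULT_REALM, and an entry that carries an operation-target is only
       considered for requests that name a target.  An operation the deciding
       entry's mask does not mention is denied.  The ACL text and principal
       names are constructed and mirror the examples above.

```python
"""Evaluate kadm5.acl decisions as described in ACL FILE SYNTAX.

Added example, not code from the kadmind man page or MIT Kerberos.
Assumptions: unqualified names belong to DEFAULT_REALM; an entry with a
target only matches requests that have a target; unmentioned ops are denied.
"""
from typing import List, Optional, Tuple

OPS = "admcil"
DEFAULT_REALM = "EXAMPLE.COM"   # assumed realm for names without '@realm'

# Constructed sample ACL; entries mirror the man page's own examples.
SAMPLE_ACL = """\
# kadm5.acl -- the first matching entry wins
admin/admin@EXAMPLE.COM        *
helpdesk/*@EXAMPLE.COM         c      */user@EXAMPLE.COM
helpdesk/*@EXAMPLE.COM         Ci
ops/*@EXAMPLE.COM              adm
auditor@EXAMPLE.COM            il
"""


def split_name(name: str, default_realm: str = DEFAULT_REALM) -> Tuple[List[str], str]:
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    if "@" in name:
        local, realm = name.rsplit("@", 1)
    else:
        local, realm = name, default_realm        # assumption, see above
    return local.split("/"), realm


def name_matches(pattern: str, name: str) -> bool:
    """Component-wise match; '*' matches one whole component or the realm.
    A pattern with a different number of components never matches."""
    p_comps, p_realm = split_name(pattern)
    n_comps, n_realm = split_name(name)
    if len(p_comps) != len(n_comps):
        return False
    if p_realm != "*" and p_realm != n_realm:
        return False
    return all(p == "*" or p == n for p, n in zip(p_comps, n_comps))


def expand_mask(mask: str) -> str:
    """Expand the 'x' and '*' shorthands to 'admcil'; reject unknown flags."""
    out = ""
    for ch in mask:
        if ch in "x*":
            out += OPS
        elif ch.lower() in OPS:
            out += ch
        else:
            raise ValueError(f"unknown operation flag {ch!r} in mask {mask!r}")
    return out


def parse_acl(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (principal_pattern, expanded_mask, target_pattern or None)
    per entry, in file order, since ordering decides conflicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # comments run to end of line
        if not line:                            # null line
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'principal mask [target]'")
        target = fields[2] if len(fields) == 3 else None
        entries.append((fields[0], expand_mask(fields[1]), target))
    return entries


def is_allowed(entries, client: str, op: str, target: Optional[str] = None) -> bool:
    """Decide one request.  The first entry whose principal (and target, if
    the entry has one) matches controls the outcome; a lower-case flag in its
    mask permits, anything else (upper-case or absent) denies.  A client no
    entry matches is denied."""
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")
    for principal, mask, tgt in entries:
        if not name_matches(principal, client):
            continue
        if tgt is not None and (target is None or not name_matches(tgt, target)):
            continue
        return op in mask
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for client, op, tgt in [
        ("helpdesk/jane@EXAMPLE.COM", "c", "bob/user@EXAMPLE.COM"),
        ("helpdesk/jane@EXAMPLE.COM", "c", "root/admin@EXAMPLE.COM"),
        ("ops/bob@EXAMPLE.COM", "l", None),
        ("admin/admin@EXAMPLE.COM", "d", None),
    ]:
        print(client, op, tgt, "->", is_allowed(acl, client, op, tgt))
```

       The two helpdesk lines show why ordering matters: the targeted entry
       grants password changes only on */user principals, and the untargeted
       entry beneath it denies c for everything else while still allowing in-
       quiries.  Swapping them would let the untargeted deny match first and
       silently disable the grant.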

FILES
       principal.db        default name for Kerberos principal database

       <dbname>.kadm5	   KADM5  administrative  database.   (This  would  be
			   "principal.kadm5", if you use the default  database
			   name.)  Contains policy information.

       <dbname>.kadm5.lock lock	 file  for  the	KADM5 administrative database.
			   This	file works  backwards  from  most  other  lock
			   files.   I.e.,  kadmin  will	 exit with an error if
			   this	file does not exist.

       kadm5.acl           file containing list of principals and their kadmin
                           administrative privileges.  See above for a de-
                           scription of the syntax.

       kadm5.keytab        keytab file for the kadmin/admin and kadmin/changepw
                           principals.

       kadm5.dict	   file	containing dictionary  of  strings  explicitly
			   disallowed as passwords.

SEE ALSO
       kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8)


