Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
KADMIND(8)		  BSD System Manager's Manual		    KADMIND(8)

     kadmind --	server for administrative access to Kerberos database

     kadmind [-c file |	--config-file=file] [-k	file | --key-file=file]
	     [--keytab=keytab] [-r realm | --realm=realm] [-d |	--debug] [-p
	     port | --ports=port] [--no-kerberos4]

     kadmind listens for requests for changes to the Kerberos database and
     performs these, subject to	permissions.  When starting, if	stdin is a
     socket it assumes that it has been	started	by inetd(8), otherwise it be-
     haves as a	daemon,	forking	processes for each new connection. The --debug
     option causes kadmind to accept exactly one connection, which is useful
     for debugging.

     If	built with krb4	support, it implements both the	Heimdal	Kerberos 5 ad-
     ministrative protocol and the Kerberos 4 protocol.	Password changes via
     the Kerberos 4 protocol are also performed	by kadmind, but	the
     kpasswdd(8) daemon	is responsible for the Kerberos	5 password changing
     protocol (used by kpasswd(1))

     This daemon should	only be	run on the master server, and not on any

     Principals	are always allowed to change their own password	and list their
     own principal.  Apart from	that, doing any	operation requires permission
     explicitly	added in the ACL file /var/heimdal/kadmind.acl.	 The format of
     this file is:

     principal rights [principal-pattern]

     Where rights is any (comma	separated) combination of:
     +o	 change-password or cpw
     +o	 list
     +o	 delete
     +o	 modify
     +o	 add
     +o	 get
     +o	 all

     And the optional principal-pattern	restricts the rights to	operations on
     principals	that match the glob-style pattern.

     Supported options:

     -c	file, --config-file=file
	     location of config	file

     -k	file, --key-file=file
	     location of master	key file

	     what keytab to use

     -r	realm, --realm=realm
	     realm to use

     -d, --debug
	     enable debugging

     -p	port, --ports=port
	     ports to listen to. By default, if	run as a daemon, it listens to
	     ports 749,	and 751	(if Kerberos 4 support is built	and enabled),
	     but you can add any number	of ports with this option. The port
	     string is a whitespace separated list of port specifications,
	     with the special string "+" representing the default set of

	     make kadmind ignore Kerberos 4 kadmin requests.


     This will cause kadmind to	listen to port 4711 in addition	to any com-
     piled in defaults:

	   kadmind --ports="+ 4711" &

     This acl file will	grant Joe all rights, and allow	Mallory	to view	and
     add host principals.

	   joe/admin@EXAMPLE.COM      all
	   mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM

     kpasswd(1), kadmin(8), kdc(8), kpasswdd(8)

HEIMDAL				 March 5, 2002			       HEIMDAL


Want to link to this manual page? Use this URL:

home | help