FreeBSD manual
download PDF document: kadmind.8.pdf
KADMIND(8) FreeBSD System Manager's Manual KADMIND(8)
NAME
kadmind - server for administrative access to Kerberos database
SYNOPSIS
kadmind [-c file | --config-file=file] [-k file | --key-file=file]
[--keytab=keytab] [-r realm | --realm=realm] [-d | --debug]
[-p port | --ports=port]
DESCRIPTION
kadmind listens for requests for changes to the Kerberos database and
performs these, subject to permissions. When starting, if stdin is a
socket it assumes that it has been started by inetd(8), otherwise it
behaves as a daemon, forking processes for each new connection. The
--debug option causes kadmind to accept exactly one connection, which is
useful for debugging.
The kpasswdd(8) daemon is responsible for the Kerberos 5 password
changing protocol (used by kpasswd(1)).
This daemon should only be run on the master server, and not on any
slaves.
Principals are always allowed to change their own password and list their
own principal. Apart from that, doing any operation requires permission
explicitly added in the ACL file /var/heimdal/kadmind.acl. The format of
this file is:
principal rights [principal-pattern]
Where rights is any (comma separated) combination of:
o change-password or cpw
o list
o delete
o modify
o add
o get
o all
And the optional principal-pattern restricts the rights to operations on
principals that match the glob-style pattern.
Supported options:
-c file, --config-file=file
location of config file
-k file, --key-file=file
location of master key file
--keytab=keytab
what keytab to use
-r realm, --realm=realm
realm to use
-d, --debug
enable debugging
FILES
/var/heimdal/kadmind.acl
EXAMPLES
This will cause kadmind to listen to port 4711 in addition to any
compiled in defaults:
kadmind --ports="+ 4711" &
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
SEE ALSO
kpasswd(1), kadmin(8), kdc(8), kpasswdd(8)
HEIMDAL December 8, 2004 HEIMDAL