kadmind(8) [osx man page]
KADMIND(8) BSD System Manager's Manual KADMIND(8) NAME
kadmind -- server for administrative access to Kerberos database SYNOPSIS
kadmind [-c file | --config-file=file] [-k file | --key-file=file] [--keytab=keytab] [-r realm | --realm=realm] [-d | --debug] [-p port | --ports=port] DESCRIPTION
kadmind listens for requests for changes to the Kerberos database and performs these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by inetd(8), otherwise it behaves as a daemon, forking processes for each new connection. The --debug option causes kadmind to accept exactly one connection, which is useful for debugging. The kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by kpasswd(1)). This daemon should only be run on the master server, and not on any slaves. Principals are always allowed to change their own password and list their own principal. Apart from that, doing any operation requires per- mission explicitly added in the ACL file /var/heimdal/kadmind.acl. The format of this file is: principal rights [principal-pattern] Where rights is any (comma separated) combination of: o change-password or cpw o list o delete o modify o add o get o get-keys o all And the optional principal-pattern restricts the rights to operations on principals that match the glob-style pattern. Supported options: -c file, --config-file=file location of config file -k file, --key-file=file location of master key file --keytab=keytab what keytab to use -r realm, --realm=realm realm to use -d, --debug enable debugging -p port, --ports=port ports to listen to. By default, if run as a daemon, it listens to port 749, but you can add any number of ports with this option. The port string is a whitespace separated list of port specifications, with the special string ``+'' representing the default port. FILES
/var/heimdal/kadmind.acl EXAMPLES
This will cause kadmind to listen to port 4711 in addition to any compiled in defaults: kadmind --ports="+ 4711" & This acl file will grant Joe all rights, and allow Mallory to view and add host principals, as well as extract host principal keys (e.g., into keytabs). joe/admin@EXAMPLE.COM all mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM SEE ALSO
kpasswd(1), kadmin(8), kdc(8), kpasswdd(8) HEIMDAL
December 8, 2004 HEIMDAL
Check Out this Related Man Page
KADMIND(8) System Manager's Manual KADMIND(8) NAME
kadmind - KADM5 administration server SYNOPSIS
kadmind [-r realm] [-m] [-nofork] [-port port-number] DESCRIPTION
This command starts the KADM5 administration server. The administration server runs on the master Kerberos server, which stores the KDC principal database and the KADM5 policy database. Kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kadmind. kadmind requires a number of configuration files to be set up in order for it to work: kdc.conf The KDC configuration file contains configuration informatin for the KDC and the KADM5 system. Kadmind understands a number of variable settings in this file, some of whch are mandatory and some of which are optional. See the CONFIGURATION VALUES section below. keytab Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that kadmind will answer requests for. The keytab can be created with the kadmin(8) client. The location of the keytab is determined by the admin_keytab configuration variable (see CONFIGURATION VALUES). ACL file Kadmind's ACL (access control list) tells it which principals are allowed to perform KADM5 administration actions. The path of the ACL file is specified via the acl_file configuration variable (see CONFIGURATION VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX section below. After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. OPTIONS
-r realm specifies the default realm that kadmind will serve; if it is not specified, the default realm of the host is used. kadmind will answer requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab. -m specifies that the master database password should be fetched from the keyboard rather than from a file on disk. Note that the server gets the password prior to putting itself in the background; in combination with the -nofork option, you must place it in the background by hand. -nofork specifies that the server does not put itself in the background and does not disassociate itself from the terminal. In normal oper- ation, you should always allow the server place itself in the background. -port port-number specifies the port on which the administration server listens for connections. The default is is controlled by the kadmind_port configuration variable (see below). CONFIGURATION VALUES
In addition to the relations defined in kdc.conf(5), kadmind understands the following relations, all of which should appear in the [realms] section: acl_file The path of kadmind's ACL file. Mandatory. No default. dict_file The path of kadmind's password dictionary. A principal with any password policy will not be allowed to select any password in the dictionary. Optional. No default. admin_keytab The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that kadmind will serve. The default is the value of the KRB5_KTNAME environment variable, if defined. Mandatory. kadmind_port The TCP port on which kadmind will listen. The default is 749. ACL FILE SYNTAX
The ACL file controls which principals can or cannot perform which administrative functions. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. This file can contain comment lines, null lines or lines which contain ACL entries. Comment lines start with the sharp sign (#) and continue until the end of the line. Lines containing ACL entries have the format of principal whitespace operation-mask [whitespace operation-target] Ordering is important. The first matching entry is the one which will control access for a particular principal on a particular principal. principal may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be wildcarded using the asterisk ( * ) character. operation-target [Optional] may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be wild- carded using the asterisk ( * ) character. operation-mask Specifies what operations may or may not be peformed by a principal matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation is disal- lowed. If the character is lower-case, then the operation is permitted. a [Dis]allows the addition of principals or policies in the database. d [Dis]allows the deletion of principals or policies in the database. m [Dis]allows the modification of principals or policies in the database. c [Dis]allows the changing of passwords for principals in the database. i [Dis]allows inquiries to the database. l [Dis]allows the listing of principals or policies in the database. x Short for admcil. * Same as x. Some examples of valid entries here are: user/instance@realm adm A standard fully qualified name. The operation-mask only applies to this principal and specifies that [s]he may add, delete or mod- ify principals and policies, but not change anybody else's password. user/instance@realm cim service/instance@realm A standard fully qualified name and a standard fully qualified target. The operation-mask only applies to this principal operating on this target and specifies that [s]he may change the target's password, request information about the target and modify it. user/*@realm ac A wildcarded name. The operation-mask applies to all principals in realm "realm" whose first component is "user" and specifies that [s]he may add principals and change anybody's password. user/*@realm i */instance@realm A wildcarded name and target. The operation-mask applies to all principals in realm "realm" whose first component is "user" and specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm". FILES
principal.db default name for Kerberos principal database <dbname>.kadm5 KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains pol- icy information. <dbname>.kadm5.lock lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., kadmin will exit with an error if this file does not exist. kadm5.acl file containing list of principals and their kadmin administrative privileges. See above for a description. kadm5.keytab keytab file for kadmin/admin principal. kadm5.dict file containing dictionary of strings explicitly disallowed as passwords. SEE ALSO
kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8) KADMIND(8)