
kadmin_util(8) [osx man page]

kadmin_util(8)						    BSD System Manager's Manual 					    kadmin_util(8)

NAME
       kadmin_util -- Kerberos -- Open Directory Single Sign On

SYNOPSIS
       kadmin_util -a principal_name | -d principal_name [-r REALM] [-h] [-p] [-v debug_level]

DESCRIPTION
       kadmin_util is a tool for managing the access control list used by kadmind to control which users have the ability to modify the Kerberos database of user information. It looks at the acl_file item in the realm section of the kdc config file to determine which acl files to update.

       -a principal_name
              Adds the given principal name to the acl file with administrator privileges.

       -d principal_name
              Removes the given principal name from the acl. (-a and -d are mutually exclusive.)

       -h     Send a HUP signal to kadmind if the update completes without errors.

       -p     Write the output error to standard out in an XML Plist format.

       -r REALM
              Denotes which realm to update. If this parameter is omitted, kadmin_util operates on the first realm it finds in the kdc config file. To operate on all the available realms use '*' for the realm name.

       -v debug_level
              Sets the debug level (1 = progress; >1 for more detail).

EXAMPLES
       To add adminuser@REALM.COM to the acl file as Kerberos administrator for realm REALM.COM:

              kadmin_util -a adminuser@REALM.COM -r REALM.COM

       To remove adminuser@REALM.COM from all the realms serviced by this kdc (you need the quotes around the * to keep the shell from substituting filenames):

              kadmin_util -d adminuser@REALM.COM -r '*'

FILES
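       The following is an added example, not Apple's kadmin_util source: a small Python re-implementation of the behaviour the DESCRIPTION and EXAMPLES sections describe (read the acl_file item of each realm in the kdc config file, then add or remove a principal in that acl file, with '*' meaning every realm and no realm meaning the first one found). It assumes, beyond what this page states, that kadm5.acl entries are "principal permissions" lines and that "administrator privs" is the all-privileges mask "*". The -h (HUP kadmind) and -p (plist output) options are not reproduced, and the kdc.conf and acl contents built in demo() are constructed for the example.

```python
"""Added example, not Apple's kadmin_util: re-implement the behaviour the man
page describes so the acl_file lookup and the '*' realm case can be exercised
offline.  Assumptions not stated on the page: kadm5.acl entries are
"principal permissions" lines, and "administrator privs" is the all-privileges
mask "*".  -h and -p are not reproduced.  demo() uses constructed files."""
import os
import re
import tempfile

ADMIN_PERMS = "*"  # assumption: full kadmin privileges for an administrator


def parse_kdc_conf(text):
    """Map realm -> acl_file from the [realms] section of a kdc.conf."""
    acl_files = {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
        elif line == "}":
            realm = None
        else:
            m = re.match(r"^acl_file\s*=\s*(\S+)$", line)
            if m and realm:
                acl_files[realm] = m.group(1)
    return acl_files


def update_acl(path, principal, add):
    """Drop every entry for principal; if add, append it with ADMIN_PERMS.
    Returns the non-blank entries now in the file (re-adding is idempotent)."""
    with open(path) as f:
        lines = [ln.rstrip("\n") for ln in f]
    kept = [ln for ln in lines if ln.split()[:1] != [principal]]
    if add:
        kept.append(f"{principal} {ADMIN_PERMS}")
    # write a temp file and rename it so kadmind never reads a half-written ACL
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(ln + "\n" for ln in kept))
    os.replace(tmp, path)
    return [ln for ln in kept if ln.strip()]


def kadmin_util(conf_text, principal, add, realm=None):
    """realm=None: first realm in kdc.conf; realm='*': every realm."""
    acl_files = parse_kdc_conf(conf_text)
    if not acl_files:
        raise ValueError("no realm with an acl_file in kdc.conf")
    if realm == "*":
        targets = list(acl_files)
    elif realm is None:
        targets = [next(iter(acl_files))]
    elif realm in acl_files:
        targets = [realm]
    else:
        raise KeyError(f"realm {realm} not found in kdc.conf")
    return {r: update_acl(acl_files[r], principal, add) for r in targets}


def demo():
    """Constructed two-realm KDC: add to one realm, then remove from all."""
    with tempfile.TemporaryDirectory() as d:
        acl_a, acl_b = os.path.join(d, "a.acl"), os.path.join(d, "b.acl")
        with open(acl_a, "w") as f:
            f.write("admin/admin@EXAMPLE.COM *\n")
        open(acl_b, "w").close()
        conf = (
            "[kdcdefaults]\n kdc_ports = 88\n"
            "[realms]\n"
            f" EXAMPLE.COM = {{\n  acl_file = {acl_a}\n }}\n"
            f" CORP.EXAMPLE = {{\n  acl_file = {acl_b}\n }}\n"
        )
        after_add = kadmin_util(conf, "adminuser@EXAMPLE.COM", True, "EXAMPLE.COM")
        after_remove = kadmin_util(conf, "admin/admin@EXAMPLE.COM", False, "*")
        return after_add, after_remove


if __name__ == "__main__":
    print(demo())
```

       The rename-into-place write is the one point where this differs from a naive in-place edit: kadmind reads the acl file whole, so a truncated file during a write would lock every administrator out until the next successful update.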
       /var/db/krb5kdc/kadm5.acl
              the standard acl file location

       /var/db/krb5kdc/kdc.conf
              the default kdc config file

DIAGNOSTICS
       You can add -v debug_level to any kadmin_util command. Debug level 1 provides status information; higher levels add progressively more detail.

NOTES
       The kadmin_util tool is used by the Apple Single Sign On system to set up a KDC integrated with the rest of the Single Sign On components.

SEE ALSO
       DirectoryService(1), kerberos(1), kadmind(8), kerberosautoconfig(8), krbservicesetup(8), krb5kdc(8), sso_util(8)

Darwin                                                   June 2, 2019                                                   Darwin


kadmind(1M)															       kadmind(1M)

NAME
       kadmind - Kerberos administration daemon

SYNOPSIS
       /usr/lib/krb5/kadmind [-d] [-m] [-p port-number] [-r realm]

DESCRIPTION
       kadmind runs on the master key distribution center (KDC), which stores the principal and policy databases. kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kpasswd(1), gkadmin(1M), and kadmin(1M) commands, all of which are clients of kadmind.

       When you install a KDC, kadmind is set up in the init scripts to start automatically when the KDC is rebooted.

       kadmind requires a number of configuration files to be set up for it to work:

       /etc/krb5/kdc.conf
              The KDC configuration file contains configuration information for the KDC and the Kerberos administration system. kadmind understands a number of configuration variables (called relations) in this file, some of which are mandatory and some of which are optional. In particular, kadmind uses the acl_file, dict_file, admin_keytab, and kadmind_port relations in the [realms] section. Refer to the kdc.conf(4) man page for information regarding the format of the KDC configuration file.

       /etc/krb5/kadm5.keytab
              kadmind requires a keytab (key table) containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm for which kadmind answers requests. The keytab can be created with the kadmin.local(1M) or kdb5_util(1M) command. The location of the keytab is determined by the admin_keytab relation in the kdc.conf(4) file.

       /etc/krb5/kadm5.acl
              kadmind uses an ACL (access control list) to determine which principals are allowed to perform Kerberos administration actions. The path of the ACL file is determined by the acl_file relation in the kdc.conf file. See kdc.conf(4). For information regarding the format of the ACL file, refer to kadm5.acl(4). Note that the kadmind daemon must be restarted in order to reread the kadm5.acl file after it has been modified. You can do this, as root, with the following command:

                     # svcadm restart svc:/network/security/kadmin:default

       After kadmind begins running, it puts itself in the background and disassociates itself from its controlling terminal.

       kadmind can be configured for incremental database propagation. Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. These settings can be changed in the kdc.conf(4) file:

       sunw_dbprop_enable = [true | false]
              Enable or disable incremental database propagation. Default is false.

       sunw_dbprop_master_ulogsize = N
              Specifies the maximum number of log entries available for incremental propagation to the slave KDC servers. The maximum value that this can be is 2500 entries. Default value is 1000 entries.

       The kiprop/<hostname>@<REALM> principal must exist in the master's kadm5.keytab file to enable the slave to authenticate incremental propagation from the master. In the principal syntax above, <hostname> is the master KDC's host name and <REALM> is the realm in which the master KDC resides.

       Kerberos client machines can automatically migrate Unix users to the default Kerberos realm specified in the local krb5.conf(4), if the user does not have a valid Kerberos account already. You achieve this by using the pam_krb5_migrate(5) service module for the service in question. The Kerberos service principal used by the client machine attempting the migration needs to be validated using the u privilege in kadm5.acl(4). When using the u privilege, kadmind validates user passwords using PAM, specifically using a PAM_SERVICE name of k5migrate by calling pam_authenticate(3PAM) and pam_acct_mgmt(3PAM). A suitable PAM stack configuration example for k5migrate would look like:

              k5migrate   auth     required   pam_unix_auth.so.1
              k5migrate   account  required   pam_unix_account.so.1

OPTIONS
       The following options are supported:

       -d     Specifies that kadmind does not put itself in the background and does not disassociate itself from the terminal. In normal operation, you should use the default behavior, which is to allow the daemon to put itself in the background.

       -m     Specifies that the master database password should be retrieved from the keyboard rather than from the stash file. When using -m, the kadmind daemon receives the password prior to putting itself in the background. If used in combination with the -d option, you must explicitly place the daemon in the background.

       -p port-number
              Specifies the port on which the kadmind daemon listens for connections. The default is controlled by the kadmind_port relation in the kdc.conf(4) file.

       -r realm
              Specifies the default realm that kadmind serves. If realm is not specified, the default realm of the host is used. kadmind answers requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab.

FILES
       /var/krb5/principal
              Kerberos principal database.

       /var/krb5/principal.ulog
              The update log file for incremental propagation.

       /var/krb5/principal.kadm5
              Kerberos administrative database containing policy information.

       /var/krb5/principal.kadm5.lock
              Kerberos administrative database lock file. This file works backwards from most other lock files (that is, kadmin exits with an error if this file does not exist).

       /var/krb5/kadm5.dict
              Dictionary of strings explicitly disallowed as passwords.

       /etc/krb5/kadm5.acl
              List of principals and their kadmin administrative privileges.

       /etc/krb5/kadm5.keytab
              Keytab for kadmin/admin principal.

       /etc/krb5/kdc.conf
              KDC configuration information.
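       The following is an added example, not Solaris or MIT Kerberos code: a Python evaluator for kadm5.acl entries that answers "may this principal perform this operation?" the way the DESCRIPTION section says kadmind consults the file, so an ACL change (including a u entry for a pam_krb5_migrate host) can be checked before kadmind is restarted to reread it. Its rules are assumptions taken from the kadm5.acl format rather than from this page: an entry is "principal permissions [target]"; a lowercase letter grants that operation and an uppercase letter denies it; "*" or "x" grants everything; "*" is a wildcard inside one principal component; and the first entry whose principal (and target, if the entry names one) matches decides. Restriction fields and back-references are not implemented, and SAMPLE_ACL is constructed for the example.

```python
"""Added example, not Solaris or MIT code: evaluate a kadm5.acl the way the
man page says kadmind uses it.  Assumed rules (kadm5.acl format, not stated on
this page): entry = "principal permissions [target]"; lowercase grants,
uppercase denies, "*" or "x" grants all; "*" is a per-component wildcard; the
first matching entry decides.  Restrictions/back-references are omitted."""
from fnmatch import fnmatchcase

# assumption: operation letters, including the Solaris-only 'u' (PAM migration)
ALL_OPS = "acdeilmpsu"


def split_principal(princ):
    """'host/kdc@EXAMPLE.COM' -> (['host', 'kdc'], 'EXAMPLE.COM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm


def principal_matches(pattern, princ):
    """Component-wise wildcard match; component counts must agree."""
    pcomps, prealm = split_principal(pattern)
    ccomps, crealm = split_principal(princ)
    if len(pcomps) != len(ccomps) or not fnmatchcase(crealm, prealm):
        return False
    return all(fnmatchcase(c, p) for c, p in zip(ccomps, pcomps))


def parse_acl(text):
    """Return [(principal_pattern, permissions, target_pattern_or_None)]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"kadm5.acl line {lineno}: principal and permissions required")
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def allowed(entries, client, op, target=None):
    """May client perform single-letter op (on target, if the entry names one)?"""
    if op not in ALL_OPS:
        raise ValueError(f"unknown operation {op!r}")
    for princ, perms, tpattern in entries:
        if not principal_matches(princ, client):
            continue
        if tpattern is not None and (target is None or not principal_matches(tpattern, target)):
            continue
        if perms in ("*", "x"):
            return True
        return op in perms  # first match decides; an uppercase letter never equals a lowercase op
    return False


def effective_ops(entries, client, target=None):
    """Letters client may use: handy for a least-privilege review of the file."""
    return "".join(op for op in ALL_OPS if allowed(entries, client, op, target))


SAMPLE_ACL = """
# constructed example kadm5.acl
*/admin@EXAMPLE.COM     *                          # full administrators
joeadmin@EXAMPLE.COM    ADMCIL                     # explicitly denied
helpdesk@EXAMPLE.COM    ci    */user@EXAMPLE.COM   # password resets on user principals only
host/*@EXAMPLE.COM      u                          # pam_krb5_migrate client hosts
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who in ("root/admin@EXAMPLE.COM", "joeadmin@EXAMPLE.COM", "host/kdc.example.com@EXAMPLE.COM"):
        print(who, "->", effective_ops(acl, who) or "(nothing)")
```

       The host/* entry carrying only u is the point of the example: a migration host needs u and nothing else, so a review that prints effective_ops for every distinct principal pattern in the file makes an over-broad "*" for a host key easy to spot before the daemon is restarted.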
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Availability                 |SUNWkdcu                     |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       kpasswd(1), svcs(1), gkadmin(1M), kadmin(1M), kadmin.local(1M), kdb5_util(1M), kproplog(1M), svcadm(1M), pam_acct_mgmt(3PAM), pam_authenticate(3PAM), kadm5.acl(4), kdc.conf(4), krb5.conf(4), attributes(5), krb5envvar(5), pam_krb5_migrate(5), smf(5), SEAM(5)

NOTES
       The Kerberos administration daemon (kadmind) is now compliant with the change-password standard mentioned in RFC 3244, which means it can now handle change-password requests from non-Solaris Kerberos clients.

       The kadmind service is managed by the service management facility, smf(5), under the service identifier:

              svc:/network/security/kadmin

       Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The service's status can be queried using the svcs(1) command.

                                                         11 Jul 2005                                                      kadmind(1M)