kadmind - KADM5 administration server
kadmind [-r realm] [-m] [-nofork] [-port port-number]
This command starts the KADM5 administration server. The administration server runs on
the master Kerberos server, which stores the KDC principal database and the KADM5 policy
database. Kadmind accepts remote requests to administer the information in these data-
bases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command,
both of which are clients of kadmind.
kadmind requires a number of configuration files to be set up in order for it to work:
kdc.conf The KDC configuration file contains configuration informatin for the KDC and the
KADM5 system. Kadmind understands a number of variable settings in this file,
some of whch are mandatory and some of which are optional. See the CONFIGURA-
TION VALUES section below.
keytab Kadmind requires a keytab containing correct entries for the kadmin/admin and
kadmin/changepw principals for every realm that kadmind will answer requests
for. The keytab can be created with the kadmin(8) client. The location of the
keytab is determined by the admin_keytab configuration variable (see CONFIGURA-
ACL file Kadmind's ACL (access control list) tells it which principals are allowed to
perform KADM5 administration actions. The path of the ACL file is specified via
the acl_file configuration variable (see CONFIGURATION VALUES). The syntax of
the ACL file is specified in the ACL FILE SYNTAX section below.
After the server begins running, it puts itself in the background and disassociates itself
from its controlling terminal.
specifies the default realm that kadmind will serve; if it is not specified, the
default realm of the host is used. kadmind will answer requests for any realm that
exists in the local KDC database and for which the appropriate principals are in
-m specifies that the master database password should be fetched from the keyboard
rather than from a file on disk. Note that the server gets the password prior to
putting itself in the background; in combination with the -nofork option, you must
place it in the background by hand.
specifies that the server does not put itself in the background and does not disas-
sociate itself from the terminal. In normal operation, you should always allow the
server place itself in the background.
specifies the port on which the administration server listens for connections. The
default is is controlled by the kadmind_port configuration variable (see below).
In addition to the relations defined in kdc.conf(5), kadmind understands the following
relations, all of which should appear in the [realms] section:
The path of kadmind's ACL file. Mandatory. No default.
The path of kadmind's password dictionary. A principal with any password policy
will not be allowed to select any password in the dictionary. Optional. No
The name of the keytab containing entries for the principals kadmin/admin and kad-
min/changepw in each realm that kadmind will serve. The default is the value of
the KRB5_KTNAME environment variable, if defined. Mandatory.
The TCP port on which kadmind will listen. The default is 749.
ACL FILE SYNTAX
The ACL file controls which principals can or cannot perform which administrative func-
tions. For operations that affect principals, the ACL file also controls which principals
can operate on which other principals. This file can contain comment lines, null lines or
lines which contain ACL entries. Comment lines start with the sharp sign (#) and continue
until the end of the line. Lines containing ACL entries have the format of principal
whitespace operation-mask [whitespace operation-target]
Ordering is important. The first matching entry is the one which will control access for
a particular principal on a particular principal.
may specify a partially or fully qualified Kerberos version 5 principal name. Each
component of the name may be wildcarded using the asterisk ( * ) character.
[Optional] may specify a partially or fully qualified Kerberos version 5 principal
name. Each component of the name may be wildcarded using the asterisk ( * ) char-
Specifies what operations may or may not be peformed by a principal matching a par-
ticular entry. This is a string of one or more of the following list of characters
or their upper-case counterparts. If the character is upper-case, then the opera-
tion is disallowed. If the character is lower-case, then the operation is permit-
a [Dis]allows the addition of principals or policies in the database.
d [Dis]allows the deletion of principals or policies in the database.
m [Dis]allows the modification of principals or policies in the database.
c [Dis]allows the changing of passwords for principals in the database.
i [Dis]allows inquiries to the database.
l [Dis]allows the listing of principals or policies in the database.
x Short for admcil.
* Same as x.
Some examples of valid entries here are:
A standard fully qualified name. The operation-mask only applies to this principal
and specifies that [s]he may add, delete or modify principals and policies, but not
change anybody else's password.
user/instance@realm cim service/instance@realm
A standard fully qualified name and a standard fully qualified target. The opera-
tion-mask only applies to this principal operating on this target and specifies
that [s]he may change the target's password, request information about the target
and modify it.
A wildcarded name. The operation-mask applies to all principals in realm "realm"
whose first component is "user" and specifies that [s]he may add principals and
change anybody's password.
user/*@realm i */instance@realm
A wildcarded name and target. The operation-mask applies to all principals in
realm "realm" whose first component is "user" and specifies that [s]he may perform
inquiries on principals whose second component is "instance" and realm is "realm".
principal.db default name for Kerberos principal database
<dbname>.kadm5 KADM5 administrative database. (This would be "principal.kadm5", if
you use the default database name.) Contains policy information.
<dbname>.kadm5.lock lock file for the KADM5 administrative database. This file works
backwards from most other lock files. I.e., kadmin will exit with an
error if this file does not exist.
kadm5.acl file containing list of principals and their kadmin administrative
privileges. See above for a description.
kadm5.keytab keytab file for kadmin/admin principal.
kadm5.dict file containing dictionary of strings explicitly disallowed as pass-
kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8)