path: root/crypto/heimdal/kadmin/kadmind.8
Diffstat (limited to 'crypto/heimdal/kadmin/kadmind.8')
-rw-r--r-- crypto/heimdal/kadmin/kadmind.8 133
1 files changed, 133 insertions, 0 deletions
diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8
new file mode 100644
index 0000000..67d5c9b
--- /dev/null
+++ b/crypto/heimdal/kadmin/kadmind.8
@@ -0,0 +1,133 @@
+.Dd June 7, 2000
+.Dt KADMIND 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmind
+.Nd
+server for administrative access to kerberos database
+.Sh SYNOPSIS
+.Nm
+.Oo Fl c Ar file \*(Ba Xo
+.Fl -config-file= Ns Ar file Oc
+.Xc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl -key-file= Ns Ar file Oc
+.Xc
+.Op Fl -keytab= Ns Ar keytab
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl -realm= Ns Ar realm Oc
+.Xc
+.Op Fl d | Fl -debug
+.Oo Fl p Ar port \*(Ba Xo
+.Fl -ports= Ns Ar port Oc
+.Xc
+.Sh DESCRIPTION
+.Nm
+listens for requests for changes to the Kerberos database and performs
+these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by
+.Xr inetd 8 ,
+otherwise it behaves as a daemon, forking processes for each new
+connection. The
+.Fl -debug
+option causes
+.Nm
+to accept exactly one connection, which is useful for debugging.
+
+If built with krb4 support, it implements both the Heimdal Kerberos 5
+administrative protocol and the Kerberos 4 protocol. Password changes
+via the Kerberos 4 protocol are also performed by
+.Nm kadmind ,
+but the
+.Xr kpasswdd 8
+daemon is responsible for the Kerberos 5 password changing protocol
+(used by
+.Xr kpasswd 1 ).
+.Pp
+This daemon should only be run on ther master server, and not on any
+slaves.
+.Pp
+Principals are always allowed to change their own password and list
+their own principals. Apart from that, doing any operation requires
+permission explicitly added in the ACL file
+.Pa /var/heimdal/kadmind.acl .
+The format of this file is:
+.Bd -ragged
+.Va principal
+.Va rights
+.Op Va principal-pattern
+.Ed
+.Pp
+Where rights is any combination of:
+.Bl -bullet
+.It
+change-password | cpw
+.It
+list
+.It
+delete
+.It
+modify
+.It
+add
+.It
+get
+.It
+all
+.El
+.Pp
+And the optional
+.Ar principal-pattern
+restricts the rights to principals that match the glob-style pattern.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar file Ns ,
+.Fl -config-file= Ns Ar file
+.Xc
+location of config file
+.It Xo
+.Fl k Ar file Ns ,
+.Fl -key-file= Ns Ar file
+.Xc
+location of master key file
+.It Xo
+.Fl -keytab= Ns Ar keytab
+.Xc
+what keytab to use
+.It Xo
+.Fl r Ar realm Ns ,
+.Fl -realm= Ns Ar realm
+.Xc
+realm to use
+.It Xo
+.Fl d Ns ,
+.Fl -debug
+.Xc
+enable debugging
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -ports= Ns Ar port
+.Xc
+ports to listen to. By default, if run as a daemon, it listen to ports
+749, and 751 (if built with Kerberos 4 support), but you can add any
+number of ports with this option. The port string is a whitespace
+separated list of port specifications, with the special string
+.Dq +
+representing the default set of ports.
+.El
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Pa /var/heimdal/kadmind.acl
+.Sh EXAMPLES
+This will cause kadmind to listen to port 4711 in addition to any
+compiled in defaults:
+.Bd -literal -offset indent
+# kadmind --ports="+ 4711" &
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr kdc 8 ,
+.Xr kadmin 1 ,
+.Xr kpasswdd 8 ,
+.Xr kpasswd 1
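Review bot: The ACL file description in DESCRIPTION (the ".Bd -ragged" block and the rights list after it) does not say how several rights are written together in the rights field, nor what an entry means when principal-pattern is left out. Since the pattern is described only as something that "restricts the rights", the text implies that an entry without one applies to every principal, and combined with "all" that is the widest grant the file can express. Please state the separator and the no-pattern behaviour explicitly, and consider adding a sample kadmind.acl line under EXAMPLES next to the --ports example. Smaller points in the same hunk: "ther master server" should read "the master server"; "it listen to ports" should be "it listens on ports"; the empty "+" line before "If built with krb4 support" should be ".Pp" like the other paragraph breaks; and the -d entry in the option list says only "enable debugging", while DESCRIPTION says the option makes the daemon accept exactly one connection, so the option list should say the same.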