
KADMIND(8)               UNIX System Manager's Manual               KADMIND(8)

NNAAMMEE
     kkaaddmmiinndd - server for administrative access to kerberos database

SSYYNNOOPPSSIISS
     kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
     [----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t |
     ----ppoorrttss==_p_o_r_t]

DDEESSCCRRIIPPTTIIOONN
     kkaaddmmiinndd listens for requests for changes to the Kerberos database and
     performs these, subject to permissions.  When starting, if stdin is a
     socket it assumes that it has been started by inetd(8),  otherwise it be-
     haves as a daemon, forking processes for each new connection. The ----ddeebbuugg
     option causes kkaaddmmiinndd to accept exactly one connection, which is useful
     for debugging.

     If built with krb4 support, it implements both the Heimdal Kerberos 5 ad-
     ministrative protocol and the Kerberos 4 protocol. Password changes via
     the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the kpass-
     wdd(8) daemon is responsible for the Kerberos 5 password changing proto-
     col (used by kpasswd(1))

     This daemon should only be run on ther master server, and not on any
     slaves.

     Principals are always allowed to change their own password and list their
     own principals.  Apart from that, doing any operation requires permission
     explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of
     this file is:

     _p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n]

     Where rights is any combination of:

     ++oo   change-password | cpw

     ++oo   list

     ++oo   delete

     ++oo   modify

     ++oo   add

     ++oo   get

     ++oo   all

     And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to principals
     that match the glob-style pattern.

     Supported options:

     --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
             location of config file

     --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
             location of master key file

     ----kkeeyyttaabb==_k_e_y_t_a_b


             what keytab to use

     --rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
             realm to use

     --dd, ----ddeebbuugg
             enable debugging

     --pp _p_o_r_t, ----ppoorrttss==_p_o_r_t
             ports to listen to. By default, if run as a daemon, it listen to
             ports 749, and 751 (if built with Kerberos 4 support), but you
             can add any number of ports with this option. The port string is
             a whitespace separated list of port specifications, with the spe-
             cial string ``+'' representing the default set of ports.

FFIILLEESS
     _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l

EEXXAAMMPPLLEESS
     This will cause kadmind to listen to port 4711 in addition to any com-
     piled in defaults:

           # kadmind --ports="+ 4711" &

SSEEEE AALLSSOO
     kdc(8),  kadmin(1),  kpasswdd(8),  kpasswd(1)

 HEIMDAL                         June 7, 2000                                2