1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
KADMIND(8) UNIX System Manager's Manual KADMIND(8)
NNAAMMEE
kkaaddmmiinndd - server for administrative access to kerberos database
SSYYNNOOPPSSIISS
kkaaddmmiinndd [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e]
[----kkeeyyttaabb==_k_e_y_t_a_b] [--rr _r_e_a_l_m | ----rreeaallmm==_r_e_a_l_m] [--dd | ----ddeebbuugg] [--pp _p_o_r_t |
----ppoorrttss==_p_o_r_t]
DDEESSCCRRIIPPTTIIOONN
kkaaddmmiinndd listens for requests for changes to the Kerberos database and
performs these, subject to permissions. When starting, if stdin is a
socket it assumes that it has been started by inetd(8), otherwise it be-
haves as a daemon, forking processes for each new connection. The ----ddeebbuugg
option causes kkaaddmmiinndd to accept exactly one connection, which is useful
for debugging.
If built with krb4 support, it implements both the Heimdal Kerberos 5 ad-
ministrative protocol and the Kerberos 4 protocol. Password changes via
the Kerberos 4 protocol are also performed by kkaaddmmiinndd, but the kpass-
wdd(8) daemon is responsible for the Kerberos 5 password changing proto-
col (used by kpasswd(1))
This daemon should only be run on ther master server, and not on any
slaves.
Principals are always allowed to change their own password and list their
own principals. Apart from that, doing any operation requires permission
explicitly added in the ACL file _/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l. The format of
this file is:
_p_r_i_n_c_i_p_a_l _r_i_g_h_t_s [_p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n]
Where rights is any combination of:
++oo change-password | cpw
++oo list
++oo delete
++oo modify
++oo add
++oo get
++oo all
And the optional _p_r_i_n_c_i_p_a_l_-_p_a_t_t_e_r_n restricts the rights to principals
that match the glob-style pattern.
Supported options:
--cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e
location of config file
--kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e
location of master key file
----kkeeyyttaabb==_k_e_y_t_a_b
what keytab to use
--rr _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
realm to use
--dd, ----ddeebbuugg
enable debugging
--pp _p_o_r_t, ----ppoorrttss==_p_o_r_t
ports to listen to. By default, if run as a daemon, it listen to
ports 749, and 751 (if built with Kerberos 4 support), but you
can add any number of ports with this option. The port string is
a whitespace separated list of port specifications, with the spe-
cial string ``+'' representing the default set of ports.
FFIILLEESS
_/_v_a_r_/_h_e_i_m_d_a_l_/_k_a_d_m_i_n_d_._a_c_l
EEXXAAMMPPLLEESS
This will cause kadmind to listen to port 4711 in addition to any com-
piled in defaults:
# kadmind --ports="+ 4711" &
SSEEEE AALLSSOO
kdc(8), kadmin(1), kpasswdd(8), kpasswd(1)
HEIMDAL June 7, 2000 2
|