KADMIND(8) | System Manager's Manual | KADMIND(8) |
kadmind
— server
for administrative access to Kerberos database
kadmind |
[-c
file | --config-file= file]
[-k file | --key-file= file]
[--keytab= keytab]
[-r realm | --realm= realm]
[-d | --debug ]
[-p port | --ports= port] |
kadmind
listens for requests for changes
to the Kerberos database and performs these, subject to permissions. When
starting, if stdin is a socket it assumes that it has been started by
inetd(8), otherwise it behaves as a
daemon, forking processes for each new connection. The
--debug
option causes
kadmind
to accept exactly one connection, which is
useful for debugging.
The kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by kpasswd(1)).
This daemon should only be run on the master server, and not on any slaves.
Principals are always allowed to change their own password and list their own principal. Apart from that, doing any operation requires permission explicitly added in the ACL file /var/heimdal/kadmind.acl. The format of this file is:
Where rights is any (comma separated) combination of:
And the optional principal-pattern restricts the rights to operations on principals that match the glob-style pattern.
Supported options:
-c
file,
--config-file=
file-k
file,
--key-file=
file--keytab=
keytab-r
realm,
--realm=
realm-d
,
--debug
-p
port,
--ports=
port/var/heimdal/kadmind.acl
This will cause kadmind
to listen to port
4711 in addition to any compiled in defaults:
kadmind
--ports
="+ 4711"
&
This acl file will grant Joe all rights, and allow Mallory to view and add host principals, as well as extract host principal keys (e.g., into keytabs).
joe/admin@EXAMPLE.COM all mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM
December 8, 2004 | HEIMDAL |