KCM(8) System Manager's Manual KCM(8)

kcmprocess-based credential cache for Kerberos tickets.

kcm [--cache-name=cachename] [-c file | --config-file=file] [-g group | --group=group] [--max-request=size] [--disallow-getting-krbtgt] [--use-uid-matching] [--detach] [-h | --help] [-k principal | --system-principal=principal] [-l time | --lifetime=time] [-n | --no-name-constraints] [-r time | --renewable-life=time] [-s path | --socket-path=path] [--door-path=path] [-S principal | --server=principal] [-t keytab | --keytab=keytab] [-u user | --user=user] [-v | --version]

kcm is a process based credential cache. To use it, set the KRB5CCNAME enviroment variable to ‘KCM:uid’ or add the stanza

[libdefaults]
        default_cc_name = KCM:%{uid}

to the /etc/krb5.conf configuration file and make sure kcm is started in the system startup files.

The kcm daemon can hold the credentials for all users in the system. Access control is done with Unix-like permissions. The daemon checks the access on all operations based on the uid of the user. The tickets are renewed as long as is permitted by the KDC's policy.

The kcm daemon can also keep a SYSTEM credential that server processes can use to access services. One example of usage might be an nss_ldap module that quickly needs to get credentials and doesn't want to renew the ticket itself.

Supported options:

cachename
system cache name
file, --config-file=file
location of config file
group, --group=group
system cache group
size
max size for a kcm-request
disallow extracting any krbtgt from the
use uid only to determine if a user can access a credential or not kcm daemon.
detach from console
, --help
 
principal, --system-principal=principal
system principal name
time, --lifetime=time
lifetime of system tickets
, --no-name-constraints
disable credentials cache name constraints
time, --renewable-life=time
renewable lifetime of system tickets
path, --socket-path=path
path to kcm domain socket
path
path to kcm door socket
principal, --server=principal
server to get system ticket for
keytab, --keytab=keytab
system keytab name
user, --user=user
system cache owner
, --version
 
May 29, 2005 Heimdal