'\" te
.\" Copyright 1987, 1989 by the Student Information Processing Board of the Massachusetts Institute of Technology. For copying and distribution information, please see the file kerberosv5/mit-sipb-copyright.h.
.\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH kadmind 1M "29 Feb 2008" "SunOS 5.11" "System Administration Commands"
.SH NAME
kadmind \- Kerberos administration daemon
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/krb5/kadmind\fR [\fB-d\fR] [\fB-m\fR] [\fB-p\fR \fIport-number\fR] [\fB-r\fR \fIrealm\fR]
     \fB-x\fR \fIdb_args\fR]...
.fi

.SH DESCRIPTION
.sp
.LP
\fBkadmind\fR runs on the master key distribution center (\fBKDC\fR), which
stores the principal and policy databases. \fBkadmind\fR accepts remote
requests to administer the information in these databases. Remote requests are
sent, for example, by \fBkpasswd\fR(1), \fBgkadmin\fR(1M), and \fBkadmin\fR(1M)
commands, all of which are clients of \fBkadmind\fR. When you install a
\fBKDC\fR, \fBkadmind\fR is set up in the \fBinit\fR scripts to start
automatically when the \fBKDC\fR is rebooted.
.sp
.LP
\fBkadmind\fR requires a number of configuration files to be set up for it to
work:
.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kdc.conf\fR\fR
.ad
.sp .6
.RS 4n
The \fBKDC\fR configuration file contains configuration information for the
\fBKDC\fR and the Kerberos administration system. \fBkadmind\fR understands a
number of configuration variables (called relations) in this file, some of
which are mandatory and some of which are optional. In particular,
\fBkadmind\fR uses the \fBacl_file\fR, \fBdict_file\fR, \fBadmin_keytab\fR, and
\fBkadmind_port\fR relations in the [\fIrealms\fR] section. Refer to the
\fBkdc.conf\fR(4) man page for information regarding the format of the
\fBKDC\fR configuration file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kadm5.keytab\fR\fR
.ad
.sp .6
.RS 4n
\fBkadmind\fR requires a \fBkeytab\fR (key table) containing correct entries
for the \fBkadmin\fR/\fIfqdn\fR, \fBkadmin\fR/\fBchangepw\fR and
\fBkadmin\fR/\fBchangepw\fR principals for every realm that \fBkadmind\fR
answers requests. The \fBkeytab\fR can be created with the
\fBkadmin.local\fR(1M) or \fBkdb5_util\fR(1M) command. The location of the
keytab is determined by the \fBadmin_keytab\fR relation in the
\fBkdc.conf\fR(4) file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kadm5.acl\fR\fR
.ad
.sp .6
.RS 4n
\fBkadmind\fR uses an \fBACL\fR (access control list) to determine which
principals are allowed to perform Kerberos administration actions. The path of
the \fBACL\fR file is determined by the \fBacl_file\fR relation in the
\fBkdc.conf\fR file. See \fBkdc.conf\fR(4). For information regarding the
format of the \fBACL\fR file, refer to \fBkadm5.acl\fR(4).
.sp
The \fBkadmind\fR daemon will need to be restarted to reread the
\fBkadm5.acl\fR file after it has been modified. You can do this, as root, with
the following command:
.sp
.in +2
.nf
# svcadm restart svc:/network/security/kadmin:default
.fi
.in -2
.sp

.RE

.sp
.LP
After \fBkadmind\fR begins running, it puts itself in the background and
disassociates itself from its controlling terminal.
.sp
.LP
\fBkadmind\fR can be configured for incremental database propagation.
Incremental propagation allows slave KDC servers to receive principal and
policy updates incrementally instead of receiving full dumps of the database.
These settings can be changed in the \fBkdc.conf\fR(4) file:
.sp
.ne 2
.mk
.na
\fB\fBsunw_dbprop_enable = [true | false]\fR\fR
.ad
.sp .6
.RS 4n
Enable or disable incremental database propagation. Default is \fBfalse\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBsunw_dbprop_master_ulogsize = N\fR\fR
.ad
.sp .6
.RS 4n
Specifies the maximum amount of log entries available for incremental
propagation to the slave KDC servers. The maximum value that this can be is
2500 entries. Default value is 1000 entries.
.RE

.sp
.LP
The \fBkiprop/\fR\fI<hostname>\fR\fB@\fR\fI<REALM>\fR principal must exist in
the master's \fBkadm5.keytab\fR file to enable the slave to authenticate
incremental propagation from the master. In the principal syntax above,
\fI<hostname>\fR is the master KDC's host name and \fI<REALM>\fR is the realm
in which the master KDC resides.
.sp
.LP
Kerberos client machines can automatically migrate Unix users to the default
Kerberos realm specified in the local \fBkrb5.conf\fR(4), if the user does not
have a valid kerberos account already. You achieve this by using the
\fBpam_krb5_migrate\fR(5) service module for the service in question. The
Kerberos service principal used by the client machine attempting the migration
needs to be validated using the \fBu\fR privilege in \fBkadm5.acl\fR(4). When
using the \fBu\fR privilege, \fBkadmind\fR validates user passwords using PAM,
specifically using a \fBPAM_SERVICE\fR name of \fBk5migrate\fR by calling
\fBpam_authenticate\fR(3PAM) and \fBpam_acct_mgmt\fR(3PAM).
.sp
.LP
A suitable PAM stack configuration example for \fBk5migrate\fR would look like:
.sp
.in +2
.nf
k5migrate        auth    required        pam_unix_auth.so.1
k5migrate        account required        pam_unix_account.so.1
.fi
.in -2
.sp

.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fB-d\fR\fR
.ad
.sp .6
.RS 4n
Specifies that \fBkadmind\fR does not put itself in the background and does not
disassociate itself from the terminal. In normal operation, you should use the
default behavior, which is to allow the daemon to put itself in the background.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-m\fR\fR
.ad
.sp .6
.RS 4n
Specifies that the master database password should be retrieved from the
keyboard rather than from the stash file. When using \fB-m\fR, the
\fBkadmind\fR daemon receives the password prior to putting itself in the
background. If used in combination with the \fB-d\fR option, you must
explicitly place the daemon in the background.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-p\fR \fIport-number\fR\fR
.ad
.sp .6
.RS 4n
Specifies the port on which the \fBkadmind\fR daemon listens for connections.
The default is controlled by the \fBkadmind_port\fR relation in the
\fBkdc.conf\fR(4) file.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default realm that \fBkadmind\fR serves. If \fIrealm\fR is not
specified, the default \fIrealm\fR of the host is used. \fBkadmind\fR answers
requests for any realm that exists in the local \fBKDC\fR database and for
which the appropriate principals are in its \fBkeytab\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB-x\fR \fIdb_args\fR\fR
.ad
.sp .6
.RS 4n
Pass database-specific arguments to \fBkadmind\fR. Supported arguments are for
LDAP and the \fBBerkeley-db2\fR plug-in. These arguments are:
.sp
.ne 2
.mk
.na
\fB\fBbinddn\fR=\fIbinddn\fR\fR
.ad
.sp .6
.RS 4n
LDAP simple bind DN for authorization on the directory server. Overrides the
\fBldap_kadmind_dn\fR parameter setting in \fBkrb5.conf\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBbindpwd\fR=\fIbindpwd\fR\fR
.ad
.sp .6
.RS 4n
Bind password.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdbname\fR=\fIname\fR\fR
.ad
.sp .6
.RS 4n
For the \fBBerkeley-db2\fR plug-in, specifies a name for the Kerberos database.
.RE

.sp
.ne 2
.mk
.na
\fB\fBnconns\fR=\fInum\fR\fR
.ad
.sp .6
.RS 4n
Maximum number of server connections.
.RE

.sp
.ne 2
.mk
.na
\fB\fBport\fR=\fInum\fR\fR
.ad
.sp .6
.RS 4n
Directory server connection port.
.RE

.RE

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/var/krb5/principal\fR\fR
.ad
.sp .6
.RS 4n
Kerberos principal database.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/var/krb5/principal.ulog\fR\fR
.ad
.sp .6
.RS 4n
The update log file for incremental propagation.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/var/krb5/principal.kadm5\fR\fR
.ad
.sp .6
.RS 4n
Kerberos administrative database containing policy information.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/var/krb5/principal.kadm5.lock\fR\fR
.ad
.sp .6
.RS 4n
Kerberos administrative database lock file. This file works backwards from most
other lock files (that is, \fBkadmin\fR exits with an error if this file does
not exist).
.RE

.sp
.ne 2
.mk
.na
\fB\fB/var/krb5/kadm5.dict\fR\fR
.ad
.sp .6
.RS 4n
Dictionary of strings explicitly disallowed as passwords.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kadm5.acl\fR\fR
.ad
.sp .6
.RS 4n
List of principals and their \fBkadmin\fR administrative privileges.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kadm5.keytab\fR\fR
.ad
.sp .6
.RS 4n
Keytab for \fBkadmin\fR principals: \fBkadmin\fR/\fIfqdn\fR,
\fBchangepw\fR/\fIfqdn\fR, and \fBkadmin\fR/\fBchangepw\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB/etc/krb5/kdc.conf\fR\fR
.ad
.sp .6
.RS 4n
\fBKDC\fR configuration information.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityEvolving
.TE

.SH SEE ALSO
.sp
.LP
\fBkpasswd\fR(1), \fBsvcs\fR(1), \fBgkadmin\fR(1M), \fBkadmin\fR(1M),
\fBkadmin.local\fR(1M), \fBkdb5_util\fR(1M), \fBkdb5_ldap_util\fR(1M),
\fBkproplog\fR(1M), \fBsvcadm\fR(1M), \fBpam_acct_mgmt\fR(3PAM),
\fBpam_authenticate\fR(3PAM), \fBkadm5.acl\fR(4), \fBkdc.conf\fR(4),
\fBkrb5.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5),
\fBkrb5envvar\fR(5), \fBpam_krb5_migrate\fR(5), \fBsmf\fR(5)
.SH NOTES
.sp
.LP
The Kerberos administration daemon (\fBkadmind\fR) is now compliant with the
change-password standard mentioned in RFC 3244, which means it can now handle
change-password requests from non-Solaris Kerberos clients.
.sp
.LP
The \fBkadmind\fR service is managed by the service management facility,
\fBsmf\fR(5), under the service identifier:
.sp
.in +2
.nf
svc:/network/security/kadmin
.fi
.in -2
.sp

.sp
.LP
Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using \fBsvcadm\fR(1M). The service's
status can be queried using the \fBsvcs\fR(1) command.