xref: /freebsd/crypto/heimdal/kadmin/kadmind.8 (revision 6a068746777241722b2b32c5d0bc443a2a64d80b)
1*ae771770SStanislav Sedov.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
2bbd80c28SJacques Vidrine.\" (Royal Institute of Technology, Stockholm, Sweden).
3bbd80c28SJacques Vidrine.\" All rights reserved.
4bbd80c28SJacques Vidrine.\"
5bbd80c28SJacques Vidrine.\" Redistribution and use in source and binary forms, with or without
6bbd80c28SJacques Vidrine.\" modification, are permitted provided that the following conditions
7bbd80c28SJacques Vidrine.\" are met:
8bbd80c28SJacques Vidrine.\"
9bbd80c28SJacques Vidrine.\" 1. Redistributions of source code must retain the above copyright
10bbd80c28SJacques Vidrine.\"    notice, this list of conditions and the following disclaimer.
11bbd80c28SJacques Vidrine.\"
12bbd80c28SJacques Vidrine.\" 2. Redistributions in binary form must reproduce the above copyright
13bbd80c28SJacques Vidrine.\"    notice, this list of conditions and the following disclaimer in the
14bbd80c28SJacques Vidrine.\"    documentation and/or other materials provided with the distribution.
15bbd80c28SJacques Vidrine.\"
16bbd80c28SJacques Vidrine.\" 3. Neither the name of the Institute nor the names of its contributors
17bbd80c28SJacques Vidrine.\"    may be used to endorse or promote products derived from this software
18bbd80c28SJacques Vidrine.\"    without specific prior written permission.
19bbd80c28SJacques Vidrine.\"
20bbd80c28SJacques Vidrine.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21bbd80c28SJacques Vidrine.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22bbd80c28SJacques Vidrine.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23bbd80c28SJacques Vidrine.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24bbd80c28SJacques Vidrine.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25bbd80c28SJacques Vidrine.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26bbd80c28SJacques Vidrine.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27bbd80c28SJacques Vidrine.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28bbd80c28SJacques Vidrine.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29bbd80c28SJacques Vidrine.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30bbd80c28SJacques Vidrine.\" SUCH DAMAGE.
31bbd80c28SJacques Vidrine.\"
32*ae771770SStanislav Sedov.\" $Id$
338373020dSJacques Vidrine.\"
34c19800e8SDoug Rabson.Dd December  8, 2004
355e9cd1aeSAssar Westerlund.Dt KADMIND 8
365e9cd1aeSAssar Westerlund.Os HEIMDAL
375e9cd1aeSAssar Westerlund.Sh NAME
385e9cd1aeSAssar Westerlund.Nm kadmind
39bbd80c28SJacques Vidrine.Nd "server for administrative access to Kerberos database"
405e9cd1aeSAssar Westerlund.Sh SYNOPSIS
415e9cd1aeSAssar Westerlund.Nm
42c19800e8SDoug Rabson.Bk -words
435e9cd1aeSAssar Westerlund.Oo Fl c Ar file \*(Ba Xo
44*ae771770SStanislav Sedov.Fl Fl config-file= Ns Ar file
455e9cd1aeSAssar Westerlund.Xc
46adb0ddaeSAssar Westerlund.Oc
475e9cd1aeSAssar Westerlund.Oo Fl k Ar file \*(Ba Xo
48*ae771770SStanislav Sedov.Fl Fl key-file= Ns Ar file
495e9cd1aeSAssar Westerlund.Xc
50adb0ddaeSAssar Westerlund.Oc
51*ae771770SStanislav Sedov.Op Fl Fl keytab= Ns Ar keytab
525e9cd1aeSAssar Westerlund.Oo Fl r Ar realm \*(Ba Xo
53*ae771770SStanislav Sedov.Fl Fl realm= Ns Ar realm
545e9cd1aeSAssar Westerlund.Xc
55adb0ddaeSAssar Westerlund.Oc
56*ae771770SStanislav Sedov.Op Fl d | Fl Fl debug
575e9cd1aeSAssar Westerlund.Oo Fl p Ar port \*(Ba Xo
58*ae771770SStanislav Sedov.Fl Fl ports= Ns Ar port
595e9cd1aeSAssar Westerlund.Xc
60adb0ddaeSAssar Westerlund.Oc
61c19800e8SDoug Rabson.Ek
625e9cd1aeSAssar Westerlund.Sh DESCRIPTION
635e9cd1aeSAssar Westerlund.Nm
645e9cd1aeSAssar Westerlundlistens for requests for changes to the Kerberos database and performs
658373020dSJacques Vidrinethese, subject to permissions.  When starting, if stdin is a socket it
668373020dSJacques Vidrineassumes that it has been started by
675e9cd1aeSAssar Westerlund.Xr inetd 8 ,
685e9cd1aeSAssar Westerlundotherwise it behaves as a daemon, forking processes for each new
695e9cd1aeSAssar Westerlundconnection. The
70*ae771770SStanislav Sedov.Fl Fl debug
715e9cd1aeSAssar Westerlundoption causes
725e9cd1aeSAssar Westerlund.Nm
735e9cd1aeSAssar Westerlundto accept exactly one connection, which is useful for debugging.
7445524cd7SAssar Westerlund.Pp
75c19800e8SDoug RabsonThe
765e9cd1aeSAssar Westerlund.Xr kpasswdd 8
775e9cd1aeSAssar Westerlunddaemon is responsible for the Kerberos 5 password changing protocol
785e9cd1aeSAssar Westerlund(used by
79*ae771770SStanislav Sedov.Xr kpasswd 1 ) .
805e9cd1aeSAssar Westerlund.Pp
81bbd80c28SJacques VidrineThis daemon should only be run on the master server, and not on any
825e9cd1aeSAssar Westerlundslaves.
835e9cd1aeSAssar Westerlund.Pp
845e9cd1aeSAssar WesterlundPrincipals are always allowed to change their own password and list
858373020dSJacques Vidrinetheir own principal.  Apart from that, doing any operation requires
865e9cd1aeSAssar Westerlundpermission explicitly added in the ACL file
875e9cd1aeSAssar Westerlund.Pa /var/heimdal/kadmind.acl .
885e9cd1aeSAssar WesterlundThe format of this file is:
895e9cd1aeSAssar Westerlund.Bd -ragged
905e9cd1aeSAssar Westerlund.Va principal
915e9cd1aeSAssar Westerlund.Va rights
925e9cd1aeSAssar Westerlund.Op Va principal-pattern
935e9cd1aeSAssar Westerlund.Ed
945e9cd1aeSAssar Westerlund.Pp
958373020dSJacques VidrineWhere rights is any (comma separated) combination of:
968373020dSJacques Vidrine.Bl -bullet -compact
975e9cd1aeSAssar Westerlund.It
988373020dSJacques Vidrinechange-password or cpw
995e9cd1aeSAssar Westerlund.It
1005e9cd1aeSAssar Westerlundlist
1015e9cd1aeSAssar Westerlund.It
1025e9cd1aeSAssar Westerlunddelete
1035e9cd1aeSAssar Westerlund.It
1045e9cd1aeSAssar Westerlundmodify
1055e9cd1aeSAssar Westerlund.It
1065e9cd1aeSAssar Westerlundadd
1075e9cd1aeSAssar Westerlund.It
1085e9cd1aeSAssar Westerlundget
1095e9cd1aeSAssar Westerlund.It
1105e9cd1aeSAssar Westerlundall
1115e9cd1aeSAssar Westerlund.El
1125e9cd1aeSAssar Westerlund.Pp
1135e9cd1aeSAssar WesterlundAnd the optional
1145e9cd1aeSAssar Westerlund.Ar principal-pattern
1158373020dSJacques Vidrinerestricts the rights to operations on principals that match the
1168373020dSJacques Vidrineglob-style pattern.
1175e9cd1aeSAssar Westerlund.Pp
1185e9cd1aeSAssar WesterlundSupported options:
1195e9cd1aeSAssar Westerlund.Bl -tag -width Ds
120*ae771770SStanislav Sedov.It Fl c Ar file , Fl Fl config-file= Ns Ar file
1215e9cd1aeSAssar Westerlundlocation of config file
122*ae771770SStanislav Sedov.It Fl k Ar file , Fl Fl key-file= Ns Ar file
1235e9cd1aeSAssar Westerlundlocation of master key file
124*ae771770SStanislav Sedov.It Fl Fl keytab= Ns Ar keytab
1255e9cd1aeSAssar Westerlundwhat keytab to use
126*ae771770SStanislav Sedov.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
1275e9cd1aeSAssar Westerlundrealm to use
128*ae771770SStanislav Sedov.It Fl d , Fl Fl debug
1295e9cd1aeSAssar Westerlundenable debugging
130*ae771770SStanislav Sedov.It Fl p Ar port , Fl Fl ports= Ns Ar port
131c19800e8SDoug Rabsonports to listen to. By default, if run as a daemon, it listens to port
132c19800e8SDoug Rabson749, but you can add any number of ports with this option. The port
133c19800e8SDoug Rabsonstring is a whitespace separated list of port specifications, with the
134c19800e8SDoug Rabsonspecial string
1355e9cd1aeSAssar Westerlund.Dq +
136c19800e8SDoug Rabsonrepresenting the default port.
1375e9cd1aeSAssar Westerlund.El
1385e9cd1aeSAssar Westerlund.\".Sh ENVIRONMENT
1395e9cd1aeSAssar Westerlund.Sh FILES
1405e9cd1aeSAssar Westerlund.Pa /var/heimdal/kadmind.acl
1415e9cd1aeSAssar Westerlund.Sh EXAMPLES
1424137ff4cSJacques VidrineThis will cause
1434137ff4cSJacques Vidrine.Nm
1444137ff4cSJacques Vidrineto listen to port 4711 in addition to any
1455e9cd1aeSAssar Westerlundcompiled in defaults:
1464137ff4cSJacques Vidrine.Pp
147*ae771770SStanislav Sedov.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
1488373020dSJacques Vidrine.Pp
1498373020dSJacques VidrineThis acl file will grant Joe all rights, and allow Mallory to view and
1508373020dSJacques Vidrineadd host principals.
1518373020dSJacques Vidrine.Bd -literal -offset indent
1528373020dSJacques Vidrinejoe/admin@EXAMPLE.COM      all
1538373020dSJacques Vidrinemallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
1548373020dSJacques Vidrine.Ed
1555e9cd1aeSAssar Westerlund.\".Sh DIAGNOSTICS
1565e9cd1aeSAssar Westerlund.Sh SEE ALSO
1574137ff4cSJacques Vidrine.Xr kpasswd 1 ,
1588373020dSJacques Vidrine.Xr kadmin 8 ,
1594137ff4cSJacques Vidrine.Xr kdc 8 ,
1604137ff4cSJacques Vidrine.Xr kpasswdd 8
161