.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd December 8, 2004
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl Fl key-file= Ns Ar file
.Xc
.Oc
.Op Fl Fl keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl Fl debug
.Oo Fl p Ar port \*(Ba Xo
.Fl Fl ports= Ns Ar port
.Xc
.Oc
.Ek
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl Fl debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl Fl keytab= Ns Ar keytab
what keytab to use
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl d , Fl Fl debug
enable debugging
.It Fl p Ar port , Fl Fl ports= Ns Ar port
ports to listen to.  By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications, with the
special string
.Dq +
representing the default port.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8
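The ACL rules from DESCRIPTION, applied to the file shown in EXAMPLES, as an added Python example for reviewing a kadmind.acl before deployment; it is not part of this manual page or of Heimdal. The function names, the use of fnmatchcase for glob-style matching, and the skipping of lines starting with # are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Rights named on this page; "cpw" is the documented alias for change-password.
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get"}
ALIASES = {"cpw": "change-password"}

def parse_acl(text):
    """Return (entries, problems); each entry is (principal, rights, pattern)."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # comment skipping: assumption
            continue
        if len(fields) not in (2, 3):
            problems.append((n, "expected: principal rights [principal-pattern]"))
            continue
        rights = set()
        for tok in fields[1].split(","):
            tok = ALIASES.get(tok, tok)
            if tok == "all":
                rights |= RIGHTS
            elif tok in RIGHTS:
                rights.add(tok)
            else:
                problems.append((n, "unknown right %r" % tok))
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries, problems

def allowed(entries, actor, right, target):
    """Decide one request using the rules stated in DESCRIPTION."""
    right = ALIASES.get(right, right)
    if actor == target and right in ("change-password", "list"):
        return True  # self-service needs no ACL entry
    return any(who == actor and right in rights
               and (pat is None or fnmatchcase(target, pat))  # glob match: assumption
               for who, rights, pat in entries)

def unrestricted(entries):
    """Principals holding every right with no principal-pattern limit."""
    return sorted({who for who, rights, pat in entries
                   if rights == RIGHTS and pat is None})

# Constructed sample: the ACL from EXAMPLES plus one line with a mistyped right.
SAMPLE = """\
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
ops/admin@EXAMPLE.COM      get,lst
"""
```

Running parse_acl over the file and reviewing both the reported problems and the output of unrestricted shows which principals hold full administrative access and which lines contain a right that would not mean what the author intended.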