.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd December 8, 2004
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl Fl key-file= Ns Ar file
.Xc
.Oc
.Op Fl Fl keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl Fl debug
.Oo Fl p Ar port \*(Ba Xo
.Fl Fl ports= Ns Ar port
.Xc
.Oc
.Ek
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl Fl debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
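.Pp
Added example (not part of the Heimdal sources): a Python model of the ACL
format described above, which parses an ACL and answers whether a caller
holds a right on a target principal, so an ACL can be reviewed before it is
installed. The function names, the use of fnmatchcase for the glob-style
pattern and the treatment of lines starting with # as comments are
assumptions of this example.

```python
from fnmatch import fnmatchcase

# Right names as listed on this page; "cpw" is the documented short form.
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get"}
ALIASES = {"cpw": "change-password"}

# Constructed sample: the page's EXAMPLES ACL plus one deliberately bad line.
SAMPLE_ACL = """\
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
eve/admin@EXAMPLE.COM add,frobnicate
"""

def parse_acl(text):
    """Return (entries, errors); each entry is (principal, rights, pattern)."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' is a comment
            continue
        if len(fields) not in (2, 3):
            errors.append((lineno, "expected: principal rights [principal-pattern]"))
            continue
        rights = set()
        for name in fields[1].split(","):
            name = ALIASES.get(name, name)
            rights |= RIGHTS if name == "all" else {name}
        unknown = rights - RIGHTS
        if unknown:  # reject the whole line instead of granting a partial set
            errors.append((lineno, "unknown right: " + ",".join(sorted(unknown))))
            continue
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries, errors

def allowed(entries, caller, right, target):
    """True if caller may perform right on target under the parsed entries."""
    right = ALIASES.get(right, right)
    if caller == target and right in {"change-password", "list"}:
        return True  # self-service rule stated in DESCRIPTION
    # Assumption: fnmatchcase stands in for "glob-style"; its '*' also spans '/'.
    return any(p == caller and right in r and (pat is None or fnmatchcase(target, pat))
               for p, r, pat in entries)

def unrestricted(entries):
    """Principals holding rights with no principal-pattern; review these first."""
    return sorted({p for p, _, pat in entries if pat is None})
```

Entries returned by unrestricted() apply to every principal in the database,
so they are the ones to justify individually during an ACL review.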
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl Fl keytab= Ns Ar keytab
what keytab to use
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl d , Fl Fl debug
enable debugging
.It Fl p Ar port , Fl Fl ports= Ns Ar port
ports to listen to. By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications, with the
special string
.Dq +
representing the default port.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8