.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $
.\"
.Dd March 5, 2002
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Op Fl -no-kerberos4
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions. When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal. Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to ports
749 and 751 (if Kerberos 4 support is built and enabled), but you can
add any number of ports with this option. The port string is a
whitespace separated list of port specifications, with the special
string
.Dq +
representing the default set of ports.
.It Fl -no-kerberos4
make
.Nm
ignore Kerberos 4 kadmin requests.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled-in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This ACL file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8