xref: /freebsd/crypto/heimdal/kadmin/kadmind.8 (revision 4137ff4cc173ea2e05227027e1c9e0ea42bcc0dc)
.Dd June  7, 2000
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.
When starting, if stdin is a socket it assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principals.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any combination of:
.Bl -bullet
.It
change-password | cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to principals that match the glob-style pattern.
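.Pp
As an added example (not part of this manual or of the Heimdal sources), the following Python sketch parses text in the ACL format described above and answers whether a caller may exercise a right on a target principal.
It assumes that several rights are written as one comma-separated field and that the pattern is matched one name component at a time; the principals and realm in the sample are constructed.

```python
from fnmatch import fnmatchcase

RIGHTS = {"change-password", "list", "delete", "modify", "add", "get"}

def parse_acl(text):
    """Parse kadmind.acl text into (principal, rights, pattern-or-None) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        rights = set()
        for name in fields[1].split(","):  # assumption: comma-separated rights
            name = "change-password" if name == "cpw" else name
            if name != "all" and name not in RIGHTS:
                raise ValueError(f"line {lineno}: unknown right {name!r}")
            rights |= RIGHTS if name == "all" else {name}
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries

def split_principal(name):
    """Split a/b@REALM into [a, b, REALM]; needs a realm, no escape handling."""
    comps, _, realm = name.rpartition("@")
    return comps.split("/") + [realm]

def pattern_matches(pattern, target):
    """Assumed semantics: glob each component separately, counts must agree."""
    p, t = split_principal(pattern), split_principal(target)
    return len(p) == len(t) and all(fnmatchcase(b, a) for a, b in zip(p, t))

def allowed(entries, caller, right, target):
    """True if the ACL lets caller exercise right on target."""
    if caller == target and right in ("change-password", "list"):
        return True  # self-service rule stated in this manual
    return any(principal == caller and right in rights
               and (pattern is None or pattern_matches(pattern, target))
               for principal, rights, pattern in entries)

def unrestricted(entries):
    """Principals whose entry has no pattern: rights apply to every principal."""
    return sorted(p for p, _, pattern in entries if pattern is None)

# Constructed sample ACL; principals and realm are made up.
SAMPLE_ACL = """
alice/admin@EXAMPLE.ORG     all
helpdesk/admin@EXAMPLE.ORG  cpw,get  *@EXAMPLE.ORG
"""
ENTRIES = parse_acl(SAMPLE_ACL)
```

Entries returned by unrestricted() are the ones to review first when auditing an ACL file, since they carry no pattern to limit their reach.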
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file Ns ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file Ns ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm Ns ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d Ns ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port Ns ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to ports
749, and 751 (if built with Kerberos 4 support), but you can add any
number of ports with this option. The port string is a
whitespace-separated list of port specifications, with the special string
.Dq +
representing the default set of ports.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled-in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmin 1 ,
.Xr kpasswd 1 ,
.Xr kdc 8 ,
.Xr kpasswdd 8