1.\" $Id: kadmind.8,v 1.10.2.1 2002/10/21 14:53:39 joda Exp $ 2.\" 3.Dd March 5, 2002 4.Dt KADMIND 8 5.Os HEIMDAL 6.Sh NAME 7.Nm kadmind 8.Nd "server for administrative access to kerberos database" 9.Sh SYNOPSIS 10.Nm 11.Oo Fl c Ar file \*(Ba Xo 12.Fl -config-file= Ns Ar file 13.Xc 14.Oc 15.Oo Fl k Ar file \*(Ba Xo 16.Fl -key-file= Ns Ar file 17.Xc 18.Oc 19.Op Fl -keytab= Ns Ar keytab 20.Oo Fl r Ar realm \*(Ba Xo 21.Fl -realm= Ns Ar realm 22.Xc 23.Oc 24.Op Fl d | Fl -debug 25.Oo Fl p Ar port \*(Ba Xo 26.Fl -ports= Ns Ar port 27.Xc 28.Oc 29.Op Fl -no-kerberos4 30.Sh DESCRIPTION 31.Nm 32listens for requests for changes to the Kerberos database and performs 33these, subject to permissions. When starting, if stdin is a socket it 34assumes that it has been started by 35.Xr inetd 8 , 36otherwise it behaves as a daemon, forking processes for each new 37connection. The 38.Fl -debug 39option causes 40.Nm 41to accept exactly one connection, which is useful for debugging. 42.Pp 43If built with krb4 support, it implements both the Heimdal Kerberos 5 44administrative protocol and the Kerberos 4 protocol. Password changes 45via the Kerberos 4 protocol are also performed by 46.Nm kadmind , 47but the 48.Xr kpasswdd 8 49daemon is responsible for the Kerberos 5 password changing protocol 50(used by 51.Xr kpasswd 1 ) 52. 53.Pp 54This daemon should only be run on ther master server, and not on any 55slaves. 56.Pp 57Principals are always allowed to change their own password and list 58their own principal. Apart from that, doing any operation requires 59permission explicitly added in the ACL file 60.Pa /var/heimdal/kadmind.acl . 
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma-separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to ports
749 and 751 (if Kerberos 4 support is built and enabled), but you can
add any number of ports with this option. The port string is a
whitespace-separated list of port specifications, with the special
string
.Dq +
representing the default set of ports.
.It Fl -no-kerberos4
make
.Nm
ignore Kerberos 4 kadmin requests.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled-in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This ACL file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8
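The ACL semantics described above (one entry per line: principal, comma-separated rights, optional glob pattern; plus the implicit right of every principal to change its own password and list itself), worked through as an added example that is not Heimdal's code. It assumes that "#" starts a comment and that any matching entry grants the right; the sample ACL file is constructed from the EXAMPLES section.

```python
"""Evaluate a kadmind.acl file: principal rights [principal-pattern]."""
import fnmatch

# Rights named on the man page; "cpw" is an alias for "change-password".
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get", "all"}
ALIASES = {"cpw": "change-password"}

# Constructed sample file: the man page's two EXAMPLES entries plus one
# helpdesk entry using the alias. '#' comments are an assumption.
SAMPLE_ACL = """\
# administrators (constructed example)
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
helpdesk/admin@EXAMPLE.COM cpw,list
"""


def parse_acl(text):
    """Return a list of (principal, rights_set, pattern_or_None) entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        principal, rights_str = fields[0], fields[1]
        pattern = fields[2] if len(fields) == 3 else None
        rights = set()
        for r in rights_str.split(","):
            r = ALIASES.get(r, r)
            if r not in RIGHTS:
                raise ValueError(f"line {lineno}: unknown right {r!r}")
            rights.add(r)
        entries.append((principal, rights, pattern))
    return entries


def is_allowed(entries, who, right, target):
    """Decide whether `who` may perform `right` on principal `target`."""
    right = ALIASES.get(right, right)
    # Implicit rights the page grants every principal on itself.
    if who == target and right in ("change-password", "list"):
        return True
    for principal, rights, pattern in entries:
        if principal != who:
            continue
        if pattern is not None and not fnmatch.fnmatchcase(target, pattern):
            continue  # entry limited to a glob that does not match target
        if "all" in rights or right in rights:
            return True
    return False  # nothing matched: default deny
```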