.Dd June 7, 2000
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd server for administrative access to Kerberos database
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file Oc
.Xc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file Oc
.Xc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm Oc
.Xc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port Oc
.Xc
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions. When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principals. Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any combination of:
.Bl -bullet
.It
change-password | cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to principals that match the glob-style pattern.
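.Pp
The following is an added example, not part of the original manual page or of Heimdal: a small Python auditor for an ACL file in the format described above, which validates the rights, lists unrestricted write grants and checks what a pattern actually covers. It assumes that rights are separated by commas, that lines starting with # are comments, and that the glob is matched the way Python's fnmatch does (where * also matches /); the principals and realm are constructed placeholders.

```python
import fnmatch

# Rights listed on this page; "cpw" is the short form of "change-password".
KNOWN = {"change-password", "cpw", "list", "delete", "modify", "add", "get", "all"}
# Rights that alter the database (a grouping chosen for this audit).
WRITE = {"all", "add", "delete", "modify", "change-password"}

def parse_acl(text):
    """Return (entries, problems); an entry is (principal, rights, pattern or None)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' starts a comment
            continue
        if len(fields) not in (2, 3):
            problems.append((lineno, "expected: principal rights [principal-pattern]"))
            continue
        rights = set(fields[1].split(","))  # assumption: rights are comma-separated
        if rights - KNOWN:
            problems.append((lineno, "unknown rights: " + ",".join(sorted(rights - KNOWN))))
            continue
        rights = {"change-password" if r == "cpw" else r for r in rights}
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries, problems

def broad_grants(entries):
    """Principals holding write-type rights with no restricting pattern."""
    return [p for p, rights, pat in entries if rights & WRITE and pat in (None, "*")]

def may(entries, actor, right, target):
    """True if some entry gives `actor` the `right` over principal `target`."""
    return any(p == actor and rights & {right, "all"}
               and (pat is None or fnmatch.fnmatchcase(target, pat))
               for p, rights, pat in entries)

# Constructed sample ACL; every principal and the realm are placeholders.
SAMPLE_ACL = """\
# constructed example
alice/admin@EXAMPLE.ORG     all
helpdesk/admin@EXAMPLE.ORG  cpw,get         *@EXAMPLE.ORG
hostadm/admin@EXAMPLE.ORG   add,delete,get  host/*@EXAMPLE.ORG
bob/admin@EXAMPLE.ORG       everything
"""

if __name__ == "__main__":
    entries, problems = parse_acl(SAMPLE_ACL)
    print("unrestricted write access:", broad_grants(entries))
    print("problems:", problems)
    # "*" in this matcher also matches "/", so the helpdesk pattern covers admins.
    print(may(entries, "helpdesk/admin@EXAMPLE.ORG", "change-password",
              "alice/admin@EXAMPLE.ORG"))
```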
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file Ns ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file Ns ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm Ns ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d Ns ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port Ns ,
.Fl -ports= Ns Ar port
.Xc
ports to listen on. By default, if run as a daemon, it listens on ports
749 and 751 (if built with Kerberos 4 support), but you can add any
number of ports with this option. The port string is a
whitespace-separated list of port specifications, with the special string
.Dq +
representing the default set of ports.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause kadmind to listen to port 4711 in addition to any
compiled in defaults:
.Bd -literal -offset indent
# kadmind --ports="+ 4711" &
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdc 8 ,
.Xr kadmin 1 ,
.Xr kpasswdd 8 ,
.Xr kpasswd 1