.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kadmind.8 14370 2004-12-08 17:20:21Z lha $
.\"
.Dd December 8, 2004
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Ek
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
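The ACL format described above, as an added example for auditing a kadmind.acl file; it is not Heimdal code. Assumptions: Python's fnmatchcase stands in for the glob-style match, a single matching line is treated as sufficient to grant a right, '#' comment lines are skipped, and the function names and the eve/admin sample line are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Rights listed on the man page; "cpw" is the documented short form.
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get", "all"}
ALIASES = {"cpw": "change-password"}
WRITE_RIGHTS = {"all", "add", "delete", "modify", "change-password"}


def parse_acl(text):
    """Return (entries, errors); an entry is (principal, rights, pattern)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        # Assumption: blank lines and '#' comment lines are ignored.
        if not fields or fields[0].startswith("#"):
            continue
        if not 2 <= len(fields) <= 3:
            errors.append(f"line {lineno}: expected 2 or 3 fields")
            continue
        rights = {ALIASES.get(r, r) for r in fields[1].split(",")}
        unknown = rights - RIGHTS
        if unknown:
            errors.append(f"line {lineno}: unknown rights {sorted(unknown)}")
            continue
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries, errors


def permits(entries, caller, right, target):
    """Assumption: one matching line granting the right (or 'all') suffices."""
    if caller == target and right in {"change-password", "list"}:
        return True  # self-service operations the page says are always allowed
    for principal, rights, pattern in entries:
        if principal != caller or not ({right, "all"} & rights):
            continue
        if pattern is None or fnmatchcase(target, pattern):
            return True
    return False


def unrestricted_writers(entries):
    """Principals holding a write-type right with no principal-pattern."""
    return sorted({p for p, r, pat in entries if pat is None and r & WRITE_RIGHTS})

# Constructed sample: the two entries from EXAMPLES plus one malformed line.
SAMPLE = """\
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
eve/admin@EXAMPLE.COM add,remove
"""
```

Running unrestricted_writers over a parsed ACL lists the principals whose write-type rights are not scoped by a pattern, which are the entries to review first.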
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications, with the
special string
.Dq +
representing the default port.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8