xref: /freebsd/crypto/heimdal/kadmin/kadmind.8 (revision a0409676120c1e558d0ade943019934e0f15118d)
1.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $Id$
33.\"
34.Dd December  8, 2004
35.Dt KADMIND 8
36.Os HEIMDAL
37.Sh NAME
38.Nm kadmind
39.Nd "server for administrative access to Kerberos database"
40.Sh SYNOPSIS
41.Nm
42.Bk -words
43.Oo Fl c Ar file \*(Ba Xo
44.Fl Fl config-file= Ns Ar file
45.Xc
46.Oc
47.Oo Fl k Ar file \*(Ba Xo
48.Fl Fl key-file= Ns Ar file
49.Xc
50.Oc
51.Op Fl Fl keytab= Ns Ar keytab
52.Oo Fl r Ar realm \*(Ba Xo
53.Fl Fl realm= Ns Ar realm
54.Xc
55.Oc
56.Op Fl d | Fl Fl debug
57.Oo Fl p Ar port \*(Ba Xo
58.Fl Fl ports= Ns Ar port
59.Xc
60.Oc
61.Ek
62.Sh DESCRIPTION
63.Nm
64listens for requests for changes to the Kerberos database and performs
65these, subject to permissions.  When starting, if stdin is a socket it
66assumes that it has been started by
67.Xr inetd 8 ,
68otherwise it behaves as a daemon, forking processes for each new
69connection. The
70.Fl Fl debug
71option causes
72.Nm
73to accept exactly one connection, which is useful for debugging.
74.Pp
75The
76.Xr kpasswdd 8
77daemon is responsible for the Kerberos 5 password changing protocol
78(used by
79.Xr kpasswd 1 ) .
80.Pp
81This daemon should only be run on the master server, and not on any
82slaves.
83.Pp
84Principals are always allowed to change their own password and list
85their own principal.  Apart from that, doing any operation requires
86permission explicitly added in the ACL file
87.Pa /var/heimdal/kadmind.acl .
88The format of this file is:
89.Bd -ragged
90.Va principal
91.Va rights
92.Op Va principal-pattern
93.Ed
94.Pp
95Where rights is any (comma separated) combination of:
96.Bl -bullet -compact
97.It
98change-password or cpw
99.It
100list
101.It
102delete
103.It
104modify
105.It
106add
107.It
108get
109.It
110all
111.El
112.Pp
113And the optional
114.Ar principal-pattern
115restricts the rights to operations on principals that match the
116glob-style pattern.
117.Pp
118Supported options:
119.Bl -tag -width Ds
120.It Fl c Ar file , Fl Fl config-file= Ns Ar file
121location of config file
122.It Fl k Ar file , Fl Fl key-file= Ns Ar file
123location of master key file
124.It Fl Fl keytab= Ns Ar keytab
125what keytab to use
126.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
127realm to use
128.It Fl d , Fl Fl debug
129enable debugging
130.It Fl p Ar port , Fl Fl ports= Ns Ar port
131ports to listen to. By default, if run as a daemon, it listens to port
132749, but you can add any number of ports with this option. The port
133string is a whitespace separated list of port specifications, with the
134special string
135.Dq +
136representing the default port.
137.El
138.\".Sh ENVIRONMENT
139.Sh FILES
140.Pa /var/heimdal/kadmind.acl
141.Sh EXAMPLES
142This will cause
143.Nm
144to listen to port 4711 in addition to any
145compiled in defaults:
146.Pp
147.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
148.Pp
149This acl file will grant Joe all rights, and allow Mallory to view and
150add host principals.
151.Bd -literal -offset indent
152joe/admin@EXAMPLE.COM      all
153mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
154.Ed
155.\".Sh DIAGNOSTICS
156.Sh SEE ALSO
157.Xr kpasswd 1 ,
158.Xr kadmin 8 ,
159.Xr kdc 8 ,
160.Xr kpasswdd 8
161