xref: /freebsd/crypto/heimdal/kadmin/kadmind.8 (revision a3e8fd0b7f663db7eafff527d5c3ca3bcfa8a537)
.\" $Id: kadmind.8,v 1.10 2002/08/20 17:07:11 joda Exp $
.\"
.Dd March 5, 2002
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma-separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens on port
749, and on 751 (if built with Kerberos 4 support), but you can add any
number of ports with this option. The port string is a whitespace
separated list of port specifications, with the special string
.Dq +
representing the default set of ports.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8
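.Pp
The ACL format described in DESCRIPTION and the file above, worked through as an added Python example that is not part of Heimdal or of this manual page: it parses kadmind.acl lines and decides a request against the implicit self rights, the granted rights and the glob pattern. The rule that the first entry naming the client decides, and the use of Python's fnmatch for the glob match, are assumptions of this example.

```python
import fnmatch

# Rights named on this page; "cpw" is the alias of change-password.
KNOWN_RIGHTS = {"change-password", "list", "delete", "modify", "add", "get", "all"}
ALIASES = {"cpw": "change-password"}
# Operations every principal may perform on its own entry (DESCRIPTION).
SELF_RIGHTS = {"change-password", "list"}

def parse_acl(text):
    """Parse kadmind.acl text into (principal, rights, pattern) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'principal rights [pattern]'")
        principal, pattern = fields[0], (fields[2] if len(fields) == 3 else None)
        rights = set()
        for r in fields[1].split(","):
            r = ALIASES.get(r, r)
            if r not in KNOWN_RIGHTS:
                raise ValueError(f"line {lineno}: unknown right {r!r}")
            rights.add(r)
        entries.append((principal, rights, pattern))
    return entries

def is_allowed(entries, client, right, target):
    """Decide whether CLIENT may perform RIGHT on TARGET under the parsed ACL."""
    right = ALIASES.get(right, right)
    if client == target and right in SELF_RIGHTS:
        return True  # implicit self rights need no ACL entry
    # Assumption (not stated on the page): the first entry naming the client decides.
    for principal, rights, pattern in entries:
        if principal != client:
            continue
        if right not in rights and "all" not in rights:
            return False
        if pattern is None:
            return True
        # Glob-style restriction; Python's fnmatch stands in for the C library's.
        return fnmatch.fnmatchcase(target, pattern)
    return False  # no entry for this client: deny

# Constructed sample, copied from the EXAMPLES section of this page.
SAMPLE_ACL = """\
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
"""
ACL = parse_acl(SAMPLE_ACL)
```

A malformed line or an unknown right raises ValueError, so a bad entry fails loudly instead of silently granting or withholding access.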