.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd May 29, 2005
.Dt KCM 8
.Os Heimdal
.Sh NAME
.Nm kcm
.Nd process-based credential cache for Kerberos tickets
.Sh SYNOPSIS
.Nm
.Op Fl Fl cache-name= Ns Ar cachename
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl g Ar group \*(Ba Xo
.Fl Fl group= Ns Ar group
.Xc
.Oc
.Op Fl Fl max-request= Ns Ar size
.Op Fl Fl disallow-getting-krbtgt
.Op Fl Fl detach
.Op Fl h | Fl Fl help
.Oo Fl k Ar principal \*(Ba Xo
.Fl Fl system-principal= Ns Ar principal
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl Fl lifetime= Ns Ar time
.Xc
.Oc
.Oo Fl m Ar mode \*(Ba Xo
.Fl Fl mode= Ns Ar mode
.Xc
.Oc
.Op Fl n | Fl Fl no-name-constraints
.Oo Fl r Ar time \*(Ba Xo
.Fl Fl renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl s Ar path \*(Ba Xo
.Fl Fl socket-path= Ns Ar path
.Xc
.Oc
.Oo Xo
.Fl Fl door-path= Ns Ar path
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl Fl server= Ns Ar principal
.Xc
.Oc
.Oo Fl t Ar keytab \*(Ba Xo
.Fl Fl keytab= Ns Ar keytab
.Xc
.Oc
.Oo Fl u Ar user \*(Ba Xo
.Fl Fl user= Ns Ar user
.Xc
.Oc
.Op Fl v | Fl Fl version
.Sh DESCRIPTION
.Nm
is a process-based credential cache.
To use it, set the
.Ev KRB5CCNAME
environment variable to
.Ql KCM: Ns Ar uid
or add the stanza
.Bd -literal

[libdefaults]
	default_cc_name = KCM:%{uid}

.Ed
to the
.Pa /etc/krb5.conf
configuration file and make sure
.Nm kcm
is started in the system startup files.
.Pp
The
.Nm
daemon can hold the credentials for all users in the system.  Access
control is done with Unix-like permissions.  The daemon checks the
access on all operations based on the uid and gid of the user.  The
tickets are renewed as long as is permitted by the KDC's policy.
.Pp
The
.Nm
daemon can also keep a SYSTEM credential that server processes can
use to access services.  One example of usage might be an nss_ldap
module that quickly needs to get credentials and doesn't want to renew
the ticket itself.
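.Pp
The cache selection described above, as an added check that is not part of the Heimdal distribution: it reads default_cc_name from the [libdefaults] section, lets a non-empty KRB5CCNAME value take precedence, and reports whether a given uid ends up on kcm. The function names and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example (not Heimdal code): check that a uid's cache resolves to kcm.

# Print default_cc_name from the [libdefaults] section of the krb5.conf in $1.
libdefaults_cc_name() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_sec && /^[ \t]*default_cc_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Resolve the cache name for uid $2. A non-empty KRB5CCNAME value ($3) takes
# precedence; otherwise use default_cc_name from $1 with %{uid} expanded.
effective_cc_name() {
    if [ -n "$3" ]; then
        printf '%s\n' "$3"
    else
        libdefaults_cc_name "$1" | sed "s/%{uid}/$2/g"
    fi
}

# Succeed only when the resolved cache is of type KCM.
uses_kcm() {
    case "$(effective_cc_name "$1" "$2" "$3")" in
        KCM:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configuration, written to a temporary file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_cc_name = KCM:%{uid}
[domain_realm]
    .example.org = EXAMPLE.ORG
EOF

echo "uid 1000, KRB5CCNAME unset: $(effective_cc_name "$sample" 1000 "")"
uses_kcm "$sample" 1000 "FILE:/tmp/krb5cc_1000" ||
    echo "uid 1000, KRB5CCNAME=FILE:/tmp/krb5cc_1000: kcm is bypassed"
```

On a real host, pass /etc/krb5.conf, the uid of interest and that user's KRB5CCNAME value as the three arguments.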
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl Fl cache-name= Ns Ar cachename
system cache name
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl g Ar group , Fl Fl group= Ns Ar group
system cache group
.It Fl Fl max-request= Ns Ar size
max size for a kcm-request
.It Fl Fl disallow-getting-krbtgt
disallow extracting any krbtgt from the
.Nm kcm
daemon.
.It Fl Fl detach
detach from console
.It Fl h , Fl Fl help
.It Fl k Ar principal , Fl Fl system-principal= Ns Ar principal
system principal name
.It Fl l Ar time , Fl Fl lifetime= Ns Ar time
lifetime of system tickets
.It Fl m Ar mode , Fl Fl mode= Ns Ar mode
octal mode of system cache
.It Fl n , Fl Fl no-name-constraints
disable credentials cache name constraints
.It Fl r Ar time , Fl Fl renewable-life= Ns Ar time
renewable lifetime of system tickets
.It Fl s Ar path , Fl Fl socket-path= Ns Ar path
path to kcm domain socket
.It Fl Fl door-path= Ns Ar path
path to kcm door socket
.It Fl S Ar principal , Fl Fl server= Ns Ar principal
server to get system ticket for
.It Fl t Ar keytab , Fl Fl keytab= Ns Ar keytab
system keytab name
.It Fl u Ar user , Fl Fl user= Ns Ar user
system cache owner
.It Fl v , Fl Fl version
.El
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.\".Sh SEE ALSO
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS