kadmind.8
.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd December  8, 2004
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl Fl key-file= Ns Ar file
.Xc
.Oc
.Op Fl Fl keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl Fl debug
.Oo Fl p Ar port \*(Ba Xo
.Fl Fl ports= Ns Ar port
.Xc
.Oc
.Ek
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
them, subject to the permissions granted in the ACL file described
below.  When starting, if stdin is a socket it assumes that it has been
started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking a new process for each
connection. The
.Fl Fl debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly granted in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
get-keys
.It
all
.El
.Pp
Note that
.Li all
includes
.Li get-keys ,
so a principal granted
.Li all
can extract any key in the database.
.Pp
The optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.  Without it, the rights apply to every principal
in the database.
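.Pp
The following Python script is an added example; it is not part of
Heimdal or of this manual page.  It models how an ACL file of the
format above can be evaluated and audited: blank lines and lines
starting with # are skipped, rights are expanded (cpw as an alias for
change-password, all standing for every right), the optional pattern is
matched glob-style against each component and the realm of the target
principal, every principal keeps the self rights stated above, and the
first entry that applies to the caller decides.  The first-match rule,
the component-wise matching, and the treatment of entries that carry a
pattern when an operation names no target principal are assumptions
about the evaluation, not statements from this page.  The sample ACL is
constructed for the example and extends the one in EXAMPLES with a
help-desk role.

```python
"""Evaluate and audit a kadmind.acl file.

Added example, not Heimdal code.  Assumptions (not stated by kadmind(8)):
the first entry for the caller that applies decides, patterns are matched
glob-style per principal component and realm, and an entry with a pattern
only applies when the operation names a target principal.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

RIGHTS = frozenset({"change-password", "list", "delete", "modify", "add", "get", "get-keys"})
ALIASES = {"cpw": "change-password"}
# Every principal may do these to itself without an ACL entry (kadmind(8)).
SELF_RIGHTS = frozenset({"change-password", "list"})

# Constructed sample: the manual page's two entries plus a comment and a help-desk role.
SAMPLE_ACL = """
# kadmind.acl (constructed sample)
joe/admin@EXAMPLE.COM       all
mallory/admin@EXAMPLE.COM   add,get-keys  host/*@EXAMPLE.COM
helpdesk/admin@EXAMPLE.COM  cpw,get       *@EXAMPLE.COM
"""


@dataclass(frozen=True)
class AclEntry:
    principal: str           # caller this entry is about (exact match)
    rights: frozenset        # expanded, canonical right names
    pattern: Optional[str]   # glob over target principals; None = any target


def parse_principal(name: str) -> Tuple[Tuple[str, ...], str]:
    """'a/b@R' -> (('a', 'b'), 'R').  Assumes no quoted '/' or '@' in names."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    return tuple(local.split("/")), realm


def parse_rights(spec: str) -> frozenset:
    """Expand 'add,cpw,get-keys'; 'all' means every right; unknown names are rejected."""
    out = set()
    for tok in spec.split(","):
        tok = ALIASES.get(tok, tok)
        if tok == "all":
            out |= RIGHTS
        elif tok in RIGHTS:
            out.add(tok)
        else:
            raise ValueError(f"unknown right {tok!r} in {spec!r}")
    return frozenset(out)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'principal rights [principal-pattern]' lines; '#' lines and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'principal rights [principal-pattern]'")
        pattern = fields[2] if len(fields) == 3 else None
        parse_principal(fields[0])            # reject malformed names early
        if pattern is not None:
            parse_principal(pattern)
        entries.append(AclEntry(fields[0], parse_rights(fields[1]), pattern))
    return entries


def principal_matches(target: str, pattern: str) -> bool:
    """Glob each component and the realm; component counts must agree."""
    t_comps, t_realm = parse_principal(target)
    p_comps, p_realm = parse_principal(pattern)
    if len(t_comps) != len(p_comps) or not fnmatchcase(t_realm, p_realm):
        return False
    return all(fnmatchcase(t, p) for t, p in zip(t_comps, p_comps))


def check_permission(entries: List[AclEntry], caller: str, right: str,
                     target: Optional[str] = None) -> bool:
    """True if caller may perform right on target (None for target-less operations such as list)."""
    right = ALIASES.get(right, right)
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}")
    if target is not None and right in SELF_RIGHTS and parse_principal(caller) == parse_principal(target):
        return True
    for e in entries:
        if parse_principal(e.principal) != parse_principal(caller):
            continue
        if e.pattern is not None and (target is None or not principal_matches(target, e.pattern)):
            continue
        return right in e.rights   # first applicable entry decides (assumption)
    return False


def key_extractors(entries: List[AclEntry]) -> List[Tuple[str, str]]:
    """Audit: who can pull keys out of the database, and from which principals."""
    return [(e.principal, e.pattern or "<any principal>")
            for e in entries if "get-keys" in e.rights]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who, scope in key_extractors(acl):
        print(f"{who} can extract keys of {scope}")
```

Run against a real kadmind.acl, key_extractors lists every entry whose
rights include get-keys, directly or through all, which is the set of
principals whose compromise exposes keys; check_permission answers the
question "may this caller do this to that principal" the way the
evaluation model above would.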
119  .Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of the configuration file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of the master key file
.It Fl Fl keytab= Ns Ar keytab
keytab to use
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl d , Fl Fl debug
enable debugging; as described above,
.Nm
then accepts exactly one connection
.It Fl p Ar port , Fl Fl ports= Ns Ar port
ports to listen on. By default, when run as a daemon, it listens on port
749; any number of additional ports can be added with this option. The
port string is a whitespace-separated list of port specifications, with
the special string
.Dq +
standing for the default port.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen on port 4711 in addition to any
compiled-in defaults:
.Pp
.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This ACL file grants Joe all rights, and allows Mallory to add host
principals and to extract host principal keys (e.g., into keytabs).
The pattern in Mallory's entry limits those rights to principals
matching
.Li host/*@EXAMPLE.COM ;
Mallory has no rights over any other principal beyond those every
principal has over itself.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get-keys  host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8