.\" $Id: kadmind.8,v 1.10.2.1 2002/10/21 14:53:39 joda Exp $
.Nd "server for administrative access to kerberos database"
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
listens for requests for changes to the Kerberos database and performs
these, subject to permissions. When starting, if stdin is a socket it
assumes that it has been started by
otherwise it behaves as a daemon, forking processes for each new
to accept exactly one connection, which is useful for debugging.
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
daemon is responsible for the Kerberos 5 password changing protocol
This daemon should only be run on the master server, and not on any
Principals are always allowed to change their own password and list
their own principal. Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Op Va principal-pattern
Where rights is any (comma separated) combination of:
change-password or cpw
restricts the rights to operations on principals that match the
.Fl -config-file= Ns Ar file
location of config file
.Fl -key-file= Ns Ar file
location of master key file
.Fl -keytab= Ns Ar keytab
.Fl -realm= Ns Ar realm
.Fl -ports= Ns Ar port
ports to listen to. By default, if run as a daemon, it listens to ports
749, and 751 (if Kerberos 4 support is built and enabled), but you can
add any number of ports with this option. The port string is a
whitespace separated list of port specifications, with the special
representing the default set of ports.
ignore Kerberos 4 kadmin requests.
.Pa /var/heimdal/kadmind.acl
to listen to port 4711 in addition to any
compiled in defaults:
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
This ACL file will grant Joe all rights, and allow Mallory to view and
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
.Ed
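
An added example, not part of the Heimdal sources: a small Python audit of a kadmind.acl file that parses the entries described above, answers "may this principal perform this operation on that target", and lists grants that deserve manual review. It assumes the rights names from Heimdal's documentation (add, change-password/cpw, delete, get, list, modify, all), exact matching on the first field, shell-style globbing for the principal-pattern, and '#' comment lines; it does not model the built-in self-service rule.

```python
from fnmatch import fnmatchcase

# Rights names as documented for Heimdal's kadmind.acl; "cpw" is the short form.
RIGHTS = {"add", "change-password", "delete", "get", "list", "modify", "all"}
ALIASES = {"cpw": "change-password"}

# The two entries from the man page's example ACL.
SAMPLE_ACL = """\
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
"""


def parse_acl(text):
    """Return a list of (principal, rights, pattern-or-None) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' comment lines
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected principal rights [pattern]")
        rights = {ALIASES.get(r, r) for r in fields[1].split(",")}
        if rights - RIGHTS:
            raise ValueError(f"line {lineno}: unknown rights {sorted(rights - RIGHTS)}")
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries


def is_allowed(entries, client, op, target):
    """True if some ACL entry grants `client` the right `op` on `target`."""
    op = ALIASES.get(op, op)
    for principal, rights, pattern in entries:
        if principal != client or not ({op, "all"} & rights):
            continue
        # Assumption: principal-pattern is a shell-style glob, as host/* suggests.
        if pattern is None or fnmatchcase(target, pattern):
            return True
    return False


def broad_grants(entries):
    """Principals holding 'all' or an unrestricted (pattern-less) grant."""
    return [p for p, rights, pattern in entries if "all" in rights or pattern is None]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("review:", broad_grants(acl))
```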