.\" $Id: kadmind.8,v 1.10 2002/08/20 17:07:11 joda Exp $
.\"
.Dd March 5, 2002
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to kerberos database"
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
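An added example, not part of Heimdal or of this manual page: a Python sketch that parses the ACL format described above and answers who may do what to which principal, using the sample ACL from the EXAMPLES section. It assumes Python's fnmatch approximates the glob matching, that lines starting with '#' are comments, and that rights from all matching lines are combined (a conservative over-approximation for auditing); the page does not specify how kadmind handles these points.

```python
import fnmatch

# Right names as listed in this man page; "cpw" is the short form.
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get"}
ALIASES = {"cpw": "change-password"}
# Per the page: always allowed on one's own principal, no ACL entry needed.
SELF_SERVICE = {"change-password", "list"}

def parse_acl(text):
    """Return a list of (principal, rights, pattern_or_None) entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # assumption: blank lines and '#' comments are skipped
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        rights = set()
        for name in fields[1].split(","):
            name = ALIASES.get(name, name)
            if name == "all":
                rights |= RIGHTS
            elif name in RIGHTS:
                rights.add(name)
            else:
                raise ValueError(f"line {lineno}: unknown right {name!r}")
        entries.append((fields[0], rights, fields[2] if len(fields) == 3 else None))
    return entries

def allowed(entries, caller, right, target):
    """True if caller may perform right on target (union of matching lines)."""
    right = ALIASES.get(right, right)
    if caller == target and right in SELF_SERVICE:
        return True
    return any(
        who == caller and right in rights
        and (pattern is None or fnmatch.fnmatchcase(target, pattern))
        for who, rights, pattern in entries
    )

def unrestricted_admins(entries):
    """Principals holding every right with no principal-pattern limit."""
    return sorted({who for who, rights, pattern in entries
                   if rights == RIGHTS and pattern is None})

# The ACL from the EXAMPLES section of this page.
SAMPLE_ACL = """\
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
"""
```

Running unrestricted_admins() over a production ACL gives a quick review list of the principals whose compromise exposes the whole database.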
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to ports
749, and 751 (if built with Kerberos 4 support), but you can add any
number of ports with this option. The port string is a whitespace
separated list of port specifications, with the special string
.Dq +
representing the default set of ports.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8