xref: /freebsd/crypto/heimdal/kadmin/kadmind.8 (revision bbd80c28)
.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $
.\"
.Dd March 5, 2002
.Dt KADMIND 8
.Os HEIMDAL
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Op Fl -keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl -debug
.Oo Fl p Ar port \*(Ba Xo
.Fl -ports= Ns Ar port
.Xc
.Oc
.Op Fl -no-kerberos4
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection. The
.Fl -debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
If built with krb4 support, it implements both the Heimdal Kerberos 5
administrative protocol and the Kerberos 4 protocol. Password changes
via the Kerberos 4 protocol are also performed by
.Nm kadmind ,
but the
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where
.Va rights
is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
all
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
ports to listen to. By default, if run as a daemon, it listens to ports
749 and 751 (if Kerberos 4 support is built and enabled), but you can
add any number of ports with this option. The port string is a
whitespace separated list of port specifications, with the special
string
.Dq +
representing the default set of ports.
.It Fl -no-kerberos4
make
.Nm
ignore Kerberos 4 kadmin requests.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled-in defaults:
.Pp
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This ACL file will grant Joe all rights, and allow Mallory to view and
add host principals.
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
.Ed
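.Pp
The following is an added example, not Heimdal's code: a small Python checker that parses ACL entries in the format given in the DESCRIPTION section and decides whether a caller may perform an operation on a target principal, run against the ACL file above. It assumes that '#' comments and blank lines are ignored, that entries are evaluated in file order, and that the principal-pattern is matched with fnmatch-style globbing; this page states none of those details.

```python
# Added example (not Heimdal's code): evaluate kadmind.acl entries in the
# "principal rights [principal-pattern]" format described in kadmind(8).
# Assumptions: '#' comments and blank lines are skipped, entries are checked
# in file order, and the pattern is matched with fnmatch-style globbing.
import fnmatch

RIGHTS = {"change-password", "list", "delete", "modify", "add", "get"}
ALIASES = {"cpw": "change-password"}  # alias named in the man page
# Constructed ACL text mirroring the EXAMPLES section of the man page.
ACL_TEXT = """\
joe/admin@EXAMPLE.COM      all
mallory/admin@EXAMPLE.COM  add,get  host/*@EXAMPLE.COM
"""


def parse_acl(text):
    """Return a list of (principal, frozenset_of_rights, pattern_or_None)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields")
        principal, spec = fields[0], fields[1]
        pattern = fields[2] if len(fields) == 3 else None
        rights = set()
        for r in spec.split(","):
            r = ALIASES.get(r, r)
            if r == "all":
                rights |= RIGHTS  # "all" expands to every right
            elif r in RIGHTS:
                rights.add(r)
            else:
                raise ValueError(f"line {lineno}: unknown right {r!r}")
        entries.append((principal, frozenset(rights), pattern))
    return entries


def is_allowed(entries, caller, right, target):
    """Decide whether `caller` may perform `right` on principal `target`."""
    right = ALIASES.get(right, right)
    # Rule from the man page: own password change and own listing always allowed.
    if caller == target and right in ("change-password", "list"):
        return True
    for principal, rights, pattern in entries:
        if principal == caller and right in rights and (
                pattern is None or fnmatch.fnmatchcase(target, pattern)):
            return True
    return False
```

A malformed entry (wrong field count or an unknown right) raises ValueError rather than being silently skipped, so a typo in the ACL file fails closed instead of granting nothing by accident.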
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 8 ,
.Xr kdc 8 ,
.Xr kpasswdd 8