kadmind(1M)
NAME
kadmind - Kerberos administration daemon
SYNOPSIS
/usr/lib/kadmind [-d] [-m] [-p port-number] [-r realm]
DESCRIPTION
kadmind runs on the master key distribution center (KDC),
which stores the principal and policy databases. kadmind
accepts remote requests to administer the information in
these databases. Remote requests are sent, for example, by
kpasswd(1), gkadmin(1M), and kadmin(1M) commands, all of
which are clients of kadmind. When you install a KDC,
kadmind is set up in the init scripts to start automatically
when the KDC is rebooted.
kadmind requires a number of configuration files to be set
up for it to work:
/etc/krb5/kdc.conf
The KDC configuration file contains configuration
information for the KDC and the Kerberos
administration system. kadmind understands a number of
configuration variables (called relations) in
this file, some of which are mandatory and some
of which are optional. In particular, kadmind
uses the acl_file, dict_file, admin_keytab, and
kadmind_port relations in the [realms] section.
Refer to the kdc.conf(4) man page for information
regarding the format of the KDC configuration
file.
/etc/krb5/kadm5.keytab
kadmind requires a keytab (key table) containing
correct entries for the kadmin/admin and
kadmin/changepw principals for every realm for which
kadmind answers requests. The keytab can be
created with the kadmin.local(1M) or kdb5_util(1M)
command. The location of the keytab is determined
by the admin_keytab relation in the kdc.conf(4)
file.
/etc/krb5/kadm5.acl
kadmind uses an ACL (access control list) to
determine which principals are allowed to perform
Kerberos administration actions. The path of the
ACL file is determined by the acl_file relation
in the kdc.conf file. See kdc.conf(4). For
information regarding the format of the ACL file,
refer to kadm5.acl(4).
Note that the kadmind daemon will need to be
restarted in order to reread the kadm5.acl file
after it has been modified. You can do this, as
root, with the following commands:
# /etc/init.d/kdc.master stop
# /etc/init.d/kdc.master start
After kadmind begins running, it puts itself in the
background and disassociates itself from its controlling
terminal.
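The three configuration files above are the usual reason a freshly installed kadmind refuses to start or rejects every administrative request. The following pre-flight script is an added example, not part of the kadmind man page or of the Solaris distribution: it reads the acl_file, dict_file and admin_keytab relations out of a kdc.conf, checks that each file they name exists and is readable, and applies the backwards rule for principal.kadm5.lock from the FILES section (kadmin fails when that file is absent). The `[realms]` block layout, the lock-file path and port 749 are assumptions about the standard kdc.conf format; the directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the kadmind man page): verify that the files
# kadmind needs are present before starting the daemon.

# kdc_relation FILE RELATION
#   Print the value of the first "RELATION = value" line in FILE,
#   tolerating leading whitespace and spaces around '='.
kdc_relation() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# kadmind_preflight KDC_CONF LOCK_FILE
#   Return 0 when every file kadmind needs is present, 1 otherwise,
#   naming each missing piece on stderr.
kadmind_preflight() {
    conf=$1 lock=$2 rc=0
    [ -r "$conf" ] || { echo "missing kdc.conf: $conf" >&2; return 1; }
    for rel in acl_file dict_file admin_keytab; do
        path=$(kdc_relation "$conf" "$rel")
        if [ -z "$path" ]; then
            echo "$rel: relation not set in $conf" >&2; rc=1
        elif [ ! -r "$path" ]; then
            echo "$rel: $path does not exist or is unreadable" >&2; rc=1
        fi
    done
    # principal.kadm5.lock works backwards: kadmin errors out if it is absent.
    [ -e "$lock" ] || { echo "lock file $lock is absent" >&2; rc=1; }
    return $rc
}

# build_demo_tree DIR
#   Write a constructed kdc.conf (assumed standard [realms] layout) and
#   empty placeholders for the files it names, for offline demonstration.
build_demo_tree() {
    mkdir -p "$1/etc" "$1/var"
    cat > "$1/etc/kdc.conf" <<EOF
[realms]
    EXAMPLE.COM = {
        acl_file = $1/etc/kadm5.acl
        dict_file = $1/var/kadm5.dict
        admin_keytab = $1/etc/kadm5.keytab
        kadmind_port = 749
    }
EOF
    : > "$1/etc/kadm5.acl"
    : > "$1/var/kadm5.dict"
    : > "$1/etc/kadm5.keytab"
    : > "$1/var/principal.kadm5.lock"
}

# Stand-alone demonstration: a complete tree passes, then the lock file
# is removed and the check reports the failure.
demo() {
    d=$(mktemp -d)
    build_demo_tree "$d"
    kadmind_preflight "$d/etc/kdc.conf" "$d/var/principal.kadm5.lock" && echo "preflight ok"
    rm -f "$d/var/principal.kadm5.lock"
    kadmind_preflight "$d/etc/kdc.conf" "$d/var/principal.kadm5.lock" || echo "preflight failed as expected"
    rm -rf "$d"
}

demo
```

On a real KDC, call `kadmind_preflight /etc/krb5/kdc.conf /var/krb5/principal.kadm5.lock` as root before the init script starts the daemon; the keytab contents (the kadmin/admin and kadmin/changepw entries per realm) still have to be confirmed separately with the Kerberos tools, since the script only checks that the file exists.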
OPTIONS
The following options are supported:
-d Specifies that kadmind does not put itself in the
background and does not disassociate itself from the
terminal. In normal operation, you should use the
default behavior, which is to allow the daemon to put
itself in the background.
-m Specifies that the master database password should be
retrieved from the keyboard rather than from the stash
file. When using -m, the kadmind daemon receives the
password prior to putting itself in the background.
If used in combination with the -d option, you must
explicitly place the daemon in the background.
-p port-number
Specifies the port on which the kadmind daemon listens
for connections. The default is controlled by the
kadmind_port relation in the kdc.conf(4) file.
-r realm
Specifies the default realm that kadmind serves. If
realm is not specified, the default realm of the host
is used. kadmind answers requests for any realm that
exists in the local KDC database and for which the
appropriate principals are in its keytab.
FILES
/var/krb5/principal.db
Kerberos principal database.
/var/krb5/principal.kadm5
Kerberos administrative database containing policy
information.
/var/krb5/principal.kadm5.lock
Kerberos administrative database lock file. This file
works backwards from most other lock files (that is,
kadmin exits with an error if this file does not
exist).
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as
passwords.
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative
privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin/admin principal.
/etc/krb5/kdc.conf
KDC configuration information.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE           ATTRIBUTE VALUE
Availability             SUNWkdcu
Interface Stability      Evolving
SEE ALSO
kpasswd(1), gkadmin(1M), kadmin(1M), kadmin.local(1M),
kdb5_util(1M), kadm5.acl(4), kdc.conf(4), attributes(5),
SEAM(5)
NOTES
The Kerberos administration daemon (kadmind) is now
compliant with the change-password standard mentioned in
RFC 3244, which means it can now handle change-password
requests from non-Solaris Kerberos clients.