kadmind(1M)




NAME

     kadmind - Kerberos administration daemon


SYNOPSIS

     /usr/lib/kadmind [-d] [-m] [-p port-number] [-r realm]


DESCRIPTION

     kadmind runs on the master key distribution center (KDC),
     which stores the principal and policy databases. kadmind
     accepts remote requests to administer the information in
     these databases. Remote requests are sent, for example, by
     the kpasswd(1), gkadmin(1M), and kadmin(1M) commands, all of
     which are clients of kadmind. When you install a KDC,
     kadmind is set up in the init scripts to start automatically
     when the KDC is rebooted.

     kadmind requires a number of configuration files to  be  set
     up for it to work:

          /etc/krb5/kdc.conf
                The KDC configuration file contains configuration
                information for the KDC and the Kerberos
                administration system. kadmind understands a number
                of configuration variables (called relations) in
                this file, some of which are mandatory and some
                of which are optional. In particular, kadmind
                uses the acl_file, dict_file, admin_keytab, and
                kadmind_port relations in the [realms] section.
                Refer to the kdc.conf(4) man page for information
                regarding the format of the KDC configuration
                file.

          /etc/krb5/kadm5.keytab
                kadmind requires a keytab (key table) containing
                correct entries for the kadmin/admin and
                kadmin/changepw principals for every realm for
                which kadmind answers requests. The keytab can be
                created with the kadmin.local(1M) or kdb5_util(1M)
                command. The location of the keytab is determined
                by the admin_keytab relation in the kdc.conf(4)
                file.

          /etc/krb5/kadm5.acl
                kadmind uses an ACL (access control list) to
                determine which principals are allowed to perform
                Kerberos administration actions. The path of the
                ACL file is determined by the acl_file relation
                in the kdc.conf file. See kdc.conf(4). For
                information regarding the format of the ACL file,
                refer to kadm5.acl(4).

                Note that the kadmind daemon will need to be
                restarted in order to reread the kadm5.acl file
                after it has been modified. You can do this, as
                root, with the following commands:

                # /etc/init.d/kdc.master stop
                # /etc/init.d/kdc.master start

     After kadmind begins running, it puts itself in the
     background and disassociates itself from its controlling
     terminal.
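
     An added example, not part of the original man page or the
     Kerberos distribution: a shell pre-flight check that reads the
     relations kadmind uses from the [realms] section of kdc.conf and
     audits the keytab and ACL files they name. The "REALM = {" block
     layout, the fallback to the paths listed under FILES, and the
     permission policy are assumptions of this example.

```shell
# Added example, not part of the man page. Paths and realm come from the caller.

# kdc_relation CONF REALM NAME: print relation NAME from REALM's block in the
# [realms] section (empty if unset). Assumes the "REALM = {" layout.
kdc_relation() {
    awk -v realm="$2" -v name="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_realms = ($0 ~ /\[realms\]/); in_block = 0; next }
        in_realms && !in_block && $1 == realm && /=[ \t]*[{]/ { in_block = 1; next }
        in_block && /[}]/ { in_block = 0; next }
        in_block {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == name) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

# perms FILE: the nine rwx characters from ls -l, for example rw-------
perms() { ls -ld "$1" | cut -c2-10; }

# audit_kadmind_files CONF REALM: print one finding per line; return 1 if any.
# The permission rules are the policy of this example, not taken from the page.
audit_kadmind_files() {
    keytab=$(kdc_relation "$1" "$2" admin_keytab)
    acl=$(kdc_relation "$1" "$2" acl_file)
    # Assumption: unset relations fall back to the paths in the FILES section.
    keytab=${keytab:-/etc/krb5/kadm5.keytab}; acl=${acl:-/etc/krb5/kadm5.acl}
    bad=0
    for f in "$keytab" "$acl"; do
        [ -f "$f" ] || { echo "MISSING $f"; bad=1; }
    done
    if [ -f "$keytab" ]; then      # holds long-term keys: owner access only
        case $(perms "$keytab") in
            ???------) ;;
            *) echo "KEYTAB_EXPOSED $keytab"; bad=1 ;;
        esac
    fi
    if [ -f "$acl" ]; then         # grants admin rights: no group/other write
        case $(perms "$acl") in
            ????-??-?) ;;
            *) echo "ACL_WRITABLE $acl"; bad=1 ;;
        esac
    fi
    return $bad
}

# Usage: sh audit.sh /etc/krb5/kdc.conf EXAMPLE.COM
if [ $# -ge 2 ]; then audit_kadmind_files "$1" "$2"; fi
```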


OPTIONS

     The following options are supported:

     -d    Specifies that kadmind does  not  put  itself  in  the
           background  and  does not disassociate itself from the
           terminal. In normal  operation,  you  should  use  the
           default  behavior, which is to allow the daemon to put
           itself in the background.

     -m    Specifies that the master database password should  be
           retrieved from the keyboard rather than from the stash
           file. When using -m, the kadmind daemon  receives  the
           password  prior  to  putting itself in the background.
           If used in combination with the -d  option,  you  must
           explicitly place the daemon in the background.

     -p port-number
           Specifies the port on which the kadmind daemon listens
           for  connections.  The  default  is  controlled by the
           kadmind_port relation in the kdc.conf(4) file.

     -r realm
           Specifies the default realm that  kadmind  serves.  If
           realm  is not specified, the default realm of the host
           is used. kadmind answers requests for any  realm  that
           exists  in  the  local  KDC database and for which the
           appropriate principals are in its keytab.


FILES

     /var/krb5/principal.db
           Kerberos principal database.

     /var/krb5/principal.kadm5
           Kerberos  administrative  database  containing  policy
           information.

     /var/krb5/principal.kadm5.lock
           Kerberos administrative database lock file. This  file
           works  backwards  from most other lock files (that is,
           kadmin exits with an  error  if  this  file  does  not
           exist).

     /var/krb5/kadm5.dict
           Dictionary of strings explicitly disallowed as
           passwords.

     /etc/krb5/kadm5.acl
           List of principals  and  their  kadmin  administrative
           privileges.

     /etc/krb5/kadm5.keytab
           Keytab for kadmin/admin principal.

     /etc/krb5/kdc.conf
           KDC configuration information.


ATTRIBUTES

     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWkdcu                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO

     kpasswd(1),   gkadmin(1M),   kadmin(1M),   kadmin.local(1M),
     kdb5_util(1M),   kadm5.acl(4),  kdc.conf(4),  attributes(5),
     SEAM(5)


NOTES

     The Kerberos administration daemon (kadmind) is now
     compliant with the change-password standard mentioned in
     RFC 3244, which means it can now handle change-password
     requests from non-Solaris Kerberos clients.

