kadmind.8 (72445) kadmind.8 (76371)
1.Dd June 7, 2000
2.Dt KADMIND 8
3.Os HEIMDAL
4.Sh NAME
5.Nm kadmind
1.Dd June 7, 2000
2.Dt KADMIND 8
3.Os HEIMDAL
4.Sh NAME
5.Nm kadmind
6.Nd
7server for administrative access to kerberos database
6.Nd "server for administrative access to kerberos database"
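Review bot: in the new `.Nd` line (new line 6), "kerberos" is lower-case while the DESCRIPTION text writes "Kerberos database"; this string is what whatis and apropos display, so capitalise it to match. The quotes around the argument are harmless but not required, since `.Nd` takes the rest of the line as its description.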
8.Sh SYNOPSIS
9.Nm
10.Oo Fl c Ar file \*(Ba Xo
11.Fl -config-file= Ns Ar file Oc
12.Xc
13.Oo Fl k Ar file \*(Ba Xo
14.Fl -key-file= Ns Ar file Oc
15.Xc
16.Op Fl -keytab= Ns Ar keytab
17.Oo Fl r Ar realm \*(Ba Xo
18.Fl -realm= Ns Ar realm Oc
19.Xc
20.Op Fl d | Fl -debug
21.Oo Fl p Ar port \*(Ba Xo
22.Fl -ports= Ns Ar port Oc
23.Xc
24.Sh DESCRIPTION
25.Nm
26listens for requests for changes to the Kerberos database and performs
27these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by
28.Xr inetd 8 ,
29otherwise it behaves as a daemon, forking processes for each new
30connection. The
31.Fl -debug
32option causes
33.Nm
34to accept exactly one connection, which is useful for debugging.
7.Sh SYNOPSIS
8.Nm
9.Oo Fl c Ar file \*(Ba Xo
10.Fl -config-file= Ns Ar file Oc
11.Xc
12.Oo Fl k Ar file \*(Ba Xo
13.Fl -key-file= Ns Ar file Oc
14.Xc
15.Op Fl -keytab= Ns Ar keytab
16.Oo Fl r Ar realm \*(Ba Xo
17.Fl -realm= Ns Ar realm Oc
18.Xc
19.Op Fl d | Fl -debug
20.Oo Fl p Ar port \*(Ba Xo
21.Fl -ports= Ns Ar port Oc
22.Xc
23.Sh DESCRIPTION
24.Nm
25listens for requests for changes to the Kerberos database and performs
26these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by
27.Xr inetd 8 ,
28otherwise it behaves as a daemon, forking processes for each new
29connection. The
30.Fl -debug
31option causes
32.Nm
33to accept exactly one connection, which is useful for debugging.
35
34.Pp
36If built with krb4 support, it implements both the Heimdal Kerberos 5
37administrative protocol and the Kerberos 4 protocol. Password changes
38via the Kerberos 4 protocol are also performed by
39.Nm kadmind ,
40but the
41.Xr kpasswdd 8
42daemon is responsible for the Kerberos 5 password changing protocol
43(used by
44.Xr kpasswd 1 ).
45.Pp
46This daemon should only be run on ther master server, and not on any
47slaves.
48.Pp
49Principals are always allowed to change their own password and list
50their own principals. Apart from that, doing any operation requires
51permission explicitly added in the ACL file
52.Pa /var/heimdal/kadmind.acl .
53The format of this file is:
54.Bd -ragged
55.Va principal
56.Va rights
57.Op Va principal-pattern
58.Ed
59.Pp
60Where rights is any combination of:
61.Bl -bullet
62.It
63change-password | cpw
64.It
65list
66.It
67delete
68.It
69modify
70.It
71add
72.It
73get
74.It
75all
76.El
77.Pp
78And the optional
79.Ar principal-pattern
80restricts the rights to principals that match the glob-style pattern.
81.Pp
82Supported options:
83.Bl -tag -width Ds
84.It Xo
85.Fl c Ar file Ns ,
86.Fl -config-file= Ns Ar file
87.Xc
88location of config file
89.It Xo
90.Fl k Ar file Ns ,
91.Fl -key-file= Ns Ar file
92.Xc
93location of master key file
94.It Xo
95.Fl -keytab= Ns Ar keytab
96.Xc
97what keytab to use
98.It Xo
99.Fl r Ar realm Ns ,
100.Fl -realm= Ns Ar realm
101.Xc
102realm to use
103.It Xo
104.Fl d Ns ,
105.Fl -debug
106.Xc
107enable debugging
108.It Xo
109.Fl p Ar port Ns ,
110.Fl -ports= Ns Ar port
111.Xc
112ports to listen to. By default, if run as a daemon, it listen to ports
113749, and 751 (if built with Kerberos 4 support), but you can add any
114number of ports with this option. The port string is a whitespace
115separated list of port specifications, with the special string
116.Dq +
117representing the default set of ports.
118.El
119.\".Sh ENVIRONMENT
120.Sh FILES
121.Pa /var/heimdal/kadmind.acl
122.Sh EXAMPLES
123This will cause kadmind to listen to port 4711 in addition to any
124compiled in defaults:
125.Bd -literal -offset indent
126# kadmind --ports="+ 4711" &
127.Ed
128.\".Sh DIAGNOSTICS
129.Sh SEE ALSO
130.Xr kdc 8 ,
131.Xr kadmin 1 ,
132.Xr kpasswdd 8 ,
133.Xr kpasswd 1
35If built with krb4 support, it implements both the Heimdal Kerberos 5
36administrative protocol and the Kerberos 4 protocol. Password changes
37via the Kerberos 4 protocol are also performed by
38.Nm kadmind ,
39but the
40.Xr kpasswdd 8
41daemon is responsible for the Kerberos 5 password changing protocol
42(used by
43.Xr kpasswd 1 ).
44.Pp
45This daemon should only be run on ther master server, and not on any
46slaves.
47.Pp
48Principals are always allowed to change their own password and list
49their own principals. Apart from that, doing any operation requires
50permission explicitly added in the ACL file
51.Pa /var/heimdal/kadmind.acl .
52The format of this file is:
53.Bd -ragged
54.Va principal
55.Va rights
56.Op Va principal-pattern
57.Ed
58.Pp
59Where rights is any combination of:
60.Bl -bullet
61.It
62change-password | cpw
63.It
64list
65.It
66delete
67.It
68modify
69.It
70add
71.It
72get
73.It
74all
75.El
76.Pp
77And the optional
78.Ar principal-pattern
79restricts the rights to principals that match the glob-style pattern.
80.Pp
81Supported options:
82.Bl -tag -width Ds
83.It Xo
84.Fl c Ar file Ns ,
85.Fl -config-file= Ns Ar file
86.Xc
87location of config file
88.It Xo
89.Fl k Ar file Ns ,
90.Fl -key-file= Ns Ar file
91.Xc
92location of master key file
93.It Xo
94.Fl -keytab= Ns Ar keytab
95.Xc
96what keytab to use
97.It Xo
98.Fl r Ar realm Ns ,
99.Fl -realm= Ns Ar realm
100.Xc
101realm to use
102.It Xo
103.Fl d Ns ,
104.Fl -debug
105.Xc
106enable debugging
107.It Xo
108.Fl p Ar port Ns ,
109.Fl -ports= Ns Ar port
110.Xc
111ports to listen to. By default, if run as a daemon, it listen to ports
112749, and 751 (if built with Kerberos 4 support), but you can add any
113number of ports with this option. The port string is a whitespace
114separated list of port specifications, with the special string
115.Dq +
116representing the default set of ports.
117.El
118.\".Sh ENVIRONMENT
119.Sh FILES
120.Pa /var/heimdal/kadmind.acl
121.Sh EXAMPLES
122This will cause kadmind to listen to port 4711 in addition to any
123compiled in defaults:
124.Bd -literal -offset indent
125# kadmind --ports="+ 4711" &
126.Ed
127.\".Sh DIAGNOSTICS
128.Sh SEE ALSO
129.Xr kdc 8 ,
130.Xr kadmin 1 ,
131.Xr kpasswdd 8 ,
132.Xr kpasswd 1
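Review bot: the new revision still carries the typo "ther master server" (new line 45) and the agreement error "it listen to ports" (new line 111), both unchanged from the old revision; since this commit is already a markup cleanup, fix them here as "the master server" and "it listens on ports". In the ACL paragraph (new lines 48 to 79), it would also help to state explicitly that an entry without a principal-pattern applies its rights to every principal, as the text only implies this by calling the pattern optional.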