NAME
kadmind − Kerberos administration daemon
SYNOPSIS
/usr/lib/kadmind [-d] [-m] [-p port-number] [-r realm]
DESCRIPTION
kadmind runs on the master key distribution center (KDC), which stores the principal and policy databases. kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kpasswd(1), gkamdin(1M), and kadmin(1M) commands, all of which are clients of kadmind. When you install a KDC, kadmind is set up in the init scripts to start automatically when the KDC is rebooted.
kadmind requires a number of configuration files to be set up for it to work:
/etc/krb5/kdc.conf
The KDC configuration file contains configuration information for the KDC and the Kerberos administration system. kadmind understands a number of configuration variables (called relations) in this file, some of which are mandatory and some of which are optional. In particular, kadmind uses the acl_file, dict_file, admin_keytab, and kadmind_port relations in the [realms] section. Refer to the kdc.conf(4) man page for information regarding the format of the KDC configuration file.
/etc/krb5/kadm5.keytab
kadmind requires akeytab (key table) containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that kadmind answers requests. The keytab can be created with the kadmin.local(1M), kdb5_util(1M) command. The location of the keytab is determined by the admin_keytab relation in the kdc.conf(4) file.
/etc/krb5/kadm5.acl
kadmind uses an ACL (access control list) to determine which principals are allowed to perform Kerberos administration actions. The path of the ACL file is determined by the acl_file relation in the kdc.conf file. See kdc.conf(4). For information regarding the format of the ACL file, refer to kadm5.acl(4).
After kadmind begins running, it puts itself in the background and disassociates itself from its controlling terminal.
OPTIONS
The following options are supported:
|
-d |
Specifies that kadmind does not put itself in the background and does not disassociate itself from the terminal. In normal operation, you should use the default behavior, which is to allow the daemon to put itself in the background. | ||
|
-m |
Specifies that the master database password should be retrieved from the keyboard rather than from the stash file. When using -m, the kadmind daemon receives the password prior to putting itself in the background. If used in combination with the -d option, you must explicitly place the daemon in the background. |
-p port-number
Specifies the port on which the kadmind daemon listens for connections. The default is controlled by the kadmind_port relation in the kdc.conf(4) file.
-r realm
Specifies the default realm that kadmind serves. If realm is not specified, the default realm of the host is used. kadmind answers requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab.
FILES
/var/krb5/principal.db
Kerberos principal database.
/var/krb5/principal.kadm5
Kerberos administrative database containing policy information.
/var/krb5/principal.kadm5.lock
Kerberos administrative database lock file. This file works backwards from most other lock files (that is, kadmin exits with an error if this file does not exist).
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as passwords.
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin/admin principal.
/etc/krb5/kdc.conf
KDC configuration information.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
SEE ALSO
kpasswd(1), gkadmin(1M), kadmin(1M), kadmin.local(1M), kdb5_util(1M), kadm5.acl(4), kdc.conf(4), attributes(5), SEAM(5)