1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
KADMIND(8) BSD System Manager's Manual KADMIND(8)
N�NA�AM�ME�E
k�ka�ad�dm�mi�in�nd�d -- server for administrative access to Kerberos database
S�SY�YN�NO�OP�PS�SI�IS�S
k�ka�ad�dm�mi�in�nd�d [-�-c�c _�f_�i_�l_�e | -�--�-c�co�on�nf�fi�ig�g-�-f�fi�il�le�e=�=_�f_�i_�l_�e] [-�-k�k _�f_�i_�l_�e | -�--�-k�ke�ey�y-�-f�fi�il�le�e=�=_�f_�i_�l_�e]
[-�--�-k�ke�ey�yt�ta�ab�b=�=_�k_�e_�y_�t_�a_�b] [-�-r�r _�r_�e_�a_�l_�m | -�--�-r�re�ea�al�lm�m=�=_�r_�e_�a_�l_�m] [-�-d�d | -�--�-d�de�eb�bu�ug�g] [-�-p�p
_�p_�o_�r_�t | -�--�-p�po�or�rt�ts�s=�=_�p_�o_�r_�t]
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
k�ka�ad�dm�mi�in�nd�d listens for requests for changes to the Kerberos database and
performs these, subject to permissions. When starting, if stdin is a
socket it assumes that it has been started by inetd(8), otherwise it
behaves as a daemon, forking processes for each new connection. The
-�--�-d�de�eb�bu�ug�g option causes k�ka�ad�dm�mi�in�nd�d to accept exactly one connection, which is
useful for debugging.
The kpasswdd(8) daemon is responsible for the Kerberos 5 password chang-
ing protocol (used by kpasswd(1)).
This daemon should only be run on the master server, and not on any
slaves.
Principals are always allowed to change their own password and list their
own principal. Apart from that, doing any operation requires permission
explicitly added in the ACL file _�/_�v_�a_�r_�/_�h_�e_�i_�m_�d_�a_�l_�/_�k_�a_�d_�m_�i_�n_�d_�._�a_�c_�l. The format of
this file is:
_�p_�r_�i_�n_�c_�i_�p_�a_�l _�r_�i_�g_�h_�t_�s [_�p_�r_�i_�n_�c_�i_�p_�a_�l_�-_�p_�a_�t_�t_�e_�r_�n]
Where rights is any (comma separated) combination of:
+�+�o�o change-password or cpw
+�+�o�o list
+�+�o�o delete
+�+�o�o modify
+�+�o�o add
+�+�o�o get
+�+�o�o get-keys
+�+�o�o all
And the optional _�p_�r_�i_�n_�c_�i_�p_�a_�l_�-_�p_�a_�t_�t_�e_�r_�n restricts the rights to operations on
principals that match the glob-style pattern.
Supported options:
-�-c�c _�f_�i_�l_�e, -�--�-c�co�on�nf�fi�ig�g-�-f�fi�il�le�e=�=_�f_�i_�l_�e
location of config file
-�-k�k _�f_�i_�l_�e, -�--�-k�ke�ey�y-�-f�fi�il�le�e=�=_�f_�i_�l_�e
location of master key file
-�--�-k�ke�ey�yt�ta�ab�b=�=_�k_�e_�y_�t_�a_�b
what keytab to use
-�-r�r _�r_�e_�a_�l_�m, -�--�-r�re�ea�al�lm�m=�=_�r_�e_�a_�l_�m
realm to use
-�-d�d, -�--�-d�de�eb�bu�ug�g
enable debugging
-�-p�p _�p_�o_�r_�t, -�--�-p�po�or�rt�ts�s=�=_�p_�o_�r_�t
ports to listen to. By default, if run as a daemon, it listens to
port 749, but you can add any number of ports with this option.
The port string is a whitespace separated list of port specifica-
tions, with the special string ``+'' representing the default
port.
F�FI�IL�LE�ES�S
_�/_�v_�a_�r_�/_�h_�e_�i_�m_�d_�a_�l_�/_�k_�a_�d_�m_�i_�n_�d_�._�a_�c_�l
E�EX�XA�AM�MP�PL�LE�ES�S
This will cause k�ka�ad�dm�mi�in�nd�d to listen to port 4711 in addition to any com-
piled in defaults:
k�ka�ad�dm�mi�in�nd�d -�--�-p�po�or�rt�ts�s="+ 4711" &
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals, as well as extract host principal keys (e.g., into
keytabs).
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM
S�SE�EE�E A�AL�LS�SO�O
kpasswd(1), kadmin(1), kdc(8), kpasswdd(8)
HEIMDAL December 8, 2004 HEIMDAL
|
