187 lines
4.8 KiB
Groff
187 lines
4.8 KiB
Groff
.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
|
|
.\" (Royal Institute of Technology, Stockholm, Sweden).
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" 3. Neither the name of the Institute nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $
|
|
.\"
|
|
.Dd March 5, 2002
|
|
.Dt KADMIND 8
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm kadmind
|
|
.Nd "server for administrative access to Kerberos database"
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Oo Fl c Ar file \*(Ba Xo
|
|
.Fl -config-file= Ns Ar file
|
|
.Xc
|
|
.Oc
|
|
.Oo Fl k Ar file \*(Ba Xo
|
|
.Fl -key-file= Ns Ar file
|
|
.Xc
|
|
.Oc
|
|
.Op Fl -keytab= Ns Ar keytab
|
|
.Oo Fl r Ar realm \*(Ba Xo
|
|
.Fl -realm= Ns Ar realm
|
|
.Xc
|
|
.Oc
|
|
.Op Fl d | Fl -debug
|
|
.Oo Fl p Ar port \*(Ba Xo
|
|
.Fl -ports= Ns Ar port
|
|
.Xc
|
|
.Oc
|
|
.Op Fl -no-kerberos4
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
listens for requests for changes to the Kerberos database and performs
|
|
these, subject to permissions. When starting, if stdin is a socket it
|
|
assumes that it has been started by
|
|
.Xr inetd 8 ,
|
|
otherwise it behaves as a daemon, forking processes for each new
|
|
connection. The
|
|
.Fl -debug
|
|
option causes
|
|
.Nm
|
|
to accept exactly one connection, which is useful for debugging.
|
|
.Pp
|
|
If built with krb4 support, it implements both the Heimdal Kerberos 5
|
|
administrative protocol and the Kerberos 4 protocol. Password changes
|
|
via the Kerberos 4 protocol are also performed by
|
|
.Nm kadmind ,
|
|
but the
|
|
.Xr kpasswdd 8
|
|
daemon is responsible for the Kerberos 5 password changing protocol
|
|
(used by
|
|
.Xr kpasswd 1 )
|
|
.
|
|
.Pp
|
|
This daemon should only be run on the master server, and not on any
|
|
slaves.
|
|
.Pp
|
|
Principals are always allowed to change their own password and list
|
|
their own principal. Apart from that, doing any operation requires
|
|
permission explicitly added in the ACL file
|
|
.Pa /var/heimdal/kadmind.acl .
|
|
The format of this file is:
|
|
.Bd -ragged
|
|
.Va principal
|
|
.Va rights
|
|
.Op Va principal-pattern
|
|
.Ed
|
|
.Pp
|
|
Where rights is any (comma separated) combination of:
|
|
.Bl -bullet -compact
|
|
.It
|
|
change-password or cpw
|
|
.It
|
|
list
|
|
.It
|
|
delete
|
|
.It
|
|
modify
|
|
.It
|
|
add
|
|
.It
|
|
get
|
|
.It
|
|
all
|
|
.El
|
|
.Pp
|
|
And the optional
|
|
.Ar principal-pattern
|
|
restricts the rights to operations on principals that match the
|
|
glob-style pattern.
|
|
.Pp
|
|
Supported options:
|
|
.Bl -tag -width Ds
|
|
.It Xo
|
|
.Fl c Ar file ,
|
|
.Fl -config-file= Ns Ar file
|
|
.Xc
|
|
location of config file
|
|
.It Xo
|
|
.Fl k Ar file ,
|
|
.Fl -key-file= Ns Ar file
|
|
.Xc
|
|
location of master key file
|
|
.It Xo
|
|
.Fl -keytab= Ns Ar keytab
|
|
.Xc
|
|
what keytab to use
|
|
.It Xo
|
|
.Fl r Ar realm ,
|
|
.Fl -realm= Ns Ar realm
|
|
.Xc
|
|
realm to use
|
|
.It Xo
|
|
.Fl d ,
|
|
.Fl -debug
|
|
.Xc
|
|
enable debugging
|
|
.It Xo
|
|
.Fl p Ar port ,
|
|
.Fl -ports= Ns Ar port
|
|
.Xc
|
|
ports to listen to. By default, if run as a daemon, it listens to ports
|
|
749, and 751 (if Kerberos 4 support is built and enabled), but you can
|
|
add any number of ports with this option. The port string is a
|
|
whitespace separated list of port specifications, with the special
|
|
string
|
|
.Dq +
|
|
representing the default set of ports.
|
|
.It Fl -no-kerberos4
|
|
make
|
|
.Nm
|
|
ignore Kerberos 4 kadmin requests.
|
|
.El
|
|
.\".Sh ENVIRONMENT
|
|
.Sh FILES
|
|
.Pa /var/heimdal/kadmind.acl
|
|
.Sh EXAMPLES
|
|
This will cause
|
|
.Nm
|
|
to listen to port 4711 in addition to any
|
|
compiled in defaults:
|
|
.Pp
|
|
.D1 Nm Fl -ports Ns Li "=\*[q]+ 4711\*[q] &"
|
|
.Pp
|
|
This acl file will grant Joe all rights, and allow Mallory to view and
|
|
add host principals.
|
|
.Bd -literal -offset indent
|
|
joe/admin@EXAMPLE.COM all
|
|
mallory/admin@EXAMPLE.COM add,get host/*@EXAMPLE.COM
|
|
.Ed
|
|
.\".Sh DIAGNOSTICS
|
|
.Sh SEE ALSO
|
|
.Xr kpasswd 1 ,
|
|
.Xr kadmin 8 ,
|
|
.Xr kdc 8 ,
|
|
.Xr kpasswdd 8
|