1130b656e5
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
118 lines
2.7 KiB
Groff
.\" from: kadmind.8,v 4.1 89/07/25 17:28:33 jtkohl Exp $
.\" $FreeBSD$
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kadmind \- network daemon for Kerberos database administration
.SH SYNOPSIS
.B kadmind
[
.B \-n
] [
.B \-h
] [
.B \-r realm
] [
.B \-f filename
] [
.B \-d dbname
] [
.B \-a acldir
]
.SH DESCRIPTION
.I kadmind
is the network database server for the Kerberos password-changing and
administration tools.
.PP
Upon execution, it prompts the user to enter the master key string for
the database.
.PP
If the
.B \-n
option is specified, the master key is instead fetched from the master
key cache file.
.PP
If the
.B \-r
.I realm
option is specified, the admin server will pretend that its
local realm is
.I realm
instead of the actual local realm of the host it is running on.
This makes it possible to run a server for a foreign Kerberos
realm.
.PP
If the
.B \-f
.I filename
option is specified, then that file is used to hold the log information
instead of the default.
.PP
If the
.B \-d
.I dbname
option is specified, then that file is used as the database name instead
of the default.
.PP
If the
.B \-a
.I acldir
option is specified, then
.I acldir
is used as the directory in which to search for access control lists
instead of the default.
.PP
If the
.B \-h
option is specified,
.I kadmind
prints out a short summary of the permissible control arguments, and
then exits.
.PP
When performing requests on behalf of clients,
.I kadmind
checks access control lists (ACLs) to determine the authorization of the client
to perform the requested action.
Currently three distinct access types are supported:
.TP 1i
Addition
(.add ACL file). If a principal is on this list, it may add new
principals to the database.
.TP
Retrieval
(.get ACL file). If a principal is on this list, it may retrieve
database entries. NOTE: A principal's private key is never returned by
the get functions.
.TP
Modification
(.mod ACL file). If a principal is on this list, it may modify entries
in the database.
.PP
A principal is always granted authorization to change its own password.
.SH FILES
.TP 20n
/var/log/kadmind.syslog
Default log file.
.TP
/etc/kerberosIV/admin_acl.{add,get,mod}
Access control list files.
.TP
/etc/kerberosIV/principal.db
DBM file containing the database.
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.TP
/etc/kerberosIV/master_key
Master key cache file.
.SH "SEE ALSO"
kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
.SH AUTHORS
Douglas A. Church, MIT Project Athena
.br
John T. Kohl, Project Athena/Digital Equipment Corporation
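The authorization rules in the DESCRIPTION section (three ACL files plus the own-password rule), modelled as an added example for reviewing who holds which access type; this is not code from the man page or from kadmind. Assumptions: each ACL file holds one principal per line, matching is exact string comparison, `chpass` is a hypothetical label for a password change, and the principals and realm `EXAMPLE.ORG` are constructed sample data.

```python
import os
import tempfile

ACCESS_TYPES = ("add", "get", "mod")  # the three access types the man page lists

def load_acls(acldir, prefix="admin_acl"):
    """Read <acldir>/admin_acl.{add,get,mod}; a missing file grants nothing."""
    acls = {}
    for kind in ACCESS_TYPES:
        try:
            with open(os.path.join(acldir, f"{prefix}.{kind}")) as fh:
                # Assumed format: one principal per line, blank lines ignored.
                acls[kind] = {line.strip() for line in fh if line.strip()}
        except FileNotFoundError:
            acls[kind] = set()
    return acls

def is_authorized(acls, client, action, target=None):
    """Own password change is always allowed; anything else needs the ACL."""
    if action == "chpass":  # changing another principal's entry is a "mod" here
        return client == target
    if action not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {action}")
    return client in acls[action]

def rights_report(acls):
    """Invert the ACLs into principal -> [access types] for review."""
    report = {}
    for kind in ACCESS_TYPES:
        for principal in acls[kind]:
            report.setdefault(principal, []).append(kind)
    return report

def demo_acls():
    """Build a constructed ACL directory (sample principals, not real ones)."""
    sample = {
        "add": "alice.admin@EXAMPLE.ORG\n",
        "get": "alice.admin@EXAMPLE.ORG\nbob.admin@EXAMPLE.ORG\n",
        "mod": "alice.admin@EXAMPLE.ORG\n",
    }
    with tempfile.TemporaryDirectory() as acldir:
        for kind, body in sample.items():
            with open(os.path.join(acldir, f"admin_acl.{kind}"), "w") as fh:
                fh.write(body)
        return load_acls(acldir)

if __name__ == "__main__":
    for principal, kinds in sorted(rights_report(demo_acls()).items()):
        print(f"{principal}: {', '.join(kinds)}")
```

Pointing `load_acls` at the directory given to `-a acldir` produces the same report for a live configuration, under the format assumption above.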