.\" $NetBSD: kadmind.8,v 1.6 2019/12/15 22:50:46 christos Exp $
.\"
.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Id
.\"
.Dd December 8, 2004
.Dt KADMIND 8
.Os
.Sh NAME
.Nm kadmind
.Nd "server for administrative access to Kerberos database"
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl c Ar file \*(Ba Xo
.Fl Fl config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl Fl key-file= Ns Ar file
.Xc
.Oc
.Op Fl Fl keytab= Ns Ar keytab
.Oo Fl r Ar realm \*(Ba Xo
.Fl Fl realm= Ns Ar realm
.Xc
.Oc
.Op Fl d | Fl Fl debug
.Oo Fl p Ar port \*(Ba Xo
.Fl Fl ports= Ns Ar port
.Xc
.Oc
.Ek
.Sh DESCRIPTION
.Nm
listens for requests for changes to the Kerberos database and performs
these, subject to permissions.  When starting, if stdin is a socket it
assumes that it has been started by
.Xr inetd 8 ,
otherwise it behaves as a daemon, forking processes for each new
connection.  The
.Fl Fl debug
option causes
.Nm
to accept exactly one connection, which is useful for debugging.
.Pp
The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
.Pp
Principals are always allowed to change their own password and list
their own principal.  Apart from that, doing any operation requires
permission explicitly added in the ACL file
.Pa /var/heimdal/kadmind.acl .
The format of this file is:
.Bd -ragged
.Va principal
.Va rights
.Op Va principal-pattern
.Ed
.Pp
Where rights is any (comma separated) combination of:
.Bl -bullet -compact
.It
change-password or cpw
.It
list
.It
delete
.It
modify
.It
add
.It
get
.It
get-keys
.It
all (everything except get-keys)
.El
.Pp
And the optional
.Ar principal-pattern
restricts the rights to operations on principals that match the
glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl Fl keytab= Ns Ar keytab
what keytab to use
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl d , Fl Fl debug
enable debugging
.It Fl p Ar port , Fl Fl ports= Ns Ar port
ports to listen to.  By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option.  The port
string is a whitespace separated list of port specifications, with the
special string
.Dq +
representing the default port.
.El
.\".Sh ENVIRONMENT
.Sh FILES
.Pa /var/heimdal/kadmind.acl
.Sh EXAMPLES
This will cause
.Nm
to listen to port 4711 in addition to any
compiled in defaults:
.Pp
.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
.Pp
This acl file will grant Joe all rights, and allow Mallory to view and
add host principals, as well as extract host principal keys (e.g., into
keytabs).
.Bd -literal -offset indent
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kpasswd 1 ,
.Xr kadmin 1 ,
.Xr kdc 8 ,
.Xr kpasswdd 8
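The ACL format described in DESCRIPTION and the two-line acl file in EXAMPLES are the parts of this page an administrator most often has to reason about: who can add principals, who can extract keys, and which target principals a glob pattern actually covers. The following offline checker is an added example, not Heimdal's own code and not how kadmind itself evaluates the file; it implements only the rules stated on this page (one entry per line, comma-separated rights, `cpw` as an alias for `change-password`, `all` meaning everything except `get-keys`, an optional glob pattern restricting the target principals, and every principal being allowed to change its own password and list its own principal). Two assumptions are labelled in the code: glob matching uses Python's `fnmatch` semantics, so the `*` in `host/*@EXAMPLE.COM` also matches the `/` inside an instance, and lines starting with `#` are treated as comments. Heimdal's real matcher may differ in these details, so use this to review an acl file, not as a substitute for testing against the running daemon.

```python
"""Offline checker for a kadmind.acl file, following the format
documented in kadmind(8).  This is an added example, not Heimdal code.

Entry format:  principal  right[,right...]  [principal-pattern]
"""
from fnmatch import fnmatchcase

# Rights named on the page.  'all' expands to everything except get-keys.
RIGHTS = {"change-password", "list", "delete", "modify", "add", "get", "get-keys"}
ALIASES = {"cpw": "change-password"}
ALL_RIGHTS = RIGHTS - {"get-keys"}

# Constructed sample: the acl file from the EXAMPLES section of the page.
SAMPLE_ACL = """\
joe/admin@EXAMPLE.COM all
mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM
"""


def parse_rights(spec):
    """Expand a comma-separated rights field into a set of canonical rights."""
    rights = set()
    for token in spec.split(","):
        token = ALIASES.get(token, token)
        if token == "all":
            rights |= ALL_RIGHTS
        elif token in RIGHTS:
            rights.add(token)
        else:
            raise ValueError(f"unknown right: {token!r}")
    return rights


def parse_acl(text):
    """Return a list of (principal, rights, pattern) entries.

    Assumption (not stated on the page): '#' starts a comment.  An entry
    without a pattern applies to every target principal ('*').
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        pattern = fields[2] if len(fields) == 3 else "*"
        entries.append((fields[0], parse_rights(fields[1]), pattern))
    return entries


def is_permitted(entries, caller, right, target):
    """True if `caller` may perform `right` on principal `target`."""
    right = ALIASES.get(right, right)
    # kadmind(8): principals may always change their own password and
    # list their own principal, with no ACL entry needed.
    if caller == target and right in ("change-password", "list"):
        return True
    for principal, rights, pattern in entries:
        # Assumption: glob matching with fnmatch semantics ('*' spans '/').
        if principal == caller and right in rights and fnmatchcase(target, pattern):
            return True
    return False


def who_can(entries, right, target):
    """Audit helper: sorted list of principals granted `right` on `target`."""
    right = ALIASES.get(right, right)
    return sorted({p for p, rights, pattern in entries
                   if right in rights and fnmatchcase(target, pattern)})


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    host = "host/a.example.com@EXAMPLE.COM"
    for caller, right, target in [
        ("joe/admin@EXAMPLE.COM", "get-keys", host),
        ("mallory/admin@EXAMPLE.COM", "get-keys", host),
        ("mallory/admin@EXAMPLE.COM", "add", "alice@EXAMPLE.COM"),
        ("alice@EXAMPLE.COM", "cpw", "alice@EXAMPLE.COM"),
    ]:
        print(f"{caller:28} {right:10} {target:34} -> {is_permitted(acl, caller, right, target)}")
    print("can extract host keys:", who_can(acl, "get-keys", host))
```

Running it against the page's own example shows the two points worth checking in any real acl file: `all` does not include `get-keys`, so joe cannot extract keys even though he holds every other right, and mallory's pattern confines her to `host/` principals, so she cannot add an ordinary user principal. `who_can` answers the audit question that matters most for a key-holding service, namely which administrators can pull keys for a given principal.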