Provided by: heimdal-kdc_7.8.git20221117.28daf24+dfsg-5ubuntu3_amd64 bug

NAME
       kadmind — server for administrative access to Kerberos database


SYNOPSIS
       kadmind   [-c file | --config-file=file]   [-k file | --key-file=file]   [--keytab=keytab]  [-r  realm  |
               --realm=realm] [-d | --debug] [-p port | --ports=port]


DESCRIPTION
       kadmind listens for requests for changes  to  the  Kerberos  database  and  performs  these,  subject  to
       permissions.   When  starting,  if  stdin  is  a  socket it assumes that it has been started by inetd(8),
       otherwise it behaves as a daemon, forking processes for each new connection. The  --debug  option  causes
       kadmind to accept exactly one connection, which is useful for debugging.

       The kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by kpasswd(1)).

       This daemon should only be run on the master server, and not on any slaves.

       Principals  are  always  allowed  to  change their own password and list their own principal.  Apart from
       that, doing any operation requires permission explicitly added in the ACL file  /var/heimdal/kadmind.acl.
       The format of this file is:

       principal rights [principal-pattern]

       Where rights is any (comma separated) combination of:
          change-password or cpw
          list
          delete
          modify
          add
          get
          get-keys
          all (everything except get-keys)

       And  the optional principal-pattern restricts the rights to operations on principals that match the glob-
       style pattern.

       Supported options:

       -c file, --config-file=file
               location of config file

       -k file, --key-file=file
               location of master key file

       --keytab=keytab
               what keytab to use

       -r realm, --realm=realm
               realm to use

       -d, --debug
               enable debugging

       -p port, --ports=port
               ports to listen to. By default, if run as a daemon, it listens to port 749, but you can  add  any
               number  of  ports  with  this  option.  The  port  string  is a whitespace separated list of port
               specifications, with the special string “+” representing the default port.


FILES
       /var/heimdal/kadmind.acl


EXAMPLES
       This will cause kadmind to listen to port 4711 in addition to any compiled in defaults:

             kadmind --ports="+ 4711" &

       This acl file will grant Joe all rights, and allow Mallory to view and add host principals,  as  well  as
       extract host principal keys (e.g., into keytabs).

             joe/admin@EXAMPLE.COM      all
             mallory/admin@EXAMPLE.COM  add,get-keys  host/*@EXAMPLE.COM


SEE ALSO
       kpasswd(1), kadmin(1), kdc(8), kpasswdd(8)

HEIMDAL                                         December 8, 2004                                      KADMIND(8)