System Administration Commands kadmind(1M)
NAME
kadmind - Kerberos administration daemon
SYNOPSIS
/usr/lib/krb5/kadmind [-d] [-m] [-p port-number] [-r realm]
[-x db_args]...
DESCRIPTION
kadmind runs on the master key distribution center (KDC),
which stores the principal and policy databases. kadmind
accepts remote requests to administer the information in
these databases. Remote requests are sent, for example, by
the kpasswd(1), gkadmin(1M), and kadmin(1M) commands, all of
which are clients of kadmind. When you install a KDC,
kadmind is set up in the init scripts to start automatically
when the KDC is rebooted.
kadmind requires a number of configuration files to be set
up for it to work:
/etc/krb5/kdc.conf
The KDC configuration file contains configuration
information for the KDC and the Kerberos administration
system. kadmind understands a number of configuration
variables (called relations) in this file, some of which are
mandatory and some of which are optional. In particular,
kadmind uses the acl_file, dict_file, admin_keytab, and
kadmind_port relations in the [realms] section. Refer to
the kdc.conf(4) man page for information regarding the
format of the KDC configuration file.
/etc/krb5/kadm5.keytab
kadmind requires a keytab (key table) containing correct
entries for the kadmin/fqdn, changepw/fqdn, and
kadmin/changepw principals for every realm for which kadmind
answers requests. The keytab can be created with the
kadmin.local(1M) or kdb5_util(1M) command. The location
of the keytab is determined by the admin_keytab relation
in the kdc.conf(4) file.
/etc/krb5/kadm5.acl
kadmind uses an ACL (access control list) to determine
which principals are allowed to perform Kerberos
administration actions. The path of the ACL file is
determined by the acl_file relation in the kdc.conf
file. See kdc.conf(4). For information regarding the
format of the ACL file, refer to kadm5.acl(4).
SunOS 5.11 Last change: 29 Feb 2008 1
The kadmind daemon will need to be restarted to reread
the kadm5.acl file after it has been modified. You can
do this, as root, with the following command:
# svcadm restart svc:/network/security/kadmin:default
After kadmind begins running, it puts itself in the
background and disassociates itself from its controlling
terminal.
kadmind can be configured for incremental database
propagation. Incremental propagation allows slave KDC servers
to receive principal and policy updates incrementally instead
of receiving full dumps of the database. These settings can
be changed in the kdc.conf(4) file:
sunw_dbprop_enable = [true | false]
Enable or disable incremental database propagation.
Default is false.
sunw_dbprop_master_ulogsize = N
Specifies the maximum number of log entries available
for incremental propagation to the slave KDC servers.
The maximum value that this can be is 2500 entries.
Default value is 1000 entries.
The kiprop/hostname@REALM principal must exist in the
master's kadm5.keytab file to enable the slave to
authenticate incremental propagation from the master. In
the principal syntax above, hostname is the master KDC's
host name and REALM is the realm in which the master KDC
resides.
Kerberos client machines can automatically migrate Unix
users to the default Kerberos realm specified in the local
krb5.conf(4), if the user does not have a valid Kerberos
account already. You achieve this by using the
pam_krb5_migrate(5) service module for the service in
question. The Kerberos service principal used by the client
machine attempting the migration needs to be validated using
the u privilege in kadm5.acl(4). When using the u privilege,
kadmind validates user passwords using PAM, specifically
using a PAM_SERVICE name of k5migrate by calling
pam_authenticate(3PAM) and pam_acct_mgmt(3PAM).
A suitable PAM stack configuration example for k5migrate
would look like:
k5migrate auth required pam_unix_auth.so.1
k5migrate account required pam_unix_account.so.1
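The following is an added example, not part of this man page, that audits a kadm5.acl of the kind kadmind reads: it parses a constructed sample ACL, reports the privileges a principal such as the kiprop principal or a migrating client's host principal ends up with, and flags all-wildcard entries that grant more than inquire and list rights. The privilege letters, the '*' component matching and the first-match rule are modelled on kadm5.acl(4) and are assumptions of this example, not quoted from it.

```python
# Added example, not from the man page: audit a kadm5.acl file.
# Letters modelled on kadm5.acl(4); the assumed set is the usual ones
# plus Solaris u (migration) and p (propagation); '*' or 'x' means all.
ALL_PRIVS = frozenset("adlmcispu")

SAMPLE_ACL = """\
# constructed sample kadm5.acl
*/admin@EXAMPLE.COM                    *
kiprop/kdc2.example.com@EXAMPLE.COM    p
host/client1.example.com@EXAMPLE.COM   u
auditor@EXAMPLE.COM                    il
*@EXAMPLE.COM                          *
"""

def _split(principal):  # name@REALM -> ([name components], REALM)
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def matches(pattern, principal):
    """A '*' component in the pattern matches any single component."""
    pat, prealm = _split(pattern)
    comps, realm = _split(principal)
    return (len(pat) == len(comps) and prealm in ("*", realm)
            and all(p in ("*", c) for p, c in zip(pat, comps)))

def expand(perms):
    """Lowercase grants, uppercase revokes, '*' or 'x' grants all."""
    granted = set()
    for ch in perms:
        bits = ALL_PRIVS if ch in "*x" else {ch.lower()}
        granted = granted - bits if ch.isupper() else granted | bits
    return granted

def parse_acl(text):  # -> [(principal pattern, permission string)]
    rows = (ln.split("#", 1)[0].split() for ln in text.splitlines())
    return [(f[0], f[1]) for f in rows if len(f) >= 2]

def privileges(entries, principal):
    """First matching entry wins; no match means no rights at all."""
    for pattern, perms in entries:
        if matches(pattern, principal):
            return expand(perms)
    return set()

def overbroad(entries):
    """Flag all-wildcard names that grant more than inquire/list."""
    return [pat for pat, perms in entries
            if all(c == "*" for c in _split(pat)[0])
            and expand(perms) - {"i", "l"}]
```

Run against the sample, the trailing `*@EXAMPLE.COM *` line is reported, since it hands every realm principal full administrative rights; the kiprop and host entries show the narrow grants the propagation and migration paths actually need.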
OPTIONS
The following options are supported:
-d
Specifies that kadmind does not put itself in the
background and does not disassociate itself from the
terminal. In normal operation, you should use the default
behavior, which is to allow the daemon to put itself in
the background.
-m
Specifies that the master database password should be
retrieved from the keyboard rather than from the stash
file. When using -m, the kadmind daemon receives the
password prior to putting itself in the background. If
used in combination with the -d option, you must
explicitly place the daemon in the background.
-p port-number
Specifies the port on which the kadmind daemon listens
for connections. The default is controlled by the
kadmind_port relation in the kdc.conf(4) file.
-r realm
Specifies the default realm that kadmind serves. If
realm is not specified, the default realm of the host is
used. kadmind answers requests for any realm that exists
in the local KDC database and for which the appropriate
principals are in its keytab.
-x db_args
Pass database-specific arguments to kadmind. Supported
arguments are for LDAP and the Berkeley-db2 plug-in.
These arguments are:
binddn=binddn
LDAP simple bind DN for authorization on the
directory server. Overrides the ldap_kadmind_dn parameter
setting in krb5.conf(4).
bindpwd=bindpwd
Bind password.
dbname=name
For the Berkeley-db2 plug-in, specifies a name for
the Kerberos database.
nconns=num
Maximum number of server connections.
port=num
Directory server connection port.
FILES
/var/krb5/principal
Kerberos principal database.
/var/krb5/principal.ulog
The update log file for incremental propagation.
/var/krb5/principal.kadm5
Kerberos administrative database containing policy
information.
/var/krb5/principal.kadm5.lock
Kerberos administrative database lock file. This file
works backwards from most other lock files (that is,
kadmin exits with an error if this file does not exist).
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as pass-
words.
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative
privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin principals: kadmin/fqdn,
changepw/fqdn, and kadmin/changepw.
/etc/krb5/kdc.conf
KDC configuration information.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWkdcu
Interface Stability     Evolving
SEE ALSO
kpasswd(1), svcs(1), gkadmin(1M), kadmin(1M),
kadmin.local(1M), kdb5_util(1M), kdb5_ldap_util(1M),
kproplog(1M), svcadm(1M), pam_acct_mgmt(3PAM),
pam_authenticate(3PAM), kadm5.acl(4), kdc.conf(4),
krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5),
pam_krb5_migrate(5), smf(5)
NOTES
The Kerberos administration daemon (kadmind) is now
compliant with the change-password standard mentioned in RFC
3244, which means it can now handle change-password requests
from non-Solaris Kerberos clients.
The kadmind service is managed by the service management
facility, smf(5), under the service identifier:
svc:/network/security/kadmin
Administrative actions on this service, such as enabling,
disabling, or requesting restart, can be performed using
svcadm(1M). The service's status can be queried using the
svcs(1) command.