Manual Pages for UNIX Darwin command on man kadmind

KADMIND(8) KADMIND(8)

NAME

kadmind - KADM5 administration server

SYNOPSIS

kkaaddmmiinndd [-xx dbargs] [-rr realm] [-mm] [-nnooffoorrkk] [-ppoorrtt port-number]

DESCRIPTION

This command starts the KADM5 administration server. If the database is db2, the administration server runs on the master Kerberos server, which stores the KDC prinicpal database and the KADM5 policy database. If the database is LDAP, the administration server and the KDC server need not run on the same machine. KKaaddmmiinndd accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kkaaddmmiinndd. kkaaddmmiinndd requires a number of configuration files to be set up in order for it to work: kdc.conf The KDC configuration file contains configuration informatin

for the KDC and the KADM5 system. KKaaddmmiinndd understands a num-

ber of variable settings in this file, some of whch are

mandatory and some of which are optional. See the CONFIGURA-

TION VALUES section below. keytab KKaaddmmiinndd requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm

that kadmind will answer requests for. The keytab can be

created with the kadmin(8) client. The location of the

keytab is determined by the adminkeytab configuration vari-

able (see CONFIGURATION VALUES). ACL file KKaaddmmiinndd's ACL (access control list) tells it which principals are allowed to perform KADM5 administration actions. The

path of the ACL file is specified via the aclfile configura-

tion variable (see CONFIGURATION VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX section below. After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. OOPPTTIIOONNSS

-xx dbargs

specifies the database specific arguments. Options supported for LDAP database are:

-x nconns=

specifies the number of connections to be maintained per LDAP server.

-x host=

specifies the LDAP server to connect to by a LDAP URI.

-x binddn=

specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the read and write rights on the realm container, principal container and the subtree that is referenced by the realm.

-x bindpwd=

specifies the password for the above mentioned binddn. It

is recommended not to use this option. Instead, the pass-

word can be stashed using the stashsrvpw command of kdb5ldaputil.

-rr realm

specifies the default realm that kadmind will serve; if it is

not specified, the default realm of the host is used. kkaaddmmiinndd will answer requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab.

-mm specifies that the master database password should be fetched

from the keyboard rather than from a file on disk. Note that the server gets the password prior to putting itself in the

background; in combination with the -nofork option, you must

place it in the background by hand.

-nnooffoorrkk

specifies that the server does not put itself in the background and does not disassociate itself from the terminal. In normal operation, you should always allow the server place itself in the background.

-ppoorrtt port-number

specifies the port on which the administration server listens

for connections. The default is is controlled by the kad-

mindport configuration variable (see below). CCOONNFFIIGGUURRAATTIIOONN VVAALLUUEESS

In addition to the relations defined in kdc.conf(5), kadmind under-

stands the following relations, all of which should appear in the [realms] section: aclfile

The path of kadmind's ACL file. Mandatory. No default.

dictfile

The path of kadmind's password dictionary. A principal with any

password policy will not be allowed to select any password in the dictionary. Optional. No default. adminkeytab The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that kkaaddmmiinndd will

serve. The default is the value of the KRB5KTNAME environment

variable, if defined. Mandatory.

kadmindport

The TCP port on which kkaaddmmiinndd will listen. The default is 749. AACCLL FFIILLEE SSYYNNTTAAXX The ACL file controls which principals can or cannot perform which administrative functions. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. This file can contain comment lines, null lines or lines

which contain ACL entries. Comment lines start with the sharp sign (##)

and continue until the end of the line. Lines containing ACL entries

have the format of pprriinncciippaall whitespace ooppeerraattiioonn-mmaasskk [whitespace

ooppeerraattiioonn-ttaarrggeett]

Ordering is important. The first matching entry is the one which will control access for a particular principal on a particular principal. principal may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be wildcarded using the asterisk ( ** ) character.

operation-target

[Optional] may specify a partially or fully qualified Kerberos version 5 principal name. Each component of the name may be wildcarded using the asterisk ( ** ) character.

operation-mask

Specifies what operations may or may not be peformed by a prin-

cipal matching a particular entry. This is a string of one or

more of the following list of characters or their upper-case

counterparts. If the character is upper-case, then the opera-

tion is disallowed. If the character is lower-case, then the

operation is permitted. aa [Dis]allows the addition of principals or policies in the database. dd [Dis]allows the deletion of principals or policies in the database. mm [Dis]allows the modification of principals or policies in the database. cc [Dis]allows the changing of passwords for principals in the database. ii [Dis]allows inquiries to the database. ll [Dis]allows the listing of principals or policies in the database. xx Short for admcil. ** Same as xx. Some examples of valid entries here are: user/instance@realm adm

A standard fully qualified name. The ooppeerraattiioonn-mmaasskk only

applies to this principal and specifies that [s]he may add, delete or modify principals and policies, but not change anybody else's password. user/instance@realm cim service/instance@realm A standard fully qualified name and a standard fully qualified

target. The ooppeerraattiioonn-mmaasskk only applies to this principal oper-

ating on this target and specifies that [s]he may change the

target's password, request information about the target and mod-

ify it. user/*@realm ac

A wildcarded name. The ooppeerraattiioonn-mmaasskk applies to all principals

in realm "realm" whose first component is "user" and specifies that [s]he may add principals and change anybody's password. user/*@realm i */instance@realm

A wildcarded name and target. The ooppeerraattiioonn-mmaasskk applies to all

principals in realm "realm" whose first component is "user" and specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm". FILES principal.db default name for Kerberos principal database .kadm5 KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information. .kadm5.lock lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., kkaaddmmiinn will exit with an error if this file does not exist. NNoottee:: The above three files are specific to db2 database. kadm5.acl file containing list of principals and their kkaaddmmiinn administrative privileges. See above for a description. kadm5.keytab keytab file for kadmin/admin principal. kadm5.dict file containing dictionary of strings explicitly disallowed as passwords.