.. _kadmind(8):

kadmind
=======

SYNOPSIS
--------

**kadmind**
[**-x** *db_args*]
[**-r** *realm*]
[**-m**]
[**-nofork**]
[**-proponly**]
[**-port** *port-number*]
[**-P** *pid_file*]
[**-p** *kdb5_util_path*]
[**-K** *kprop_path*]
[**-k** *kprop_port*]
[**-F** *dump_file*]

DESCRIPTION
-----------

kadmind starts the Kerberos administration server. kadmind typically
runs on the master Kerberos server, which stores the KDC database. If
the KDC database uses the LDAP module, the administration server and
the KDC server need not run on the same machine. kadmind accepts
remote requests from programs such as :ref:`kadmin(1)` and
:ref:`kpasswd(1)` to administer the information in this database.

kadmind requires a number of configuration files to be set up in order
for it to work:

:ref:`kdc.conf(5)`
    The KDC configuration file contains configuration information for
    the KDC and admin servers. kadmind uses settings in this file to
    locate the Kerberos database, and is also affected by the
    **acl_file**, **dict_file**, **kadmind_port**, and iprop-related
    settings.

:ref:`kadm5.acl(5)`
    kadmind's ACL (access control list) tells it which principals are
    allowed to perform administration actions. The pathname to the
    ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)`
    variable; by default, it is |kdcdir|\ ``/kadm5.acl``.

After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.

kadmind can be configured for incremental database propagation.
Incremental propagation allows replica KDC servers to receive
principal and policy updates incrementally instead of receiving full
dumps of the database. This facility can be enabled in the
:ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental
propagation requires the principal ``kiprop/MASTER\@REALM`` (where
MASTER is the master KDC's canonical host name, and REALM the realm
name). In release 1.13, this principal is automatically created and
registered into the database.
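
The kdc.conf settings and the incremental propagation requirement described above can be checked against a configuration file. This Python script is an added example, not part of the original page or of the krb5 project: it reads the ``[realms]`` section of a kdc.conf and reports, for one realm, the settings this page names plus the ``kiprop`` principal that must exist when **iprop_enable** is on. The sample file, realm and host names, the function names ``parse_realms`` and ``kadmind_view``, and the accepted boolean spellings are assumptions made for the example.

```python
import re

# Settings this page says kadmind takes from kdc.conf (besides the DB location).
KADMIND_KEYS = ("acl_file", "dict_file", "kadmind_port", "iprop_enable")
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # assumed boolean spellings

# Constructed sample kdc.conf; realm names and paths are made up.
SAMPLE = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.TEST = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        kadmind_port = 749
        iprop_enable = true
    }
    LAB.TEST = {
        kadmind_port = 1749
    }
"""

def parse_realms(text):
    """Return {realm: {key: value}} for the [realms] section of a kdc.conf."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section == "realms" and line == "}":
            current = None                # end of one realm's block
        elif section == "realms" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                current = realms.setdefault(key, {})
            elif current is not None:
                current[key] = value
    return realms

def kadmind_view(text, realm, master_host):
    """Summarise the kadmind-relevant settings for one realm."""
    conf = parse_realms(text).get(realm, {})
    view = {key: conf.get(key) for key in KADMIND_KEYS}
    view["acl_file"] = view["acl_file"] or "<kdcdir>/kadm5.acl"  # documented default
    iprop = (view["iprop_enable"] or "false").lower() in TRUE_WORDS
    # Incremental propagation requires kiprop/MASTER@REALM in the database.
    principal = f"kiprop/{master_host}@{realm}" if iprop else None
    return {**view, "iprop_enable": iprop, "required_principal": principal}
```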


OPTIONS
-------

**-r** *realm*
    specifies the realm that kadmind will serve; if it is not
    specified, the default realm of the host is used.

**-m**
    causes the master database password to be fetched from the
    keyboard (before the server puts itself in the background, if not
    invoked with the **-nofork** option) rather than from a file on
    disk.

**-nofork**
    causes the server to remain in the foreground and remain
    associated with the terminal.

**-proponly**
    causes the server to only listen and respond to Kerberos replica
    incremental propagation polling requests. This option can be used
    to set up a hierarchical propagation topology where a replica KDC
    provides incremental updates to other Kerberos replicas.

**-port** *port-number*
    specifies the port on which the administration server listens for
    connections. The default port is determined by the
    **kadmind_port** configuration variable in :ref:`kdc.conf(5)`.

**-P** *pid_file*
    specifies the file to which the PID of the kadmind process should be
    written after it starts up. This file can be used to identify
    whether kadmind is still running and to allow init scripts to stop
    the correct process.

**-p** *kdb5_util_path*
    specifies the path to the kdb5_util command to use when dumping the
    KDB in response to full resync requests when iprop is enabled.

**-K** *kprop_path*
    specifies the path to the kprop command to use to send full dumps
    to replicas in response to full resync requests.

**-k** *kprop_port*
    specifies the port by which the kprop process that is spawned by
    kadmind connects to the replica kpropd, in order to transfer the
    dump file during an iprop full resync request.

**-F** *dump_file*
    specifies the file path to be used for dumping the KDB in response
    to full resync requests when iprop is enabled.

**-x** *db_args*
    specifies database-specific arguments. See :ref:`Database Options
    <dboptions>` in :ref:`kadmin(1)` for supported arguments.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)`