.. _krb5kdc(8):

krb5kdc
=======

SYNOPSIS
--------

**krb5kdc**
[**-x** *db_args*]
[**-d** *dbname*]
[**-k** *keytype*]
[**-M** *mkeyname*]
[**-p** *portnum*]
[**-m**]
[**-r** *realm*]
[**-n**]
[**-w** *numworkers*]
[**-P** *pid_file*]
[**-T** *time_offset*]


DESCRIPTION
-----------

krb5kdc is the Kerberos version 5 Authentication Service and Key
Distribution Center (AS/KDC).


OPTIONS
-------

The **-r** *realm* option specifies the realm for which the server
should provide service.  This option may be specified multiple times
to serve multiple realms.  If no **-r** option is given, the default
realm (as specified in :ref:`krb5.conf(5)`) will be served.

The **-d** *dbname* option specifies the name under which the
principal database can be found.  This option does not apply to the
LDAP database.

The **-k** *keytype* option specifies the key type of the master key
to be entered manually as a password when **-m** is given; the default
is |defmkey|.

The **-M** *mkeyname* option specifies the principal name for the
master key in the database (usually ``K/M`` in the KDC's realm).

The **-m** option specifies that the master database password should
be fetched from the keyboard rather than from a stash file.

The **-n** option specifies that the KDC does not put itself in the
background and does not disassociate itself from the terminal.

The **-P** *pid_file* option tells the KDC to write its PID into
*pid_file* after it starts up.  This can be used to identify whether
the KDC is still running and to allow init scripts to stop the correct
process.

The **-p** *portnum* option specifies the default UDP and TCP port
numbers which the KDC should listen on for Kerberos version 5
requests, as a comma-separated list.  This value overrides the port
numbers specified in the :ref:`kdcdefaults` section of
:ref:`kdc.conf(5)`, but may be overridden by realm-specific values.
If no value is given from any source, the default port is 88.

The **-w** *numworkers* option tells the KDC to fork *numworkers*
processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if
the **-P** option is also given) acts as a supervisor.  The supervisor
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocesses if it is itself terminated or if any
other worker process exits.

The **-x** *db_args* option specifies database-specific arguments.
See :ref:`Database Options <dboptions>` in :ref:`kadmin(1)` for
supported arguments.

The **-T** *offset* option specifies a time offset, in seconds, which
the KDC will operate under.  It is intended only for testing purposes.


EXAMPLE
-------

The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line.  Per-realm options that can
be specified on the command line pertain to each realm that follows
them and are superseded by subsequent definitions of the same option.

For example::

    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3.  Additionally, per-realm parameters may be
specified in the :ref:`kdc.conf(5)` file.  The location of this file
may be specified by the **KRB5_KDC_PROFILE** environment variable.
Per-realm parameters specified in this file take precedence over
options specified on the command line.  See the :ref:`kdc.conf(5)`
description for further details.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`,
:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)`
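
The option scoping described under EXAMPLE can be checked before a KDC is started. The following is an added example, not part of the original page or of the krb5 distribution: it models the precedence rules as this page states them for **-p** and **-r** only, and ``effective_ports``, ``conf_realm_ports`` and ``DEFAULT.REALM`` are hypothetical names.

```python
# Added example: models the option rules stated on this page.
# It is not krb5kdc's own argument parser.
DEFAULT_PORT = 88   # used when no source gives a port
MAX_REALMS = 32     # limit stated in the EXAMPLE section
# Options from the SYNOPSIS that take one argument, and those that take none.
WITH_ARG = {"-x", "-d", "-k", "-M", "-p", "-r", "-w", "-P", "-T"}
FLAGS = {"-m", "-n"}


def effective_ports(argv, conf_realm_ports=None, default_realm="DEFAULT.REALM"):
    """Map each served realm to its port list for a krb5kdc argument list.

    argv excludes the program name. conf_realm_ports is a hypothetical,
    already-parsed {realm: [ports]} view of realm-specific kdc.conf values;
    default_realm is a placeholder for the krb5.conf default realm.
    """
    conf_realm_ports = conf_realm_ports or {}
    current = None   # most recent -p; applies to each -r that follows it
    realms = {}
    args = iter(argv)
    for opt in args:
        if opt in FLAGS:
            continue
        if opt not in WITH_ARG:
            raise ValueError(f"unknown option: {opt}")
        value = next(args, None)
        if value is None:
            raise ValueError(f"{opt} requires an argument")
        if opt == "-p":
            current = [int(p) for p in value.split(",")]
            if any(not 0 < p < 65536 for p in current):
                raise ValueError(f"port out of range in {value!r}")
        elif opt == "-r":
            realms[value] = current
    if not realms:   # no -r given: the default realm is served
        realms[default_realm] = current
    if len(realms) > MAX_REALMS:
        raise ValueError(f"{len(realms)} realms exceeds the maximum of {MAX_REALMS}")
    # Realm-specific kdc.conf values win, then the command line, then port 88.
    return {r: conf_realm_ports.get(r) or p or [DEFAULT_PORT]
            for r, p in realms.items()}


if __name__ == "__main__":
    cmd = "-p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3"  # from the EXAMPLE section
    for realm, ports in effective_ports(cmd.split()).items():
        print(realm, ports)
```

Comparing the result with the ports the host firewall allows shows whether a realm would listen somewhere unexpected.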