.\" $Source$
.\" $Author$
.\" $Id$
.\"
.\" Copyright 1995 by the Massachusetts Institute of Technology.
.\"
.\" Export of this software from the United States of America may
.\" require a specific license from the United States Government.
.\" It is the responsibility of any person or organization contemplating
.\" export to obtain such a license before exporting.
.\"
.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
.\" distribute this software and its documentation for any purpose and
.\" without fee is hereby granted, provided that the above copyright
.\" notice appear in all copies and that both that copyright notice and
.\" this permission notice appear in supporting documentation, and that
.\" the name of M.I.T. not be used in advertising or publicity pertaining
.\" to distribution of the software without specific, written prior
.\" permission. M.I.T. makes no representations about the suitability of
.\" this software for any purpose. It is provided "as is" without express
.\" or implied warranty.
.\"
.\"
.TH KADMIND5 8 "Kerberos Version 5.0" "MIT Project Athena"
.SH NAME
kadmind5 \- network daemon for Kerberos version 5 database information
.SH SYNOPSIS
.B kadmind5
[
.B \-m
] [
.B \-n
] [
.B \-a
aclfile
] [
.B \-d
dbname
] [
.B \-e
enctype
] [
.B \-k
mkeytype
] [
.B \-p
port
] [
.B \-r
realm
] [
.B \-s
keystash
] [
.B \-t
timeout
] [
.B \-D
debugmask
] [
.B \-M
mkeyname
] [
.B \-T
keytab
]
.SH DESCRIPTION
.I kadmind5
is the network database server for the Kerberos version 5
password-changing and administration tools.
.SH FLAGS
.PP
.B Database, Key and Realm flags
.IP \-r
.B realm
specifies the realm that this server is to administer. The default is
the local realm.
.IP \-d
.B dbname
specifies the location of the database.
.IP \-M
.B mkeyname
specifies the name of the master key.
.IP \-k
.B mkeytype
specifies the master key type.
.IP \-m
Indicates that the master key name is to be entered manually.
.IP \-e
.B enctype
specifies the encryption type which is to be used.
.IP \-s
.B keystash
specifies the key stash file (created by
.IR kdb5_stash (8))
used for automatic restart.
.IP \-T
.B keytab
specifies the name of the service key table.
.PP
.B ACL flag
.IP \-a
.B aclfile
specifies the location of the ACL file. This file controls remote
principals' abilities to perform administrative functions. See the
ACL FILE section below for the format of this file.
.PP
.B Connection flags
.IP \-t
Indicates that the server is to terminate a connection if it remains
inactive for
.B timeout
seconds.
.IP \-p
Indicates that the administrative server is to listen on port
.B port
instead of the default port.
.PP
.B Debugging flags
.IP \-D
Enables certain debugging features and messages selected by
.BR debugmask .
.IP \-n
Specifies that the daemon is not to operate in the background.
.PP
.SH ACL FILE
.PP
The ACL file controls which principals can or cannot perform which
administrative functions on which principals.
This file can contain comment lines, null
lines or lines which contain ACL entries. Comment lines start with
the sharp sign
.RB ( # )
and continue until the end of the line. Lines containing ACL
entries have the format of
.B principal
.I whitespace
.B operation-mask
[
.I whitespace
.B operation-target
]
Ordering is important. The first matching entry is the one which will
control access for a particular principal on a particular principal.
.PP
.IP principal
may specify a partially or fully qualified Kerberos version 5
principal name. Each component of the name may be wildcarded using
the asterisk
.RB ( * )
character.
.IP operation-target
[Optional] may specify a partially or fully qualified Kerberos version 5
principal name. Each component of the name may be wildcarded using the
asterisk
.RB ( * )
character.
.IP operation-mask
Specifies what operations may or may not be performed by a principal
matching a particular entry. This is a string of one or more of the
following list of characters or their upper-case counterparts. If the
character is upper-case, then the operation is disallowed. If the
character is lower-case, then the operation is permitted.
.TP i
.I a
[Dis]allows the addition of principals from the database.
.TP i
.I d
[Dis]allows the deletion of principals from the database.
.TP i
.I m
[Dis]allows the modification of principals in the database.
.TP i
.I c
[Dis]allows the changing of passwords for principals in the database.
.TP i
.I o
[Dis]allows the changing of the principal's own password in the
database.
.TP i
.I i
[Dis]allows inquiries to the database.
.TP i
.I e
[Dis]allows extraction of service key entries.
.TP i
.I p
Short for
.IR adm .
.TP i
.I w
Short for
.IR pw .
.TP i
.IR x " or " *
Short for
.IR admcoie .
.PP
Some examples of valid entries here are:
.TP 2i
.I user/instance@realm po
A standard fully qualified name. The
.B operation-mask
only applies to this principal and specifies that [s]he may add,
delete or modify principals and change his/her own password, but not
anybody else's.
.TP 2i
.I user/instance@realm ceim service/instance@realm
A standard fully qualified name and a standard fully qualified target. The
.B operation-mask
only applies to this principal operating on this target and specifies that
[s]he may change the target's password, extract its service key, request
information about the target and modify it.
.TP 2i
.I user/*@realm aw
A wildcarded name. The
.B operation-mask
applies to all principals in realm "realm" whose first component is
"user" and specifies that [s]he may add principals and change anybody
else's password or change his/her own.
.TP 2i
.I user/*@realm ei */instance@realm
A wildcarded name and target. The
.B operation-mask
applies to all principals in realm "realm" whose first component is
"user" and specifies that [s]he may extract service keys for or perform
inquiries on principals whose second component is "instance" and realm
is "realm".
.TP 2i
.I * o
The catchall entry. The
.B operation-mask
applies to all principals and indicates that they may change their own
passwords. This entry is the default entry.
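.PP
The matching rules described above (first matching entry wins, per-component wildcards, lower-case letters grant and upper-case letters revoke, the p and x shorthands), as an added evaluator written in Python for this page; it is not code from the MIT Kerberos distribution. Where the text is silent it assumes that a bare * entry matches every principal, that other patterns require the same number of components and the same (or wildcarded) realm, that an entry carrying an operation-target is skipped when the request names no target, and that no matching entry means deny; the w shorthand is left out because its definition on the page is circular.

```python
# Evaluator for the kadmind5 ACL format above (added example, not code from the
# MIT Kerberos distribution).  Assumed beyond the text: a bare "*" entry matches
# every principal; other patterns need the same component count and same (or "*")
# realm; an entry with an operation-target is skipped when the request names no
# target; first match decides, no match denies.  'w' ("pw") is circular, omitted.
SHORTHANDS = {"p": "adm", "x": "admcoie", "*": "admcoie"}
PRIMITIVES = set("admcoie")

def parse_principal(name):
    local, _, realm = name.partition("@")   # 'user/inst@REALM' -> comps, realm
    return local.split("/"), realm

def principal_matches(pattern, name):
    """Component-wise match; '*' wildcards one component or the realm."""
    if pattern == "*":
        return True
    pcomps, prealm = parse_principal(pattern)
    ncomps, nrealm = parse_principal(name)
    if len(pcomps) != len(ncomps) or prealm not in ("*", nrealm):
        return False
    return all(p in ("*", n) for p, n in zip(pcomps, ncomps))

def expand_mask(mask):
    """Permitted primitive ops: lower case grants, upper case revokes."""
    allowed = set()
    for ch in mask:
        ops = set(SHORTHANDS.get(ch.lower(), ch.lower()))
        if not ops <= PRIMITIVES:
            raise ValueError("unknown operation letter %r" % ch)  # fail closed
        allowed = allowed | ops if ch.islower() or ch == "*" else allowed - ops
    return allowed

def parse_acl(text):
    """[(principal-pattern, allowed-ops, target-pattern-or-None)] per line."""
    entries = []
    for fields in (l.split("#", 1)[0].split() for l in text.splitlines()):
        if fields:                      # skip comment and blank lines
            entries.append((fields[0], expand_mask(fields[1]),
                            fields[2] if len(fields) > 2 else None))
    return entries

def permitted(entries, actor, op, target=None):
    for pattern, allowed, tpattern in entries:     # first match decides
        if not principal_matches(pattern, actor):
            continue
        if tpattern and not (target and principal_matches(tpattern, target)):
            continue
        return op in allowed
    return False                                   # no entry: deny

# Constructed sample ACL modelled on the man page's example entries.
SAMPLE_ACL = "admin/instance@REALM po\noper/*@REALM ei */host@REALM\n* o\n"
```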
.SH SEE ALSO
kpasswd(1), kadmin5(8)
.SH BUGS