KADMIND(8)                       MIT Kerberos                       KADMIND(8)

NAME

       kadmind - KADM5 administration server

SYNOPSIS

       kadmind [-x db_args] [-r realm] [-m] [-nofork] [-proponly] [-port
       port-number] [-P pid_file] [-p kdb5_util_path] [-K kprop_path] [-k
       kprop_port] [-F dump_file]

DESCRIPTION

       kadmind starts the Kerberos administration server.  kadmind typically
       runs on the master Kerberos server, which stores the KDC database.  If
       the KDC database uses the LDAP module, the administration server and
       the KDC server need not run on the same machine.  kadmind accepts
       remote requests from programs such as kadmin(1) and kpasswd(1) to
       administer the information in this database.

       kadmind requires a number of configuration files to be set up in order
       for it to work:

       kdc.conf(5)
              The KDC configuration file contains configuration information
              for the KDC and admin servers.  kadmind uses settings in this
              file to locate the Kerberos database, and is also affected by
              the acl_file, dict_file, kadmind_port, and iprop-related
              settings.

       kadm5.acl(5)
              kadmind's ACL (access control list) tells it which principals
              are allowed to perform administration actions.  The pathname to
              the ACL file can be specified with the acl_file kdc.conf(5)
              variable; by default, it is /var/kerberos/krb5kdc/kadm5.acl.

       After the server begins running, it puts itself in the background and
       disassociates itself from its controlling terminal.

       kadmind can be configured for incremental database propagation.
       Incremental propagation allows replica KDC servers to receive
       principal and policy updates incrementally instead of receiving full
       dumps of the database.  This facility can be enabled in the
       kdc.conf(5) file with the iprop_enable option.  Incremental
       propagation requires the principal kiprop/MASTER@REALM (where MASTER
       is the master KDC's canonical host name, and REALM the realm name).
       In release 1.13, this principal is automatically created and
       registered into the database.

OPTIONS

       -r realm
              specifies the realm that kadmind will serve; if it is not
              specified, the default realm of the host is used.

       -m     causes the master database password to be fetched from the
              keyboard (before the server puts itself in the background, if
              not invoked with the -nofork option) rather than from a file on
              disk.

       -nofork
              causes the server to remain in the foreground and remain
              associated with the terminal.  In normal operation, you should
              allow the server to place itself in the background.

       -proponly
              causes the server to only listen and respond to Kerberos replica
              incremental propagation polling requests.  This option can be
              used to set up a hierarchical propagation topology where a
              replica KDC provides incremental updates to other Kerberos
              replicas.

       -port port-number
              specifies the port on which the administration server listens
              for connections.  The default port is determined by the
              kadmind_port configuration variable in kdc.conf(5).

       -P pid_file
              specifies the file to which the PID of the kadmind process
              should be written after it starts up.  This file can be used to
              identify whether kadmind is still running and to allow init
              scripts to stop the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when dumping
              the KDB in response to full resync requests when iprop is
              enabled.

       -K kprop_path
              specifies the path to the kprop command to use to send full
              dumps to replicas in response to full resync requests.

       -k kprop_port
              specifies the port by which the kprop process that is spawned by
              kadmind connects to the replica kpropd, in order to transfer the
              dump file during an iprop full resync request.

       -F dump_file
              specifies the file path to be used for dumping the KDB in
              response to full resync requests when iprop is enabled.

       -x db_args
              specifies database-specific arguments.  See Database Options in
              kadmin(1) for supported arguments.
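
       The -P pid_file entry above says the file lets init scripts stop the
       correct process.  As an added example (not part of the MIT Kerberos
       distribution), the function below confirms that a PID file still
       refers to a live process named kadmind before a script acts on it;
       the function name, its return codes and the /proc lookup with a ps
       fallback are assumptions of this example.

```sh
#!/bin/sh
# Added example: validate a kadmind PID file (as written by -P pid_file)
# before an init script signals the PID it contains.
# The function name and return codes are assumptions for illustration.

# kadmind_pid_check PIDFILE [EXPECTED_NAME]
# Prints the PID and returns 0 only if PIDFILE holds one numeric PID whose
# live process is named EXPECTED_NAME (default: kadmind).
# Returns 1 = file missing/unreadable, 2 = malformed content,
#         3 = no such process (stale file), 4 = PID belongs to another program.
kadmind_pid_check() {
    pidfile=$1
    expected=${2:-kadmind}

    [ -r "$pidfile" ] || return 1

    # Use only the first line; accept a final line without a newline.
    IFS= read -r pid < "$pidfile" || [ -n "$pid" ] || return 2

    # Reject empty, non-numeric and zero-prefixed values. PID 0 would make
    # kill(1) address the caller's whole process group.
    case $pid in
        ''|0*|*[!0-9]*) return 2 ;;
    esac

    # Signal 0 tests for existence without delivering a signal.
    # It fails for processes owned by other users, so run this as root.
    kill -0 "$pid" 2>/dev/null || return 3

    # Guard against PID reuse after a crash: compare the process name.
    if [ -r "/proc/$pid/comm" ]; then
        IFS= read -r name < "/proc/$pid/comm"
    else
        name=$(ps -o comm= -p "$pid" 2>/dev/null)
    fi
    name=${name##*/}
    [ "$name" = "$expected" ] || return 4

    printf '%s\n' "$pid"
}
```

       An init script would call kadmind_pid_check with the same path given
       to -P and send a signal only when it returns 0.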

ENVIRONMENT

       See kerberos(7) for a description of Kerberos environment variables.

SEE ALSO

       kpasswd(1), kadmin(1), kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5),
       kerberos(7)

AUTHOR

       MIT

       1985-2019, MIT

1.17                                                                KADMIND(8)