KCM(8)                    BSD System Manager's Manual                   KCM(8)

NAME

     kcm — process-based credential cache for Kerberos tickets.

SYNOPSIS

     kcm [--cache-name=cachename] [-c file | --config-file=file] [-g group |
         --group=group] [--max-request=size] [--disallow-getting-krbtgt]
         [--detach] [-h | --help] [-k principal |
         --system-principal=principal] [-l time | --lifetime=time] [-m mode |
         --mode=mode] [-n | --no-name-constraints] [-r time |
         --renewable-life=time] [-s path | --socket-path=path]
         [--door-path=path] [-S principal | --server=principal] [-t keytab |
         --keytab=keytab] [-u user | --user=user] [-v | --version]

DESCRIPTION

     kcm is a process based credential cache.  To use it, set the KRB5CCNAME
     environment variable to ‘KCM:uid’ or add the stanza

     [libdefaults]
             default_cc_name = KCM:%{uid}

     to the /etc/krb5.conf configuration file and make sure kcm is started in
     the system startup files.
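
     The following is an added example, not part of the kcm distribution: a
     shell check that reports whether a host's default credential cache is
     of type KCM, using the KRB5CCNAME variable and the [libdefaults] stanza
     described above. The function names are hypothetical, the sample file
     is constructed, and the check assumes KRB5CCNAME takes precedence over
     default_cc_name.

```shell
#!/bin/sh
# Added example (not from the kcm distribution): report which credential
# cache a host selects, using the two mechanisms this page names.

# Print default_cc_name from the [libdefaults] section of krb5.conf file $1.
# Returns 1 when that section does not set the key.
krb5_default_cc_name() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            gsub(/[ \t]/, "")
            in_lib = ($0 == "[libdefaults]")
            next
        }
        in_lib && /^[ \t]*default_cc_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")              # drop "key ="
            sub(/[ \t]+$/, "")                    # drop trailing blanks
            print; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# Succeeds when the effective cache name is of type KCM. Assumption:
# KRB5CCNAME, when set, takes precedence over the configuration file.
krb5_uses_kcm() {
    name=${KRB5CCNAME:-$(krb5_default_cc_name "$1")}
    case "$name" in
        KCM:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample input: the stanza from this page, in a temporary file.
sample=$(mktemp)
printf '[libdefaults]\n        default_cc_name = KCM:%%{uid}\n' > "$sample"
if krb5_uses_kcm "$sample"; then
    echo "default cache is served by kcm"
else
    echo "default cache is not KCM"
fi
rm -f "$sample"
```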

     The kcm daemon can hold the credentials for all users in the system.
     Access control is done with Unix-like permissions.  The daemon checks the
     access on all operations based on the uid and gid of the user.  The
     tickets are renewed as long as is permitted by the KDC's policy.

     The kcm daemon can also keep a SYSTEM credential that server processes
     can use to access services.  One example of usage might be an nss_ldap
     module that quickly needs to get credentials and doesn't want to renew
     the ticket itself.

     Supported options:

     --cache-name=cachename
             system cache name

     -c file, --config-file=file
             location of config file

     -g group, --group=group
             system cache group

     --max-request=size
             max size for a kcm-request

     --disallow-getting-krbtgt
             disallow extracting any krbtgt from the kcm daemon.

     --detach
             detach from console

     -h, --help

     -k principal, --system-principal=principal
             system principal name

     -l time, --lifetime=time
             lifetime of system tickets

     -m mode, --mode=mode
             octal mode of system cache

     -n, --no-name-constraints
             disable credentials cache name constraints

     -r time, --renewable-life=time
             renewable lifetime of system tickets

     -s path, --socket-path=path
             path to kcm domain socket

     --door-path=path
             path to kcm door socket

     -S principal, --server=principal
             server to get system ticket for

     -t keytab, --keytab=keytab
             system keytab name

     -u user, --user=user
             system cache owner

     -v, --version

BSD                              May 29, 2005                              BSD