KADMIND(8)                       MIT Kerberos                       KADMIND(8)

NAME

       kadmind - KADM5 administration server

SYNOPSIS

       kadmind [-x db_args] [-r realm] [-m] [-nofork] [-proponly] [-port
       port-number] [-P pid_file] [-p kdb5_util_path] [-K kprop_path] [-k
       kprop_port] [-F dump_file]

DESCRIPTION

       kadmind starts the Kerberos administration server.  kadmind typically
       runs on the primary Kerberos server, which stores the KDC database.  If
       the KDC database uses the LDAP module, the administration server and
       the KDC server need not run on the same machine.  kadmind accepts
       remote requests from programs such as kadmin and kpasswd to administer
       the information in this database.

       kadmind requires a number of configuration files to be set up in order
       for it to work:

       kdc.conf
              The KDC configuration file contains configuration information
              for the KDC and admin servers.  kadmind uses settings in this
              file to locate the Kerberos database, and is also affected by
              the acl_file, dict_file, kadmind_port, and iprop-related
              settings.

       kadm5.acl
              kadmind's ACL (access control list) tells it which principals
              are allowed to perform administration actions.  The pathname to
              the ACL file can be specified with the acl_file kdc.conf
              variable; by default, it is /var/kerberos/krb5kdc/kadm5.acl.

       After the server begins running, it puts itself in the background and
       disassociates itself from its controlling terminal.

       kadmind can be configured for incremental database propagation.
       Incremental propagation allows replica KDC servers to receive principal
       and policy updates incrementally instead of receiving full dumps of the
       database.  This facility can be enabled in the kdc.conf file with the
       iprop_enable option.  Incremental propagation requires the principal
       kiprop/PRIMARY@REALM (where PRIMARY is the primary KDC's canonical
       host name, and REALM the realm name).  In release 1.13, this principal
       is automatically created and registered into the database.
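
       Because kadm5.acl decides who may change the KDC database through
       kadmind, it is worth reviewing for overly broad grants.  The script
       below is an added example, not part of the original page or of MIT
       Kerberos; it assumes the entry syntax documented in kadm5.acl
       (principal, permission letters, optional target), and the realm and
       principals in its sample are constructed placeholders.

```python
# Added example: audit a kadm5.acl for risky grants (not MIT's code).
ALL_PRIVS = set("admcilsp")      # what "x" or "*" expands to (excludes "e")
WRITE_PRIVS = set("acdms")       # add, change password, delete, modify, set key

def parse_acl(text):
    """Yield (lineno, principal, perms, target) for each ACL entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        perms = fields[1] if len(fields) > 1 else None
        target = fields[2] if len(fields) > 2 else None
        yield lineno, fields[0], perms, target

def granted(perms):
    """Apply permission letters left to right; uppercase revokes."""
    got = set()
    for ch in perms:
        letters = ALL_PRIVS if ch.lower() in "x*" else {ch.lower()}
        got = got - letters if ch.isupper() else got | letters
    return got

def audit(text):
    """Return (lineno, issue) pairs, in file order, for entries to review."""
    findings = []
    for lineno, principal, perms, target in parse_acl(text):
        if perms is None:
            findings.append((lineno, "malformed"))
            continue
        got = granted(perms)
        # A wildcard principal with write access and no target restriction.
        if "*" in principal and target is None and got & WRITE_PRIVS:
            findings.append((lineno, "wildcard-write"))
        # "e" allows extraction of principal keys and is never implied by "x".
        if "e" in got:
            findings.append((lineno, "key-extract"))
    return findings

# Constructed sample ACL; EXAMPLE.COM and all principals are placeholders.
SAMPLE_ACL = """\
# principal                          permissions
*/admin@EXAMPLE.COM                  *
alice/admin@EXAMPLE.COM              admcil
svc-backup@EXAMPLE.COM               xe
*/ops@EXAMPLE.COM                    xADMCS
kiprop/kdc2.example.com@EXAMPLE.COM  p
helpdesk@EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, issue in audit(SAMPLE_ACL):
        print(f"line {lineno}: {issue}")
```

       To audit a live system, pass the contents of the file named by
       acl_file to audit() in place of SAMPLE_ACL.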

OPTIONS

       -r realm
              specifies the realm that kadmind will serve; if it is not
              specified, the default realm of the host is used.

       -m     causes the master database password to be fetched from the
              keyboard (before the server puts itself in the background, if
              not invoked with the -nofork option) rather than from a file on
              disk.

       -nofork
              causes the server to remain in the foreground and remain
              associated with the terminal.

       -proponly
              causes the server to only listen and respond to Kerberos replica
              incremental propagation polling requests.  This option can be
              used to set up a hierarchical propagation topology where a
              replica KDC provides incremental updates to other Kerberos
              replicas.

       -port port-number
              specifies the port on which the administration server listens
              for connections.  The default port is determined by the
              kadmind_port configuration variable in kdc.conf.

       -P pid_file
              specifies the file to which the PID of the kadmind process
              should be written after it starts up.  This file can be used to
              identify whether kadmind is still running and to allow init
              scripts to stop the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when dumping
              the KDB in response to full resync requests when iprop is
              enabled.

       -K kprop_path
              specifies the path to the kprop command to use to send full
              dumps to replicas in response to full resync requests.

       -k kprop_port
              specifies the port by which the kprop process that is spawned by
              kadmind connects to the replica kpropd, in order to transfer the
              dump file during an iprop full resync request.

       -F dump_file
              specifies the file path to be used for dumping the KDB in
              response to full resync requests when iprop is enabled.

       -x db_args
              specifies database-specific arguments.  See Database Options in
              kadmin for supported arguments.

ENVIRONMENT

       See kerberos for a description of Kerberos environment variables.

SEE ALSO

       kpasswd, kadmin, kdb5_util, kdb5_ldap_util, kadm5.acl, kerberos

AUTHOR

       MIT

       1985-2022, MIT

1.19.2                                                              KADMIND(8)