1KADMIND(8) MIT Kerberos KADMIND(8)
2
3
4
6 kadmind - KADM5 administration server
7
9 kadmind [-x db_args] [-r realm] [-m] [-nofork] [-proponly] [-port
10 port-number] [-P pid_file] [-p kdb5_util_path] [-K kprop_path] [-k
11 kprop_port] [-F dump_file]
12
14 kadmind starts the Kerberos administration server. kadmind typically
15 runs on the primary Kerberos server, which stores the KDC database. If
16 the KDC database uses the LDAP module, the administration server and
17 the KDC server need not run on the same machine. kadmind accepts re‐
18 mote requests from programs such as kadmin and kpasswd to administer
19 the information in these database.
20
21 kadmind requires a number of configuration files to be set up in order
22 for it to work:
23
24 kdc.conf
25 The KDC configuration file contains configuration information
26 for the KDC and admin servers. kadmind uses settings in this
27 file to locate the Kerberos database, and is also affected by
28 the acl_file, dict_file, kadmind_port, and iprop-related set‐
29 tings.
30
31 kadm5.acl
32 kadmind's ACL (access control list) tells it which principals
33 are allowed to perform administration actions. The pathname to
34 the ACL file can be specified with the acl_file kdc.conf vari‐
35 able; by default, it is /var/kerberos/krb5kdc/kadm5.acl.
36
37 After the server begins running, it puts itself in the background and
38 disassociates itself from its controlling terminal.
39
40 kadmind can be configured for incremental database propagation. Incre‐
41 mental propagation allows replica KDC servers to receive principal and
42 policy updates incrementally instead of receiving full dumps of the
43 database. This facility can be enabled in the kdc.conf file with the
44 iprop_enable option. Incremental propagation requires the principal
45 kiprop/PRIMARY\@REALM (where PRIMARY is the primary KDC's canonical
46 host name, and REALM the realm name). In release 1.13, this principal
47 is automatically created and registered into the datebase.
48
50 -r realm
51 specifies the realm that kadmind will serve; if it is not speci‐
52 fied, the default realm of the host is used.
53
54 -m causes the master database password to be fetched from the key‐
55 board (before the server puts itself in the background, if not
56 invoked with the -nofork option) rather than from a file on
57 disk.
58
59 -nofork
60 causes the server to remain in the foreground and remain associ‐
61 ated to the terminal.
62
63 -proponly
64 causes the server to only listen and respond to Kerberos replica
65 incremental propagation polling requests. This option can be
66 used to set up a hierarchical propagation topology where a
67 replica KDC provides incremental updates to other Kerberos
68 replicas.
69
70 -port port-number
71 specifies the port on which the administration server listens
72 for connections. The default port is determined by the kad‐
73 mind_port configuration variable in kdc.conf.
74
75 -P pid_file
76 specifies the file to which the PID of kadmind process should be
77 written after it starts up. This file can be used to identify
78 whether kadmind is still running and to allow init scripts to
79 stop the correct process.
80
81 -p kdb5_util_path
82 specifies the path to the kdb5_util command to use when dumping
83 the KDB in response to full resync requests when iprop is en‐
84 abled.
85
86 -K kprop_path
87 specifies the path to the kprop command to use to send full
88 dumps to replicas in response to full resync requests.
89
90 -k kprop_port
91 specifies the port by which the kprop process that is spawned by
92 kadmind connects to the replica kpropd, in order to transfer the
93 dump file during an iprop full resync request.
94
95 -F dump_file
96 specifies the file path to be used for dumping the KDB in re‐
97 sponse to full resync requests when iprop is enabled.
98
99 -x db_args
100 specifies database-specific arguments. See Database Options in
101 kadmin for supported arguments.
102
104 See kerberos for a description of Kerberos environment variables.
105
107 kpasswd, kadmin, kdb5_util, kdb5_ldap_util, kadm5.acl, kerberos
108
110 MIT
111
113 1985-2022, MIT
114
115
116
117
1181.19.2 KADMIND(8)