kadmind(1M)             System Administration Commands             kadmind(1M)


NAME

       kadmind - Kerberos administration daemon


SYNOPSIS

       /usr/lib/krb5/kadmind [-d] [-m] [-p port-number] [-r realm]
            [-x db_args]...


DESCRIPTION

       kadmind  runs on the master key distribution center (KDC), which stores
       the principal and policy databases. kadmind accepts remote requests  to
       administer  the  information  in  these  databases. Remote requests are
       sent, for example, by kpasswd(1), gkadmin(1M), and kadmin(1M) commands,
       all of which are clients of kadmind. When you install a KDC, kadmind is
       set up in the init scripts to  start  automatically  when  the  KDC  is
       rebooted.


       kadmind requires a number of configuration files to be set up for it to
       work:

       /etc/krb5/kdc.conf

           The KDC configuration file contains configuration  information  for
           the KDC and the Kerberos administration system. kadmind understands
           a number of configuration  variables  (called  relations)  in  this
           file,  some  of which are mandatory and some of which are optional.
           In particular, kadmind uses the acl_file, dict_file,  admin_keytab,
           and  kadmind_port  relations  in the [realms] section. Refer to the
           kdc.conf(4) man page for information regarding the  format  of  the
           KDC configuration file.


       /etc/krb5/kadm5.keytab

           kadmind requires a keytab (key table) containing correct entries for
           the kadmin/fqdn, changepw/fqdn, and kadmin/changepw principals  for
           every realm for which kadmind answers requests. The keytab  can  be
           created with the kadmin.local(1M)  or  kdb5_util(1M)  command.  The
           location  of  the keytab is determined by the admin_keytab relation
           in the kdc.conf(4) file.


       /etc/krb5/kadm5.acl

           kadmind uses an ACL (access control list) to determine which  prin‐
           cipals  are allowed to perform Kerberos administration actions. The
           path of the ACL file is determined by the acl_file relation in  the
           kdc.conf  file. See kdc.conf(4). For information regarding the for‐
           mat of the ACL file, refer to kadm5.acl(4).

           The kadmind  daemon  will  need  to  be  restarted  to  reread  the
           kadm5.acl  file  after  it  has  been modified. You can do this, as
           root, with the following command:

             # svcadm restart svc:/network/security/kadmin:default


       After kadmind begins running, it puts itself in the background and dis‐
       associates itself from its controlling terminal.


       kadmind  can be configured for incremental database propagation. Incre‐
       mental propagation allows slave KDC servers to  receive  principal  and
       policy  updates  incrementally  instead  of receiving full dumps of the
       database. These settings can be changed in the kdc.conf(4) file:

       sunw_dbprop_enable = [true | false]

           Enable or disable  incremental  database  propagation.  Default  is
           false.


       sunw_dbprop_master_ulogsize = N

           Specifies the maximum number of log entries available for incremen‐
           tal propagation to the slave KDC servers. The  maximum  value  that
           this can be is 2500 entries. Default value is 1000 entries.


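       A configuration check covering the kdc.conf relations kadmind reads
       (acl_file, dict_file, admin_keytab, kadmind_port) together with the
       two propagation settings listed above, written here as an added
       example; it is not code from this man page or from Solaris. It parses
       the stanza layout documented in kdc.conf(4), and flags a realm that is
       missing a relation or whose sunw_dbprop_master_ulogsize exceeds the
       stated 2500-entry maximum. The realm names and paths in the sample
       file are constructed.

```python
"""Audit the kadmind relations in a kdc.conf [realms] section.

Added example; this is not code from the kadmind man page or from Solaris.
It reads the stanza layout documented in kdc.conf(4) and checks the relations
this page names: acl_file, dict_file, admin_keytab, kadmind_port,
sunw_dbprop_enable and sunw_dbprop_master_ulogsize.
"""
import re

# Constructed sample kdc.conf: EXAMPLE.COM is complete, TEST.EXAMPLE.COM is
# missing relations and exceeds the documented ulog maximum.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        dict_file = /var/krb5/kadm5.dict
        sunw_dbprop_enable = true
        sunw_dbprop_master_ulogsize = 1000
    }
    TEST.EXAMPLE.COM = {
        admin_keytab = /etc/krb5/kadm5.keytab
        sunw_dbprop_enable = true
        sunw_dbprop_master_ulogsize = 5000
    }
"""

# Relations the page says kadmind reads from [realms].
REQUIRED = ("acl_file", "dict_file", "admin_keytab", "kadmind_port")
ULOG_MAX = 2500      # documented maximum for sunw_dbprop_master_ulogsize
ULOG_DEFAULT = 1000  # documented default

def parse_realms(text):
    """Return {realm: {relation: value}} for every stanza in [realms]."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        opener = re.match(r"^(\S+)\s*=\s*\{$", line)
        if opener:
            current = opener.group(1)
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            realms[current][key.strip()] = value.strip()
    return realms

def audit_realm(relations):
    """Return the findings for one realm's relations (empty list if clean)."""
    findings = ["missing relation: %s" % r for r in REQUIRED if r not in relations]
    if relations.get("sunw_dbprop_enable", "false").lower() == "true":
        raw = relations.get("sunw_dbprop_master_ulogsize", str(ULOG_DEFAULT))
        if not raw.isdigit():
            findings.append("sunw_dbprop_master_ulogsize is not a number: %r" % raw)
        elif int(raw) > ULOG_MAX:
            findings.append("sunw_dbprop_master_ulogsize=%s exceeds maximum %d"
                            % (raw, ULOG_MAX))
    return findings

def audit_kdc_conf(text):
    """Map each realm in [realms] to its list of findings."""
    return {realm: audit_realm(rels) for realm, rels in parse_realms(text).items()}

if __name__ == "__main__":
    for realm, findings in audit_kdc_conf(SAMPLE_KDC_CONF).items():
        print(realm, "OK" if not findings else "; ".join(findings))
```

       Run against the real file by reading /etc/krb5/kdc.conf into the text
       argument; the default of false for sunw_dbprop_enable means a realm
       without that relation is not checked for its ulog size.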
       The  kiprop/<hostname>@<REALM>  principal  must  exist  in the master's
       kadm5.keytab file to enable the slave to authenticate incremental prop‐
       agation  from  the master. In the principal syntax above, <hostname> is
       the master KDC's host name and <REALM> is the realm in which the master
       KDC resides.


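       A completeness check for kadm5.keytab, written as an added example
       that is not code from this man page or from Solaris: it parses the
       output of "klist -k <keytab>" and reports which of the principals this
       page requires for a realm are absent (kadmin/fqdn, changepw/fqdn,
       kadmin/changepw and, when incremental propagation is enabled, the
       kiprop/<hostname>@<REALM> principal described above). The klist
       output layout assumed is the MIT-style one (header, "KVNO Principal"
       line, dashed rule, one entry per line); the host name, realm and
       entries in the sample are constructed.

```python
"""Check that kadm5.keytab holds the principals kadmind needs for a realm.

Added example; this is not code from the kadmind man page or from Solaris.
It parses "klist -k <keytab>" output (a "Keytab name:" header, a
"KVNO Principal" line, a dashed rule, then "<kvno> <principal>" per entry;
this layout is an assumption) and reports which required principals are
absent: kadmin/<fqdn>, changepw/<fqdn>, kadmin/changepw and, when
incremental propagation is enabled, kiprop/<fqdn>.
"""

# Constructed klist -k output; the host and realm are made up, and
# changepw/<fqdn> is deliberately missing so the check finds something.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/kdc1.example.com@EXAMPLE.COM
   3 kadmin/changepw@EXAMPLE.COM
   1 kiprop/kdc1.example.com@EXAMPLE.COM
   2 kiprop/kdc1.example.com@EXAMPLE.COM
"""

def parse_klist(output):
    """Return {principal: highest kvno seen} from klist -k output."""
    entries = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[0].isdigit():
            continue  # header, column titles or dashed rule
        kvno, princ = int(fields[0]), fields[1]
        entries[princ] = max(kvno, entries.get(princ, 0))
    return entries

def required_principals(fqdn, realm, incremental=False):
    """Principals this page says kadmind needs in kadm5.keytab for a realm."""
    needed = ["kadmin/%s@%s" % (fqdn, realm),
              "changepw/%s@%s" % (fqdn, realm),
              "kadmin/changepw@%s" % realm]
    if incremental:
        needed.append("kiprop/%s@%s" % (fqdn, realm))
    return needed

def missing_principals(output, fqdn, realm, incremental=False):
    """Required principals that do not appear in the klist output."""
    present = parse_klist(output)
    return [p for p in required_principals(fqdn, realm, incremental)
            if p not in present]

if __name__ == "__main__":
    gaps = missing_principals(SAMPLE_KLIST, "kdc1.example.com",
                              "EXAMPLE.COM", incremental=True)
    print("missing:", gaps if gaps else "none")
```

       On the KDC itself, feed the function the output of
       "klist -k /etc/krb5/kadm5.keytab" (the path named by admin_keytab)
       and the master's fully qualified host name; an empty list means every
       principal the page lists is present.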
       Kerberos  client  machines  can automatically migrate Unix users to the
       default Kerberos realm specified in the local krb5.conf(4), if the user
       does  not  have  a  valid Kerberos account already. You achieve this by
       using the pam_krb5_migrate(5) service module for the service  in  ques‐
       tion.  The  Kerberos  service  principal  used  by  the  client machine
       attempting the migration needs to be validated using the u privilege in
       kadm5.acl(4).  When using the u privilege, kadmind validates user pass‐
       words using PAM, specifically using a PAM_SERVICE name of k5migrate  by
       calling pam_authenticate(3PAM) and pam_acct_mgmt(3PAM).


       A  suitable  PAM  stack  configuration example for k5migrate would look
       like:

         k5migrate        auth    required        pam_unix_auth.so.1
         k5migrate        account required        pam_unix_account.so.1



OPTIONS

       The following options are supported:

       -d

           Specifies that kadmind does not put itself in  the  background  and
           does  not  disassociate  itself from the terminal. In normal opera‐
           tion, you should use the default behavior, which is  to  allow  the
           daemon to put itself in the background.


       -m

           Specifies  that  the  master  database password should be retrieved
           from the keyboard rather than from the stash file. When  using  -m,
           the kadmind daemon receives the password prior to putting itself in
           the background. If used in combination with the -d option, you must
           explicitly place the daemon in the background.


       -p port-number

           Specifies  the port on which the kadmind daemon listens for connec‐
           tions. The default is controlled by the  kadmind_port  relation  in
           the kdc.conf(4) file.


       -r realm

           Specifies  the  default  realm that kadmind serves. If realm is not
           specified, the default realm of the host is used.  kadmind  answers
           requests  for  any  realm that exists in the local KDC database and
           for which the appropriate principals are in its keytab.


       -x db_args

           Pass database-specific arguments to  kadmind.  Supported  arguments
           are for LDAP and the Berkeley-db2 plug-in. These arguments are:

           binddn=binddn

               LDAP  simple bind DN for authorization on the directory server.
               Overrides   the   ldap_kadmind_dn    parameter    setting    in
               krb5.conf(4).


           bindpwd=bindpwd

               Bind password.


           dbname=name

               For the Berkeley-db2 plug-in, specifies a name for the Kerberos
               database.


           nconns=num

               Maximum number of server connections.


           port=num

               Directory server connection port.



FILES

       /var/krb5/principal

           Kerberos principal database.


       /var/krb5/principal.ulog

           The update log file for incremental propagation.


       /var/krb5/principal.kadm5

           Kerberos administrative database containing policy information.


       /var/krb5/principal.kadm5.lock

           Kerberos administrative database lock file. This file  works  back‐
           wards  from  most  other  lock files (that is, kadmin exits with an
           error if this file does not exist).


       /var/krb5/kadm5.dict

           Dictionary of strings explicitly disallowed as passwords.


       /etc/krb5/kadm5.acl

           List of principals and their kadmin administrative privileges.


       /etc/krb5/kadm5.keytab

           Keytab for kadmin principals: kadmin/fqdn, changepw/fqdn, and  kad‐
           min/changepw.


       /etc/krb5/kdc.conf

           KDC configuration information.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       kpasswd(1),   svcs(1),   gkadmin(1M),   kadmin(1M),   kadmin.local(1M),
       kdb5_util(1M),    kdb5_ldap_util(1M),     kproplog(1M),     svcadm(1M),
       pam_acct_mgmt(3PAM), pam_authenticate(3PAM), kadm5.acl(4), kdc.conf(4),
       krb5.conf(4),      attributes(5),      kerberos(5),      krb5envvar(5),
       pam_krb5_migrate(5), smf(5)


NOTES

       The  Kerberos administration daemon (kadmind) is now compliant with the
       change-password standard mentioned in RFC 3244, which means it can  now
       handle change-password requests from non-Solaris Kerberos clients.


       The  kadmind  service  is  managed  by the service management facility,
       smf(5), under the service identifier:

         svc:/network/security/kadmin


       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can  be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.

SunOS 5.11                        29 Feb 2008                      kadmind(1M)