summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/kadmin/kadmind.8
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/kadmin/kadmind.8')
-rw-r--r--third_party/heimdal/kadmin/kadmind.8194
1 files changed, 194 insertions, 0 deletions
diff --git a/third_party/heimdal/kadmin/kadmind.8 b/third_party/heimdal/kadmin/kadmind.8
new file mode 100644
index 0000000..9ff1f52
--- /dev/null
+++ b/third_party/heimdal/kadmin/kadmind.8
@@ -0,0 +1,194 @@
+.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd December 8, 2004
+.Dt KADMIND 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kadmind
+.Nd "server for administrative access to Kerberos database"
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Oo Fl c Ar file \*(Ba Xo
+.Fl Fl config-file= Ns Ar file
+.Xc
+.Oc
+.Oo Fl k Ar file \*(Ba Xo
+.Fl Fl key-file= Ns Ar file
+.Xc
+.Oc
+.Op Fl Fl keytab= Ns Ar keytab
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl Fl realm= Ns Ar realm
+.Xc
+.Oc
+.Op Fl d | Fl Fl debug
+.Oo Fl p Ar port \*(Ba Xo
+.Fl Fl ports= Ns Ar port
+.Xc
+.Oc
+.Ek
+.Sh DESCRIPTION
+.Nm
+listens for requests for changes to the Kerberos database and performs
+these, subject to permissions. When starting, if stdin is a socket it
+assumes that it has been started by
+.Xr inetd 8 ,
+otherwise it behaves as a daemon, forking processes for each new
+connection. The
+.Fl Fl debug
+option causes
+.Nm
+to accept exactly one connection, which is useful for debugging.
+.Pp
+The
+.Xr kpasswdd 8
+daemon is responsible for the Kerberos 5 password changing protocol
+(used by
+.Xr kpasswd 1 ) .
+.Pp
+This daemon should only be run on the master server, and not on any
+slaves.
+.Pp
+Principals are always allowed to change their own password and list
+their own principal. Apart from that, doing any operation requires
+permission explicitly added in the ACL file
+.Pa /var/heimdal/kadmind.acl .
+The format of this file is:
+.Bd -ragged
+.Va principal
+.Va rights
+.Op Va principal-pattern
+.Ed
+.Pp
+Where rights is any (comma separated) combination of:
+.Bl -bullet -compact
+.It
+change-password or cpw
+.It
+list
+.It
+delete
+.It
+modify
+.It
+add
+.It
+get
+.It
+get-keys
+.It
+all (everything except get-keys)
+.El
+.Pp
+And the optional
+.Ar principal-pattern
+restricts the rights to operations on principals that match the
+glob-style pattern.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl c Ar file , Fl Fl config-file= Ns Ar file
+location of config file
+.It Fl k Ar file , Fl Fl key-file= Ns Ar file
+location of master key file
+.It Fl Fl keytab= Ns Ar keytab
+what keytab to use
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
+realm to use
+.It Fl d , Fl Fl debug
+enable debugging
+.It Fl p Ar port , Fl Fl ports= Ns Ar port
+ports to listen to. By default, if run as a daemon, it listens to port
+749, but you can add any number of ports with this option. The port
+string is a whitespace separated list of port specifications, with the
+special string
+.Dq +
+representing the default port.
+.El
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Pa /var/heimdal/kadmind.acl
+.Sh EXAMPLES
+This will cause
+.Nm
+to listen to port 4711 in addition to any
+compiled in defaults:
+.Pp
+.D1 Nm Fl Fl ports Ns Li "=\*[q]+ 4711\*[q] &"
+.Pp
+This acl file will grant Joe all rights, and allow Mallory to view and
+add host principals, as well as extract host principal keys (e.g., into
+keytabs).
+.Bd -literal -offset indent
+joe/admin@EXAMPLE.COM all
+mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM
+.Ed
+.Sh CONFIGURATION FILE
+kadmind uses the following configuration parameters from the
+.Ar [kadmin]
+section of
+.Ar krb5.conf:
+.Bl -tag -width Ds -offset indent
+.It password_lifetime
+.El
+.Pp
+kadmind uses the following configuration parameters from the per-realm entries
+in the
+.Ar [realms]
+section of
+.Ar krb5.conf:
+.Bl -tag -width Ds -offset indent
+.It supported_enctypes
+.El
+.Pp
+kadmind uses the following configuration parameters from the
+.Ar [password_quality]
+section of
+.Ar krb5.conf:
+.Bl -tag -width Ds -offset indent
+.It enforce_on_admin_set
+.It min_length
+.It min_classes
+.It external_program
+.It check_library
+.It check_function
+.It policy_libraries
+.It policies
+.El
+.Sh SEE ALSO
+.Xr kpasswd 1 ,
+.Xr kadmin 1 ,
+.Xr kdc 8 ,
+.Xr kpasswdd 8