for administrative access to Kerberos database
file | --config-file=file]
[-k file | --key-file=file]
[-r realm | --realm=realm]
[-d | --debug]
[-p port | --ports=port]
listens for requests for changes to the
Kerberos database and performs these, subject to permissions. When starting,
if stdin is a socket it assumes that it has been started by
, otherwise it behaves as a daemon,
forking processes for each new connection. The
to accept exactly one connection,
which is useful for debugging.
daemon is responsible for the
Kerberos 5 password changing protocol (used by
This daemon should only be run on the master server, and not on any slaves.
Principals are always allowed to change their own password and list their own
principal. Apart from that, doing any operation requires permission explicitly
added in the ACL file /var/heimdal/kadmind.acl
The format of this file is:
Where rights is any (comma separated) combination of:
- change-password or cpw
And the optional principal-pattern
the rights to operations on principals that match the glob-style pattern.
- location of config file
- location of master key file
- what keytab to use
- realm to use
- enable debugging
- ports to listen to. By default, if run as a daemon, it
listens to port 749, but you can add any number of ports with this option.
The port string is a whitespace separated list of port specifications,
with the special string “+” representing the default
This will cause kadmind
to listen to port 4711 in
addition to any compiled in defaults:
This acl file will grant Joe all rights, and allow Mallory to view and add host
principals, as well as extract host principal keys (e.g., into keytabs).
mallory/admin@EXAMPLE.COM add,get-keys host/*@EXAMPLE.COM