focal (8) kadmind.8.gz

Provided by: krb5-admin-server_1.17-6ubuntu4.7_amd64 bug

NAME

       kadmind - KADM5 administration server

SYNOPSIS

       kadmind  [-x  db_args]  [-r  realm]  [-m]  [-nofork]  [-proponly]  [-port  port-number] [-P pid_file] [-p
       kdb5_util_path] [-K kprop_path] [-k kprop_port] [-F dump_file]

DESCRIPTION

       kadmind starts the Kerberos administration server.  kadmind typically runs on the master Kerberos server,
       which  stores  the KDC database.  If the KDC database uses the LDAP module, the administration server and
       the KDC server need not run on the same machine.  kadmind accepts remote requests from programs  such  as
       kadmin(1) and kpasswd(1) to administer the information in these database.

       kadmind requires a number of configuration files to be set up in order for it to work:

       kdc.conf(5)
              The  KDC  configuration  file  contains  configuration  information for the KDC and admin servers.
              kadmind uses settings in this file to locate the Kerberos database, and is also  affected  by  the
              acl_file, dict_file, kadmind_port, and iprop-related settings.

       kadm5.acl(5)
              kadmind's   ACL   (access  control  list)  tells  it  which  principals  are  allowed  to  perform
              administration actions.  The pathname  to  the  ACL  file  can  be  specified  with  the  acl_file
              kdc.conf(5) variable; by default, it is /etc/krb5kdc/kadm5.acl.

       After  the  server  begins  running,  it  puts itself in the background and disassociates itself from its
       controlling terminal.

       kadmind can be configured for incremental database propagation.  Incremental propagation  allows  replica
       KDC  servers to receive principal and policy updates incrementally instead of receiving full dumps of the
       database.  This  facility  can  be  enabled  in  the  kdc.conf(5)  file  with  the  iprop_enable  option.
       Incremental  propagation  requires  the  principal kiprop/MASTER\@REALM (where MASTER is the master KDC's
       canonical host name, and REALM the realm name).  In release 1.13, this principal is automatically created
       and registered into the datebase.

OPTIONS

       -r realm
              specifies the realm that kadmind will serve; if it is not specified, the default realm of the host
              is used.

       -m     causes the master database password to be fetched from the keyboard (before the server puts itself
              in the background, if not invoked with the -nofork option) rather than from a file on disk.

       -nofork
              causes  the  server  to remain in the foreground and remain associated to the terminal.  In normal
              operation, you should allow the server to place itself in the background.

       -proponly
              causes the server to only listen and respond to Kerberos replica incremental  propagation  polling
              requests.   This  option can be used to set up a hierarchical propagation topology where a replica
              KDC provides incremental updates to other Kerberos replicas.

       -port port-number
              specifies the port on which the administration server listens for connections.  The  default  port
              is determined by the kadmind_port configuration variable in kdc.conf(5).

       -P pid_file
              specifies the file to which the PID of kadmind process should be written after it starts up.  This
              file can be used to identify whether kadmind is still running and to allow init  scripts  to  stop
              the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync
              requests when iprop is enabled.

       -K kprop_path
              specifies the path to the kprop command to use to send full dumps to replicas in response to  full
              resync requests.

       -k kprop_port
              specifies  the  port by which the kprop process that is spawned by kadmind connects to the replica
              kpropd, in order to transfer the dump file during an iprop full resync request.

       -F dump_file
              specifies the file path to be used for dumping the KDB in response to full  resync  requests  when
              iprop is enabled.

       -x db_args
              specifies database-specific arguments.  See Database Options in kadmin(1) for supported arguments.

ENVIRONMENT

       See kerberos(7) for a description of Kerberos environment variables.

SEE ALSO

       kpasswd(1), kadmin(1), kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5), kerberos(7)

AUTHOR

       MIT

       1985-2019, MIT