Provided by: heimdal-kcm_7.7.0+dfsg-4ubuntu1_amd64 bug


     kcm — process-based credential cache for Kerberos tickets.


     kcm [--cache-name=cachename] [-c file | --config-file=file] [-g group | --group=group]
         [--max-request=size] [--disallow-getting-krbtgt] [--detach] [-h | --help] [-k principal
         | --system-principal=principal] [-l time | --lifetime=time] [-m mode | --mode=mode]
         [-n | --no-name-constraints] [-r time | --renewable-life=time] [-s path |
         --socket-path=path] [--door-path=path] [-S principal | --server=principal] [-t keytab |
         --keytab=keytab] [-u user | --user=user] [-v | --version]


     kcm is a process based credential cache.  To use it, set the KRB5CCNAME environment variable
     to ‘KCM:uid’ or add the stanza

             default_cc_name = KCM:%{uid}

     to the /etc/krb5.conf configuration file and make sure kcm is started in the system startup

     The kcm daemon can hold the credentials for all users in the system.  Access control is done
     with Unix-like permissions.  The daemon checks the access on all operations based on the uid
     and gid of the user.  The tickets are renewed as long as is permitted by the KDC's policy.

     The kcm daemon can also keep a SYSTEM credential that server processes can use to access
     services.  One example of usage might be an nss_ldap module that quickly needs to get
     credentials and doesn't want to renew the ticket itself.

     Supported options:

             system cache name

     -c file, --config-file=file
             location of config file

     -g group, --group=group
             system cache group

             max size for a kcm-request

             disallow extracting any krbtgt from the kcm daemon.

             detach from console

     -h, --help

     -k principal, --system-principal=principal
             system principal name

     -l time, --lifetime=time
             lifetime of system tickets

     -m mode, --mode=mode
             octal mode of system cache

     -n, --no-name-constraints
             disable credentials cache name constraints

     -r time, --renewable-life=time
             renewable lifetime of system tickets

     -s path, --socket-path=path
             path to kcm domain socket

             path to kcm door socket

     -S principal, --server=principal
             server to get system ticket for

     -t keytab, --keytab=keytab
             system keytab name

     -u user, --user=user
             system cache owner

     -v, --version