Provided by: heimdal-kdc_1.6~git20131207+dfsg-1ubuntu1.2_amd64 bug


     kadmind — server for administrative access to Kerberos database


     kadmind [-c file | --config-file=file] [-k file | --key-file=file] [--keytab=keytab] [-r
             realm | --realm=realm] [-d | --debug] [-p port | --ports=port]


     kadmind listens for requests for changes to the Kerberos database and performs these,
     subject to permissions.  When starting, if stdin is a socket it assumes that it has been
     started by inetd(8), otherwise it behaves as a daemon, forking processes for each new
     connection. The --debug option causes kadmind to accept exactly one connection, which is
     useful for debugging.

     The kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by

     This daemon should only be run on the master server, and not on any slaves.

     Principals are always allowed to change their own password and list their own principal.
     Apart from that, doing any operation requires permission explicitly added in the ACL file
     /var/heimdal/kadmind.acl.  The format of this file is:

     principal rights [principal-pattern]

     Where rights is any (comma separated) combination of:
        change-password or cpw

     And the optional principal-pattern restricts the rights to operations on principals that
     match the glob-style pattern.

     Supported options:

     -c file, --config-file=file
             location of config file

     -k file, --key-file=file
             location of master key file

             what keytab to use

     -r realm, --realm=realm
             realm to use

     -d, --debug
             enable debugging

     -p port, --ports=port
             ports to listen to. By default, if run as a daemon, it listens to port 749, but you
             can add any number of ports with this option. The port string is a whitespace
             separated list of port specifications, with the special string “+” representing the
             default port.




     This will cause kadmind to listen to port 4711 in addition to any compiled in defaults:

           kadmind --ports="+ 4711" &

     This acl file will grant Joe all rights, and allow Mallory to view and add host principals,
     as well as extract host principal keys (e.g., into keytabs).

           joe/admin@EXAMPLE.COM      all
           mallory/admin@EXAMPLE.COM  add,get-keys  host/*@EXAMPLE.COM


     kpasswd(1), kadmin(8), kdc(8), kpasswdd(8)