Provided by: krb5-admin-server_1.12+dfsg-2ubuntu5.4_amd64 bug

NAME
       kadmind - KADM5 administration server


SYNOPSIS
       kadmind  [-x db_args] [-r realm] [-m] [-nofork] [-port port-number] [-P pid_file] [-p kdb5_util_path] [-K
       kprop_path] [-F dump_file]


DESCRIPTION
       kadmind starts the Kerberos administration server.  kadmind typically runs on the master Kerberos server,
       which stores the KDC database.  If the KDC database uses the LDAP module, the administration  server  and
       the  KDC  server need not run on the same machine.  kadmind accepts remote requests from programs such as
       kadmin(1) and kpasswd(1) to administer the information in these database.

       kadmind requires a number of configuration files to be set up in order for it to work:

       kdc.conf(5)
              The KDC configuration file contains configuration information  for  the  KDC  and  admin  servers.
              kadmind  uses  settings  in this file to locate the Kerberos database, and is also affected by the
              acl_file, dict_file, kadmind_port, and iprop-related settings.

       kadm5.acl(5)
              kadmind's  ACL  (access  control  list)  tells  it  which  principals  are  allowed   to   perform
              administration  actions.   The  pathname  to  the  ACL  file  can  be  specified with the acl_file
              kdc.conf(5) variable; by default, it is /etc/krb5kdc/kadm5.acl.

       After the server begins running, it puts itself in the  background  and  disassociates  itself  from  its
       controlling terminal.

       kadmind can be configured for incremental database propagation.  Incremental propagation allows slave KDC
       servers  to  receive  principal  and  policy updates incrementally instead of receiving full dumps of the
       database.  This  facility  can  be  enabled  in  the  kdc.conf(5)  file  with  the  iprop_enable  option.
       Incremental  propagation  requires  the  principal kiprop/MASTER\@REALM (where MASTER is the master KDC's
       canonical host name, and REALM the realm name) to be registered in the database.


OPTIONS
       -r realm
              specifies the realm that kadmind will serve; if it is not specified, the default realm of the host
              is used.

       -m     causes the master database password to be fetched from the keyboard (before the server puts itself
              in the background, if not invoked with the -nofork option) rather than from a file on disk.

       -nofork
              causes the server to remain in the foreground and remain associated to the  terminal.   In  normal
              operation, you should allow the server to place itself in the background.

       -port port-number
              specifies  the  port on which the administration server listens for connections.  The default port
              is determined by the kadmind_port configuration variable in kdc.conf(5).

       -P pid_file
              specifies the file to which the PID of kadmind process should be written after it starts up.  This
              file can be used to identify whether kadmind is still running and to allow init  scripts  to  stop
              the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync
              requests when iprop is enabled.

       -K kprop_path
              specifies  the  path  to the kprop command to use to send full dumps to slaves in response to full
              resync requests.

       -F dump_file
              specifies the file path to be used for dumping the KDB in response to full  resync  requests  when
              iprop is enabled.

       -x db_args
              specifies database-specific arguments.

              Options supported for LDAP database are:

                 -x nconns=number_of_connections
                        specifies the number of connections to be maintained per LDAP server.

                 -x host=ldapuri
                        specifies the LDAP server to connect to by URI.

                 -x binddn=binddn
                        specifies  the  DN  of  the object used by the administration server to bind to the LDAP
                        server.  This object should have read and write privileges on the realm  container,  the
                        principal container, and the subtree that is referenced by the realm.

                 -x bindpwd=bind_password
                        specifies the password for the above mentioned binddn.  Using this option may expose the
                        password to other users on the system via the process list; to avoid this, instead stash
                        the password using the stashsrvpw command of kdb5_ldap_util(8).

                 -x debug=level
                        sets  the OpenLDAP client library debug level.  level is an integer to be interpreted by
                        the library.  Debugging messages are printed to standard error, so this option  must  be
                        used with the -nofork option to be useful.  New in release 1.12.


SEE ALSO
       kpasswd(1), kadmin(1), kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5)


AUTHOR
       MIT


COPYRIGHT
       1985-2013, MIT

1.12                                                                                                  KADMIND(8)