Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022

kadmind (8)


kadmind - KADM5 administration server


kadmind  [-x  db_args]  [-r  realm]  [-m]  [-nofork] [-proponly] [-port
port-number] [-P pid_file]  [-p  kdb5_util_path]  [-K  kprop_path]  [-k
kprop_port] [-F dump_file]


KADMIND(8)                       MIT Kerberos                       KADMIND(8)

       kadmind - KADM5 administration server

       kadmind  [-x  db_args]  [-r  realm]  [-m]  [-nofork] [-proponly] [-port
       port-number] [-P pid_file]  [-p  kdb5_util_path]  [-K  kprop_path]  [-k
       kprop_port] [-F dump_file]

       kadmind  starts  the Kerberos administration server.  kadmind typically
       runs on the master Kerberos server, which stores the KDC database.   If
       the  KDC  database  uses the LDAP module, the administration server and
       the KDC server need not run  on  the  same  machine.   kadmind  accepts
       remote  requests  from  programs  such  as  kadmin(1) and kpasswd(1) to
       administer the information in these database.

       kadmind requires a number of configuration files to be set up in  order
       for it to work:

              The  KDC  configuration  file contains configuration information
              for the KDC and admin servers.  kadmind uses  settings  in  this
              file  to  locate  the Kerberos database, and is also affected by
              the acl_file, dict_file, kadmind_port,  and  iprop-related  set-

              kadmind's  ACL  (access  control list) tells it which principals
              are allowed to perform administration actions.  The pathname  to
              the  ACL  file  can  be  specified with the acl_file kdc.conf(5)
              variable; by default, it is /var/krb5/kadm5.acl.

       After the server begins running, it puts itself in the  background  and
       disassociates itself from its controlling terminal.

       kadmind can be configured for incremental database propagation.  Incre-
       mental propagation allows replica KDC servers to receive principal  and
       policy  updates  incrementally  instead  of receiving full dumps of the
       database.  This facility can be enabled in the  kdc.conf(5)  file  with
       the  iprop_enable option.  Incremental propagation requires the princi-
       pal kiprop/MASTER\@REALM (where MASTER is the  master  KDC's  canonical
       host  name, and REALM the realm name).  In release 1.13, this principal
       is automatically created and registered into the datebase.

       -r realm
              specifies the realm that kadmind will serve; if it is not speci-
              fied, the default realm of the host is used.

       -m     causes  the master database password to be fetched from the key-
              board (before the server puts itself in the background,  if  not
              invoked  with  the  -nofork  option)  rather than from a file on

              causes the server to remain in the foreground and remain associ-
              ated to the terminal.

              causes the server to only listen and respond to Kerberos replica
              incremental propagation polling requests.  This  option  can  be
              used  to  set  up  a  hierarchical  propagation topology where a
              replica KDC  provides  incremental  updates  to  other  Kerberos

       -port port-number
              specifies  the  port  on which the administration server listens
              for connections.  The default port is  determined  by  the  kad-
              mind_port configuration variable in kdc.conf(5).

       -P pid_file
              specifies the file to which the PID of kadmind process should be
              written after it starts up.  This file can be used  to  identify
              whether  kadmind  is  still running and to allow init scripts to
              stop the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when  dumping
              the  KDB  in  response  to  full  resync  requests when iprop is

       -K kprop_path
              specifies the path to the kprop command  to  use  to  send  full
              dumps to replicas in response to full resync requests.

       -k kprop_port
              specifies the port by which the kprop process that is spawned by
              kadmind connects to the replica kpropd, in order to transfer the
              dump file during an iprop full resync request.

       -F dump_file
              specifies  the  file  path  to  be  used  for dumping the KDB in
              response to full resync requests when iprop is enabled.

       -x db_args
              specifies database-specific arguments.  See Database Options  in
              kadmin(1) for supported arguments.

       See kerberos(7) for a description of Kerberos environment variables.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5/kdc |
       |Stability      | Pass-through committed  |

       kpasswd(1),  kadmin(1),  kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5),


       1985-2021, MIT

       The kadmind service is managed  by  the  service  management  facility,
       smf(7), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting restart, can be performed  using  svcadm(8).  The  service's
       status can be queried using the svcs(1) command.

       Source  code  for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source      was      downloaded      from       http://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at http://web.mit.edu/kerberos/.

1.18.4                                                              KADMIND(8)