Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019

kadmind (8)


kadmind - KADM5 administration server


kadmind  [-x  db_args]  [-r  realm]  [-m]  [-nofork] [-proponly] [-port
port-number] [-P pid_file]  [-p  kdb5_util_path]  [-K  kprop_path]  [-k
kprop_port] [-F dump_file]


KADMIND(8)                       MIT Kerberos                       KADMIND(8)

       kadmind - KADM5 administration server

       kadmind  [-x  db_args]  [-r  realm]  [-m]  [-nofork] [-proponly] [-port
       port-number] [-P pid_file]  [-p  kdb5_util_path]  [-K  kprop_path]  [-k
       kprop_port] [-F dump_file]

       kadmind  starts  the Kerberos administration server.  kadmind typically
       runs on the master Kerberos server, which stores the KDC database.   If
       the  KDC  database  uses the LDAP module, the administration server and
       the KDC server need not run  on  the  same  machine.   kadmind  accepts
       remote  requests  from  programs  such  as  kadmin(1) and kpasswd(1) to
       administer the information in these database.

       kadmind requires a number of configuration files to be set up in  order
       for it to work:

              The  KDC  configuration  file contains configuration information
              for the KDC and admin servers.  kadmind uses  settings  in  this
              file  to  locate  the Kerberos database, and is also affected by
              the acl_file, dict_file, kadmind_port,  and  iprop-related  set-

              kadmind's  ACL  (access  control list) tells it which principals
              are allowed to perform administration actions.  The pathname  to
              the  ACL  file  can  be  specified with the acl_file kdc.conf(5)
              variable; by default, it is /var/krb5/kadm5.acl.

       After the server begins running, it puts itself in the  background  and
       disassociates itself from its controlling terminal.

       kadmind can be configured for incremental database propagation.  Incre-
       mental propagation allows slave KDC servers to  receive  principal  and
       policy  updates  incrementally  instead  of receiving full dumps of the
       database.  This facility can be enabled in the  kdc.conf(5)  file  with
       the  iprop_enable option.  Incremental propagation requires the princi-
       pal kiprop/MASTER\@REALM (where MASTER is the  master  KDC's  canonical
       host  name, and REALM the realm name).  In release 1.13, this principal
       is automatically created and registered into the datebase.

       -r realm
              specifies the realm that kadmind will serve; if it is not speci-
              fied, the default realm of the host is used.

       -m     causes  the master database password to be fetched from the key-
              board (before the server puts itself in the background,  if  not
              invoked  with  the  -nofork  option)  rather than from a file on

              causes the server to remain in the foreground and remain associ-
              ated to the terminal.  In normal operation, you should allow the
              server to place itself in the background.

              causes the server to only listen and respond to  Kerberos  slave
              incremental  propagation  polling  requests.  This option can be
              used to set up a hierarchical propagation topology where a slave
              KDC provides incremental updates to other Kerberos slaves.

       -port port-number
              specifies  the  port  on which the administration server listens
              for connections.  The default port is  determined  by  the  kad-
              mind_port configuration variable in kdc.conf(5).

       -P pid_file
              specifies the file to which the PID of kadmind process should be
              written after it starts up.  This file can be used  to  identify
              whether  kadmind  is  still running and to allow init scripts to
              stop the correct process.

       -p kdb5_util_path
              specifies the path to the kdb5_util command to use when  dumping
              the  KDB  in  response  to  full  resync  requests when iprop is

       -K kprop_path
              specifies the path to the kprop command  to  use  to  send  full
              dumps to slaves in response to full resync requests.

       -k kprop_port
              specifies the port by which the kprop process that is spawned by
              kadmind connects to the slave kpropd, in order to  transfer  the
              dump file during an iprop full resync request.

       -F dump_file
              specifies  the  file  path  to  be  used  for dumping the KDB in
              response to full resync requests when iprop is enabled.

       -x db_args
              specifies database-specific arguments.  See Database Options  in
              kadmin(1) for supported arguments.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5/kdc |
       |Stability      | Pass-through committed  |
       kpasswd(1), kadmin(1), kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5)


       1985-2018, MIT

       The  kadmind  service  is  managed  by the service management facility,
       smf(5), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can  be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source     was      downloaded      from       https://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at https://web.mit.edu/kerberos/.

1.16.1                                                              KADMIND(8)