kadmind - KADM5 administration server
kadmind [-x db_args] [-r realm] [-m] [-nofork] [-proponly] [-port port-number] [-P pid_file] [-p kdb5_util_path] [-K kprop_path] [-k kprop_port] [-F dump_file]
KADMIND(8) MIT Kerberos KADMIND(8)
NAME
kadmind - KADM5 administration server
SYNOPSIS
kadmind [-x db_args] [-r realm] [-m] [-nofork] [-proponly] [-port
port-number] [-P pid_file] [-p kdb5_util_path] [-K kprop_path] [-k
kprop_port] [-F dump_file]
DESCRIPTION
kadmind starts the Kerberos administration server. kadmind typically
runs on the master Kerberos server, which stores the KDC database. If
the KDC database uses the LDAP module, the administration server and
the KDC server need not run on the same machine. kadmind accepts
remote requests from programs such as kadmin(1) and kpasswd(1) to
administer the information in these database.
kadmind requires a number of configuration files to be set up in order
for it to work:
kdc.conf(5)
The KDC configuration file contains configuration information
for the KDC and admin servers. kadmind uses settings in this
file to locate the Kerberos database, and is also affected by
the acl_file, dict_file, kadmind_port, and iprop-related set-
tings.
kadm5.acl(5)
kadmind's ACL (access control list) tells it which principals
are allowed to perform administration actions. The pathname to
the ACL file can be specified with the acl_file kdc.conf(5)
variable; by default, it is /var/krb5/kadm5.acl.
After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.
kadmind can be configured for incremental database propagation. Incre-
mental propagation allows replica KDC servers to receive principal and
policy updates incrementally instead of receiving full dumps of the
database. This facility can be enabled in the kdc.conf(5) file with
the iprop_enable option. Incremental propagation requires the princi-
pal kiprop/MASTER\@REALM (where MASTER is the master KDC's canonical
host name, and REALM the realm name). In release 1.13, this principal
is automatically created and registered into the datebase.
OPTIONS
-r realm
specifies the realm that kadmind will serve; if it is not speci-
fied, the default realm of the host is used.
-m causes the master database password to be fetched from the key-
board (before the server puts itself in the background, if not
invoked with the -nofork option) rather than from a file on
disk.
-nofork
causes the server to remain in the foreground and remain associ-
ated to the terminal.
-proponly
causes the server to only listen and respond to Kerberos replica
incremental propagation polling requests. This option can be
used to set up a hierarchical propagation topology where a
replica KDC provides incremental updates to other Kerberos
replicas.
-port port-number
specifies the port on which the administration server listens
for connections. The default port is determined by the kad-
mind_port configuration variable in kdc.conf(5).
-P pid_file
specifies the file to which the PID of kadmind process should be
written after it starts up. This file can be used to identify
whether kadmind is still running and to allow init scripts to
stop the correct process.
-p kdb5_util_path
specifies the path to the kdb5_util command to use when dumping
the KDB in response to full resync requests when iprop is
enabled.
-K kprop_path
specifies the path to the kprop command to use to send full
dumps to replicas in response to full resync requests.
-k kprop_port
specifies the port by which the kprop process that is spawned by
kadmind connects to the replica kpropd, in order to transfer the
dump file during an iprop full resync request.
-F dump_file
specifies the file path to be used for dumping the KDB in
response to full resync requests when iprop is enabled.
-x db_args
specifies database-specific arguments. See Database Options in
kadmin(1) for supported arguments.
ENVIRONMENT
See kerberos(7) for a description of Kerberos environment variables.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+-------------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-------------------------+
|Availability | security/kerberos-5/kdc |
+---------------+-------------------------+
|Stability | Pass-through committed |
+---------------+-------------------------+
SEE ALSO
kpasswd(1), kadmin(1), kdb5_util(8), kdb5_ldap_util(8), kadm5.acl(5),
kerberos(7)
AUTHOR
MIT
COPYRIGHT
1985-2021, MIT
NOTES
The kadmind service is managed by the service management facility,
smf(7), under the service identifier:
svc:/network/security/kadmin:default
Administrative actions on this service, such as enabling, disabling, or
requesting restart, can be performed using svcadm(8). The service's
status can be queried using the svcs(1) command.
Source code for open source software components in Oracle Solaris can
be found at https://www.oracle.com/downloads/opensource/solaris-source-
code-downloads.html.
This software was built from source available at
https://github.com/oracle/solaris-userland. The original community
source was downloaded from http://web.mit.edu/ker-
beros/dist/krb5/1.18/krb5-1.18.4.tar.gz.
Further information about this software can be found on the open source
community website at http://web.mit.edu/kerberos/.
1.18.4 KADMIND(8)