Manual Pages for UNIX Darwin command on man kdcsetup

kdcsetup(1) BSD General Commands Manual kdcsetup(1)

NAME

kdcsetup - Kerberos - Open Directory Single Sign On

SYNOPSIS

kdcsetup [-e] [-d] [-f dirnode] [-c dirnode] [-x] [-w] -a adminname [-p password] REALM

DESCRIPTION

kdcsetup is a tool for configuring an Apple Open Directory KDC; it can also set up a stock MIT KDC. It creates the needed setup files and adds the krb5kdc and kadmind servers to the launchd configuration. If the -f option is used, kdcsetup writes the KerberosKDC and KerberosClient config records into the given open directory node. If the -c option is used, kdcsetup will create a clone (or slave KDC). If neither option is specified, kdcsetup will set up a stock MIT KDC, prompting for the Master Password.

-e
        Enables kdcmond and kadmind in the launchd config (other options except for -v are ignored).

-d
        Disables kdcmond and kadmind in the launchd config (other options except for -v are ignored).

-f dirnode
        Create a "master" KDC, write the KerberosKDC and KerberosClient records into the given open directory node.

-c dirnode
        Create a "replica" KDC, read the KerberosKDC record from the given open directory node and set this KDC up in the same way. This does not copy over the Kerberos database or the kadmin.keytab file. It does update the KerberosClient record, adding an entry into the kdc list.

-x
        Promotes a replica KDC to a master. This updates the KerberosClient record in the current open directory node.

-w
        Add kdcmond and kadmind to the launchd config.

-a adminname
        Name of an administrator authorized to make changes in the open directory node. Also this admin will be used as the administrator in the KDC database. Note: this is not a principal name.

-p password
        The password for the above admin.

REALM
        The realm that this KDC serves.

EXAMPLES

To use kerberosautoconfig and kdcsetup to set up a stock MIT KDC

kerberosautoconfig -r REALM.ORG -m myserver.org

kdcsetup -w -a administrator -p adminpass REALM.ORG

To use kerberosautoconfig and kdcsetup to set up an Apple KDC as a master with a local open directory master

kerberosautoconfig -r REALM.ORG -m myserver.org

kdcsetup -f /LDAPv3/127.0.0.1 -w -a administrator -p adminpass REALM.ORG

To use kerberosautoconfig and kdcsetup to set up an Apple KDC as a replica

kerberosautoconfig -r REALM.ORG -m myserver.org

kdcsetup -c /LDAPv3/127.0.0.1 -w -a administrator -p adminpass REALM.ORG

FILES

/var/db/krb5kdc/
        directory where all the config & database files for the KDC are stored

/var/log/krb5kdc/
        directory where the log files from the KDC are written

/System/Library/LaunchDaemons/com.apple.kdcmond
/System/Library/LaunchDaemons/edu.mit.kadmind
        the -w option adds kdcmond and kadmind to the launchd config

DIAGNOSTICS

You can add -v debuglevel to any kdcsetup command. Debug level 1 provides status information; higher levels add progressively more levels of detail.

NOTES

The kdcsetup tool is used by the Apple Single Sign On system to set up a KDC integrated with the rest of the Single Sign On components.

SEE ALSO

DirectoryService(1), kerberos(1), launchctl(1), kadmind(8), kerberosautoconfig(8), kdcmond(8), krbservicesetup(8), krb5kdc(8), launchd(8), ssoutil(8)

Darwin                          December 21, 2019                          Darwin



