System Administration Commands kadmind(1M)
NAME
kadmind - Kerberos administration daemon
SYNOPSIS
/usr/lib/krb5/kadmind [-d] [-m] [-p port-number] [-r realm]
-x db_args]...
DESCRIPTION
kadmind runs on the master key distribution center (KDC),
which stores the principal and policy databases. kadmind
accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kpasswd(1), gkadmin(1M), and kadmin(1M) commands, all ofwhich are clients of kadmind. When you install a KDC, kad-
mind is set up in the init scripts to start automatically when the KDC is rebooted.kadmind requires a number of configuration files to be set
up for it to work: /etc/krb5/kdc.confThe KDC configuration file contains configuration infor-
mation for the KDC and the Kerberos administration sys-
tem. kadmind understands a number of configuration vari-
ables (called relations) in this file, some of which are mandatory and some of which are optional. In particular,kadmind uses the acl_file, dict_file, admin_keytab, and
kadmind_port relations in the [realms] section. Refer to
the kdc.conf(4) man page for information regarding the format of the KDC configuration file. /etc/krb5/kadm5.keytabkadmind requires a keytab (key table) containing correct
entries for the kadmin/fqdn, kadmin/changepw andkadmin/changepw principals for every realm that kadmind
answers requests. The keytab can be created with thekadmin.local(1M) or kdb5_util(1M) command. The location
of the keytab is determined by the admin_keytab relation
in the kdc.conf(4) file. /etc/krb5/kadm5.aclkadmind uses an ACL (access control list) to determine
which principals are allowed to perform Kerberos administration actions. The path of the ACL file isdetermined by the acl_file relation in the kdc.conf
SunOS 5.11 Last change: 29 Feb 2008 1
System Administration Commands kadmind(1M)
file. See kdc.conf(4). For information regarding the format of the ACL file, refer to kadm5.acl(4).The kadmind daemon will need to be restarted to reread
the kadm5.acl file after it has been modified. You can do this, as root, with the following command:# svcadm restart svc:/network/security/kadmin:default
After kadmind begins running, it puts itself in the back-
ground and disassociates itself from its controlling termi-
nal.kadmind can be configured for incremental database propaga-
tion. Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. These settings can be changed in the kdc.conf(4) file:sunw_dbprop_enable = [true | false]
Enable or disable incremental database propagation. Default is false.sunw_dbprop_master_ulogsize = N
Specifies the maximum amount of log entries available for incremental propagation to the slave KDC servers. The maximum value that this can be is 2500 entries. Default value is 1000 entries. The kiprop/@ principal must exist in the master's kadm5.keytab file to enable the slave to authenti-
cate incremental propagation from the master. In the princi-
pal syntax above,is the master KDC's host name and is the realm in which the master KDC resides. Kerberos client machines can automatically migrate Unix users to the default Kerberos realm specified in the local krb5.conf(4), if the user does not have a valid kerberos account already. You achieve this by using the pam_krb5_migrate(5) service module for the service in ques-
tion. The Kerberos service principal used by the clientSunOS 5.11 Last change: 29 Feb 2008 2
System Administration Commands kadmind(1M)
machine attempting the migration needs to be validated using the u privilege in kadm5.acl(4). When using the u privilege,kadmind validates user passwords using PAM, specifically
using a PAM_SERVICE name of k5migrate by calling
pam_authenticate(3PAM) and pam_acct_mgmt(3PAM).
A suitable PAM stack configuration example for k5migrate would look like:k5migrate auth required pam_unix_auth.so.1
k5migrate account required pam_unix_account.so.1
OPTIONS The following options are supported:-d
Specifies that kadmind does not put itself in the back-
ground and does not disassociate itself from the termi-
nal. In normal operation, you should use the default behavior, which is to allow the daemon to put itself in the background.-m
Specifies that the master database password should be retrieved from the keyboard rather than from the stashfile. When using -m, the kadmind daemon receives the
password prior to putting itself in the background. Ifused in combination with the -d option, you must expli-
citly place the daemon in the background.-p port-number
Specifies the port on which the kadmind daemon listens
for connections. The default is controlled by thekadmind_port relation in the kdc.conf(4) file.
-r realm
Specifies the default realm that kadmind serves. If
realm is not specified, the default realm of the host isused. kadmind answers requests for any realm that exists
in the local KDC database and for which the appropriate principals are in its keytab.SunOS 5.11 Last change: 29 Feb 2008 3
System Administration Commands kadmind(1M)
-x db_args
Pass database-specific arguments to kadmind. Supported
arguments are for LDAP and the Berkeley-db2 plug-in.
These arguments are: binddn=binddnLDAP simple bind DN for authorization on the direc-
tory server. Overrides the ldap_kadmind_dn parameter
setting in krb5.conf(4). bindpwd=bindpwd Bind password. dbname=nameFor the Berkeley-db2 plug-in, specifies a name for
the Kerberos database. nconns=num Maximum number of server connections. port=num Directory server connection port. FILES /var/krb5/principal Kerberos principal database. /var/krb5/principal.ulog The update log file for incremental propagation. /var/krb5/principal.kadm5 Kerberos administrative database containing policy information.SunOS 5.11 Last change: 29 Feb 2008 4
System Administration Commands kadmind(1M)
/var/krb5/principal.kadm5.lock Kerberos administrative database lock file. This file works backwards from most other lock files (that is, kadmin exits with an error if this file does not exist). /var/krb5/kadm5.dictDictionary of strings explicitly disallowed as pass-
words. /etc/krb5/kadm5.acl List of principals and their kadmin administrative privileges. /etc/krb5/kadm5.keytab Keytab for kadmin principals: kadmin/fqdn, changepw/fqdn, and kadmin/changepw. /etc/krb5/kdc.conf KDC configuration information.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | system/security/kerberos-5 |
|_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
kpasswd(1), svcs(1), gkadmin(1M), kadmin(1M),kadmin.local(1M), kdb5_util(1M), kdb5_ldap_util(1M),
kproplog(1M), svcadm(1M), pam_acct_mgmt(3PAM),
pam_authenticate(3PAM), kadm5.acl(4), kdc.conf(4),
krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5),pam_krb5_migrate(5), smf(5)
SunOS 5.11 Last change: 29 Feb 2008 5
System Administration Commands kadmind(1M)
NOTESThe Kerberos administration daemon (kadmind) is now compli-
ant with the change-password standard mentioned in RFC 3244,
which means it can now handle change-password requests from
non-Solaris Kerberos clients.
The kadmind service is managed by the service management
facility, smf(5), under the service identifier: svc:/network/security/kadmin Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The service's status can be queried using the svcs(1) command.SunOS 5.11 Last change: 29 Feb 2008 6