.\" Copyright 1987, 1988, 1989 by the Student Information Processing Board
.\" 	of the Massachusetts Institute of Technology
.\" 
.\" Permission to use, copy, modify, and distribute this software
.\" and its documentation for any purpose and without fee is
.\" hereby granted, provided that the above copyright notice
.\" appear in all copies and that both that copyright notice and
.\" this permission notice appear in supporting documentation,
.\" and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
.\" used in advertising or publicity pertaining to distribution
.\" of the software without specific, written prior permission.
.\" M.I.T. and the M.I.T. S.I.P.B. make no representations about
.\" the suitability of this software for any purpose.  It is
.\" provided "as is" without express or implied warranty.
.\" 
.\"	$OpenBSD: kadmind.8,v 1.2 1997/05/30 03:11:20 gene Exp $
.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kadmind \- Kerberos database administration daemon
.SH SYNOPSIS
.B kadmind
[
.B \-n
] [
.B \-h
] [
.B \-r realm
] [
.B \-f filename
] [
.B \-d dbname
] [
.B \-a acldir
]
.SH DESCRIPTION
.I kadmind
is the network database server for the Kerberos password-changing and
administration tools.
.PP
Upon execution, it prompts the user to enter the master key string for
the database.
.PP
If the
.B \-n
option is specified, the master key is instead fetched from the master
key cache file.
.PP
If the
.B \-r
.I realm
option is specified, the admin server will pretend that its
local realm is 
.I realm
instead of the actual local realm of the host it is running on.
This makes it possible to run a server for a foreign kerberos
realm.
.PP
If the
.B \-f
.I filename
option is specified, then that file is used to hold the log information
instead of the default.
.PP
If the
.B \-d
.I dbname
option is specified, then that file is used as the database name instead
of the default.
.PP
If the
.B \-a
.I acldir
option is specified, then
.I acldir
is used as the directory in which to search for access control lists
instead of the default.
.PP
If the
.B \-h
option is specified,
.I kadmind
prints out a short summary of the permissible control arguments, and
then exits.
.PP
When performing requests on behalf of clients,
.I kadmind
checks access control lists (ACLs) to determine the authorization of the client
to perform the requested action.
Currently three distinct access types are supported:
.TP 1i
Addition
(.add ACL file).  If a principal is on this list, it may add new
principals to the database.
.TP
Retrieval
(.get ACL file).  If a principal is on this list, it may retrieve
database entries.  NOTE:  A principal's private key is never returned by
the get functions.
.TP
Modification
(.mod ACL file).  If a principal is on this list, it may modify entries
in the database.
.PP
A principal is always granted authorization to change its own password.
.SH FILES
.TP 20n
/var/log/admin_server.log
Default log file.
.TP 
/etc/kerberosIV
Default access control list directory.
.TP
admin_acl.{add,get,mod}
Access control list files (within the directory)
.TP
/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir
Default DBM files containing database
.TP
/etc/kerberosIV/master_key
Master key cache file.
.SH "SEE ALSO"
kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
.SH AUTHORS
Douglas A. Church, MIT Project Athena
.br
John T. Kohl, Project Athena/Digital Equipment Corporation