kadmind listens for requests for changes to the Kerberos database and performs these, subject to permissions. When starting, if stdin is a socket it assumes that it has been started by inetd(8), otherwise it behaves as a daemon, forking processes for each new connection. The --debug option causes kadmind to accept exactly one connection, which is useful for debugging.
If built with krb4 support, it implements both the Heimdal Kerberos 5 administrative protocol and the Kerberos 4 protocol. Password changes via the Kerberos 4 protocol are also performed by kadmind, but the kpasswdd(8) daemon is responsible for the Kerberos 5 password changing protocol (used by kpasswd(1))
This daemon should only be run on the master server, and not on any slaves.
Principals are always allowed to change their own password and list their own principal. Apart from that, doing any operation requires permission explicitly added in the ACL file /var/heimdal/kadmind.acl. The format of this file is:
Where rights is any (comma separated) combination of:
- change-password or cpw
And the optional principal-pattern restricts the rights to operations on principals that match the glob-style pattern.