4.7 Remote administration
=========================
The administration server, `kadmind', can be started by `inetd' (which
isn't recommended) or run as a normal daemon. If you want to start it
from `inetd' you should add a line similar to the one below to your
`/etc/inetd.conf'.

     kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind

You might need to add `kerberos-adm' to your `/etc/services' as
`749/tcp'.

Access to the administration server is controlled by an ACL file
(default `/var/heimdal/kadmind.acl'). The file has the following syntax:

     principal [priv1,priv2,...] [glob-pattern]

Lines are evaluated from top to bottom, matching on the principal (and,
if given, the glob-pattern). When a line matches, the access rights of
that line are applied.

The privileges you can assign to a principal are: `add',
`change-password' (or `cpw' for short), `delete', `get', `list', and
`modify', or the special privilege `all'. All of these roughly
correspond to the different commands in `kadmin'.

If a GLOB-PATTERN is given on a line, it restricts the principal's
access rights to subjects that match the pattern. The patterns are of
the same type as those used in shell globbing, see fnmatch(3).

In the example below `lha/admin' can change every principal in the
database. `jimmy/admin' can only modify principals that belong to the
realm `E.KTH.SE'. `mille/admin' is working at the help desk, so he
should only be able to change the passwords for single-component
principals (ordinary users). He will not be able to change any `/admin'
principal.

     lha/admin@E.KTH.SE        all
     jimmy/admin@E.KTH.SE      all              *@E.KTH.SE
     jimmy/admin@E.KTH.SE      all              */*@E.KTH.SE
     mille/admin@E.KTH.SE      change-password  *@E.KTH.SE
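
The following is an added example, not part of the Heimdal manual or its
source code: a small evaluator for reviewing what an ACL like the one above
grants. It assumes the glob-pattern is matched component by component (so
`*' never spans a `/'), which is what the example above implies; the
function names are hypothetical.

```python
# Added illustration of the ACL rules described above; not Heimdal's code.
from fnmatch import fnmatchcase

PRIVS = {"add", "change-password", "delete", "get", "list", "modify"}
# The example ACL from this page.
ACL = """\
lha/admin@E.KTH.SE all
jimmy/admin@E.KTH.SE all *@E.KTH.SE
jimmy/admin@E.KTH.SE all */*@E.KTH.SE
mille/admin@E.KTH.SE change-password *@E.KTH.SE
"""

def split_principal(name):
    """Return (components, realm) for 'a/b@REALM' (no escape handling)."""
    comps, _, realm = name.rpartition("@")
    return comps.split("/"), realm

def subject_matches(subject, pattern):
    # Assumption: each component and the realm are globbed separately,
    # so '*@R' only covers single-component names.
    s_comps, s_realm = split_principal(subject)
    p_comps, p_realm = split_principal(pattern)
    return (len(s_comps) == len(p_comps)
            and fnmatchcase(s_realm, p_realm)
            and all(fnmatchcase(s, p) for s, p in zip(s_comps, p_comps)))

def parse_privs(field):
    privs = set()
    for p in field.split(","):
        p = "change-password" if p == "cpw" else p  # documented short form
        if p == "all":
            privs |= PRIVS
        elif p in PRIVS:
            privs.add(p)
        else:
            raise ValueError(f"unknown privilege: {p}")
    return privs

def granted(acl_text, caller, subject):
    """Privileges from the first line matching caller (and pattern, if any)."""
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != caller:
            continue
        if len(fields) == 2 or subject_matches(subject, fields[2]):
            return parse_privs(fields[1])
    return set()  # no matching line: no access

def allowed(acl_text, caller, privilege, subject):
    return privilege in granted(acl_text, caller, subject)
```
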