path: root/usr/src/man/man8/krb5kdc.8

'\" te
.\" Copyright 1987, 1989 by the Student Information Processing Board of the Massachusetts Institute of Technology.  For copying and distribution information,  please see the file kerberosv5/mit-sipb-copyright.h.
.\" Portions Copyright (c) 2007, Sun Microsystems, Inc.  All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KRB5KDC 8 "Oct 29, 2015"
.SH NAME
krb5kdc \- KDC daemon
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/krb5/krb5kdc\fR [\fB-d\fR \fIdbpath\fR] [\fB-r\fR \fIrealm\fR]  [\fB-m\fR]
     [\fB-k\fR \fImasterenctype\fR] [\fB-M\fR \fImasterkeyname\fR]
     [\fB-p\fR \fIport\fR] [\fB-n\fR] [\fB-x\fR \fIdb_args\fR]...
.fi

.SH DESCRIPTION
.sp
.LP
\fBkrb5kdc\fR is the daemon that runs on the master and slave \fBKDC\fRs to
process the Kerberos tickets. For Kerberos to function properly, \fBkrb5kdc\fR
must be running on at least one \fBKDC\fR that the Kerberos clients can access.
Prior to running \fBkrb5kdc\fR, you must initialize the Kerberos database using
\fBkdb5_util\fR(8). See the \fI\fR for information regarding how to set up
\fBKDC\fRs and initialize the Kerberos database.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-d\fR \fIdbpath\fR\fR
.ad
.sp .6
.RS 4n
Specify the path to the database; default value is \fB/var/krb5\fR.
.RE

.sp
.ne 2
.na
\fB\fB-k\fR \fImasterenctype\fR\fR
.ad
.sp .6
.RS 4n
Specify the encryption type for encrypting the database. The default value is
\fBdes-cbc-crc\fR. \fBdes3-cbc-sha1\fR, \fBarcfour-hmac-md5\fR,
\fBarcfour-hmac-md5-exp\fR, \fBaes128-cts-hmac-sha1-96\fR, and
\fBaes256-cts-hmac-sha1-96\fR are also valid.
.RE

.sp
.ne 2
.na
\fB\fB-m\fR\fR
.ad
.sp .6
.RS 4n
Specify that the master key for the database is to be entered manually.
.RE

.sp
.ne 2
.na
\fB\fB-M\fR \fImasterkeyname\fR\fR
.ad
.sp .6
.RS 4n
Specify the principal to retrieve the master Key for the database.
.RE

.sp
.ne 2
.na
\fB\fB-n\fR\fR
.ad
.sp .6
.RS 4n
Specify that \fBkrb5kdc\fR should not detach from the terminal.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR \fIport\fR\fR
.ad
.sp .6
.RS 4n
Specify the port that will be used by the \fBKDC\fR to listen for incoming
requests.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
Specify the realm name; default is the local realm name.
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fIdb_args\fR\fR
.ad
.sp .6
.RS 4n
Pass database-specific arguments to \fBkadmin\fR. Supported arguments are for
the LDAP plug-in. These arguments are:
.sp
.ne 2
.na
\fB\fBbinddn\fR=\fIbinddn\fR\fR
.ad
.sp .6
.RS 4n
Specifies the DN of the object used by the KDC server to bind to the LDAP
server. This object should have the rights to read the realm container,
principal container and the subtree that is referenced by the realm. Overrides
the \fBldap_kdc_dn\fR parameter setting in \fBkrb5.conf\fR(5).
.RE

.sp
.ne 2
.na
\fB\fBbindpwd\fR=\fIbindpwd\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password for the above-mentioned \fIbinddn\fR. It is recommended
not to use this option. Instead, the password can be stashed using the
\fBstashsrvpw\fR command of \fBkdb5_ldap_util\fR(8).
.RE

.sp
.ne 2
.na
\fB\fBnconns\fR=\fInum\fR\fR
.ad
.sp .6
.RS 4n
Specifies the number of connections to be maintained per LDAP server.
.RE

.sp
.ne 2
.na
\fB\fBhost\fR=\fIldapuri\fR\fR
.ad
.sp .6
.RS 4n
Specifies, by an LDAP URI, the LDAP server to which to connect.
.RE

.RE

.SH FILES
.sp
.ne 2
.na
\fB\fB/var/krb5/principal.db\fR\fR
.ad
.sp .6
.RS 4n
Kerberos principal database.
.RE

.sp
.ne 2
.na
\fB\fB/var/krb5/principal.kadm5\fR\fR
.ad
.sp .6
.RS 4n
Kerberos administrative database. This file contains policy information.
.RE

.sp
.ne 2
.na
\fB\fB/var/krb5/principal.kadm5.lock\fR\fR
.ad
.sp .6
.RS 4n
Kerberos administrative database lock file. This file works backwards from most
other lock files (that is, \fBkadmin\fR will exit with an error if this file
does \fInot\fR exist).
.RE

.sp
.ne 2
.na
\fB\fB/etc/krb5/kdc.conf\fR\fR
.ad
.sp .6
.RS 4n
\fBKDC\fR configuration file. This file is read at startup.
.RE

.sp
.ne 2
.na
\fB\fB/etc/krb5/kpropd.acl\fR\fR
.ad
.sp .6
.RS 4n
File that defines the access control list for propagating the Kerberos database
using \fBkprop\fR.
.RE

.SH SEE ALSO
.sp
.LP
\fBkill\fR(1), \fBkpasswd\fR(1), \fBkadmind\fR(8),
\fBkadmin.local\fR(8), \fBkdb5_util\fR(8), \fBkdb5_ldap_util\fR(8),
\fBlogadm\fR(8), \fBkrb5.conf\fR(5), \fBattributes\fR(7), \fBkrb5envvar\fR(7),
.BR kerberos (7),
.sp
.LP
\fI\fR
.SH NOTES
.sp
.LP
The following signal has the specified effect when sent to the server process
using the \fBkill\fR(1)command:
.sp
.ne 2
.na
\fB\fBSIGHUP\fR\fR
.ad
.sp .6
.RS 4n
\fBkrb5kdc\fR closes and re-opens log files that it directly opens. This can be
useful for external log-rotation utilities such as \fBlogadm\fR(8). If this
method is used for log file rotation, set the \fBkrb5.conf\fR(5)
\fBkdc_rotate\fR period relation to \fBnever\fR.
.RE