(heimdal.info) Remote administration
Remote administration
=====================
The administration server, `kadmind', can be started by `inetd' (which
isn't recommended) or run as a normal daemon. If you want to start it
from `inetd' you should add a line similar to the one below to your
`/etc/inetd.conf'.
     kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
You might need to add `kerberos-adm' to your `/etc/services' as 749/tcp.
Access to the administration server is controlled by an ACL file
(default `/var/heimdal/kadmind.acl'). The lines in the access file have
the following syntax:
     principal [priv1,priv2,...] [glob-pattern]
Lines are matched from top to bottom against the principal (and, if
given, the glob-pattern). When there is a match, the rights on that line
are used.
The privileges you can assign to a principal are: `add',
`change-password' (or `cpw' for short), `delete', `get', `list', and
`modify', or the special privilege `all'. These correspond roughly to
the different commands in `kadmin'.
If a GLOB-PATTERN is given on a line, it restricts the rights of the
principal so that they apply only to the subjects that match the
pattern. The patterns are of the same type as those used in shell
globbing, see fnmatch(3).
In the example below `lha/admin' can change every principal in the
database. `jimmy/admin' can only modify principals that belong to the
realm `E.KTH.SE'. `mille/admin' is working at the help desk, so he
should only be able to change the passwords for single component
principals (ordinary users). He will not be able to change any `/admin'
principal.
     lha/admin@E.KTH.SE all
     jimmy/admin@E.KTH.SE all *@E.KTH.SE
     jimmy/admin@E.KTH.SE all */*@E.KTH.SE
     mille/admin@E.KTH.SE change-password *@E.KTH.SE
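
Added example (not part of the Heimdal manual or its source): a Python model of the top-to-bottom evaluation described above, run over the example ACL, plus a constructed ACL showing how a line without a pattern shadows a narrower line below it. It assumes a glob-pattern is matched against the realm and each name component separately, with an equal number of components, which is what the `mille/admin' entry and the two `jimmy/admin' lines imply; the function names and the principals `alice' and `desk/admin' are illustrative.

```python
from fnmatch import fnmatchcase

# ACL copied from the example on this page.
ACL = """\
lha/admin@E.KTH.SE all
jimmy/admin@E.KTH.SE all *@E.KTH.SE
jimmy/admin@E.KTH.SE all */*@E.KTH.SE
mille/admin@E.KTH.SE change-password *@E.KTH.SE
"""
# Constructed ACL: the pattern-less first line matches every subject, so
# the narrower second line is never reached.
SHADOWED = """\
desk/admin@E.KTH.SE get
desk/admin@E.KTH.SE cpw *@E.KTH.SE
"""
ALL = frozenset({"add", "change-password", "delete", "get", "list", "modify"})

def split_principal(name):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'). Assumes an explicit realm, no quoting."""
    comps, _, realm = name.rpartition("@")
    return comps.split("/"), realm

def glob_match(pattern, subject):
    """Assumed semantics: realm and each component are globbed separately,
    and pattern and subject must have the same number of components."""
    p_comps, p_realm = split_principal(pattern)
    s_comps, s_realm = split_principal(subject)
    return (len(p_comps) == len(s_comps)
            and fnmatchcase(s_realm, p_realm)
            and all(fnmatchcase(s, p) for s, p in zip(s_comps, p_comps)))

def rights(acl_text, caller, subject):
    """Privileges from the first line matching caller and, if given, the glob."""
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != caller:
            continue
        if len(fields) > 2 and not glob_match(fields[2], subject):
            continue
        privs = {"change-password" if p == "cpw" else p for p in fields[1].split(",")}
        return set(ALL) if "all" in privs else privs
    return set()

def allowed(acl_text, caller, op, subject):
    return op in rights(acl_text, caller, subject)

if __name__ == "__main__":
    for who, op, subj in [("mille/admin@E.KTH.SE", "change-password", "alice@E.KTH.SE"),
                          ("mille/admin@E.KTH.SE", "change-password", "lha/admin@E.KTH.SE"),
                          ("jimmy/admin@E.KTH.SE", "modify", "alice/admin@E.KTH.SE")]:
        print(who, op, subj, "->", allowed(ACL, who, op, subj))
```

A matcher that applied the glob to the whole principal string would let `*@E.KTH.SE' match `lha/admin@E.KTH.SE', which is why the component count is checked first.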