From: Jeff Bigler Date: Thu, 29 Aug 1996 20:37:26 +0000 (+0000) Subject: Added man page and line in Makefile to install it X-Git-Tag: krb5-1.0-beta7~77 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ff94b7ba9585f498178a350077e3f81cb0446980;p=krb5.git Added man page and line in Makefile to install it git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9011 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kadmin/ktutil/ChangeLog b/src/kadmin/ktutil/ChangeLog index 6ca64712d..e44710e16 100644 --- a/src/kadmin/ktutil/ChangeLog +++ b/src/kadmin/ktutil/ChangeLog @@ -1,3 +1,7 @@ +Thu Aug 29 16:06:39 1996 Jeff Bigler + + * Makefile.in (install): added man page + Thu Jun 13 21:42:11 1996 Tom Yu * configure.in: remove ref to SS_RULES diff --git a/src/kadmin/ktutil/Makefile.in b/src/kadmin/ktutil/Makefile.in index d59ad0709..9888d0b61 100644 --- a/src/kadmin/ktutil/Makefile.in +++ b/src/kadmin/ktutil/Makefile.in @@ -17,6 +17,7 @@ ktutil: ktutil.o $(OBJS) $(DEPLIBS) install:: $(INSTALL_PROGRAM) ktutil ${DESTDIR}$(ADMIN_BINDIR)/ktutil + $(INSTALL_DATA) $(srcdir)/ktutil.M ${DESTDIR}$(ADMIN_MANDIR)/ktutil.8 # needed until we run makedepend ktutil_ct.c: ktutil_ct.ct diff --git a/src/kadmin/ktutil/ktutil.M b/src/kadmin/ktutil/ktutil.M new file mode 100644 index 000000000..2ee1199d4 --- /dev/null +++ b/src/kadmin/ktutil/ktutil.M @@ -0,0 +1,64 @@ +.so man1/header.doc +.TH KTUTIL 8 \*h +.SH NAME +ktutil \- Kerberos keytab file maintenance utility +.SH SYNOPSIS +.B ktutil +.SH DESCRIPTION +The +.B ktutil +command invokes a subshell from which an administrator can read, write, +or edit entries in a Kerberos V5 keytab or V4 srvtab file. +.SH COMMANDS +.TP +.B list +Displays the current keylist. Alias: +.BR l . +.TP +\fBread_kt\fP \fIkeytab\fP +Read the Kerberos V5 keytab file +.I keytab +into the current keylist. Alias: +.B rkt +.TP +\fBread_st\fP \fIsrvtab\fP +Read the Kerberos V4 srvtab file +.I srvtab +into the current keylist. Alias: +.BR rst . +.TP +\fBwrite_kt\fP \fIkeytab\fP +Write the current keylist into the Kerberos V5 keytab file +.IR keytab . +Alias: +.BR wkt . +.TP +\fBwrite_st\fP \fIsrvtab\fP +Write the current keylist into the Kerberos V4 srvtab file +.IR srvtab . +Alias: +.BR wst . +.TP +.B clear_list +Clear the current keylist. Alias: +.BR clear . +.TP +\fBdelete_entry\fP \fIslot\fP +Delets the entry in slot number +.I slot +from the current keylist. Alais: +.BR delent . +.TP +.BR list_requests +Displays a listing of available commands. Aliases: +.BR lr , +.BR ? . +.TP +.B quit +Quits +.BR ktutil . +Aliases: +.BR exit , +.BR q . +.SH SEE ALSO +kadmin(8), kdb5_util(8) diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog index d8340f811..204c05d2a 100644 --- a/src/kadmin/server/ChangeLog +++ b/src/kadmin/server/ChangeLog @@ -1,3 +1,7 @@ +Thu Aug 29 16:11:01 1996 Jeff Bigler + + * Makefile.in (install): added kadmind man page + Mon Aug 12 11:48:19 1996 Barry Jaspan * ovsec_kadmd.c (main): strip path components of whoami diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in index be7f4c288..e649a2358 100644 --- a/src/kadmin/server/Makefile.in +++ b/src/kadmin/server/Makefile.in @@ -10,6 +10,7 @@ $(PROG): $(OBJS) $(DEPLIBS) install:: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) + $(INSTALL_DATA) $(srcdir)/($PROG).M ${DESTDIR}$(ADMIN_MANDIR)/($PROG).8 clean:: $(RM) $(PROG) $(OBJS) diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M new file mode 100644 index 000000000..2d4683734 --- /dev/null +++ b/src/kadmin/server/kadmind.M @@ -0,0 +1,244 @@ +.so man1/header.doc +.TH KADMIND(8 \*h +.SH NAME +kadmind \- KADM5 administration server +.SH SYNOPSIS +.B kadmind +[\fB-r\fP \fIrealm\fP] [\fB\-m\fP] [\fB\-nofork\fP] [\fB\-port\fP +\fIport-number\fP] +.SH DESCRIPTION +This command starts the KADM5 administration server. The administration +server runs on the master Kerberos server, which stores the KDC +principal database and the KADM5 policy database. +.B Kadmind +accepts remote requests to administer the information in these +databases. Remote requests are sent, for example, by +.IR kadmin (8) +and the +.IR kpasswd (1) +command, both of which are clients of +.BR kadmind . +.PP +.B kadmind +requires a number of configuration files to be set up in order +for it to work: +.TP "\w'kdc.conf\ \ 'u" +kdc.conf +The KDC configuration file contains configuration informatin for the KDC +and the KADM5 system. +.B Kadmind +understands a number of variable settings in this file, some of whch are +mandatory and some of which are optional. See the CONFIGURATION VALUES +section below. +.TP +keytab +.B Kadmind +requires a keytab containing correct entries for the +.I kadmin/admin +and +.I kadmin/changepw +principals for every realm that kadmind will answer requests for. The +keytab can be created with the +.IR kadmin (8) +client. The location of the keytab is determined by the +.I admin_keytab +configuration variable (see CONFIGURATION VALUES). +.TP +ACL file +.BR Kadmind 's +ACL (access control list) tells it which principals are allowed to +perform KADM5 administration actions. The path of the ACL file is +specified via the acl_file configuration variable (see CONFIGURATION +VALUES). The syntax of the ACL file is specified in the ACL FILE SYNTAX +section below. +.PP +After the server begins running, it puts itself in the background and +disassociates itself from its controlling terminal. +.SH OPTIONS +.TP +\fB\-r\fP \fIrealm\fP +specifies the default realm that kadmind will serve; if it is not +specified, the default realm of the host is used. +.B kadmind +will answer requests for any realm that exists in the local KDC database +and for which the appropriate principals are in its keytab. +.TP +.B \-m +specifies that the master database password should be fetched from the +keyboard rather than from a file on disk. Note that the server gets the +password prior to putting itself in the background; in combination with +the -nofork option, you must place it in the background by hand. +.TP +.B \-nofork +specifies that the server does not put itself in the background and does +not disassociate itself from the terminal. In normal operation, you +should always allow the server place itself in the background. +.TP +\fB\-port\fP \fIport-number\fB +specifies the port on which the administration server listens for +connections. The default is is controlled by the +.I kadmind_port +configuration variable (see below). +.SH CONFIGURATION VALUES +.PP +In addition to the relations defined in kdc.conf(5), kadmind +understands the following relations, all of which should +appear in the [realms] section: +.TP +acl_file +The path of kadmind's ACL file. Mandatory. No default. +.TP +dict_file +The path of kadmind's password dictionary. A principal with any +password policy will not be allowed to select any password in the +dictionary. Optional. No default. +.TP +admin_keytab +The name of the keytab containing entries for the principals +.I kadmin/admin +and +.I kadmin/changepw +in each realm that +.B kadmind +will serve. The default is the value of the +.SM KRB5_KTNAME +environment variable, if defined. Mandatory. +.TP +kadmind_port +The +.SM TCP +port on which +.B kadmind +will listen. The default is 749. +.SH ACL FILE SYNTAX +.PP +The ACL file controls which principals can or cannot perform which +administrative functions. For operations that affect principals, the +ACL file also controls which principals can operate on which other +principals. This file can contain comment lines, null lines or lines +which contain ACL entries. Comment lines start with the sharp sign +(\fB\&#\fP) and continue until the end of the line. Lines containing ACL +entries have the format of +.B principal +.I whitespace +.B operation-mask +[\fIwhitespace\fP \fBoperation-target\fP] +.PP +Ordering is important. The first matching entry is the one which will +control access for a particular principal on a particular principal. +.PP +.IP principal +may specify a partially or fully qualified Kerberos version 5 +principal name. Each component of the name may be wildcarded using +the asterisk ( +.B * +) character. +.IP operation-target +[Optional] may specify a partially or fully qualified Kerberos version 5 +principal name. Each component of the name may be wildcarded using the +asterisk ( +.B * +) character. +.IP operation-mask +Specifies what operations may or may not be peformed by a principal +matching a particular entry. This is a string of one or more of the +following list of characters or their upper-case counterparts. If the +character is upper-case, then the operation is disallowed. If the +character is lower-case, then the operation is permitted. +.RS +.TP 5 +.B a +[Dis]allows the addition of principals or policies in the database. +.sp -1v +.TP +.B d +[Dis]allows the deletion of principals or policies in the database. +.sp -1v +.TP +.B m +[Dis]allows the modification of principals or policies in the database. +.sp -1v +.TP +.B c +[Dis]allows the changing of passwords for principals in the database. +.sp -1v +.TP +.B i +[Dis]allows inquiries to the database. +.sp -1v +.TP +.B l +[Dis]allows the listing of principals or policies in the database. +.sp -1v +.TP +.B x +Short for +.IR admcil . +.sp -1v +.TP +.B \&* +Same as +.BR x . +.RE +Some examples of valid entries here are: +.TP +.I user/instance@realm adm +A standard fully qualified name. The +.B operation-mask +only applies to this principal and specifies that [s]he may add, +delete or modify principals and policies, but not change anybody +else's password. +.TP +.I user/instance@realm cim service/instance@realm +A standard fully qualified name and a standard fully qualified target. The +.B operation-mask +only applies to this principal operating on this target and specifies that +[s]he may change the target's password, request information about the +target and modify it. +.TP +.I user/*@realm ac +A wildcarded name. The +.B operation-mask +applies to all principals in realm "realm" whose first component is +"user" and specifies that [s]he may add principals and change +anybody's password. +.TP +.I user/*@realm i */instance@realm +A wildcarded name and target. The +.B operation-mask +applies to all principals in realm "realm" whose first component is +"user" and specifies that [s]he may perform +inquiries on principals whose second component is "instance" and realm +is "realm". +.SH FILES +.TP "\w'.kadm5.lock\ 'u" +principal.db +default name for Kerberos principal database +.TP +.kadm5 +KADM5 administrative database. (This would be "principal.kadm5", if you +use the default database name.) Contains policy information. +.TP +.kadm5.lock +lock file for the KADM5 administrative database. This file works +backwards from most other lock files. I.e., +.B kadmin +will exit with an error if this file does +.I not +exist. +.TP +kadm5.acl +file containing list of principals and their +.B kadmin +administrative privileges. See above for a description. +.TP +kadm5.keytab +keytab file for +.I kadmin/admin +principal. +.TP +kadm5.dict +file containing dictionary of strings explicitly disallowed as +passwords. +.SH SEE ALSO +kpasswd(1), kadmin(8), kdb5_util(8), kadm5_export(8), kadm5_import(8)