krb5kdc is the Kerberos version 5 Authentication Service and Key
Distribution Center (AS/KDC).

The **-x** *db_args* option specifies the database-specific arguments.
Options supported for the LDAP database are:

    **-x** nconns=<number_of_connections>
        Specifies the number of connections to be maintained per

        Specifies the LDAP server to connect to by an LDAP URI.

    **-x** binddn=<binddn>
        Specifies the DN of the object used by the KDC server to bind
        to the LDAP server.  This object should have the rights to
        read the realm container, principal container and the subtree
        that is referenced by the realm.

    **-x** bindpwd=<bind_password>
        Specifies the password for the above mentioned binddn.  It is
        recommended not to use this option.  Instead, the password can
        be stashed using the **stashsrvpw** command of
        :ref:`kdb5_ldap_util(8)`.

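A defender-side check for the **bindpwd** recommendation above, as an added example that is not part of the krb5 documentation or distribution: command-line arguments are visible to other local users through the process list on most systems, so this script scans saved command lines for ``-x bindpwd=``. The function names, sample paths, realm and DN are assumptions made for the example, and quoting inside a scanned line is not interpreted.

```shell
# Added example (not from the krb5 distribution): flag krb5kdc command
# lines that carry the LDAP bind password in argv as "-x bindpwd=...".
# audit_kdc_args ARG...  -> returns 1 if any -x db_arg is bindpwd=...
audit_kdc_args() {
    found=0; expect_dbarg=0
    for arg in "$@"; do
        if [ "$expect_dbarg" -eq 1 ]; then
            dbarg=$arg
            expect_dbarg=0
        else
            case $arg in
                -x)  expect_dbarg=1; continue ;;
                -x*) dbarg=${arg#-x} ;;   # getopt-style attached form
                *)   continue ;;
            esac
        fi
        case $dbarg in
            bindpwd=*)
                echo "FINDING: bindpwd given on the command line (value redacted)"
                found=1 ;;
        esac
    done
    return "$found"
}

# audit_kdc_file FILE -> FILE has one command line per line, for example
# saved "ps -eo args" output. Returns 1 if any krb5kdc line has a finding.
audit_kdc_file() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *krb5kdc*) ;;
            *) continue ;;
        esac
        set -f                      # no globbing while word-splitting the line
        audit_kdc_args $line || rc=1
        set +f
    done < "$1"
    return "$rc"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf '%s\n' \
    '/usr/sbin/krb5kdc -r EXAMPLE.COM -P /run/krb5kdc.pid' \
    '/usr/sbin/krb5kdc -r EXAMPLE.COM -x binddn=cn=kdc,dc=example,dc=com -x bindpwd=s3cret' \
    > "$sample"
audit_kdc_file "$sample" || echo "move the password to a stash file (stashsrvpw)"
rm -f "$sample"
```
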
The **-r** *realm* option specifies the realm for which the server
should provide service.

The **-d** *dbname* option specifies the name under which the
principal database can be found.  This option does not apply to the

The **-k** *keytype* option specifies the key type of the master key
to be entered manually as a password when **-m** is given; the default

The **-M** *mkeyname* option specifies the principal name for the master key
in the database (usually ``K/M`` in the KDC's realm).

The **-m** option specifies that the master database password should
be fetched from the keyboard rather than from a file on disk.

The **-n** option specifies that the KDC does not put itself in the
background and does not disassociate itself from the terminal.  In
normal operation, you should always allow the KDC to place itself in

The **-P** *pid_file* option tells the KDC to write its PID (followed
by a newline) into *pid_file* after it starts up.  This can be used to
identify whether the KDC is still running and to allow init scripts to
stop the correct process.

The **-p** *portnum* option specifies the default UDP port number
which the KDC should listen on for Kerberos version 5 requests.  This
value is used when no port is specified in the KDC profile and when no
port is specified in the Kerberos configuration file.  If no value is
available, then the value in ``/etc/services`` for service

The **-w** *numworkers* option tells the KDC to fork *numworkers*
processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if
the **-P** option is also given) acts as a supervisor.  The supervisor
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocesses if it is itself terminated or if
any other worker process exits.

.. note:: On operating systems which do not have *pktinfo* support,
          using worker processes will prevent the KDC from listening
          for UDP packets on network interfaces created after the KDC

The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line.  Per-realm options that can
be specified on the command line apply to each realm that follows
them and are superseded by subsequent definitions of the same option.

::

    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3.  Additionally, per-realm parameters may be
specified in the :ref:`kdc.conf(5)` file.  The location of this file
may be specified by the **KRB5_KDC_PROFILE** environment variable.
Parameters specified in this file take precedence over options
specified on the command line.  See the :ref:`kdc.conf(5)` description

krb5kdc uses the following environment variables:

* **KRB5_KDC_PROFILE**

:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`,
:ref:`kdb5_ldap_util(8)`