KRB5KDC(8) Maintenance Procedures KRB5KDC(8)
NAME
krb5kdc - KDC daemon
SYNOPSIS
/usr/lib/krb5/krb5kdc [
-d dbpath] [
-r realm] [
-m]
[
-k masterenctype] [
-M masterkeyname]
[
-p port] [
-n] [
-x db_args]...
DESCRIPTION
krb5kdc is the daemon that runs on the master and slave
KDCs to process
the Kerberos tickets. For Kerberos to function properly,
krb5kdc must be
running on at least one
KDC that the Kerberos clients can access. Prior
to running
krb5kdc, you must initialize the Kerberos database using
kdb5_util(8). See the for information regarding how to set up
KDCs and
initialize the Kerberos database.
OPTIONS
The following options are supported:
-d dbpath Specify the path to the database; default value is
/var/krb5.
-k masterenctype Specify the encryption type for encrypting the database. The default
value is
des-cbc-crc.
des3-cbc-sha1,
arcfour-hmac-md5,
arcfour-hmac- md5-exp,
aes128-cts-hmac-sha1-96, and
aes256-cts-hmac-sha1-96 are
also valid.
-m Specify that the master key for the database is to be entered
manually.
-M masterkeyname Specify the principal to retrieve the master Key for the database.
-n Specify that
krb5kdc should not detach from the terminal.
-p port Specify the port that will be used by the
KDC to listen for incoming
requests.
-r realm Specify the realm name; default is the local realm name.
-x db_args Pass database-specific arguments to
kadmin. Supported arguments are
for the LDAP plug-in. These arguments are:
binddn=
binddn Specifies the DN of the object used by the KDC server to bind to
the LDAP server. This object should have the rights to read the
realm container, principal container and the subtree that is
referenced by the realm. Overrides the
ldap_kdc_dn parameter
setting in
krb5.conf(5).
bindpwd=
bindpwd Specifies the password for the above-mentioned
binddn. It is
recommended not to use this option. Instead, the password can be
stashed using the
stashsrvpw command of
kdb5_ldap_util(8).
nconns=
num Specifies the number of connections to be maintained per LDAP
server.
host=
ldapuri Specifies, by an LDAP URI, the LDAP server to which to connect.
FILES
/var/krb5/principal.db Kerberos principal database.
/var/krb5/principal.kadm5 Kerberos administrative database. This file contains policy
information.
/var/krb5/principal.kadm5.lock Kerberos administrative database lock file. This file works backwards
from most other lock files (that is,
kadmin will exit with an error
if this file does
not exist).
/etc/krb5/kdc.conf KDC configuration file. This file is read at startup.
/etc/krb5/kpropd.acl File that defines the access control list for propagating the
Kerberos database using
kprop.
SEE ALSO
kill(1),
kpasswd(1),
kadmind(8),
kadmin.local(8),
kdb5_util(8),
kdb5_ldap_util(8),
logadm(8),
krb5.conf(5),
attributes(7),
krb5envvar(7),
kerberos(7),
NOTES
The following signal has the specified effect when sent to the server
process using the
kill(1)command:
SIGHUP krb5kdc closes and re-opens log files that it directly opens. This
can be useful for external log-rotation utilities such as
logadm(8).
If this method is used for log file rotation, set the
krb5.conf(5) kdc_rotate period relation to
never.
October 29, 2015
KRB5KDC(8)