KRB5KDC(8)KRB5KDC(8)NAMEkrb5kdc - Kerberos V5 KDC
SYNOPSISkrb5kdc [ -x db_args ] [ -d dbname ] [ -k keytype ] [ -M mkeyname ] [
-p portnum ] [ -m ] [ -r realm ] [ -4 v4mode ] [ -n ]
DESCRIPTIONkrb5kdc is the Kerberos version 5 Authentication Service and Key Dis‐
tribution Center (AS/KDC).
The -x db_args option specifies the database specific arguments.
Options supported for LDAP database are:
-x nconns=<number_of_connections>
specifies the number of connections to be maintained per LDAP
server.
-x host=<ldapuri>
specifies the LDAP server to connect to by a LDAP URI.
-x binddn=<binddn>
specifies the DN of the object used by the KDC server to bind
to the LDAP server. This object should have the rights to read
the realm container, principal container and the subtree that
is referenced by the realm.
-x bindpwd=<bind_password>
specifies the password for the above mentioned binddn. It is
recommended not to use this option. Instead, the password can
be stashed using the stashsrvpw command of kdb5_ldap_util.
The -r realm option specifies the realm for which the server should
provide service; by default the realm returned by
krb5_default_local_realm(3) is used.
The -d dbname option specifies the name under which the principal data‐
base can be found; by default the database is in DEFAULT_DBM_FILE.
This option does not apply to the LDAP database.
The -k keytype option specifies the key type of the master key in the
database; the default is KEYTYPE_DES.
The -M mkeyname option specifies the principal name for the master key
in the database; the default is KRB5_KDB_M_NAME (usually "K/M" in the
KDC's realm).
The -p portnum option specifies the default UDP port number which the
KDC should listen on for Kerberos version 5 requests. This value is
used when no port is specified in the KDC profile and when no port is
specified in the Kerberos configuration file. If no value is avail‐
able, then the value in /etc/services for service "kerberos" is used.
The -m option specifies that the master database password should be
fetched from the keyboard rather than from a file on disk.
The -4 option specifies how the KDC responds to kerberos IV requests
for tickets. The command line option overrides the value in the KDC
profile. The possible values are none, disable, full or nopreauth.
These instruct the KDC to not respond to V4 packets, to respond with a
version skew error, to issue tickets for all database entries, and to
issue tickets for all but preauthentication required database entries
respectively. The default behaviour is as if none was specified.
The -n option specifies that the KDC does not put itself in the back‐
ground and does not disassociate itself from the terminal. In normal
operation, you should always allow the KDC to place itself in the back‐
ground.
The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line. Per-realm options that can
be specified on the command line pertain for each realm that follows it
and are superceded by subsequent definitions of the same option. For
example,
krb5kdc-p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3. Additionally, per-realm parameters may be spec‐
ified in the kdc.conf file. The location of this file may be specified
by the KRB5_KDC_PROFILE environment variable. Parameters specified in
this file take precedence over options specified on the command line.
See the kdc.conf(5) description for further details.
SEE ALSOkrb5(3), kdb5_util(8), kdc.conf(5), kdb5_ldap_util(8)BUGS
It should fork and go into the background when it finishes reading the
master password from the terminal.
KRB5KDC(8)
