Each of the KDC implementations covered in this book has different administrative interfaces. We’ve already seen the basics of each administrative interface when we set up the KDC, but this section provides an in-depth reference on the various commands available to Kerberos administrators.
In MIT Kerberos 5, Kerberos database tasks are performed by the kadmind daemon. Normally, this daemon is run on KDC startup when the main Kerberos daemon, krb5kdc, is started. The kadmind daemon listens for client requests on TCP port 749. The client, kadmin, can be run on any machine that is able to communicate with the KDC. It is recommended that a firewall be used to limit network access to port 749 to restrict unauthorized users from connecting to the administrative daemon.
The kadmin client uses configuration from /etc/krb5.conf to locate the master KDC that runs the kadmind server. It will use the value of the admin_server parameter located in the realm that the client is a member of. If you compiled with DNS support (the default), it will also attempt to use DNS to locate the admin server service. If these methods fail, kadmin will give up attempting to look for a server, and exit with an error message. You can manually specify a realm name and server address with the
After a connection has been established between the kadmin client and the kadmind server, the client performs mutual authentication with the administration ...
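The lookup order described above (admin_server from the realm stanza in /etc/krb5.conf, then a DNS SRV query, then failure) as an added worked example; this is not code from the book or from MIT Kerberos. It assumes the SRV name _kerberos-adm._tcp.<REALM> that MIT kadmin queries, assumes dns_lookup_kdc also governs that lookup, and uses a constructed krb5.conf excerpt rather than a real site's file; the SRV name is built but not resolved so the example runs offline.

```python
import re

# Constructed krb5.conf excerpt for this example (not a real site's config).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
"""
KADMIND_PORT = 749  # TCP port kadmind listens on

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; a `NAME = { ... }`
    block (as used under [realms]) becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def locate_admin_server(conf, realm=None):
    """Mirror kadmin's lookup order: admin_server from [realms] first, else
    the DNS SRV name _kerberos-adm._tcp.<REALM> (built, not resolved, so
    this runs offline). Returns (host, port, source)."""
    realm = realm or conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        raise ValueError("no realm given and no default_realm configured")
    spec = conf.get("realms", {}).get(realm, {}).get("admin_server")
    if spec:
        host, _, port = spec.partition(":")  # admin_server may carry :port
        return host, int(port) if port else KADMIND_PORT, "krb5.conf"
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "true") == "true":
        return "_kerberos-adm._tcp." + realm, KADMIND_PORT, "dns-srv"
    raise LookupError("cannot locate admin server for realm " + realm)
```

The "dns-srv" result is the name a defender should expect to see queried on the network when no admin_server is configured; the LookupError branch is the "give up and exit" case from the text.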