Provided by: heimdal-kcm_7.8.git20221117.28daf24+dfsg-9ubuntu1_amd64

NAME

       kcm — process-based credential cache for Kerberos tickets.

SYNOPSIS

       kcm    [--cache-name=cachename]   [-c   file   |   --config-file=file]   [-g   group   |   --group=group]
           [--max-request=size]  [--disallow-getting-krbtgt]  [--detach]  [-h  |   --help]   [-k   principal   |
           --system-principal=principal]    [-l    time    |    --lifetime=time]   [-m   mode   |   --mode=mode]
           [-n | --no-name-constraints]  [-r  time  |  --renewable-life=time]  [-s  path  |  --socket-path=path]
           [--door-path=path]  [-S  principal  |  --server=principal]  [-t  keytab | --keytab=keytab] [-u user |
           --user=user] [-v | --version]

DESCRIPTION

       kcm is a process-based credential cache.  To use it, set the KRB5CCNAME environment variable to ‘KCM:uid’
       or add the stanza

       [libdefaults]
               default_cc_name = KCM:%{uid}

       to the /etc/krb5.conf configuration file and make sure kcm is started in the system startup files.
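The following is an added example, not part of the Heimdal manual: a shell check that resolves which credential cache name a process would get from KRB5CCNAME or from the default_cc_name stanza above, and whether that cache is served by kcm. The function names and the sample krb5.conf are constructed for illustration; it assumes that KRB5CCNAME, when set, takes precedence over the configuration file.

```shell
#!/bin/sh
# Added example (not from the Heimdal manual); helper names are hypothetical.

# Write a constructed sample krb5.conf to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # default_cc_name = FILE:/tmp/krb5cc_%{uid}
    default_cc_name = KCM:%{uid}
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
}

# Print default_cc_name from the [libdefaults] section of the file in $1.
# Prints nothing if the key is absent from that section.
libdefaults_cc_name() {
    awk '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        insec && /^[ \t]*default_cc_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# effective_ccache CONF UID [KRB5CCNAME]
# Assumption: a non-empty KRB5CCNAME overrides the config file.
# The %{uid} token is expanded to the numeric uid passed as $2.
effective_ccache() {
    _conf=$1 _uid=$2 _env=${3-}
    if [ -n "$_env" ]; then
        _name=$_env
    else
        _name=$(libdefaults_cc_name "$_conf")
    fi
    printf '%s\n' "$_name" | sed "s/%{uid}/$_uid/g"
}

# uses_kcm NAME: succeeds only if the cache type prefix is KCM.
uses_kcm() {
    case $1 in KCM:*) return 0 ;; *) return 1 ;; esac
}

sample=$(mktemp); write_sample_conf "$sample"
name=$(effective_ccache "$sample" "$(id -u)" "${KRB5CCNAME-}")
if uses_kcm "$name"; then echo "$name: served by kcm"; else echo "$name: not a KCM cache"; fi
rm -f "$sample"
```

Point the first argument of effective_ccache at /etc/krb5.conf to check a real host; an empty result means no default_cc_name was found in [libdefaults].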

       The kcm daemon can hold the credentials for all users in the system.  Access control is done  with  Unix-
       like  permissions.   The daemon checks the access on all operations based on the uid and gid of the user.
       The tickets are renewed as long as is permitted by the KDC's policy.

       The kcm daemon can also keep a SYSTEM credential that server processes can use to access  services.   One
       example  of  usage  might be an nss_ldap module that quickly needs to get credentials and doesn't want to
       renew the ticket itself.

       Supported options:

       --cache-name=cachename
               system cache name

       -c file, --config-file=file
               location of config file

       -g group, --group=group
               system cache group

       --max-request=size
               max size for a kcm-request

       --disallow-getting-krbtgt
               disallow extracting any krbtgt from the kcm daemon.

       --detach
               detach from console

       -h, --help

       -k principal, --system-principal=principal
               system principal name

       -l time, --lifetime=time
               lifetime of system tickets

       -m mode, --mode=mode
               octal mode of system cache

       -n, --no-name-constraints
               disable credentials cache name constraints

       -r time, --renewable-life=time
               renewable lifetime of system tickets

       -s path, --socket-path=path
               path to kcm domain socket

       --door-path=path
               path to kcm door socket

       -S principal, --server=principal
               server to get system ticket for

       -t keytab, --keytab=keytab
               system keytab name

       -u user, --user=user
               system cache owner

       -v, --version

Debian                                            May 29, 2005                                            KCM(8)