
4.6 Remote administration

The administration server, kadmind, can be started by inetd (which isn't recommended) or run as a normal daemon. If you want to start it from inetd you should add a line similar to the one below to your /etc/inetd.conf.

     kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmind

You might need to add `kerberos-adm' to your /etc/services as `749/tcp'.

Access to the administration server is controlled by an ACL file (default /var/heimdal/kadmind.acl). Each line of the file has the following syntax:

     principal       [priv1,priv2,...]       [glob-pattern]

Lines are tried from top to bottom. A line applies when its principal is the principal making the request and, if a glob-pattern is given, the pattern matches the principal the operation is performed on. The first line that applies decides the access rights; lines whose pattern does not match the target are skipped, so one principal may appear on several lines with different patterns.

The privileges you can assign to a principal are: `add', `change-password' (or `cpw' for short), `delete', `get', `list', and `modify', or the special privilege `all'. All of these roughly correspond to the different commands in kadmin.

If a glob-pattern is given on a line, it restricts the access rights on that line to operations whose target principal matches the pattern. The patterns are of the same type as those used in shell globbing, see fnmatch(3).

In the example below `lha/admin' can change every principal in the database. `jimmy/admin' can only modify principals that belong to the realm `E.KTH.SE'; two lines are needed because `*' does not match across a `/', so `*@E.KTH.SE' covers single-component principals and `*/*@E.KTH.SE' covers two-component ones. `mille/admin' is working at the help desk, so he should only be able to change the passwords of single-component principals (ordinary users). He will not be able to change any `/admin' principal.

     lha/admin@E.KTH.SE	all
     jimmy/admin@E.KTH.SE	all		*@E.KTH.SE
     jimmy/admin@E.KTH.SE	all		*/*@E.KTH.SE
     mille/admin@E.KTH.SE	change-password	*@E.KTH.SE
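The following is an added example, not part of the Heimdal documentation or source: a small offline checker that re-implements the matching rules described above (lines tried top to bottom; the first line whose principal matches, and whose glob pattern, if any, matches the target, decides) so a kadmind.acl can be reviewed before it is installed. It assumes whitespace-separated fields, `#' comments, the privilege names listed in the text, and that `*' and `?' in a pattern do not cross a `/' (the page's own example requires this, otherwise `mille/admin' could change `lha/admin'). The sample ACL in the block is constructed for the example. Confirm the `/' behaviour against your running kadmind (for instance by trying `cpw' on a two-component principal as the help-desk admin) before relying on the model.

```python
"""Offline checker for a Heimdal kadmind.acl file (added example, not
Heimdal's own code).  Re-implements the matching rules described in the
text: lines are tried top to bottom, and the first line whose principal
matches and whose glob pattern (if any) matches the target decides.

Assumptions: fields are whitespace separated, '#' starts a comment, the
privilege names are those listed in the text, and '*' / '?' in a pattern
never cross a '/' component boundary (as the text's example requires).
"""
import re

PRIVILEGES = frozenset({"add", "change-password", "delete", "get", "list", "modify"})
ALIASES = {"cpw": "change-password"}

# Constructed for this example; mirrors the ACL shown in the text.
SAMPLE_ACL = """\
lha/admin@E.KTH.SE      all
jimmy/admin@E.KTH.SE    all             *@E.KTH.SE
jimmy/admin@E.KTH.SE    all             */*@E.KTH.SE
mille/admin@E.KTH.SE    change-password *@E.KTH.SE
"""


def glob_to_regex(pattern):
    """Translate a glob whose '*' and '?' stop at '/' into an anchored regex."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def parse_privs(field, lineno):
    """Expand 'all' and the 'cpw' alias; reject unknown privilege names."""
    privs = set()
    for p in field.split(","):
        p = ALIASES.get(p, p)
        if p == "all":
            privs |= PRIVILEGES
        elif p in PRIVILEGES:
            privs.add(p)
        else:
            raise ValueError("line %d: unknown privilege %r" % (lineno, p))
    return privs


def parse_acl(text):
    """Return [(principal, privs, compiled pattern or None)] in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 3:
            raise ValueError("line %d: expected at most 3 fields" % lineno)
        principal = fields[0]
        privs = parse_privs(fields[1], lineno) if len(fields) > 1 else set()
        pattern = glob_to_regex(fields[2]) if len(fields) == 3 else None
        entries.append((principal, privs, pattern))
    return entries


def permitted(entries, admin, priv, target=None):
    """Does `admin` hold `priv` over `target`?  First applicable line decides."""
    priv = ALIASES.get(priv, priv)
    for principal, privs, pattern in entries:
        if principal != admin:
            continue
        if pattern is not None and (target is None or not pattern.match(target)):
            continue  # pattern line does not apply; a later line still may
        return priv in privs
    return False  # no applicable line: no rights


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for admin, priv, target in [
        ("lha/admin@E.KTH.SE", "delete", "host/x@OTHER.REALM"),
        ("jimmy/admin@E.KTH.SE", "modify", "host/x@E.KTH.SE"),
        ("jimmy/admin@E.KTH.SE", "modify", "host/x@OTHER.REALM"),
        ("mille/admin@E.KTH.SE", "cpw", "alice@E.KTH.SE"),
        ("mille/admin@E.KTH.SE", "cpw", "lha/admin@E.KTH.SE"),
        ("mille/admin@E.KTH.SE", "delete", "alice@E.KTH.SE"),
    ]:
        print(admin, priv, target, "->", permitted(acl, admin, priv, target))
```

Run it with the ACL you intend to deploy pasted into SAMPLE_ACL (or read from the file) and a list of the operations each admin must and must not be able to perform; a surprising True is a cheaper finding here than after the file is live on the KDC.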