admind(1M)

NAME

admind − distributed system administration daemon

SYNOPSIS

admind [ −c keywords ] [ −i secs ] [ −l [ logfile ] ] [ −O OW_path_name ]

[ −S security_level ] [ −v ]

AVAILABILITY

SUNWadmfw

DESCRIPTION

admind is the daemon used by system administration tools, such as Administration Tool and ttyhstmgr, to perform distributed system administration operations. 

The admind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.  The admind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle time is specified with the −i command line option.  The admind daemon may be started independently from the command line, for example, at system boot time. In this case, the −i option has no effect; admind continues to run, even if there are no active requests. 

The admind daemon process can be configured to write tracing information into a log file by specifying the −c and −l command line options.  The −c option specifies a comma-separated list of keywords indicating the types of information to be logged. The following keywords may be useful to you as an administrator:

System-Info Includes messages about when the admind daemon was started and stopped. 

Requests Includes messages about which operations admind invoked and when. 

Errors Includes messages about errors that occurred during the daemon execution. 

* Includes all possible log messages. 

The −l option enables logging and optionally specifies the path and file name of the log file.  If no log file is specified, the default log file /var/adm/admin.log is used. 

OPTIONS

The following command line options may be useful to you as an administrator when starting the admind daemon:

−c keywords Specify the types of information to be logged as a comma-separated list of keywords.  The default is to log all types of messages. 

−i secs Specify the number of seconds for admind to stay up after the last request is completed. The default is 15 minutes (900 seconds). If secs is 0 or over 10,000,000, admind stays up forever.  −i only applies when admind is started by the inetd daemon.  You may want admind to run permanently (or for extended durations) on systems that are frequently administered by applications using admind (for example, a server managed through Host Manager) to improve application performance. 

−l[logfile] Enable logging and optionally define the path name to the distributed system administration log file. The default log file is:

/var/adm/admin.log

−O OW_path_name
Define the path name to the OpenWindows home directory.  If this option is not specified, the admind daemon will use the OpenWindows home directory defined in the OPENWINHOME environment variable, if defined; the home directory specified in the /etc/OPENWINHOME file, if it exists; or the default directory /usr/openwin.  When the admind daemon is started by the inetd daemon, the environment variable OPENWINHOME is typically not defined.  If the OpenWindows home directory is not one of the path names specified (/usr/openwin or in the file /etc/OPENWINHOME), the −O option must be added to the admind entry in the inetd.conf(4) configuration file. 

−S security_level Define the level of security to be used by the admind daemon when checking a client’s right to perform an operation on the server system.  Security level specifies the authentication mechanism used to provide and check the client’s identity.  The client’s identity must be authenticated by the specified mechanism for admind to accept his or her request.  The system-wide authentication requirements set by the security level may take precedence over any operation-specific requirements.  Consequently, the security level can be used system-wide to ensure that all operations meet minimum authentication requirements, regardless of the requirements assigned specifically to an operation.  In addition, the security level determines whether admind will perform authorization access control checking. 

Security level may be one of the following:

0 Set authentication type to NONE.  All clients’ user and group identities are set to the nobody identity by admind (see SunOS 5.2 Administering Security, Performance, and Accounting).  If access is granted to nobody, admind executes the operation.  Use this level only for testing. 

1 Set authentication type to WEAK.  Clients’ user and group identities are set by admind from their authentication credentials. Client identities are accepted by admind when they have satisfied either AUTH_SYS or AUTH_DES authentication mechanisms.  The authenticated client identity is checked by admind for authorization to execute the operation.  If an operation calls for a stronger security level, admind demotes the user identity to nobody, and then checks whether nobody is authorized to execute the operation.  Since AUTH_SYS client credentials are easily forged, this level should be used only in relatively secure environments.  No check is done that the user ID of the client represents the same user on the server system as on the client system.  It is assumed that user and group identities are set up consistently on the network.  This security level is the default. 

2 Set authentication type to STRONG.  Clients’ user and group identities are set by admind from their authentication credential mappings (effectively, user and group IDs from netid.byname for NIS, or cred table for NIS+).  Client identities are accepted by admind only when they have satisfied the AUTH_DES authentication mechanism.  The admind daemon checks whether the client identity is authorized to execute the operation.  This level provides the most secure environment for executing distributed administration operations.  It overrides any weaker level specific to an operation.  A DES credential must exist for the host running the admind daemon and all administration client user identities. 

−v Enable the writing of log messages to the system logger, syslogd.  Messages logged include fatal errors encountered while attempting to start the admind daemon process and those specified by the −c trace message keywords. 

EXAMPLES

By default, the line in /etc/inetd.conf that starts admind appears as follows:

100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind

To make a network as secure as possible, change the line to:

100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind −S 2

To minimize delays due to starting up admind, change the line to include the −i option:

100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind −i 86400

In this example, the duration that admind remains up after the last operation request was completed is extended to 24 hours (86,400 seconds). Extending the timeout period may enhance performance on servers and workstations that frequently run or are administered by applications that use the admind daemon (for example, ttyhstmgr, or Administration Tool applications such as Printer Manager). 
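The three inetd.conf lines above differ only in the flags after the server name, and the defaults when a flag is absent (−S 1, −i 900) are easy to overlook. The following script is an added example, not part of admind(1M) or of the SUNWadmfw package: it reads an inetd.conf file, finds the active admind entry by its RPC program number 100087, and reports the effective security level and idle timeout, warning when the level is weaker than STRONG. The sample inetd.conf fragments it writes to a temporary directory are constructed for the demonstration; the function names (admind_entry, admind_option, admind_audit and so on) are the example's own.

```shell
#!/bin/sh
# Added example, not part of admind(1M): audit the admind entry in an
# inetd.conf file and report the security level and idle timeout that its
# flags select. Values and defaults follow the man page:
#   -S 0  NONE    every client becomes nobody; testing only
#   -S 1  WEAK    AUTH_SYS or AUTH_DES accepted; the default when -S is absent
#   -S 2  STRONG  AUTH_DES only
#   -i secs       idle seconds after the last request; default 900
# Real config files use an ASCII "-"; the typeset man page shows it as "−".

# Print the active (uncommented) admind line(s) from inetd.conf file $1.
# The entry is recognised by RPC program 100087 in field 1 and the
# /usr/sbin/admind server path in field 6.
admind_entry() {
    awk '$1 !~ /^#/ && $1 ~ /^100087\// && $6 ~ /\/admind$/' "$1"
}

# Value following option $2 on the admind line of file $1 (empty if absent).
# Server arguments begin at field 8; field 7 is argv[0] ("admind").
admind_option() {
    admind_entry "$1" | awk -v opt="$2" '{
        for (i = 8; i < NF; i++) if ($i == opt) print $(i + 1) }' | tail -n 1
}

# Effective -S level: 1 (WEAK) when the option is not given.
admind_security_level() {
    level=$(admind_option "$1" -S)
    echo "${level:-1}"
}

# Effective -i idle timeout in seconds: 900 when the option is not given.
admind_idle_secs() {
    secs=$(admind_option "$1" -i)
    echo "${secs:-900}"
}

# Name of a numeric security level as the man page spells it.
admind_level_name() {
    case "$1" in
        0) echo NONE ;;
        1) echo WEAK ;;
        2) echo STRONG ;;
        *) echo UNKNOWN ;;
    esac
}

# Report on file $1. Exit status: 0 = STRONG, 1 = weaker than STRONG,
# 2 = no active admind entry or an unrecognised level.
admind_audit() {
    f=$1
    if [ -z "$(admind_entry "$f")" ]; then
        echo "$f: no active admind entry (RPC 100087)"
        return 2
    fi
    level=$(admind_security_level "$f")
    secs=$(admind_idle_secs "$f")
    echo "$f: -S $level ($(admind_level_name "$level")), idle timeout ${secs}s"
    case "$level" in
        2)   return 0 ;;
        0|1) echo "$f: WARNING: level $level is weaker than STRONG (AUTH_DES only); add -S 2"
             return 1 ;;
        *)   echo "$f: WARNING: unrecognised -S value '$level'"
             return 2 ;;
    esac
}

# Constructed sample inetd.conf fragments (not copied from any real system).
tmpdir=${TMPDIR:-/tmp}/admind-audit.$$
mkdir -p "$tmpdir"
ADMIND_DEFAULT_CONF=$tmpdir/default.conf    # entry as shipped: no -S, no -i
ADMIND_HARDENED_CONF=$tmpdir/hardened.conf  # the man page's two changes combined
ADMIND_DISABLED_CONF=$tmpdir/disabled.conf  # entry commented out

cat > "$ADMIND_DEFAULT_CONF" <<'EOF'
# constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind
EOF
cat > "$ADMIND_HARDENED_CONF" <<'EOF'
# constructed sample
100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind -S 2 -i 86400
EOF
cat > "$ADMIND_DISABLED_CONF" <<'EOF'
# constructed sample
#100087/10        tli     rpc/udp    wait root /usr/sbin/admind admind
EOF

# Run against the samples; on a live system: admind_audit /etc/inetd.conf
for f in "$ADMIND_DEFAULT_CONF" "$ADMIND_HARDENED_CONF" "$ADMIND_DISABLED_CONF"; do
    admind_audit "$f" || :
done
```

Because the default level is 1 (WEAK), an entry with no −S flag at all is reported as accepting AUTH_SYS credentials, which is the case the man page warns are easily forged; only an explicit −S 2 passes the audit.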

FILES

/var/adm/admin.log
distributed system administration default log file

/etc/inetd.conf
internet servers database file

SEE ALSO

admintool(1M), inetd(1M), rpcbind(1M), sysidtool(1M), ttyhstmgr(1M), inetd.conf(4)

Security, Performance, and Accounting Administration
File System Administration

NOTES

Whenever inetd fails to start admind, re-register the RPC number for admind, 100087, with rpcbind by sending the inetd process a SIGHUP signal:

example% kill −HUP pid
or
example% kill −1 pid

Sometimes inetd does not start admind in response to system administration requests, even though the inetd.conf file has the correct entry for the admind daemon.  This can happen when admind is started manually from the command line and takes over the previous registration of the admind RPC number, 100087, by inetd. When the manually-started admind daemon is terminated, the admind RPC number, 100087, is de-registered with rpcbind.  Consequently, system administration requests are ignored by inetd. 
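Both failure modes in this section end the same way: program number 100087 is no longer registered with rpcbind, so inetd never sees the request. The script below is an added example, not part of admind(1M): it decides from saved `rpcinfo -p` output whether 100087 is registered and, if not, points at the SIGHUP remedy given above. The rpcinfo output it writes is constructed for the demonstration (the service column is simply left blank for 100087 in the sample), and the function names admind_registered and admind_check are the example's own.

```shell
#!/bin/sh
# Added example, not part of admind(1M): decide from `rpcinfo -p` output
# whether admind's RPC program number, 100087, is registered with rpcbind.
# The inetd.conf entry shown in admind(1M) registers version 10 over udp.

# Return 0 if program 100087 over udp appears in the rpcinfo -p output
# saved in file $1, 1 otherwise. rpcinfo -p prints one registration per
# line as: program vers proto port [service].
admind_registered() {
    awk 'BEGIN { missing = 1 }
         $1 == "100087" && $3 == "udp" { missing = 0 }
         END { exit missing }' "$1"
}

# Report on file $1 and name the man page's remedy when the number is
# absent (a SIGHUP makes inetd re-register the entries in inetd.conf).
admind_check() {
    if admind_registered "$1"; then
        echo "admind (100087/udp) is registered with rpcbind"
        return 0
    fi
    echo "admind (100087/udp) is not registered; send inetd a SIGHUP: kill -HUP <inetd pid>"
    return 1
}

# Constructed sample output (not captured from a real host); the service
# column is left blank for 100087 in this sample.
tmpdir=${TMPDIR:-/tmp}/admind-rpc.$$
mkdir -p "$tmpdir"
RPCINFO_WITH_ADMIND=$tmpdir/with.txt
RPCINFO_WITHOUT_ADMIND=$tmpdir/without.txt
cat > "$RPCINFO_WITH_ADMIND" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100087   10   udp  32771
EOF
cat > "$RPCINFO_WITHOUT_ADMIND" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
EOF

# On a live host: rpcinfo -p > "$tmpdir/live.txt" && admind_check "$tmpdir/live.txt"
admind_check "$RPCINFO_WITH_ADMIND" || :
admind_check "$RPCINFO_WITHOUT_ADMIND" || :
```

Running the check before and after the `kill −HUP` confirms that the registration actually came back; a manually started admind that is still running will keep the number registered, which is the situation the note describes.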

SunOS 5.4  —  Last change: 11 May 1993
