What are kcm, kadmind, kdc, and kpasswdd?

You might see several Kerberos-related processes in Activity Monitor, especially if your Mac is part of a work network.

What are these processes?

They are all part of the Kerberos login system:

• kcm (Kerberos Credential Manager): Stores and manages Kerberos tickets in memory. It acts as a secure ticket store that several processes can share.
• kdc (Key Distribution Centre): The Kerberos server that hands out login tickets. On a Mac, this only runs if your Mac is acting as a Kerberos server (rare outside macOS Server).
• kadmind (Kerberos Administration daemon): Handles admin tasks for a Kerberos realm, such as creating accounts and changing policies. Only runs on Kerberos servers.
• kpasswdd (Kerberos Password daemon): Handles Kerberos password changes. Also only runs on Kerberos servers.

Which ones run on a normal Mac?

On a typical Mac, only kcm runs. It manages your Kerberos tickets when you log in to work services like Active Directory, file shares, or intranet sites.

kdc, kadmind, and kpasswdd only run if your Mac is set up as a Kerberos server, which is uncommon outside old macOS Server setups.

Do I need Kerberos?

If your Mac is part of a work network using Active Directory or another Kerberos-based system, yes. It handles single sign-on so you do not have to type your password for every network service.

If your Mac is not part of a work network, these processes are either idle or not running.

Should you worry?

No. These are standard login system parts. If you see kdc or kadmind running on a Mac that is not a server, it is worth looking into why. But kcm running on its own is perfectly normal.

Enjoyed this post?

Well, you could share the post with others, follow me with RSS Feeds and/or send me a comment via email.

Tags