krb5.conf(5) - NetBSD Manual Pages

KRB5.CONF(5)              NetBSD Programmer's Manual              KRB5.CONF(5)


NAME
/etc/krb5.conf - Configuration file for Kerberos 5
DESCRIPTION
The /etc/krb5.conf file specifies several configuration parameters for the Kerberos 5 library, as well as for some programs. The file consists of one or more sections, containing a number of bind- ings. The value of each binding can be either a string or a list of other bindings. The grammar looks like: file: /* empty */ sections sections: section sections section section: '[' section_name ']' bindings section_name: STRING bindings: binding bindings binding binding: name '=' STRING name '=' '{' bindings '}' name: STRING STRINGs consists of one or more non-white space characters. Currently recognised sections and bindings are: [libdefaults] default_realm = REALM Default realm to use, this is also known as your ``local realm''. The default is the result of krb5_get_host_realm(local hostname). clockskew = time Maximum time differential (in seconds) allowed when comparing times. Default is 300 seconds (five min- utes). kdc_timeout = time Maximum time to wait for a reply from the kdc, de- fault is 3 seconds. v4_name_convert v4_instance_resolve These are decribed in the krb5_425_conv_principal(3) manual page. capath = { destination-realm = next-hop-realm ... Normally, all requests to realms different from the one of the current client are sent to this KDC to get cross-realm tickets. If this KDC does not have a cross-realm key with the desired realm and the hierarchical path to that realm does not work, a path can be configured using this directive. The text shown above instructs the KDC to try to obtain a cross-realm ticket to next-hop-realm when the de- sired realm is destination-realm. This configura- tion should preferably be done on the KDC where it will help all its clients but can also be done on the client itself. } default_etypes = etypes... A list of default etypes to use. default_etypes_des = etypes... A list of default etypes to use when requesting a DES credential. default_keytab_name = keytab The keytab to use if none other is specified, de- fault is ``FILE:/etc/krb5.keytab''. kdc_timesync = boolean Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests. max_retries = number The max number of times to try to contact each KDC. ticket_lifetime = time Default ticket lifetime. renew_lifetime = time Default renewable ticket lifetime. forwardable = boolean When obtaining initial credentials, make the cre- dentials forwardable. This option is also valid in the [realms] section. proxiable = boolean When obtaining initial credentials, make the cre- dentials proxiable. This option is also valid in the [realms] section. verify_ap_req_nofail = boolean Enable to make a failure to verify obtained creden- tials non-fatal. This can be useful if there is no keytab on a host. warn_pwexpire = time How soon to warn for expiring password. Default is seven days. http_proxy = proxy-spec A HTTP-proxy to use when talking to the KDC via HTTP. dns_proxy = proxy-spec Enable using DNS via HTTP. extra_addresses = address... A list of addresses to get tickets for along with all local addresses. time_format = string How to print time strings in logs, this string is passed to strftime(3). date_format = string How to print date strings in logs, this string is passed to strftime(3). log_utc = boolean Write log-entries using UTC instead of your local time zone. srv_lookup = boolean Use DNS SRV records to lookup realm configuration information. srv_try_txt = boolean If a SRV lookup fails, try looking up the same info in a DNS TXT record. scan_interfaces = boolean Scan all network interfaces for addresses, as op- posed to simply using the address associated with the system's host name. fcache_version = int Use file credential cache format version specified. [domain_realm] This is a list of mappings from DNS domain to Kerberos realm. Each binding in this section looks like: domain = realm The domain can be either a full name of a host or a trailing component, in the latter case the domain-string should start with a perid. [realms] REALM = { kdc = host[:port] Specifies a list of kdcs for this realm. If the optional port is absent, the de- fault value for the ``kerberos/udp'' service will be used. The kdcs will be used in the order that they are speci- fied. admin_server = host[:port] Specifies the admin server for this realm, where all the modifications to the database are perfomed. kpasswd_server = host[:port] Points to the server where all the pass- word changes are perfomed. If there is no such entry, the kpasswd port on the admin_server host will be tried. v4_instance_convert v4_name_convert default_domain See krb5_425_conv_principal(3). } [logging] entity = destination Specifies that entity should use the specified destination for logging. See the krb5_openlog(3) manual page for a list of defined destinations. [kdc] database = { dbname = DATABASENAME use this database for this realm. realm = REALM specifies the realm that will be stored in this database. mkey_file = FILENAME use this keytab file for the master key of this database. If not specified DATABASENAME.mkey will be used. acl_file = PA FILENAME use this file for the ACL list of this database. log_file = FILENAME use this file as the log of changes per- formed to the database. This file is used by ipropd-master for propagating changes to slaves. } max-request = SIZE Maximum size of a kdc request. require-preauth = BOOL If set pre-authentication is required. Since krb4 requests are not pre-authenticated they will be re- jected. ports = list of ports list of ports the kdc should listen to. addresses = list of interfaces list of addresses the kdc should bind to. enable-kerberos4 = BOOL turn on kerberos4 support. v4-realm = REALM to what realm v4 requests should be mapped. enable-524 = BOOL should the Kerberos 524 converting facility be turned on. Default is same as enable-kerberos4. enable-http = BOOL should the kdc answer kdc-requests over http. enable-kaserver = BOOL if this kdc should emulate the AFS kaserver. check-ticket-addresses = BOOL verify the addresses in the tickets used in tgs re- quests. allow-null-ticket-addresses = BOOL allow addresses-less tickets. allow-anonymous = BOOL if the kdc is allowed to hand out anonymous tick- ets. encode_as_rep_as_tgs_rep = BOOL encode as-rep as tgs-rep tobe compatible with mis- takes older DCE secd did. kdc_warn_pwexpire = TIME the time before expiration that the user should be warned that her password is about to expire. logging = Logging What type of logging the kdc should use, see also [logging]/kdc. [kadmin] require-preauth = BOOL If pre-authentication is required to talk to the kadmin server. default_keys = keytypes... for each entry in default_keys try to parse it as a sequence of etype:salttype:salt syntax of this if something like: [(des|des3|etype):](pw-salt|afs3-salt)[:string] if etype is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyt- types are: v5 The kerberos 5 salt pw-salt v4 The kerberos 4 type des:pw-salt: use_v4_salt = BOOL When true, this is the same as default_keys = des3:pw-salt v4 and is only left for backwards compatability.
ENVIRONMENT
KRB5_CONFIG points to the configuration file to read.
EXAMPLE
[libdefaults] default_realm = FOO.SE [domain_realm] .foo.se = FOO.SE .bar.se = FOO.SE [realms] FOO.SE = { kdc = kerberos.foo.se v4_name_convert = { rcmd = host } v4_instance_convert = { xyz = xyz.bar.se } default_domain = foo.se } [logging] kdc = FILE:/var/heimdal/kdc.log kdc = SYSLOG:INFO default = SYSLOG:INFO:USER
DIAGNOSTICS
Since /etc/krb5.conf is read and parsed by the krb5 library, there is not a lot of opportunities for programs to report parsing errors in any use- ful format. To help overcome this problem, there is a program verify_krb5_conf that reads /etc/krb5.conf and tries to emit useful diag- nostics from parsing errors. Note that this program does not have any way of knowing what options are actually used and thus cannot warn about unknown or misspelt ones.
SEE ALSO
verify_krb5_conf(8), krb5_openlog(3), krb5_425_conv_principal(3), strftime(3), Source(tm) HEIMDAL April 11, 1999 6

Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.