krb5.conf(5) - NetBSD Manual Pages
KRB5.CONF(5) NetBSD Programmer's Manual KRB5.CONF(5)
NAME
/etc/krb5.conf - Configuration file for Kerberos 5
DESCRIPTION
The /etc/krb5.conf file specifies several configuration parameters for
the Kerberos 5 library, as well as for some programs.
The file consists of one or more sections, containing a number of
bindings. The value of each binding can be either a string or a list of
other bindings. The grammar looks like:
    file:
        /* empty */
        sections
    sections:
        section sections
        section
    section:
        '[' section_name ']' bindings
    section_name:
        STRING
    bindings:
        binding bindings
        binding
    binding:
        name '=' STRING
        name '=' '{' bindings '}'
    name:
        STRING
STRINGs consist of one or more non-white space characters. Currently
recognised sections and bindings are:
[libdefaults]
    default_realm = REALM
        Default realm to use; this is also known as your
        ``local realm''. The default is the result of
        krb5_get_host_realm(local hostname).
    clockskew = time
        Maximum time differential (in seconds) allowed when
        comparing times. Default is 300 seconds (five minutes).
    kdc_timeout = time
        Maximum time to wait for a reply from the KDC. Default
        is 3 seconds.
    v4_name_convert
    v4_instance_resolve
        These are described in the
        krb5_425_conv_principal(3) manual page.
    capath = realm-routing-table
    default_etypes = etypes...
        A list of default etypes to use.
    default_etypes_des = etypes...
        A list of default etypes to use when requesting a
        DES credential.
    default_keytab_name = keytab
        The keytab to use if none other is specified. Default
        is ``FILE:/etc/krb5.keytab''.
    kdc_timesync = boolean
        Try to keep track of the time differential between
        the local machine and the KDC, and then compensate
        for that when issuing requests.
    max_retries = number
        The maximum number of times to try to contact each KDC.
    ticket_lifetime = time
        Default ticket lifetime.
    renew_lifetime = time
        Default renewable ticket lifetime.
    verify_ap_req_nofail = boolean
        Enable to make a failure to verify obtained credentials
        non-fatal. This can be useful if there is no
        keytab on a host.
    warn_pwexpire = time
        How soon to warn about an expiring password. Default is
        seven days.
    http_proxy = proxy-spec
        An HTTP proxy to use when talking to the KDC via
        HTTP.
    dns_proxy = proxy-spec
        Enable using DNS via HTTP.
    extra_addresses = address...
        A list of addresses to get tickets for along with
        all local addresses.
    time_format = string
        How to print time strings in logs; this string is
        passed to strftime(3).
    log_utc = boolean
        Write log entries using UTC instead of your local
        time zone.
[domain_realm]
    This is a list of mappings from DNS domain to Kerberos realm.
    Each binding in this section looks like:
        domain = realm
    The domain can be either the full name of a host or a trailing
    component; in the latter case the domain string should start
    with a period.
[realms]
    REALM = {
        kdc = host[:port]
            Specifies a kdc for this realm. If the
            optional port is absent, the default
            value for the ``kerberos/udp'' service
            will be used.
        v4_instance_convert
        v4_name_convert
        default_domain
            See krb5_425_conv_principal(3).
    }
[logging]
    entity = destination
        Specifies that entity should use the specified
        destination for logging. See the krb5_openlog(3)
        manual page for a list of defined destinations.
ENVIRONMENT
KRB5_CONFIG points to the configuration file to read.
EXAMPLE
    [libdefaults]
        default_realm = FOO.SE
    [domain_realm]
        .foo.se = FOO.SE
        .bar.se = FOO.SE
    [realms]
        FOO.SE = {
            kdc = kerberos.foo.se
            v4_name_convert = {
                rcmd = host
            }
            v4_instance_convert = {
                xyz = xyz.bar.se
            }
            default_domain = foo.se
        }
    [logging]
        kdc = FILE:/var/heimdal/kdc.log
        kdc = SYSLOG:INFO
        default = SYSLOG:INFO:USER
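
A small checker for the grammar and section list above, as an added example (not part of this manual page or of Heimdal, and not verify_krb5_conf(8)): it parses a file into sections and nested bindings, then reports section names this page does not list and an enabled verify_ap_req_nofail. The line-by-line reading of the grammar, the function names and the `yes`/`true` boolean spellings are assumptions of this example.

```python
import re

KNOWN_SECTIONS = {"libdefaults", "domain_realm", "realms", "logging"}  # listed on this page

def parse_krb5_conf(text):
    """Return {section: [(name, value), ...]}; a value is a str or a nested list."""
    sections, stack = {}, []  # stack[-1] is the binding list currently being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if (header and len(stack) > 1) or (line == "}" and len(stack) < 2):
            raise ValueError(f"line {lineno}: unbalanced braces")
        if header:
            stack = [sections.setdefault(header.group(1), [])]
        elif line == "}":
            stack.pop()
        else:
            name, eq, value = (part.strip() for part in line.partition("="))
            if not (stack and name and eq and value):
                raise ValueError(f"line {lineno}: expected name = value")
            value = [] if value == "{" else value  # '{' opens a nested binding list
            stack[-1].append((name, value))
            if isinstance(value, list):
                stack.append(value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return sections

def audit(sections):
    """Checks chosen for this example; the boolean spellings are an assumption."""
    findings = [f"unknown section [{s}]" for s in sections if s not in KNOWN_SECTIONS]
    lib = dict(b for b in sections.get("libdefaults", []) if isinstance(b[1], str))
    if lib.get("verify_ap_req_nofail", "").lower() in ("yes", "true"):
        findings.append("verify_ap_req_nofail is enabled in [libdefaults]")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE = """\
[lib_defaults]
default_realm = FOO.SE
[libdefaults]
verify_ap_req_nofail = yes
[realms]
FOO.SE = {
kdc = kerberos.foo.se
}
"""
```

Calling `audit(parse_krb5_conf(SAMPLE))` returns one finding for the misspelled `[lib_defaults]` section and one for the enabled `verify_ap_req_nofail`.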
SEE ALSO
verify_krb5_conf(8), krb5_openlog(3), krb5_425_conv_principal(3),
strftime(3), Source(tm)
HEIMDAL April 11, 1999 3