krb5.conf(5) - NetBSD Manual Pages

KRB5.CONF(5)              NetBSD Programmer's Manual              KRB5.CONF(5)


NAME
/etc/krb5.conf - Configuration file for Kerberos 5
DESCRIPTION
The /etc/krb5.conf file specifies several configuration parameters for the Kerberos 5 library, as well as for some programs.

The file consists of one or more sections, containing a number of bindings. The value of each binding can be either a string or a list of other bindings. The grammar looks like:

      file:
              /* empty */
              sections

      sections:
              section sections
              section

      section:
              '[' section_name ']' bindings

      section_name:
              STRING

      bindings:
              binding bindings
              binding

      binding:
              name '=' STRING
              name '=' '{' bindings '}'

      name:
              STRING

STRINGs consist of one or more non-white space characters. Currently recognised sections and bindings are:

[libdefaults]

      default_realm = REALM
              Default realm to use, this is also known as your ``local realm''. The default is the result of krb5_get_host_realm(local hostname).

      clockskew = time
              Maximum time differential (in seconds) allowed when comparing times. Default is 300 seconds (five minutes).

      kdc_timeout = time
              Maximum time to wait for a reply from the kdc, default is 3 seconds.

      v4_name_convert
      v4_instance_resolve
              These are described in the krb5_425_conv_principal(3) manual page.

      capath = realm-routing-table

      default_etypes = etypes...
              A list of default etypes to use.

      default_etypes_des = etypes...
              A list of default etypes to use when requesting a DES credential.

      default_keytab_name = keytab
              The keytab to use if none other is specified, default is ``FILE:/etc/krb5.keytab''.

      kdc_timesync = boolean
              Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests.

      max_retries = number
              The max number of times to try to contact each KDC.

      ticket_lifetime = time
              Default ticket lifetime.

      renew_lifetime = time
              Default renewable ticket lifetime.

      verify_ap_req_nofail = boolean
              Enable to make a failure to verify obtained credentials non-fatal. This can be useful if there is no keytab on a host.

      warn_pwexpire = time
              How soon to warn about an expiring password. Default is seven days.

      http_proxy = proxy-spec
              An HTTP proxy to use when talking to the KDC via HTTP.

      dns_proxy = proxy-spec
              Enable using DNS via HTTP.

      extra_addresses = address...
              A list of addresses to get tickets for along with all local addresses.

      time_format = string
              How to print time strings in logs, this string is passed to strftime(3).

      log_utc = boolean
              Write log-entries using UTC instead of your local time zone.

[domain_realm]
      This is a list of mappings from DNS domain to Kerberos realm. Each binding in this section looks like:

              domain = realm

      The domain can be either a full name of a host or a trailing component, in the latter case the domain-string should start with a period.

[realms]

      REALM = {

              kdc = host[:port]
                      Specifies a kdc for this realm. If the optional port is absent, the default value for the ``kerberos/udp'' service will be used.

              v4_instance_convert
              v4_name_convert
              default_domain
                      See krb5_425_conv_principal(3).

      }

[logging]

      entity = destination
              Specifies that entity should use the specified destination for logging. See the krb5_openlog(3) manual page for a list of defined destinations.
ENVIRONMENT
KRB5_CONFIG points to the configuration file to read.
EXAMPLE
      [libdefaults]
              default_realm = FOO.SE
      [domain_realm]
              .foo.se = FOO.SE
              .bar.se = FOO.SE
      [realms]
              FOO.SE = {
                      kdc = kerberos.foo.se
                      v4_name_convert = {
                              rcmd = host
                      }
                      v4_instance_convert = {
                              xyz = xyz.bar.se
                      }
                      default_domain = foo.se
              }
      [logging]
              kdc = FILE:/var/heimdal/kdc.log
              kdc = SYSLOG:INFO
              default = SYSLOG:INFO:USER
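
The grammar and the [libdefaults] bindings described above, as an added example that is not part of this manual page or of Heimdal: a Python parser for sections and nested bindings, plus a small audit of three security-relevant values. The line-oriented reading of the grammar, the `#` and `;` comment markers, the yes/true boolean spelling, plain-integer clockskew values, and using the first of repeated bindings are assumptions; SAMPLE is constructed.

```python
# Constructed sample (not from a real host); the weak values are deliberate.
SAMPLE = """\
[libdefaults]
    clockskew = 900
    verify_ap_req_nofail = yes
    default_etypes = des-cbc-crc des3-cbc-sha1
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        kdc = kerberos-2.foo.se:88
    }
"""

def parse(text):
    """Parse sections and nested bindings into dicts of value lists."""
    root, stack = {}, []      # stack[-1] is the innermost open binding list
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # assumption: comment markers
            continue
        if line[0] == "[" and line[-1] == "]":
            if len(stack) > 1:
                raise ValueError(f"line {n}: '{{' still open at section header")
            stack = [root.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {n}: unmatched '}}'")
            stack.pop()
        else:
            name, sep, value = (p.strip() for p in line.partition("="))
            if not (stack and sep and name and value):
                raise ValueError(f"line {n}: expected 'name = value' in a section")
            child = {} if value == "{" else value
            stack[-1].setdefault(name, []).append(child)
            if value == "{":
                stack.append(child)
    if len(stack) > 1:
        raise ValueError("'{' still open at end of file")
    return root

def audit(conf):
    """Name [libdefaults] bindings that relax verification, skew or etypes."""
    lib = {k: v[0] for k, v in conf.get("libdefaults", {}).items()}  # first wins: assumption
    checks = {
        "verify_ap_req_nofail": lambda v: v.lower() in ("yes", "true"),  # spelling: assumption
        "clockskew": lambda v: int(v) > 300,          # page default: 300 seconds
        "default_etypes": lambda v: any(e.startswith("des-") for e in v.split()),
    }
    return [k for k, weak in checks.items() if k in lib and weak(lib[k])]
```

Repeated bindings such as the two kdc lines are kept in order as a list, and a brace left open or closed without a match raises ValueError with the line number.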
SEE ALSO
verify_krb5_conf(8), krb5_openlog(3), krb5_425_conv_principal(3), strftime(3), Source(tm)

HEIMDAL                         April 11, 1999