KRB5.CONF(5)                UNIX Programmer's Manual                KRB5.CONF(5)

     krb5.conf - configuration file for Kerberos 5

SYNOPSIS

DESCRIPTION
     The krb5.conf file specifies several configuration parameters for the
     Kerberos 5 library, as well as for some programs.

     The file consists of one or more sections, containing a number of
     bindings.  The value of each binding can be either a string or a list
     of other bindings.  The grammar looks like:

           '[' section_name ']' bindings

           name '=' '{' bindings '}'

     STRINGs consist of one or more non-whitespace characters.

     STRINGs that are specified later in this man-page use the following
     notation:

           boolean  values can be either yes/true or no/false.

           time     values can be a list of year, month, day, hour, min,
                    second.  Example: 1 month 2 days 30 min.

           etype    valid encryption types are: des-cbc-crc, des-cbc-md4,
                    des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5,
                    aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.

           address  an address can be either an IPv4 or an IPv6 address.

     Currently recognised sections and bindings are:

     [appdefaults]
          Specifies the default values to be used for Kerberos applications.
          You can specify defaults per application, realm, or a combination
          of these.  The preference order is:

          1.   application realm option
          2.   application option
          3.   realm option
          4.   option

          The supported options are:

          forwardable = boolean
               When obtaining initial credentials, make the credentials
               forwardable.

          proxiable = boolean
               When obtaining initial credentials, make the credentials
               proxiable.

          no-addresses = boolean
               When obtaining initial credentials, request them for an empty
               set of addresses, making the tickets valid from any address.

          ticket_lifetime = time
               Default ticket lifetime.

          renew_lifetime = time
               Default renewable ticket lifetime.

          encrypt = boolean
               Use encryption, when available.

          forward = boolean
               Forward credentials to remote host (for rsh(1),
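     The following is an added example, not part of the manual page and not
     Heimdal's own parser: a small reader for the section/binding grammar
     above, together with a lookup that applies the [appdefaults] preference
     order (application realm option, application option, realm option, bare
     option).  The krb5.conf text it parses is constructed for the example.
     Two points are this example's own assumptions rather than statements of
     the manual: a STRING is taken as the rest of the line, so list values
     such as ``1 month 2 days'' keep their spaces, and when a name is bound
     more than once in the winning block the first value is returned.

```python
"""Parse the krb5.conf binding grammar and resolve [appdefaults] options
in the documented preference order.  Added example, not Heimdal code."""

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    ticket_lifetime = 10 hours

[appdefaults]
    forwardable = no
    EXAMPLE.ORG = {
        forwardable = yes
    }
    kinit = {
        forwardable = yes
        EXAMPLE.ORG = {
            forwardable = no
            ticket_lifetime = 1 day
        }
    }

[realms]
    EXAMPLE.ORG = {
        kdc = tcp/kdc1.example.org:88
        kdc = kdc2.example.org
    }
"""


def parse_krb5_conf(text):
    """Return {section_name: bindings}.  A bindings value is a dict mapping a
    name to the list of values bound to it, in file order; each value is a str
    (a STRING) or a nested bindings dict (name = { ... }).  Assumption: a STRING
    runs to end of line, so list values like "1 month 2 days" keep their spaces."""
    sections = {}
    stack = []  # open bindings dicts; stack[0] is the current section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: section header inside braces")
            if not line.endswith("]") or len(line) < 3:
                raise ValueError(f"line {lineno}: malformed section header {raw!r}")
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: binding before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"line {lineno}: expected name = value, got {raw!r}")
        values = stack[-1].setdefault(name, [])
        if value == "{":
            nested = {}          # name = { bindings }
            values.append(nested)
            stack.append(nested)
        else:
            values.append(value)  # name = STRING
    if len(stack) > 1:
        raise ValueError("unterminated '{' at end of file")
    return sections


def _strings(block, name):
    return [v for v in block.get(name, []) if isinstance(v, str)]


def _blocks(block, name):
    return [v for v in block.get(name, []) if isinstance(v, dict)]


def appdefault(conf, application, realm, option, default=None):
    """Look option up in [appdefaults] using the manual's preference order:
    1. application realm option, 2. application option, 3. realm option,
    4. option.  The first STRING found in the highest-ranked block wins."""
    app = conf.get("appdefaults", {})
    app_realm = [r for a in _blocks(app, application) for r in _blocks(a, realm)]
    for block in app_realm + _blocks(app, application) + _blocks(app, realm) + [app]:
        found = _strings(block, option)
        if found:
            return found[0]
    return default


def parse_boolean(value):
    """boolean notation from the manual: yes/true or no/false."""
    lowered = value.lower()
    if lowered in ("yes", "true"):
        return True
    if lowered in ("no", "false"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for app, realm in (("kinit", "EXAMPLE.ORG"), ("kinit", "OTHER.ORG"),
                       ("ssh", "EXAMPLE.ORG"), ("ssh", "OTHER.ORG")):
        print(app, realm, appdefault(conf, app, realm, "forwardable"))
```

     Run stand-alone, the script prints which forwardable setting each
     application/realm pair ends up with; the realm-specific block inside
     kinit overrides the application-wide one, and a bare option is the
     fallback only when nothing more specific matches.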
     [libdefaults]
          default_realm = REALM
               Default realm to use, this is also known as your ``local
               realm''.  The default is the result of
               krb5_get_host_realm(local hostname).

          clockskew = time
               Maximum time differential (in seconds) allowed when comparing
               times.  Default is 300 seconds (five minutes).

          kdc_timeout = time
               Maximum time to wait for a reply from the kdc, de-

               These are described in krb5_425_conv_principal(3).

          destination-realm = next-hop-realm
               This is deprecated, see the capaths section below.

          default_etypes = etypes ...
               A list of default encryption types to use.

          default_etypes_des = etypes ...
               A list of default encryption types to use when requesting a
               DES credential.

          default_keytab_name = keytab
               The keytab to use if no other is specified, default is
               ``FILE:/etc/krb5.keytab''.

          dns_lookup_kdc = boolean
               Use DNS SRV records to lookup KDC services location.

          dns_lookup_realm = boolean
               Use DNS TXT records to lookup domain to realm mappings.

          kdc_timesync = boolean
               Try to keep track of the time differential between the local
               machine and the KDC, and then compensate for that when
               issuing requests.

          max_retries = number
               The max number of times to try to contact each KDC.

          ticket_lifetime = time
               Default ticket lifetime.

          renew_lifetime = time
               Default renewable ticket lifetime.

          forwardable = boolean
               When obtaining initial credentials, make the credentials
               forwardable.  This option is also valid in the [realms]
               section.

          proxiable = boolean
               When obtaining initial credentials, make the credentials
               proxiable.  This option is also valid in the [realms]
               section.

          verify_ap_req_nofail = boolean
               If enabled, failure to verify credentials against a local key
               is a fatal error.  The application has to be able to read
               the corresponding service key for this to work.  Some
               applications, like su(1), enable this option unconditionally.

          warn_pwexpire = time
               How soon to warn for expiring password.  Default is

          http_proxy = proxy-spec
               An HTTP-proxy to use when talking to the KDC via

          dns_proxy = proxy-spec
               Enable using DNS via HTTP.

          extra_addresses = address ...
               A list of addresses to get tickets for along with

          time_format = string
               How to print time strings in logs, this string is passed to
               strftime(3).

          date_format = string
               How to print date strings in logs, this string is passed to
               strftime(3).

          log_utc = boolean
               Write log-entries using UTC instead of your local

          scan_interfaces = boolean
               Scan all network interfaces for addresses, as opposed to
               simply using the address associated with the system's host
               name.

          fcache_version = int
               Use file credential cache format version specified.

          krb4_get_tickets = boolean
               Also get Kerberos 4 tickets in kinit, login, and other
               programs.  This option is also valid in the [realms] section.

          fcc-mit-ticketflags = boolean
               Use MIT compatible format for file credential cache.  It is
               the ticketflags field that is stored in reverse bit order in
               versions older than Heimdal 0.7.  Setting this flag to TRUE
               makes it store the MIT way; this is the default for Heimdal
               0.7.
     [domain_realm]
          This is a list of mappings from DNS domain to Kerberos realm.  Each
          binding in this section looks like:

          The domain can be either a full name of a host or a trailing
          component; in the latter case the domain-string should start with
          a period.  The realm may be the token `dns_locate', in which case
          the actual realm will be determined using DNS (independently of
          the setting of the `dns_lookup_realm' option).
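     The lookup described above, as an added example that is not part of the
     manual page and not Heimdal's own code.  The bindings it consults are
     constructed.  The manual only says a domain is either a full host name
     or a trailing component starting with a period; that an exact host-name
     binding wins, that the longest matching trailing component wins among
     those, and that matching is case-insensitive are assumptions of this
     example.

```python
"""Resolve a host name to a Kerberos realm from [domain_realm] bindings.
Added example, not Heimdal code.  Assumptions: an exact host-name binding
wins over trailing-component bindings, the longest matching trailing
component wins among those, and comparison is case-insensitive."""

# Token the manual defines: the realm is to be determined using DNS.
DNS_LOCATE = "dns_locate"

# Constructed [domain_realm] bindings (not from any real deployment).
DOMAIN_REALM = {
    ".example.org": "EXAMPLE.ORG",
    ".lab.example.org": "LAB.EXAMPLE.ORG",
    "legacy.example.org": "OLD.EXAMPLE.ORG",
    ".partner.net": DNS_LOCATE,
}


def domain_to_realm(mappings, hostname):
    """Return the realm bound to hostname, DNS_LOCATE if the matching binding
    says to ask DNS, or None when no binding applies."""
    table = {k.lower(): v for k, v in mappings.items()}
    host = hostname.rstrip(".").lower()
    if host in table:                       # full host name binding
        return table[host]
    labels = host.split(".")
    # Trailing components start with a period; the host itself is never its
    # own trailing component, so start at the first label boundary and try
    # the longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def realm_source(mappings, hostname):
    """Classify where the realm for hostname comes from: ('config', realm)
    when the file pins it, ('dns', None) when the binding is dns_locate,
    ('unmapped', None) when nothing matches."""
    realm = domain_to_realm(mappings, hostname)
    if realm is None:
        return "unmapped", None
    if realm == DNS_LOCATE:
        return "dns", None
    return "config", realm


if __name__ == "__main__":
    for h in ("www.example.org", "host.lab.example.org",
              "legacy.example.org", "a.partner.net", "nothing.test"):
        print(h, realm_source(DOMAIN_REALM, h))
```

     A `dns_locate' binding hands the realm decision to DNS, which this
     library consults whether or not dns_lookup_realm is set; an explicit
     binding keeps the decision inside the configuration file, which is the
     choice to prefer for hosts whose realm must not depend on DNS answers.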
     [realms]
          REALM = {
               kdc = [service/]host[:port]
                    Specifies a list of kdcs for this realm.  If the
                    optional port is absent, the default value for the
                    ``kerberos/udp'', ``kerberos/tcp'', and ``http/tcp''
                    port (depending on service) will be used.  The kdcs
                    will be used in the order that

                    The optional service specifies over what medium the
                    kdc should be contacted.  Possible services are
                    ``udp'', ``tcp'', and ``http''.  Http can also be
                    written as ``http://''.  Default service is

               admin_server = host[:port]
                    Specifies the admin server for this realm, where all
                    the modifications to the database are performed.

               kpasswd_server = host[:port]
                    Points to the server where all the password changes
                    are performed.  If there is no such entry, the kpasswd
                    port on the admin_server host will be tried.

               krb524_server = host[:port]
                    Points to the server that does 524 conversions.  If it
                    is not mentioned, the krb524 port on the kdcs will be
                    tried.

                    See krb5_425_conv_principal(3).

                    a boolean variable that defaults to false.  Old DCE
                    secd (pre 1.1) might need this to be true.
          }
     [capaths]
          client-realm = {
               server-realm = hop-realm ...
                    This serves two purposes.  First, the first listed
                    hop-realm tells a client which realm it should contact
                    in order to ultimately obtain credentials for a service
                    in the server-realm.  Secondly, it tells the KDC (and
                    other servers) which realms are allowed in a multi-hop
                    traversal from client-realm to server-realm.  Except for
                    the client case, the order of the realms is not
                    important.
          }
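     The two uses of a capaths entry, as an added example that is not part
     of the manual page and not Heimdal's own code.  The table is
     constructed and the realm names are placeholders.  The manual does not
     say what happens when no path is configured; returning None in that
     case is this example's assumption.

```python
"""Apply a [capaths] table the two ways the manual describes: as a client,
find the first realm to contact; as a KDC or server, check that every realm
a request transited is on the allowed list.  Added example, not Heimdal code."""

# Constructed [capaths] data: client-realm -> server-realm -> hop-realm list.
CAPATHS = {
    "CLIENT.TEST": {
        "SERVER.TEST": ["HUB.TEST"],
        "FAR.TEST": ["HUB.TEST", "SERVER.TEST"],
    },
}


def first_hop(capaths, client_realm, server_realm):
    """Client side: the first listed hop-realm is the realm to contact in
    order to ultimately reach server_realm.  None means no path is
    configured (assumption: the caller decides what to do then)."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    return hops[0] if hops else None


def disallowed_transit(capaths, client_realm, server_realm, transited):
    """KDC/server side: return the realms in transited that are not among
    the configured hop-realms for this client/server pair (empty list means
    the traversal is allowed).  Order is not significant, as the manual says,
    so set comparison is enough."""
    allowed = set(capaths.get(client_realm, {}).get(server_realm, []))
    return sorted(set(transited) - allowed)


def transit_allowed(capaths, client_realm, server_realm, transited):
    """True when every transited realm is permitted for this pair."""
    return not disallowed_transit(capaths, client_realm, server_realm, transited)


if __name__ == "__main__":
    print(first_hop(CAPATHS, "CLIENT.TEST", "FAR.TEST"))
    print(disallowed_transit(CAPATHS, "CLIENT.TEST", "SERVER.TEST",
                             ["HUB.TEST", "ROGUE.TEST"]))
```

     On the server side the useful output is the list of realms that were
     not permitted, since that is what a log line for a rejected multi-hop
     request should name.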
     [logging]
          entity = destination
               Specifies that entity should use the specified destination
               for logging.  See the krb5_openlog(3) manual page for a list
               of defined destinations.
     [kdc]
          database = {
               dbname = DATABASENAME
                    Use this database for this realm.

               realm = REALM
                    Specifies the realm that will be stored

               mkey_file = FILENAME
                    Use this keytab file for the master key of this
                    database.  If not specified DATABASENAME.mkey will be
                    used.

               acl_file = FILENAME
                    Use this file for the ACL list of this

               log_file = FILENAME
                    Use this file as the log of changes performed to the
                    database.  This file is used by ipropd-master for
                    propagating
          }

          max-request = SIZE
               Maximum size of a kdc request.

          require-preauth = BOOL
               If set pre-authentication is required.  Since krb4 requests
               are not pre-authenticated they will be re-

          ports = list of ports
               List of ports the kdc should listen to.

          addresses = list of interfaces
               List of addresses the kdc should bind to.

          enable-kerberos4 = BOOL
               Turn on Kerberos 4 support.

          v4-realm = REALM
               To what realm v4 requests should be mapped.

          enable-524 = BOOL
               Should the Kerberos 524 converting facility be turned on.
               Default is same as enable-kerberos4.

          enable-http = BOOL
               Should the kdc answer kdc-requests over http.

          enable-kaserver = BOOL
               If this kdc should emulate the AFS kaserver.

          check-ticket-addresses = BOOL
               Verify the addresses in the tickets used in tgs requests.

          allow-null-ticket-addresses = BOOL
               Allow address-less tickets.

          allow-anonymous = BOOL
               If the kdc is allowed to hand out anonymous tickets.

          encode_as_rep_as_tgs_rep = BOOL
               Encode as-rep as tgs-rep to be compatible with mistakes older
               DCE secd did.

          kdc_warn_pwexpire = TIME
               The time before expiration that the user should be warned
               that her password is about to expire.

          logging = Logging
               What type of logging the kdc should use, see also

          use_2b = principal list
               List of principals to use AFS 2b tokens for.
     [kadmin]
          require-preauth = BOOL
               If pre-authentication is required to talk to the

          default_keys = keytypes...
               For each entry in default_keys try to parse it as a sequence
               of etype:salttype:salt syntax of this if

                    [(des|des3|etype):](pw-salt|afs3-salt)[:string]

               If etype is omitted it means everything, and if string is
               omitted it means the default salt string (for that principal
               and encryption type).  Additional special values of keytypes
               are:

               v5   The Kerberos 5 salt pw-salt

               v4   The Kerberos 4 salt des:pw-salt:

          use_v4_salt = BOOL
               When true, this is the same as

                    default_keys = des3:pw-salt v4

               and is only left for backwards compatibility.
ENVIRONMENT
     KRB5_CONFIG points to the configuration file to read.

FILES
     /etc/krb5.conf  configuration file for Kerberos 5.

EXAMPLES
          default_realm = FOO.SE

          kdc = kerberos.foo.se

          v4_instance_convert = {

          default_domain = foo.se

          kdc = FILE:/var/heimdal/kdc.log

          default = SYSLOG:INFO:USER

DIAGNOSTICS
     Since krb5.conf is read and parsed by the krb5 library, there are not a
     lot of opportunities for programs to report parsing errors in any useful
     format.  To help overcome this problem, there is a program
     verify_krb5_conf that reads krb5.conf and tries to emit useful
     diagnostics from parsing errors.  Note that this program does not have
     any way of knowing what options are actually used and thus cannot warn
     about unknown or misspelled ones.

SEE ALSO
     kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),

HEIMDAL                          March 9, 2004                                8