KRB5.CONF(5)               UNIX Programmer's Manual               KRB5.CONF(5)

NAME
     krb5.conf - configuration file for Kerberos 5

SYNOPSIS

DESCRIPTION
     The krb5.conf file specifies several configuration parameters for the
     Kerberos 5 library, as well as for some programs.

     The file consists of one or more sections, containing a number of
     bindings.  The value of each binding can be either a string or a list of
     other bindings.  The grammar looks like:

           file:
                   /* empty */
                   sections

           sections:
                   section sections
                   section

           section:
                   '[' section_name ']' bindings

           section_name:
                   STRING

           bindings:
                   binding bindings
                   binding

           binding:
                   name '=' STRING
                   name '=' '{' bindings '}'

           name:
                   STRING

     STRINGs consist of one or more non-whitespace characters.

     STRINGs that are specified later in this man page use the following
     notation.

           boolean
                values can be either yes/true or no/false.

           time
                values can be a list of year, month, day, hour, min, second.
                Example: 1 month 2 days 30 min.

           etypes
                valid encryption types are: des-cbc-crc, des-cbc-md4,
                des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5,
                aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.

           address
                an address can be either an IPv4 or an IPv6 address.
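The following is an added example written for this page, not Heimdal's own configuration parser: a small recursive parser for the grammar above (sections, bindings, nested `{ }` blocks, repeated names) together with a converter for the time notation.  Parse errors carry the offending line number, which is the kind of diagnostic the DIAGNOSTICS section notes programs normally cannot give.  Two choices are this example's own: the whole remainder of a line is taken as the STRING so that space-separated lists such as `default_etypes = a b c` stay one value, and a month is counted as 30 days and a year as 365 days, since the page does not define those lengths.  The sample input is the EXAMPLES configuration from this page, shortened.

```python
import re
from typing import Dict, List, Tuple, Union

# A binding value is a STRING or a nested set of bindings.  A name may be
# bound more than once in a section (several "kdc =" lines, for instance),
# so each name maps to the list of its values in file order.
Bindings = Dict[str, List[Union[str, "Bindings"]]]

_SECTION_RE = re.compile(r"^\[([^\]\s]+)\]$")
_BINDING_RE = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")

def parse_krb5_conf(text: str) -> Dict[str, Bindings]:
    """Return {section_name: bindings}; raise ValueError with a line number."""
    lines = [ln.strip() for ln in text.splitlines()]
    sections: Dict[str, Bindings] = {}
    pos = 0
    while pos < len(lines):
        if not lines[pos]:
            pos += 1
            continue
        m = _SECTION_RE.match(lines[pos])
        if not m:
            raise ValueError(f"line {pos + 1}: expected '[section]', got {lines[pos]!r}")
        bindings, pos = _parse_bindings(lines, pos + 1, nested=False)
        target = sections.setdefault(m.group(1), {})  # a section may repeat
        for name, values in bindings.items():
            target.setdefault(name, []).extend(values)
    return sections

def _parse_bindings(lines: List[str], pos: int, nested: bool) -> Tuple[Bindings, int]:
    """Parse bindings from lines[pos].  A nested block ends at a '}' line, a
    top-level one at the next '[section]' header or at end of input."""
    bindings: Bindings = {}
    while pos < len(lines):
        line = lines[pos]
        if not line:
            pos += 1
            continue
        if line == "}":
            if not nested:
                raise ValueError(f"line {pos + 1}: '}}' without a matching '{{'")
            return bindings, pos + 1
        if line.startswith("["):
            if nested:
                raise ValueError(f"line {pos + 1}: section header inside '{{ ... }}'")
            return bindings, pos
        m = _BINDING_RE.match(line)
        if not m or not m.group(2).strip():
            raise ValueError(f"line {pos + 1}: expected 'name = value', got {line!r}")
        name, value = m.group(1), m.group(2).strip()
        if value == "{":
            value, pos = _parse_bindings(lines, pos + 1, nested=True)
        else:
            pos += 1  # the rest of the line is the STRING value
        bindings.setdefault(name, []).append(value)
    if nested:
        raise ValueError("end of input inside '{ ... }'")
    return bindings, pos

# Seconds per unit.  Month = 30 days and year = 365 days are this example's
# assumption; the manual page does not define them.
_UNIT_SECONDS = {"year": 365 * 86400, "month": 30 * 86400, "week": 7 * 86400,
                 "day": 86400, "hour": 3600, "minute": 60, "min": 60,
                 "second": 1, "sec": 1}

def parse_time(value: str) -> int:
    """Time notation ("1 month 2 days 30 min") -> seconds; a bare number is
    already seconds."""
    tokens = value.lower().split()
    if len(tokens) == 1 and tokens[0].isdigit():
        return int(tokens[0])
    if not tokens or len(tokens) % 2:
        raise ValueError(f"malformed time: {value!r}")
    total = 0
    for count, unit in zip(tokens[0::2], tokens[1::2]):
        if unit.endswith("s") and unit[:-1] in _UNIT_SECONDS:
            unit = unit[:-1]  # accept plurals such as "days"
        if not count.isdigit() or unit not in _UNIT_SECONDS:
            raise ValueError(f"malformed time: {value!r}")
        total += int(count) * _UNIT_SECONDS[unit]
    return total

# Part of the configuration from the EXAMPLES section of this manual page.
SAMPLE_CONF = """\
[libdefaults]
        default_realm = FOO.SE
[realms]
        FOO.SE = {
                kdc = kerberos.foo.se
                v4_name_convert = {
                        rcmd = host
                }
                default_domain = foo.se
        }
[logging]
        kdc = FILE:/var/heimdal/kdc.log
        kdc = SYSLOG:INFO
"""
```

`parse_krb5_conf(SAMPLE_CONF)["logging"]["kdc"]` yields both destinations in order, and `parse_krb5_conf(SAMPLE_CONF)["realms"]["FOO.SE"][0]` is the nested block for that realm.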
     Currently recognised sections and bindings are:

           [appdefaults]
                Specifies the default values to be used for Kerberos
                applications.  You can specify defaults per application,
                realm, or a combination of these.  The preference order is:

                1.   application realm option
                2.   application option
                3.   realm option
                4.   option

                The supported options are:

                      forwardable = boolean
                           When obtaining initial credentials, make the
                           credentials forwardable.

                      proxiable = boolean
                           When obtaining initial credentials, make the
                           credentials proxiable.

                      no-addresses = boolean
                           When obtaining initial credentials, request them
                           for an empty set of addresses, making the tickets
                           valid from any address.

                      ticket_lifetime = time
                           Default ticket lifetime.

                      renew_lifetime = time
                           Default renewable ticket lifetime.

                      encrypt = boolean
                           Use encryption, when available.

                      forward = boolean
                           Forward credentials to remote host (for rsh(1),
                           telnet(1), etc).
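The preference order above, as an added example (not Heimdal code): `appdefault` tries the four lookups from most to least specific and returns the first value found.  The bindings are given in the shape a parser of the grammar produces (name to list of values, a value being a string or a nested block); the application name `kinit`, the realm `EXAMPLE.ORG` and the lifetimes are constructed for the illustration, and taking the first binding when a name is repeated is this example's own choice.

```python
from typing import Dict, List, Optional, Tuple, Union

Bindings = Dict[str, List[Union[str, "Bindings"]]]

# Constructed [appdefaults] content: one ticket_lifetime at each level.
APPDEFAULTS: Bindings = {
    "ticket_lifetime": ["8 hours"],                          # 4. option
    "EXAMPLE.ORG": [{"ticket_lifetime": ["1 day"]}],         # 3. realm option
    "kinit": [{
        "ticket_lifetime": ["10 hours"],                     # 2. application option
        "EXAMPLE.ORG": [{"ticket_lifetime": ["12 hours"]}],  # 1. application realm option
    }],
}

def _lookup(bindings: Bindings, path: Tuple[str, ...]) -> Optional[str]:
    """Follow path through nested blocks; return the string bound at the end
    of it, or None if a step is missing or leads into a string instead of
    a block.  The first binding is used when a name is repeated."""
    node: Union[str, Bindings] = bindings
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key][0]
    return node if isinstance(node, str) else None

def appdefault(bindings: Bindings, app: str, realm: str, option: str) -> Optional[str]:
    """Resolve option for app in realm: app+realm, then app, then realm,
    then the bare option; None when nothing applies."""
    for path in ((app, realm, option), (app, option), (realm, option), (option,)):
        value = _lookup(bindings, path)
        if value is not None:
            return value
    return None
```

The returned string still has to go through the boolean or time notation of the option in question; resolution and value parsing are kept separate here.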
           [libdefaults]

                      default_realm = REALM
                           Default realm to use, this is also known as your
                           ``local realm''.  The default is the result of
                           krb5_get_host_realm(local hostname).

                      clockskew = time
                           Maximum time differential (in seconds) allowed when
                           comparing times.  Default is 300 seconds (five
                           minutes).

                      kdc_timeout = time
                           Maximum time to wait for a reply from the kdc,
                           default is 3 seconds.

                      v4_name_convert

                      v4_instance_resolve
                           These are described in the
                           krb5_425_conv_principal(3) manual page.

                      capath = {
                                 destination-realm = next-hop-realm
                                 ...
                                 }
                           This is deprecated, see the capaths section below.

                      default_etypes = etypes ...
                           A list of default encryption types to use.

                      default_etypes_des = etypes ...
                           A list of default encryption types to use when
                           requesting a DES credential.

                      default_keytab_name = keytab
                           The keytab to use if no other is specified, default
                           is ``FILE:/etc/krb5.keytab''.

                      dns_lookup_kdc = boolean
                           Use DNS SRV records to look up the location of KDC
                           services.

                      dns_lookup_realm = boolean
                           Use DNS TXT records to look up domain to realm
                           mappings.

                      kdc_timesync = boolean
                           Try to keep track of the time differential between
                           the local machine and the KDC, and then compensate
                           for that when issuing requests.

                      max_retries = number
                           The max number of times to try to contact each KDC.

                      ticket_lifetime = time
                           Default ticket lifetime.

                      renew_lifetime = time
                           Default renewable ticket lifetime.

                      forwardable = boolean
                           When obtaining initial credentials, make the
                           credentials forwardable.  This option is also valid
                           in the [realms] section.

                      proxiable = boolean
                           When obtaining initial credentials, make the
                           credentials proxiable.  This option is also valid
                           in the [realms] section.

                      verify_ap_req_nofail = boolean
                           If enabled, failure to verify credentials against a
                           local key is a fatal error.  The application has to
                           be able to read the corresponding service key for
                           this to work.  Some applications, like su(1),
                           enable this option unconditionally.

                      warn_pwexpire = time
                           How soon to warn for an expiring password.  Default
                           is seven days.

                      http_proxy = proxy-spec
                           An HTTP proxy to use when talking to the KDC via
                           HTTP.

                      dns_proxy = proxy-spec
                           Enable using DNS via HTTP.

                      extra_addresses = address ...
                           A list of addresses to get tickets for along with
                           all local addresses.

                      time_format = string
                           How to print time strings in logs, this string is
                           passed to strftime(3).

                      date_format = string
                           How to print date strings in logs, this string is
                           passed to strftime(3).

                      log_utc = boolean
                           Write log entries using UTC instead of your local
                           time zone.

                      scan_interfaces = boolean
                           Scan all network interfaces for addresses, as
                           opposed to simply using the address associated with
                           the system's host name.

                      fcache_version = int
                           Use the file credential cache format version
                           specified.

                      krb4_get_tickets = boolean
                           Also get Kerberos 4 tickets in kinit, login, and
                           other programs.  This option is also valid in the
                           [realms] section.

                      fcc-mit-ticketflags = boolean
                           Use the MIT compatible format for the file
                           credential cache.  The ticketflags field is stored
                           in reverse bit order by Heimdal versions older than
                           0.7.  Setting this flag to TRUE makes it store the
                           MIT way; this is the default for Heimdal 0.7.
           [domain_realm]
                This is a list of mappings from DNS domain to Kerberos realm.
                Each binding in this section looks like:

                      domain = realm

                The domain can be either a full name of a host or a trailing
                component, in the latter case the domain-string should start
                with a period.  The realm may be the token `dns_locate', in
                which case the actual realm will be determined using DNS
                (independently of the setting of the `dns_lookup_realm'
                option).
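An added example of applying [domain_realm] bindings to a host name (not Heimdal's krb5_get_host_realm): an exact host-name binding is checked first, then trailing components from the most specific (`.a.b.c`) to the least (`.c`), and the `dns_locate` token is passed back to the caller to resolve via DNS.  The matching order and the case-insensitive comparison are this example's choices, and the table entries are constructed.

```python
from typing import Dict, Optional

# Constructed [domain_realm] bindings, domain -> realm.
DOMAIN_REALM: Dict[str, str] = {
    "legacy.foo.se": "OLD.FOO.SE",  # a full host name
    ".foo.se": "FOO.SE",            # a trailing component
    ".bar.se": "FOO.SE",
    ".dyn.se": "dns_locate",        # determine the realm via DNS instead
}

def realm_for_host(domain_realm: Dict[str, str], hostname: str) -> Optional[str]:
    """Return the realm bound to hostname, the token "dns_locate" when the
    table defers to DNS, or None when no binding matches."""
    table = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower().rstrip(".")  # tolerate a trailing dot
    if host in table:
        return table[host]
    labels = host.split(".")
    # ".a.b.c" is more specific than ".b.c": try the longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None
```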
           [realms]

                      REALM = {

                                 kdc = [service/]host[:port]
                                      Specifies a list of kdcs for this realm.
                                      If the optional port is absent, the
                                      default value for the ``kerberos/udp'',
                                      ``kerberos/tcp'', and ``http/tcp'' port
                                      (depending on service) will be used.
                                      The kdcs will be used in the order that
                                      they are specified.

                                      The optional service specifies over what
                                      medium the kdc should be contacted.
                                      Possible services are ``udp'', ``tcp'',
                                      and ``http''.  Http can also be written
                                      as ``http://''.  Default service is
                                      ``udp'' and ``tcp''.

                                 admin_server = host[:port]
                                      Specifies the admin server for this
                                      realm, where all the modifications to
                                      the database are performed.

                                 kpasswd_server = host[:port]
                                      Points to the server where all the
                                      password changes are performed.  If
                                      there is no such entry, the kpasswd port
                                      on the admin_server host will be tried.

                                 krb524_server = host[:port]
                                      Points to the server that does 524
                                      conversions.  If it is not mentioned,
                                      the krb524 port on the kdcs will be
                                      tried.

                                 v4_instance_convert

                                 v4_name_convert

                                 default_domain
                                      See krb5_425_conv_principal(3).

                                 tgs_require_subkey
                                      A boolean variable that defaults to
                                      false.  Old DCE secd (pre 1.1) might
                                      need this to be true.

                      }
           [capaths]

                      client-realm = {

                                 server-realm = hop-realm ...
                                      This serves two purposes.  First, the
                                      first listed hop-realm tells a client
                                      which realm it should contact in order
                                      to ultimately obtain credentials for a
                                      service in the server-realm.  Secondly,
                                      it tells the KDC (and other servers)
                                      which realms are allowed in a multi-hop
                                      traversal from client-realm to
                                      server-realm.  Except for the client
                                      case, the order of the realms is not
                                      important.

                      }
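The two uses of a [capaths] entry, as an added example on a constructed table (not Heimdal code): `next_realm` is the client-side reading (the first listed hop-realm is the realm to contact next) and `transited_allowed` is the KDC-side reading (every realm a cross-realm request passed through must be among the listed hops, in any order).  The realm names are placeholders, and treating a missing entry as "go directly to the server realm" is this example's fallback; the page does not describe what the library itself does in that case.

```python
from typing import Dict, Iterable, List

# Constructed [capaths] content, client-realm -> server-realm -> hops, as a
#     server-realm = hop-realm ...
# binding reads once its value is split on whitespace.
CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "A.EXAMPLE": {
        "C.EXAMPLE": ["B.EXAMPLE"],
        "D.EXAMPLE": ["B.EXAMPLE", "C.EXAMPLE"],
    },
}

def next_realm(capaths: Dict[str, Dict[str, List[str]]],
               client_realm: str, server_realm: str) -> str:
    """Client side: the realm to contact first on the way to server_realm.
    Without an entry the client goes straight to server_realm (this
    example's fallback, not documented behaviour)."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    return hops[0] if hops else server_realm

def transited_allowed(capaths: Dict[str, Dict[str, List[str]]],
                      client_realm: str, server_realm: str,
                      transited: Iterable[str]) -> bool:
    """KDC side: accept the traversal only if every transited realm is
    listed for this client/server pair.  Order is irrelevant here, so the
    hops are compared as a set; the two endpoints are always acceptable."""
    allowed = set(capaths.get(client_realm, {}).get(server_realm, []))
    allowed.update((client_realm, server_realm))
    return all(realm in allowed for realm in transited)
```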
           [logging]

                      entity = destination
                           Specifies that entity should use the specified
                           destination for logging.  See the krb5_openlog(3)
                           manual page for a list of defined destinations.

           [kdc]

                      database = {

                                 dbname = DATABASENAME
                                      Use this database for this realm.

                                 realm = REALM
                                      Specifies the realm that will be stored
                                      in this database.

                                 mkey_file = FILENAME
                                      Use this keytab file for the master key
                                      of this database.  If not specified
                                      DATABASENAME.mkey will be used.

                                 acl_file = FILENAME
                                      Use this file for the ACL list of this
                                      database.

                                 log_file = FILENAME
                                      Use this file as the log of changes
                                      performed to the database.  This file is
                                      used by ipropd-master for propagating
                                      changes to slaves.

                      }

                      max-request = SIZE
                           Maximum size of a kdc request.

                      require-preauth = BOOL
                           If set, pre-authentication is required.  Since
                           krb4 requests are not pre-authenticated they will
                           be rejected.

                      ports = list of ports
                           List of ports the kdc should listen to.

                      addresses = list of interfaces
                           List of addresses the kdc should bind to.

                      enable-kerberos4 = BOOL
                           Turn on Kerberos 4 support.

                      v4-realm = REALM
                           To what realm v4 requests should be mapped.

                      enable-524 = BOOL
                           Should the Kerberos 524 converting facility be
                           turned on.  Default is same as enable-kerberos4.

                      enable-http = BOOL
                           Should the kdc answer kdc-requests over http.

                      enable-kaserver = BOOL
                           If this kdc should emulate the AFS kaserver.

                      check-ticket-addresses = BOOL
                           Verify the addresses in the tickets used in tgs
                           requests.

                      allow-null-ticket-addresses = BOOL
                           Allow address-less tickets.

                      allow-anonymous = BOOL
                           If the kdc is allowed to hand out anonymous
                           tickets.

                      encode_as_rep_as_tgs_rep = BOOL
                           Encode as-rep as tgs-rep to be compatible with
                           mistakes older DCE secd did.

                      kdc_warn_pwexpire = TIME
                           The time before expiration that the user should be
                           warned that her password is about to expire.

                      logging = Logging
                           What type of logging the kdc should use, see also
                           [logging]/kdc.

                      use_2b = principal list
                           List of principals to use AFS 2b tokens for.
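As an added example (not Heimdal code), a review pass over the [kdc] BOOL bindings described above: it reports explicit settings a defender would want to look at (pre-authentication off, Kerberos 4 on, anonymous tickets, ticket addresses not checked, address-less tickets allowed) and separately lists checked bindings that are absent, since the page does not state their built-in defaults and the administrator should confirm them for the build in use.  The bindings dict has the name-to-values shape a parser of the grammar produces; the two configurations are constructed, and using the first binding when a name is repeated is this example's choice.

```python
from typing import Dict, List

Bindings = Dict[str, List[str]]  # name -> values in file order

def _bool(value: str) -> bool:
    """BOOL notation: yes/true -> True, no/false -> False."""
    v = value.lower()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    raise ValueError(f"not a boolean: {value!r}")

# (binding, explicit value that warrants a look, why)
_CHECKS = [
    ("require-preauth", False, "pre-authentication is not required"),
    ("enable-kerberos4", True, "Kerberos 4 is on; krb4 requests are never pre-authenticated"),
    ("allow-anonymous", True, "the kdc may hand out anonymous tickets"),
    ("check-ticket-addresses", False, "ticket addresses are not verified in tgs requests"),
    ("allow-null-ticket-addresses", True, "address-less tickets are accepted"),
]

def audit_kdc(kdc: Bindings) -> Dict[str, List[str]]:
    """Return {"findings": explicit settings worth reviewing,
               "unset": checked bindings that are absent (default applies)}."""
    findings: List[str] = []
    unset: List[str] = []
    for name, risky, why in _CHECKS:
        values = kdc.get(name)
        if not values:
            unset.append(name)
        elif _bool(values[0]) is risky:  # first binding wins if repeated
            findings.append(f"{name} = {values[0]}: {why}")
    return {"findings": findings, "unset": unset}

# Constructed [kdc] sections: a permissive one and its tightened form.
WEAK_KDC: Bindings = {
    "enable-kerberos4": ["yes"],
    "require-preauth": ["no"],
    "allow-anonymous": ["true"],
}
HARDENED_KDC: Bindings = {
    "enable-kerberos4": ["no"],
    "require-preauth": ["yes"],
    "allow-anonymous": ["no"],
    "check-ticket-addresses": ["yes"],
    "allow-null-ticket-addresses": ["no"],
}
```

The [kadmin] section has its own require-preauth binding with the same BOOL notation, so the same check function applies there.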
           [kadmin]

                      require-preauth = BOOL
                           If pre-authentication is required to talk to the
                           kadmin server.

                      default_keys = keytypes...
                           Each entry in default_keys is parsed as a sequence
                           of etype:salttype:salt.  The syntax of an entry is:

                           [(des|des3|etype):](pw-salt|afs3-salt)[:string]

                           If etype is omitted it means everything, and if
                           string is omitted it means the default salt string
                           (for that principal and encryption type).
                           Additional special values of keytypes are:

                                 v5   The Kerberos 5 salt pw-salt

                                 v4   The Kerberos 4 salt des:pw-salt:

                      use_v4_salt = BOOL
                           When true, this is the same as

                           default_keys = des3:pw-salt v4

                           and is only left for backwards compatibility.
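The default_keys notation above, parsed into (etype, salt type, salt string) triples as an added example (not Heimdal's kadmin code).  An omitted etype comes back as None ("everything") and an omitted salt string as None ("the default salt string"), whereas the trailing colon of the v4 form `des:pw-salt:` yields an explicit empty salt.  The accepted etype names are the ones listed under etypes near the top of this page plus the des and des3 group names from the syntax line; a salt string containing a colon is outside what this example handles.

```python
from typing import List, Optional, Tuple

KeySpec = Tuple[Optional[str], str, Optional[str]]  # (etype, salttype, salt)

_SALT_TYPES = ("pw-salt", "afs3-salt")
# "des" and "des3" name groups of types; the rest are the page's etypes list.
_ETYPES = ("des", "des3", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
           "des3-cbc-sha1", "arcfour-hmac-md5", "aes128-cts-hmac-sha1-96",
           "aes256-cts-hmac-sha1-96")
_SPECIAL = {"v5": "pw-salt", "v4": "des:pw-salt:"}  # the two special values

def parse_key_spec(spec: str) -> KeySpec:
    """[(des|des3|etype):](pw-salt|afs3-salt)[:string] -> (etype, salttype, salt).
    etype None means every type; salt None means the default salt string,
    while "" (as in v4 = des:pw-salt:) is an explicit empty salt."""
    parts = _SPECIAL.get(spec, spec).split(":")
    if parts[0] in _SALT_TYPES:
        etype, rest = None, parts          # etype omitted
    else:
        etype, rest = parts[0], parts[1:]
        if etype not in _ETYPES:
            raise ValueError(f"unknown encryption type in {spec!r}")
    if not rest or rest[0] not in _SALT_TYPES or len(rest) > 2:
        raise ValueError(f"malformed key specification {spec!r}")
    salt = rest[1] if len(rest) == 2 else None
    return etype, rest[0], salt

def parse_default_keys(value: str) -> List[KeySpec]:
    """A whole default_keys value: whitespace-separated specifications."""
    return [parse_key_spec(spec) for spec in value.split()]
```

`parse_default_keys("des3:pw-salt v4")` is the list that use_v4_salt = true stands for.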
ENVIRONMENT
     KRB5_CONFIG points to the configuration file to read.

FILES
     /etc/krb5.conf  configuration file for Kerberos 5.

EXAMPLES
           [libdefaults]
                   default_realm = FOO.SE
           [domain_realm]
                   .foo.se = FOO.SE
                   .bar.se = FOO.SE
           [realms]
                   FOO.SE = {
                           kdc = kerberos.foo.se
                           v4_name_convert = {
                                   rcmd = host
                           }
                           v4_instance_convert = {
                                   xyz = xyz.bar.se
                           }
                           default_domain = foo.se
                   }
           [logging]
                   kdc = FILE:/var/heimdal/kdc.log
                   kdc = SYSLOG:INFO
                   default = SYSLOG:INFO:USER

DIAGNOSTICS
     Since krb5.conf is read and parsed by the krb5 library, there are not
     many opportunities for programs to report parsing errors in any useful
     format.  To help overcome this problem, there is a program
     verify_krb5_conf that reads krb5.conf and tries to emit useful
     diagnostics from parsing errors.  Note that this program does not have
     any way of knowing what options are actually used and thus cannot warn
     about unknown or misspelled ones.

SEE ALSO
     kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),
     verify_krb5_conf(8)

HEIMDAL                         March 9, 2004