'\" te
.\" Copyright 1987, 1989 by the Student Information Processing Board of the Massachusetts Institute of Technology.  For copying and distribution information,  please see the file kerberosv5/mit-sipb-copyright.h.
.\" Portions Copyright (c) 2004, Sun Microsystems, Inc.  All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH WARN.CONF 5 "November 22, 2021"
.SH NAME
warn.conf \- Kerberos warning configuration file
.SH SYNOPSIS
.nf
/etc/krb5/warn.conf
.fi

.SH DESCRIPTION
The \fBwarn.conf\fR file contains configuration information specifying how
users will be warned by the \fBktkt_warnd\fR daemon about ticket expiration. In
addition, this file can be used to auto-renew the user's Ticket-Granting Ticket
(TGT) instead of warning the user. Credential expiration warnings and
auto-renew results are sent, by means of syslog, to \fBauth.notice\fR.
.sp
.LP
Each Kerberos client host must have a \fBwarn.conf\fR file in order for users
on that host to get Kerberos warnings from the client. Entries in the
\fBwarn.conf\fR file must have the following format:
.sp
.in +2
.nf
\fIprincipal\fR [renew[:\fIopt1\fR,...\fIoptN\fR]] syslog|terminal \fItime\fR
.fi
.in -2

.sp
.LP
or:
.sp
.in +2
.nf
\fIprincipal\fR [renew[:\fIopt1\fR,...\fIoptN\fR]] mail \fItime\fR [\fIemail address\fR]
.fi
.in -2

.sp
.ne 2
.na
\fB\fIprincipal\fR\fR
.ad
.RS 17n
Specifies the principal name to be warned. The asterisk (\fB*\fR) wildcard can
be used to specify groups of principals.
.RE

.sp
.ne 2
.na
\fB\fBrenew\fR\fR
.ad
.RS 17n
Automatically renew the credentials (TGT) until renewable lifetime expires.
This is equivalent to the user running \fBkinit\fR \fB-R\fR.
.sp
The renew options include:
.sp
.ne 2
.na
\fB\fBlog-success\fR\fR
.ad
.RS 15n
Log the result of the renew attempt on success using the specified method
(\fBsyslog\fR|\fBterminal\fR|\fBmail\fR).
.RE

.sp
.ne 2
.na
\fB\fBlog-failure\fR\fR
.ad
.RS 15n
Log the result of the renew attempt on failure using the specified method
(\fBsyslog\fR|\fBterminal\fR|\fBmail\fR). Some renew failure conditions are:
TGT renewable lifetime has expired, the KDCs are unavailable, or the cred cache
file has been removed.
.RE

.sp
.ne 2
.na
\fB\fBlog\fR\fR
.ad
.RS 15n
Same as specifying both \fBlog-success\fR and \fBlog-failure\fR.
.RE

.LP
Note -
.sp
.RS 2
If no log options are given, no logging is done.
.RE
.RE

.sp
.ne 2
.na
\fB\fBsyslog\fR\fR
.ad
.RS 17n
Sends the warnings to the system's syslog. Depending on the
\fB/etc/syslog.conf\fR file, syslog entries are written to the
\fB/var/adm/messages\fR file and/or displayed on the terminal.
.RE

.sp
.ne 2
.na
\fB\fBterminal\fR\fR
.ad
.RS 17n
Sends the warnings to display on the terminal.
.RE

.sp
.ne 2
.na
\fB\fBmail\fR\fR
.ad
.RS 17n
Sends the warnings as email to the address specified by \fIemail_address\fR.
.RE

.sp
.ne 2
.na
\fB\fItime\fR\fR
.ad
.RS 17n
Specifies how much time before the \fBTGT\fR expires when a warning should be
sent. The default time value is seconds, but you can specify \fBh\fR (hours)
and \fBm\fR (minutes) after the number to specify other time values.
.RE

.sp
.ne 2
.na
\fB\fIemail_address\fR\fR
.ad
.RS 17n
Specifies the email address at which to send the warnings. This field must be
specified only with the \fBmail\fR field.
.RE

.SH EXAMPLES
\fBExample 1 \fRSpecifying Warnings
.sp
.LP
The following \fBwarn.conf\fR entry

.sp
.in +2
.nf
\fB* syslog 5m\fR
.fi
.in -2
.sp

.sp
.LP
specifies that warnings will be sent to the syslog five minutes before the
expiration of the \fBTGT\fR for all principals. The form of the message is:

.sp
.in +2
.nf
jdb@EXAMPLE.COM: your kerberos credentials expire in 5 minutes
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSpecifying Renewal
.sp
.LP
The following \fBwarn.conf\fR entry:

.sp
.in +2
.nf
* renew:log terminal 30m
.fi
.in -2

.sp
.LP
\&...specifies that renew results will be sent to the user's terminal 30
minutes before the expiration of the TGT for all principals. The form of the
message (on renew success) is:

.sp
.in +2
.nf
myname@EXAMPLE.COM: your kerberos credentials have been renewed
.fi
.in -2

.SH FILES
.ne 2
.na
\fB\fB/usr/lib/krb5/ktkt_warnd\fR\fR
.ad
.RS 28n
Kerberos warning daemon
.RE

.SH ATTRIBUTES
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Evolving
.TE

.SH SEE ALSO
.BR kdestroy (1),
.BR kinit (1),
.BR syslog.conf (5),
.BR utmpx (5),
.BR attributes (7),
.BR kerberos (7),
.BR pam_krb5 (7),
.BR ktkt_warnd (8)
.SH NOTES
The auto-renew of the TGT is attempted only if the user is logged-in, as
determined by examining \fButmpx\fR(5).