.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $
.\"
.Dd April 11, 1999
.Dt KRB5.CONF 5
.Os HEIMDAL
.Sh NAME
.Nm /etc/krb5.conf
.Nd
Configuration file for Kerberos 5
.Sh DESCRIPTION
The
.Nm
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, containing a number of
bindings. The value of each binding can be either a string or a list
of other bindings. The grammar looks like:
.Bd -literal -offset indent
file:
	/* empty */
	sections

sections:
	section sections
	section

section:
	'[' section_name ']' bindings

section_name:
	STRING

bindings:
	binding bindings
	binding

binding:
	name '=' STRING
	name '=' '{' bindings '}'

name:
	STRING

.Ed
.Li STRINGs
consist of one or more non-white space characters.
Currently recognised sections and bindings are:

.Bl -tag -width "xxx" -offset indent
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use. This is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times. Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the KDC. Default is 3 seconds.
.It Li v4_name_convert
.It Li v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = Va realm-routing-table
.It Li default_etypes = Va etypes...
A list of default etypes to use.
.It Li default_etypes_des = Va etypes...
A list of default etypes to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if none other is specified. Default is
.Dq FILE:/etc/krb5.keytab .
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
.It Li max_retries = Va number
The maximum number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li verify_ap_req_nofail = Va boolean
Enable to make a failure to verify obtained credentials
non-fatal. This can be useful if there is no keytab on a host.
.It Li warn_pwexpire = Va time
How soon to warn about an expiring password. Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs. This string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. Each
binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either a full name of a host or a trailing
component; in the latter case the domain-string should start with a
period.
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port]
Specifies a kdc for this realm. If the optional port is absent, the
default value for the
.Dq kerberos/udp
service will be used.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging. See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.El
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
	default_realm = FOO.SE
[domain_realm]
	.foo.se = FOO.SE
	.bar.se = FOO.SE
[realms]
	FOO.SE = {
		kdc = kerberos.foo.se
		v4_name_convert = {
			rcmd = host
		}
		v4_instance_convert = {
			xyz = xyz.bar.se
		}
		default_domain = foo.se
	}
[logging]
	kdc = FILE:/var/heimdal/kdc.log
	kdc = SYSLOG:INFO
	default = SYSLOG:INFO:USER
.Ed
.Sh SEE ALSO
.Xr krb5_openlog 3 ,
.Xr krb5_425_conv_principal 3 ,
.Xr strftime 3 ,
.Xr Source tm
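
The grammar in DESCRIPTION and the [libdefaults] bindings, as an added Python example that is not part of the original manual page or of Heimdal: a parser for the section/binding grammar plus an audit that flags section names this page does not list and loosened clockskew or verify_ap_req_nofail values. It assumes one binding per line, as in the EXAMPLE layout; KNOWN_SECTIONS, TRUE_WORDS, SAMPLE, parse and audit are names introduced here.

```python
import re

KNOWN_SECTIONS = {"libdefaults", "domain_realm", "realms", "logging"}  # listed on this page
TRUE_WORDS = {"yes", "true", "1"}  # assumed spellings; the page only says "boolean"

# Constructed sample: misspelt section name, widened clockskew, nested realm bindings.
SAMPLE = """\
[lib_defaults]
    default_realm = FOO.SE
[libdefaults]
    clockskew = 900
    verify_ap_req_nofail = yes
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
    }
"""

def parse(text):
    """Sections of bindings; each value is a STRING or a nested { bindings } list."""
    conf, stack = {}, []  # stack[-1] is the binding list currently open
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        header = re.fullmatch(r"\[(\S+)\]", line)
        name, eq, value = (s.strip() for s in line.partition("="))
        if header and len(stack) <= 1:  # section headers only outside { }
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif eq and name and value and stack:
            stack[-1].setdefault(name, []).append({} if value == "{" else value)
            if value == "{":
                stack.append(stack[-1][name][-1])
        elif line:  # anything else that is not blank is a syntax error
            raise ValueError(f"line {n}: unexpected {line!r}")
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return conf

def audit(conf):
    lib = conf.get("libdefaults", {})  # bindings under a misspelt header never land here
    out = [f"unrecognised section [{s}]" for s in conf if s not in KNOWN_SECTIONS]
    if any(str(v).isdigit() and int(v) > 300 for v in lib.get("clockskew", [])):
        out.append("clockskew above the 300s default")
    if any(str(v).lower() in TRUE_WORDS for v in lib.get("verify_ap_req_nofail", [])):
        out.append("verify_ap_req_nofail enabled")
    return out
```

Repeated names, such as the two kdc lines under [logging] in EXAMPLE, are kept as a list of values in file order.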