.\" $Id: krb5.conf.5,v 1.12 2001/01/19 04:53:24 assar Exp $
.\"
.Dd April 11, 1999
.Dt KRB5.CONF 5
.Os HEIMDAL
.Sh NAME
.Nm /etc/krb5.conf
.Nd configuration file for Kerberos 5
.Sh DESCRIPTION
The
.Nm
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, each containing a number of
bindings. The value of a binding can be either a string or a list
of other bindings. The grammar looks like:
.Bd -literal -offset indent
file:
    /* empty */
    sections

sections:
    section sections
    section

section:
    '[' section_name ']' bindings

section_name:
    STRING

bindings:
    binding bindings
    binding

binding:
    name '=' STRING
    name '=' '{' bindings '}'

name:
    STRING

.Ed
.Li STRINGs
consist of one or more non-white-space characters.
Currently recognised sections and bindings are:
.Bl -tag -width "xxx" -offset indent
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use; this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times. Default is 300 seconds (five minutes). Larger values widen the
window in which a replayed message is still accepted.
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the KDC; default is 3 seconds.
.It Li v4_name_convert
.It Li v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = {
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
.It ...
.El
Normally, a request for a service in a realm other than the client's
own is sent to the KDC of the client's realm, which issues a cross-realm
ticket.
If that KDC does not have a cross-realm key with the desired realm and
the hierarchical path to that realm does not work, a path can be
configured using this directive.
The binding shown above instructs the KDC to try to obtain a cross-realm
ticket for
.Va next-hop-realm
when the desired realm is
.Va destination-realm .
This configuration should preferably be done on the KDC, where it helps
all of its clients, but it can also be done on the client itself.
.It Li }
.It Li default_etypes = Va etypes...
A list of default etypes to use.
.It Li default_etypes_des = Va etypes...
A list of default etypes to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified; the default is
.Dq FILE:/etc/krb5.keytab .
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for it when issuing requests.
.It Li max_retries = Va number
The maximum number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li verify_ap_req_nofail = Va boolean
Enable to make a failure to verify obtained credentials
non-fatal. This can be useful if there is no keytab on a host.
Credentials that are not verified against a local key give no assurance
that they came from the genuine KDC, so only relax verification on hosts
that really have no keytab.
.It Li warn_pwexpire = Va time
How soon to warn about an expiring password. Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for, in addition to all local addresses.
.It Li time_format = Va string
How to print time strings in logs; this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. Each
binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either the full name of a host or a trailing
component of host names; in the latter case the domain string must
start with a period.
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port]
Specifies a KDC for this realm; give one such binding per KDC. If the
optional port is absent, the default value for the
.Dq kerberos/udp
service will be used.
The KDCs will be tried in the order in which they are specified.
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all modifications
to the database are performed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging. See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
.It Li database = {
.Bl -tag -width "xxx" -offset indent
.It Li dbname = Va DATABASENAME
Use this database for this realm.
.It Li realm = Va REALM
Specifies the realm that will be stored in this database.
.It Li mkey_file = Pa FILENAME
Use this keytab file for the master key of this database.
If not specified,
.Va DATABASENAME Ns .mkey
will be used.
.It Li acl_file = Pa FILENAME
Use this file for the ACL list of this database.
.It Li log_file = Pa FILENAME
Use this file as the log of changes performed to the database. This
file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
.It Li max-request = Va SIZE
Maximum size of a KDC request.
.It Li require-preauth = Va BOOL
If set, pre-authentication is required. Since krb4 requests are not
pre-authenticated, they will then be rejected. Without
pre-authentication the KDC returns a reply encrypted in the client's
key to anyone who asks for it, which allows offline password guessing,
so this should normally be set.
.It Li ports = Va "list of ports"
List of ports the KDC should listen on.
.It Li addresses = Va "list of interfaces"
List of addresses the KDC should bind to.
.It Li enable-kerberos4 = Va BOOL
Turn on Kerberos 4 support.
.It Li v4-realm = Va REALM
The realm to which v4 requests should be mapped.
.It Li enable-524 = Va BOOL
Whether the Kerberos 524 conversion facility should be turned on. Default is the same as
.Va enable-kerberos4 .
.It Li enable-http = Va BOOL
Whether the KDC should answer KDC requests over HTTP.
.It Li enable-kaserver = Va BOOL
Whether this KDC should emulate the AFS kaserver.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in TGS requests.
.\" XXX
.It Li allow-null-ticket-addresses = Va BOOL
Allow tickets without addresses. Such tickets can be used from any host,
so the address check above does not apply to them.
.\" XXX
.It Li allow-anonymous = Va BOOL
Whether the KDC is allowed to hand out anonymous tickets.
.It Li encode_as_rep_as_tgs_rep = Va BOOL
Encode an AS-REP as a TGS-REP, to be compatible with mistakes that older DCE secd made.
.\" XXX
.It Li kdc_warn_pwexpire = Va TIME
The time before expiration at which the user should be warned that her
password is about to expire.
.It Li logging = Va Logging
What type of logging the KDC should use; see also [logging]/kdc.
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It Li require-preauth = Va BOOL
Whether pre-authentication is required to talk to the kadmin server.
.It Li default_keys = Va keytypes...
For each entry in
.Va default_keys ,
try to parse it as a sequence of
.Va etype:salttype:salt .
The syntax is roughly:
.Pp
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
.Pp
If
.Ar etype
is omitted it means every etype, and if string is omitted it means the
default salt string (for that principal). Additional special values of
keytypes are:
.Bl -tag -width "xxx" -offset indent
.It v5
The Kerberos 5 salt
.Va pw-salt
.It v4
The Kerberos 4 type
.Va des:pw-salt:
.El
.It Li use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4
.Pp
and is only left for backwards compatibility.
.El
.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
    default_realm = FOO.SE
[domain_realm]
    .foo.se = FOO.SE
    .bar.se = FOO.SE
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
        v4_instance_convert = {
            xyz = xyz.bar.se
        }
        default_domain = foo.se
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
    default = SYSLOG:INFO:USER
.Ed
.Sh DIAGNOSTICS
Since
.Nm
is read and parsed by the krb5 library, there are not many
opportunities for programs to report parsing errors in any useful
format.
To help overcome this problem, there is a program,
.Nm verify_krb5_conf ,
that reads
.Nm
and tries to emit useful diagnostics for parsing errors. Note that
this program has no way of knowing which options are
actually used and thus cannot warn about unknown or misspelt ones.
.Sh SEE ALSO
.Xr verify_krb5_conf 8 ,
.Xr krb5_openlog 3 ,
.Xr krb5_425_conv_principal 3 ,
.Xr strftime 3 ,
.Xr Source tm
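The following is an added example; it is not part of this manual page and not Heimdal code. It implements the grammar from DESCRIPTION as a small Python parser, a verify_krb5_conf-style structural check as discussed under DIAGNOSTICS, the [domain_realm] host-to-realm lookup, and the [realms] kdc list with its default port. Its input is the EXAMPLE above, constructed inline (without the v4_instance_convert block) with the first section spelled [libdefaults] and its binding written as default_realm. Two things are this example's assumptions rather than statements of the page: that the most specific trailing component wins when several [domain_realm] entries match a host, and that the kerberos/udp service is port 88. The function names parse, verify, host_realm and kdc_list are the example's own.

```python
# Added example, not Heimdal code: a parser for the krb5.conf grammar in
# DESCRIPTION, a verify_krb5_conf-style check (DIAGNOSTICS), the
# [domain_realm] lookup and the [realms] kdc list.  Values are kept in lists
# so that repeated bindings (the two "kdc =" lines under [logging]) survive.
import re

# Constructed input: the EXAMPLE of this page (v4_instance_convert omitted),
# with the first section spelled [libdefaults] and default_realm as binding.
SAMPLE = """\
[libdefaults]
    default_realm = FOO.SE
[domain_realm]
    .foo.se = FOO.SE
    .bar.se = FOO.SE
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
        default_domain = foo.se
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
"""
KERBEROS_UDP_PORT = 88  # assumption: the IANA port of the kerberos service
_SECTION = re.compile(r"^\[(\S+)\]$")
_RESERVED = {"=", "{", "}"}

class ParseError(ValueError):
    pass

def parse(text):
    """Parse into {section: {name: [value, ...]}}; a value is a STRING or a
    nested {name: [value, ...]}.  A STRING is a run of non-white-space
    characters, so whitespace is the only separator the tokenizer needs."""
    toks = [(n, t) for n, line in enumerate(text.splitlines(), 1)
            for t in line.split()]
    config, stack, i = {}, [], 0    # stack[-1] is the binding list being filled
    while i < len(toks):
        lineno, tok = toks[i]
        i += 1
        if tok == "}":              # closes a nested '{ bindings }' only
            if len(stack) < 2:
                raise ParseError(f"line {lineno}: stray '}}'")
            stack.pop()
            continue
        m = _SECTION.match(tok)
        if m:                       # '[' section_name ']' starts a section
            if len(stack) > 1:
                raise ParseError(f"line {lineno}: unterminated '{{' before {tok}")
            stack = [config.setdefault(m.group(1), {})]
            continue
        if not stack or tok in _RESERVED:
            raise ParseError(f"line {lineno}: expected [section] or name, got {tok!r}")
        if i + 1 >= len(toks) or toks[i][1] != "=":   # binding: name '=' value
            raise ParseError(f"line {lineno}: expected '= value' after {tok!r}")
        vline, value = toks[i + 1]
        i += 2
        if value == "{":            # name '=' '{' bindings '}'
            value = {}
        elif value in _RESERVED or _SECTION.match(value):
            raise ParseError(f"line {vline}: {tok!r} has no value")
        stack[-1].setdefault(tok, []).append(value)
        if isinstance(value, dict):
            stack.append(value)
    if len(stack) > 1:
        raise ParseError("unterminated '{' at end of file")
    return config

def verify(text):
    """Like verify_krb5_conf: a diagnostic string, or None if the structure
    parses.  It cannot tell whether an option name is meaningful."""
    try:
        parse(text)
    except ParseError as e:
        return str(e)
    return None

def host_realm(config, hostname):
    """[domain_realm]: an exact host name wins, then trailing components
    (entries starting with a period), most specific first (assumption)."""
    mapping = config.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for k in range(1, len(labels)):
        suffix = "." + ".".join(labels[k:])
        if suffix in mapping:
            return mapping[suffix][0]
    return None

def kdc_list(config, realm):
    """[realms] REALM kdc = host[:port] in listed order; default port is
    the kerberos/udp service."""
    realm_cfg = config.get("realms", {}).get(realm, [{}])[0]
    result = []
    for spec in realm_cfg.get("kdc", []):
        host, _, port = spec.rpartition(":")
        result.append((host, int(port)) if host and port.isdigit()
                      else (spec, KERBEROS_UDP_PORT))
    return result
```

verify(SAMPLE) returns None; feeding it a file whose closing brace is missing returns "unterminated '{' at end of file", the kind of message the page says the library itself has little opportunity to produce. Like verify_krb5_conf, it only checks structure: a misspelt binding such as default_relam parses fine and is silently ignored by consumers, so treat a clean verify as necessary, not sufficient.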