1.\" Copyright (c) 1999 - 2003 Kungliga Tekniska H�gskolan 2.\" (Royal Institute of Technology, Stockholm, Sweden). 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" 3. Neither the name of the Institute nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 
31.\" 32.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $ 33.\" 34.Dd April 11, 1999 35.Dt KRB5.CONF 5 36.Os HEIMDAL 37.Sh NAME 38.Nm /etc/krb5.conf 39.Nd configuration file for Kerberos 5 40.Sh DESCRIPTION 41The 42.Nm 43file specifies several configuration parameters for the Kerberos 5 44library, as well as for some programs. 45.Pp 46The file consists of one or more sections, containing a number of 47bindings. 48The value of each binding can be either a string or a list of other 49bindings. 50The grammar looks like: 51.Bd -literal -offset indent 52file: 53 /* empty */ 54 sections 55 56sections: 57 section sections 58 section 59 60section: 61 '[' section_name ']' bindings 62 63section_name: 64 STRING 65 66bindings: 67 binding bindings 68 binding 69 70binding: 71 name '=' STRING 72 name '=' '{' bindings '}' 73 74name: 75 STRING 76 77.Ed 78.Li STRINGs 79consists of one or more non-whitespace characters. 80.Pp 81STRINGs that are specified later in this man-page uses the following 82notation. 83.Bl -tag -width "xxx" -offset indent 84.It boolean 85values can be either yes/true or no/false. 86.It time 87values can be a list of year, month, day, hour, min, second. 88Example: 1 month 2 days 30 min. 89.It etypes 90valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, 91des3-cbc-sha1. 92.It address 93an address can be either a IPv4 or a IPv6 address. 94.El 95.Pp 96Currently recognised sections and bindings are: 97.Bl -tag -width "xxx" -offset indent 98.It Li [appdefaults] 99Specifies the default values to be used for Kerberos applications. 100You can specify defaults per application, realm, or a combination of 101these. 
The preference order is:
.Bl -enum -compact
.It
.Va application Va realm Va option
.It
.Va application Va option
.It
.Va realm Va option
.It
.Va option
.El
.Pp
The supported options are:
.Bl -tag -width "xxx" -offset indent
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
.It Li no-addresses = Va boolean
When obtaining initial credentials, request them for an empty set of
addresses, making the tickets valid from any address.
This is needed behind NAT, but it also means that a ticket copied out
of the credential cache can be used from any host.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.El
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use; this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times.
Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the KDC; default is 3 seconds.
.It v4_name_convert
.It v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = {
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
.It ...
.El
Normally, all requests for realms other than the client's own are sent
to the client's KDC, which issues cross-realm tickets.
If this KDC does not have a cross-realm key with the desired realm and
the hierarchical path to that realm does not work, a path can be
configured using this directive.
The text shown above instructs the KDC to try to obtain a cross-realm
ticket to
.Va next-hop-realm
when the desired realm is
.Va destination-realm .
This configuration should preferably be done on the KDC, where it will
help all its clients, but can also be done on the client itself.
.It Li }
.It Li default_etypes = Va etypes...
A list of default encryption types to use.
.It Li default_etypes_des = Va etypes...
A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified; default is
.Dq FILE:/etc/krb5.keytab .
.It Li dns_lookup_kdc = Va boolean
Use DNS SRV records to look up the location of KDC services.
.It Li dns_lookup_realm = Va boolean
Use DNS TXT records to look up domain-to-realm mappings.
DNS answers are not authenticated, so whoever controls the resolver
path can choose which realm a host name maps to; static
[domain_realm] entries avoid this.
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for it when issuing requests.
.It Li max_retries = Va number
The maximum number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li forwardable = Va boolean
When obtaining initial credentials, make the credentials forwardable.
This option is also valid in the [realms] section.
.It Li proxiable = Va boolean
When obtaining initial credentials, make the credentials proxiable.
This option is also valid in the [realms] section.
.It Li verify_ap_req_nofail = Va boolean
If enabled, failure to verify credentials against a local key is a
fatal error.
The application has to be able to read the corresponding service key
for this to work.
Without this option, an application that cannot read the key skips the
check, so initial credentials are accepted without proof that they
came from the real KDC, which is what makes KDC spoofing possible.
Some applications, like
.Xr su 8 ,
enable this option unconditionally.
.It Li warn_pwexpire = Va time
How soon to warn about an expiring password.
Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for, along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs; this string is passed to
.Xr strftime 3 .
.It Li date_format = Va string
How to print date strings in logs; this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.It Li scan_interfaces = Va boolean
Scan all network interfaces for addresses, as opposed to simply using
the address associated with the system's host name.
.It Li fcache_version = Va int
Use the specified file credential cache format version.
.It Li krb4_get_tickets = Va boolean
Also get Kerberos 4 tickets in
.Nm kinit ,
.Nm login ,
and other programs.
This option is also valid in the [realms] section.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
Each binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either the full name of a host or a trailing
component; in the latter case the domain string should start with a
period.
The realm may be the token `dns_locate', in which case the actual
realm will be determined using DNS (independently of the setting
of the `dns_lookup_realm' option).
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va [service/]host[:port]
Specifies a list of KDCs for this realm.
If the optional
.Va port
is absent, the
default value for the
.Dq kerberos/udp ,
.Dq kerberos/tcp ,
or
.Dq http/tcp
port (depending on service) will be used.
The KDCs will be used in the order that they are specified.
.Pp
The optional
.Va service
specifies over what medium the KDC should be
contacted.
Possible services are
.Dq udp ,
.Dq tcp ,
and
.Dq http .
Http can also be written as
.Dq http:// .
Default service is
.Dq udp
and
.Dq tcp .
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all the modifications
to the database are performed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all the password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li krb524_server = Va host[:port]
Points to the server that does 524 conversions.
If it is not mentioned, the krb524 port on the KDCs will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging.
See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
.It database Li = {
.Bl -tag -width "xxx" -offset indent
.It dbname Li = Va DATABASENAME
Use this database for this realm.
.It realm Li = Va REALM
Specifies the realm that will be stored in this database.
.It mkey_file Li = Pa FILENAME
Use this keytab file for the master key of this database.
If not specified,
.Va DATABASENAME Ns .mkey
will be used.
.It acl_file Li = Pa FILENAME
Use this file for the access control list of this database.
.It log_file Li = Pa FILENAME
Use this file as the log of changes performed to the database.
This file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
.It max-request = Va SIZE
Maximum size of a KDC request.
.It require-preauth = Va BOOL
If set, pre-authentication is required.
Since krb4 requests are not pre-authenticated, they will be rejected.
Without pre-authentication the KDC returns an AS-REP encrypted in the
user's key to anyone who asks for it, which allows offline password
guessing.
.It ports = Va "list of ports"
List of ports the KDC should listen on.
.It addresses = Va "list of interfaces"
List of addresses the KDC should bind to.
.It enable-kerberos4 = Va BOOL
Turn on Kerberos 4 support.
.It v4-realm = Va REALM
To what realm v4 requests should be mapped.
.It enable-524 = Va BOOL
Should the Kerberos 524 converting facility be turned on.
Default is the same as
.Va enable-kerberos4 .
.It enable-http = Va BOOL
Should the KDC answer KDC requests over HTTP.
.It enable-kaserver = Va BOOL
If this KDC should emulate the AFS kaserver.
.It check-ticket-addresses = Va BOOL
Verify the addresses in the tickets presented in TGS requests.
.\" XXX
.It allow-null-ticket-addresses = Va BOOL
Allow tickets with an empty address list.
.\" XXX
.It allow-anonymous = Va BOOL
If the KDC is allowed to hand out anonymous tickets.
.It encode_as_rep_as_tgs_rep = Va BOOL
Encode AS-REPs as TGS-REPs, to be compatible with a mistake made by
older versions of DCE secd.
.\" XXX
.It kdc_warn_pwexpire = Va TIME
The time before expiration at which the user should be warned that the
password is about to expire.
.It logging = Va Logging
What type of logging the KDC should use; see also [logging]/kdc.
.It use_2b = Va principal list
List of principals to use AFS 2b tokens for.
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
.It default_keys = Va keytypes...
For each entry in
.Va default_keys ,
try to parse it as a sequence of
.Va etype:salttype:salt .
The syntax is:
.Pp
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
.Pp
If
.Ar etype
is omitted, keys are generated for every encryption type; if string is
omitted, the default salt string (for that principal and encryption
type) is used.
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It v5
The Kerberos 5 salt
.Va pw-salt
.It v4
The Kerberos 4 salt
.Va des:pw-salt:
.El
.It use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4
.Pp
and is only left for backwards compatibility.
.El
.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
	default_realm = FOO.SE
[domain_realm]
	.foo.se = FOO.SE
	.bar.se = FOO.SE
[realms]
	FOO.SE = {
		kdc = kerberos.foo.se
		v4_name_convert = {
			rcmd = host
		}
		v4_instance_convert = {
			xyz = xyz.bar.se
		}
		default_domain = foo.se
	}
[logging]
	kdc = FILE:/var/heimdal/kdc.log
	kdc = SYSLOG:INFO
	default = SYSLOG:INFO:USER
.Ed
.Sh DIAGNOSTICS
Since
.Nm
is read and parsed by the krb5 library, there is little opportunity
for programs to report parsing errors in a useful format.
To help overcome this problem, there is a program
.Nm verify_krb5_conf
that reads
.Nm
and tries to emit useful diagnostics from parsing errors.
Note that this program does not have any way of knowing what options
are actually used and thus cannot warn about unknown or misspelled
ones.
.Sh SEE ALSO
.Xr kinit 1 ,
.Xr krb5_425_conv_principal 3 ,
.Xr krb5_openlog 3 ,
.Xr strftime 3 ,
.Xr verify_krb5_conf 8