1.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $ 2.\" 3.Dd April 11, 1999 4.Dt KRB5.CONF 5 5.Os HEIMDAL 6.Sh NAME 7.Nm /etc/krb5.conf 8.Nd 9Configuration file for Kerberos 5 10.Sh DESCRIPTION 11The 12.Nm 13file specifies several configuration parameters for the Kerberos 5 14library, as well as for some programs. 15.Pp 16The file consists of one or more sections, containing a number of 17bindings. The value of each binding can be either a string or a list 18of other bindings. The grammar looks like: 19.Bd -literal -offset indent 20file: 21 /* empty */ 22 sections 23 24sections: 25 section sections 26 section 27 28section: 29 '[' section_name ']' bindings 30 31section_name: 32 STRING 33 34bindings: 35 binding bindings 36 binding 37 38binding: 39 name '=' STRING 40 name '=' '{' bindings '}' 41 42name: 43 STRING 44 45.Ed 46.Li STRINGs 47consist of one or more non-white space characters. 48Currently recognised sections and bindings are: 49 50.Bl -tag -width "xxx" -offset indent 51.It Li [libdefaults] 52.Bl -tag -width "xxx" -offset indent 53.It Li default_realm = Va REALM 54Default realm to use, this is also known as your 55.Dq local realm . 56The default is the result of 57.Fn krb5_get_host_realm "local hostname" . 58.It Li clockskew = Va time 59Maximum time differential (in seconds) allowed when comparing 60times. Default is 300 seconds (five minutes). 61.It Li kdc_timeout = Va time 62Maximum time to wait for a reply from the kdc, default is 3 seconds. 63.It v4_name_convert 64.It v4_instance_resolve 65These are described in the 66.Xr krb5_425_conv_principal 3 67manual page. 68.It Li capath = Va realm-routing-table 69.It Li default_etypes = Va etypes... 70A list of default etypes to use. 71.It Li default_etypes_des = Va etypes... 72A list of default etypes to use when requesting a DES credential. 73.It Li default_keytab_name = Va keytab 74The keytab to use if none other is specified, default is 75.Dq FILE:/etc/krb5.keytab . 
76.It Li kdc_timesync = Va boolean 77Try to keep track of the time differential between the local machine 78and the KDC, and then compensate for that when issuing requests. 79.It Li max_retries = Va number 80The max number of times to try to contact each KDC. 81.It Li ticket_lifetime = Va time 82Default ticket lifetime. 83.It Li renew_lifetime = Va time 84Default renewable ticket lifetime. 85.It Li verify_ap_req_nofail = Va boolean 86Enable to make a failure to verify obtained credentials 87non-fatal. This can be useful if there is no keytab on a host. Without this verification the host cannot confirm that the credentials were issued by the genuine KDC, so enable it only where that risk is acceptable. 88.It Li warn_pwexpire = Va time 89How soon to warn about an expiring password. Default is seven days. 90.It Li http_proxy = Va proxy-spec 91An HTTP proxy to use when talking to the KDC via HTTP. 92.It Li dns_proxy = Va proxy-spec 93Enable using DNS via HTTP. 94.It Li extra_addresses = Va address... 95A list of addresses to get tickets for along with all local addresses. 96.It Li time_format = Va string 97How to print time strings in logs; this string is passed to 98.Xr strftime 3 . 99.It Li log_utc = Va boolean 100Write log-entries using UTC instead of your local time zone. 101.El 102.It Li [domain_realm] 103This is a list of mappings from DNS domain to Kerberos realm. Each 104binding in this section looks like: 105.Pp 106.Dl domain = realm 107.Pp 108The domain can be either a full name of a host or a trailing 109component; in the latter case the domain-string should start with a 110period. 111.It Li [realms] 112.Bl -tag -width "xxx" -offset indent 113.It Va REALM Li = { 114.Bl -tag -width "xxx" -offset indent 115.It Li kdc = Va host[:port] 116Specifies a kdc for this realm. If the optional port is absent, the 117default value for the 118.Dq kerberos/udp 119service will be used. 120.It Li v4_instance_convert 121.It Li v4_name_convert 122.It Li default_domain 123See 124.Xr krb5_425_conv_principal 3 . 
125.El 126.It Li } 127.El 128.It Li [logging] 129.Bl -tag -width "xxx" -offset indent 130.It Va entity Li = Va destination 131Specifies that 132.Va entity 133should use the specified 134.Li destination 135for logging. See the 136.Xr krb5_openlog 3 137manual page for a list of defined destinations. 138.El 139.El 140.Sh EXAMPLE 141.Bd -literal -offset indent 142[libdefaults] 143 default_realm = FOO.SE 144[domain_realm] 145 .foo.se = FOO.SE 146 .bar.se = FOO.SE 147[realms] 148 FOO.SE = { 149 kdc = kerberos.foo.se 150 v4_name_convert = { 151 rcmd = host 152 } 153 v4_instance_convert = { 154 xyz = xyz.bar.se 155 } 156 default_domain = foo.se 157 } 158[logging] 159 kdc = FILE:/var/heimdal/kdc.log 160 kdc = SYSLOG:INFO 161 default = SYSLOG:INFO:USER 162.Ed 163.Sh SEE ALSO 164.Xr krb5_openlog 3 , 165.Xr krb5_425_conv_principal 3 , 166.Xr strftime 3 , 167.Xr Source tm 168