.. _kdc.conf(5):

kdc.conf
========

The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which
are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.

Normally, the kdc.conf file is found in the KDC state directory,
|kdcdir|. You can override the default location by setting the
environment variable **KRB5_KDC_PROFILE**.

Please note that you need to restart the KDC daemon for any configuration
changes to take effect.

Structure
---------

The kdc.conf file is set up in the same format as the
:ref:`krb5.conf(5)` file.


Sections
--------

The kdc.conf file may contain the following sections:

==================== =================================================
:ref:`kdcdefaults`   Default values for KDC behavior
:ref:`kdc_realms`    Realm-specific database configuration and settings
:ref:`dbdefaults`    Default database settings
:ref:`dbmodules`     Per-database settings
:ref:`logging`       Controls how Kerberos daemons perform logging
==================== =================================================


.. _kdcdefaults:

[kdcdefaults]
~~~~~~~~~~~~~

Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the :ref:`kdc_realms` section for
the definitions of these relations.

* **host_based_services**
* **kdc_listen**
* **kdc_ports**
* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**

The following [kdcdefaults] variables have no per-realm equivalent:

**kdc_max_dgram_reply_size**
    Specifies the maximum packet size that can be sent over UDP. The
    default value is 4096 bytes.

**kdc_tcp_listen_backlog**
    (Integer.) Set the size of the listen queue length for the KDC
    daemon. The value may be limited by OS settings. The default
    value is 5.

**spake_preauth_kdc_challenge**
    (String.) Specifies the group for a SPAKE optimistic challenge.
    See the **spake_preauth_groups** variable in :ref:`libdefaults`
    for possible values. The default is not to issue an optimistic
    challenge. (New in release 1.17.)


.. _kdc_realms:

[realms]
~~~~~~~~

Each tag in the [realms] section is the name of a Kerberos realm. The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm::

    [realms]
        ATHENA.MIT.EDU = {
            max_renewable_life = 7d 0h 0m 0s
        }

The following tags may be specified in a [realms] subsection:

**acl_file**
    (String.) Location of the access control list file that
    :ref:`kadmind(8)` uses to determine which principals are allowed
    which permissions on the Kerberos database. To operate without an
    ACL file, set this relation to the empty string with ``acl_file =
    ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more
    information on the Kerberos ACL file see :ref:`kadm5.acl(5)`.

**database_module**
    (String.) This relation indicates the name of the configuration
    section under :ref:`dbmodules` for database-specific parameters
    used by the loadable database library. The default value is the
    realm name. If this configuration section does not exist, default
    values will be used for all database parameters.

**database_name**
    (String, deprecated.) This relation specifies the location of the
    Kerberos database for this realm, if the DB2 module is being used
    and the :ref:`dbmodules` configuration section does not specify a
    database name. The default value is |kdcdir|\ ``/principal``.

**default_principal_expiration**
    (:ref:`abstime` string.) Specifies the default expiration date of
    principals created in this realm. The default value is 0, which
    means no expiration date.

**default_principal_flags**
    (Flag string.) Specifies the default attributes of principals
    created in this realm. The format for this string is a
    comma-separated list of flags, with '+' before each flag that
    should be enabled and '-' before each flag that should be
    disabled. The **postdateable**, **forwardable**, **tgt-based**,
    **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and
    **service** flags default to enabled.

    There are a number of possible flags:

    **allow-tickets**
        Enabling this flag means that the KDC will issue tickets for
        this principal. Disabling this flag essentially deactivates
        the principal within this realm.

    **dup-skey**
        Enabling this flag allows the KDC to issue user-to-user
        service tickets for this principal.

    **forwardable**
        Enabling this flag allows the principal to obtain forwardable
        tickets.

    **hwauth**
        If this flag is enabled, then the principal is required to
        preauthenticate using a hardware device before receiving any
        tickets.

    **no-auth-data-required**
        Enabling this flag prevents PAC or AD-SIGNEDPATH data from
        being added to service tickets for the principal.

    **ok-as-delegate**
        If this flag is enabled, it hints the client that credentials
        can and should be delegated when authenticating to the
        service.

    **ok-to-auth-as-delegate**
        Enabling this flag allows the principal to use S4U2Self tickets.

    **postdateable**
        Enabling this flag allows the principal to obtain postdateable
        tickets.

    **preauth**
        If this flag is enabled on a client principal, then that
        principal is required to preauthenticate to the KDC before
        receiving any tickets. On a service principal, enabling this
        flag means that service tickets for this principal will only
        be issued to clients with a TGT that has the preauthenticated
        bit set.

    **proxiable**
        Enabling this flag allows the principal to obtain proxy
        tickets.

    **pwchange**
        Enabling this flag forces a password change for this
        principal.

    **pwservice**
        If this flag is enabled, it marks this principal as a password
        change service. This should only be used in special cases,
        for example, if a user's password has expired, then the user
        has to get tickets for that principal without going through
        the normal password authentication in order to be able to
        change the password.

    **renewable**
        Enabling this flag allows the principal to obtain renewable
        tickets.

    **service**
        Enabling this flag allows the KDC to issue service tickets
        for this principal. In release 1.17 and later, user-to-user
        service tickets are still allowed if the **dup-skey** flag is
        set.

    **tgt-based**
        Enabling this flag allows a principal to obtain tickets based
        on a ticket-granting-ticket, rather than repeating the
        authentication process that was used to obtain the TGT.

**dict_file**
    (String.) Location of the dictionary file containing strings that
    are not allowed as passwords. The file should contain one string
    per line, with no additional whitespace. If none is specified or
    if there is no policy assigned to the principal, no dictionary
    checks of passwords will be performed.

**disable_pac**
    (Boolean value.) If true, the KDC will not issue PACs for this
    realm, and S4U2Self and S4U2Proxy operations will be disabled.
    The default is false, which will permit the KDC to issue PACs.
    New in release 1.20.

**encrypted_challenge_indicator**
    (String.) Specifies the authentication indicator value that the KDC
    asserts into tickets obtained using FAST encrypted challenge
    pre-authentication. New in 1.16.

**host_based_services**
    (Whitespace- or comma-separated list.) Lists services which will
    get host-based referral processing even if the server principal is
    not marked as host-based by the client.

**iprop_enable**
    (Boolean value.) Specifies whether incremental database
    propagation is enabled. The default value is false.

**iprop_ulogsize**
    (Integer.) Specifies the maximum number of log entries to be
    retained for incremental propagation. The default value is 1000.
    Prior to release 1.11, the maximum value was 2500. New in release
    1.19.

**iprop_master_ulogsize**
    The name for **iprop_ulogsize** prior to release 1.19. Its value is
    used as a fallback if **iprop_ulogsize** is not specified.

**iprop_replica_poll**
    (Delta time string.) Specifies how often the replica KDC polls
    for new updates from the primary. The default value is ``2m``
    (that is, two minutes). New in release 1.17.

**iprop_slave_poll**
    (Delta time string.) The name for **iprop_replica_poll** prior to
    release 1.17. Its value is used as a fallback if
    **iprop_replica_poll** is not specified.

**iprop_listen**
    (Whitespace- or comma-separated list.) Specifies the iprop RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If kadmind fails to bind
    to any of the specified addresses, it will fail to start. The
    default (when **iprop_enable** is true) is to bind to the wildcard
    address at the port specified in **iprop_port**. New in release
    1.15.

**iprop_port**
    (Port number.) Specifies the port number to be used for
    incremental propagation. When **iprop_enable** is true, this
    relation is required in the replica KDC configuration file, and
    this relation or **iprop_listen** is required in the primary
    configuration file, as there is no default port number. Port
    numbers specified in **iprop_listen** entries will override this
    port number for the :ref:`kadmind(8)` daemon.

**iprop_resync_timeout**
    (Delta time string.) Specifies the amount of time to wait for a
    full propagation to complete. This is optional in configuration
    files, and is used by replica KDCs only. The default value is 5
    minutes (``5m``). New in release 1.11.

**iprop_logfile**
    (File name.) Specifies where the update log file for the realm
    database is to be stored. The default is to use the
    **database_name** entry from the realms section of the krb5 config
    file, with ``.ulog`` appended. (NOTE: If **database_name** isn't
    specified in the realms section, perhaps because the LDAP database
    back end is being used, or the file name is specified in the
    [dbmodules] section, then the hard-coded default for
    **database_name** is used. Determination of the **iprop_logfile**
    default value will not use values from the [dbmodules] section.)

**kadmind_listen**
    (Whitespace- or comma-separated list.) Specifies the kadmin RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If kadmind fails to bind
    to any of the specified addresses, it will fail to start. The
    default is to bind to the wildcard address at the port specified
    in **kadmind_port**, or the standard kadmin port (749). New in
    release 1.15.

**kadmind_port**
    (Port number.) Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for this realm. Port numbers specified in
    **kadmind_listen** entries will override this port number. The
    assigned port for kadmind is 749, which is used by default.

**key_stash_file**
    (String.) Specifies the location where the master key has been
    stored (via kdb5_util stash). The default is |kdcdir|\
    ``/.k5.REALM``, where *REALM* is the Kerberos realm.

**kdc_listen**
    (Whitespace- or comma-separated list.) Specifies the UDP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If no port is specified,
    the standard port (88) is used. If the KDC daemon fails to bind
    to any of the specified addresses, it will fail to start. The
    default is to bind to the wildcard address on the standard port.
    New in release 1.15.

**kdc_ports**
    (Whitespace- or comma-separated list, deprecated.) Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
    release 1.15 and later, it has the same meaning as **kdc_listen**
    if that relation is not defined.

**kdc_tcp_listen**
    (Whitespace- or comma-separated list.) Specifies the TCP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon. If the address
    contains colons, enclose it in square brackets. If no address is
    specified, the wildcard address is used. If no port is specified,
    the standard port (88) is used. To disable listening on TCP, set
    this relation to the empty string with ``kdc_tcp_listen = ""``.
    If the KDC daemon fails to bind to any of the specified addresses,
    it will fail to start. The default is to bind to the wildcard
    address on the standard port. New in release 1.15.

**kdc_tcp_ports**
    (Whitespace- or comma-separated list, deprecated.) Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for TCP requests. In
    release 1.15 and later, it has the same meaning as
    **kdc_tcp_listen** if that relation is not defined.

**kpasswd_listen**
    (Comma-separated list.) Specifies the kpasswd listening addresses
    and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be
    an interface address, a port number, or an address and port number
    separated by a colon. If the address contains colons, enclose it
    in square brackets. If no address is specified, the wildcard
    address is used. If kadmind fails to bind to any of the specified
    addresses, it will fail to start. The default is to bind to the
    wildcard address at the port specified in **kpasswd_port**, or the
    standard kpasswd port (464). New in release 1.15.

**kpasswd_port**
    (Port number.) Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for password change requests for this realm.
    Port numbers specified in **kpasswd_listen** entries will override
    this port number. The assigned port for password change requests
    is 464, which is used by default.

**master_key_name**
    (String.) Specifies the name of the principal associated with the
    master key. The default is ``K/M``.

**master_key_type**
    (Key type string.) Specifies the master key's key type. The
    default value for this is |defmkey|. For a list of all possible
    values, see :ref:`Encryption_types`.

**max_life**
    (:ref:`duration` string.) Specifies the maximum time period for
    which a ticket may be valid in this realm. The default value is
    24 hours.

**max_renewable_life**
    (:ref:`duration` string.) Specifies the maximum time period
    during which a valid ticket may be renewed in this realm.
    The default value is 0.

**no_host_referral**
    (Whitespace- or comma-separated list.) Lists services to block
    from getting host-based referral processing, even if the client
    marks the server principal as host-based or the service is also
    listed in **host_based_services**. ``no_host_referral = *`` will
    disable referral processing altogether.

**reject_bad_transit**
    (Boolean value.) If set to true, the KDC will check the list of
    transited realms for cross-realm tickets against the transit path
    computed from the realm names and the capaths section of its
    :ref:`krb5.conf(5)` file; if the path in the ticket to be issued
    contains any realms not in the computed path, the ticket will not
    be issued, and an error will be returned to the client instead.
    If this value is set to false, such tickets will be issued
    anyway, and it will be left up to the application server to
    validate the realm transit path.

    If the disable-transited-check flag is set in the incoming
    request, this check is not performed at all. Having the
    **reject_bad_transit** option set will cause such ticket requests
    to be rejected always.

    This transit path checking and config file option currently apply
    only to TGS requests.

    The default value is true.

**restrict_anonymous_to_tgt**
    (Boolean value.) If set to true, the KDC will reject ticket
    requests from anonymous principals to service principals other
    than the realm's ticket-granting service.
    This option allows
    anonymous PKINIT to be enabled for use as FAST armor tickets
    without allowing anonymous authentication to services. The
    default value is false. New in release 1.9.

**spake_preauth_indicator**
    (String.) Specifies an authentication indicator value that the
    KDC asserts into tickets obtained using SPAKE pre-authentication.
    The default is not to add any indicators. This option may be
    specified multiple times. New in release 1.17.

**supported_enctypes**
    (List of *key*:*salt* strings.) Specifies the default key/salt
    combinations of principals for this realm. Any principals created
    through :ref:`kadmin(1)` will have keys of these types. The
    default value for this tag is |defkeysalts|. For lists of
    possible values, see :ref:`Keysalt_lists`.


.. _dbdefaults:

[dbdefaults]
~~~~~~~~~~~~

The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag. See the :ref:`dbmodules` section for the
definitions of these relations.

* **ldap_kerberos_container_dn**
* **ldap_kdc_dn**
* **ldap_kdc_sasl_authcid**
* **ldap_kdc_sasl_authzid**
* **ldap_kdc_sasl_mech**
* **ldap_kdc_sasl_realm**
* **ldap_kadmind_dn**
* **ldap_kadmind_sasl_authcid**
* **ldap_kadmind_sasl_authzid**
* **ldap_kadmind_sasl_mech**
* **ldap_kadmind_sasl_realm**
* **ldap_service_password_file**
* **ldap_conns_per_server**


.. _dbmodules:

[dbmodules]
~~~~~~~~~~~

The [dbmodules] section contains parameters used by the KDC database
library and database modules. Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm's
**database_module** parameter. The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm::

    [dbmodules]
        ATHENA.MIT.EDU = {
            disable_last_success = true
        }

The following tags may be specified in a [dbmodules] subsection:

**database_name**
    This DB2-specific tag indicates the location of the database in
    the filesystem. The default is |kdcdir|\ ``/principal``.

**db_library**
    This tag indicates the name of the loadable database module. The
    value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB
    module, or ``kldap`` for the LDAP module.

**disable_last_success**
    If set to ``true``, suppresses KDC updates to the "Last successful
    authentication" field of principal entries requiring
    preauthentication. Setting this flag may improve performance.
    (Principal entries which do not require preauthentication never
    update the "Last successful authentication" field.) First
    introduced in release 1.9.

**disable_lockout**
    If set to ``true``, suppresses KDC updates to the "Last failed
    authentication" and "Failed password attempts" fields of principal
    entries requiring preauthentication. Setting this flag may
    improve performance, but also disables account lockout. First
    introduced in release 1.9.

**ldap_conns_per_server**
    This LDAP-specific tag indicates the number of connections to be
    maintained per LDAP server.

**ldap_kdc_dn** and **ldap_kadmind_dn**
    These LDAP-specific tags indicate the default DN for binding to
    the LDAP server. The :ref:`krb5kdc(8)` daemon uses
    **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other
    administrative programs use **ldap_kadmind_dn**. The kadmind DN
    must have the rights to read and write the Kerberos data in the
    LDAP database. The KDC DN must have the same rights, unless
    **disable_lockout** and **disable_last_success** are true, in
    which case it only needs to have rights to read the Kerberos data.
    These tags are ignored if a SASL mechanism is set with
    **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**.

**ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech**
    These LDAP-specific tags specify the SASL mechanism (such as
    ``EXTERNAL``) to use when binding to the LDAP server. New in
    release 1.13.

**ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid**
    These LDAP-specific tags specify the SASL authentication identity
    to use when binding to the LDAP server. Not all SASL mechanisms
    require an authentication identity. If the SASL mechanism
    requires a secret (such as the password for ``DIGEST-MD5``), these
    tags also determine the name within the
    **ldap_service_password_file** where the secret is stashed. New
    in release 1.13.

**ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid**
    These LDAP-specific tags specify the SASL authorization identity
    to use when binding to the LDAP server. In most circumstances
    they do not need to be specified. New in release 1.13.

**ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm**
    These LDAP-specific tags specify the SASL realm to use when
    binding to the LDAP server. In most circumstances they do not
    need to be set. New in release 1.13.

**ldap_kerberos_container_dn**
    This LDAP-specific tag indicates the DN of the container object
    where the realm objects will be located.

**ldap_servers**
    This LDAP-specific tag indicates the list of LDAP servers that the
    Kerberos servers can connect to. The list of LDAP servers is
    whitespace-separated. Each LDAP server is specified by an LDAP
    URI. It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to
    connect to the LDAP server.

**ldap_service_password_file**
    This LDAP-specific tag indicates the file containing the stashed
    passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
    **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the
    **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names
    for SASL authentication. This file must be kept secure.

**mapsize**
    This LMDB-specific tag indicates the maximum size of the two
    database environments in megabytes. The default value is 128.
    Increase this value to address "Environment mapsize limit reached"
    errors. New in release 1.17.

**max_readers**
    This LMDB-specific tag indicates the maximum number of concurrent
    reading processes for the databases. The default value is 128.
    New in release 1.17.

**nosync**
    This LMDB-specific tag can be set to improve the throughput of
    kadmind and other administrative agents, at the expense of
    durability (recent database changes may not survive a power outage
    or other sudden reboot). It does not affect the throughput of the
    KDC. The default value is false. New in release 1.17.

**unlockiter**
    If set to ``true``, this DB2-specific tag causes iteration
    operations to release the database lock while processing each
    principal. Setting this flag to ``true`` can prevent extended
    blocking of KDC or kadmin operations when dumps of large databases
    are in progress. First introduced in release 1.13.

The following tag may be specified directly in the [dbmodules]
section to control where database modules are loaded from:

**db_module_dir**
    This tag controls where the plugin system looks for database
    modules. The value should be an absolute path.

.. _logging:

[logging]
~~~~~~~~~

The [logging] section indicates how :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` perform logging. It may contain the following
relations:

**admin_server**
    Specifies how :ref:`kadmind(8)` performs logging.

**kdc**
    Specifies how :ref:`krb5kdc(8)` performs logging.

**default**
    Specifies how either daemon performs logging in the absence of
    relations specific to the daemon.

**debug**
    (Boolean value.) Specifies whether debugging messages are
    included in log outputs other than SYSLOG. Debugging messages are
    always included in the system log output because syslog performs
    its own priority filtering. The default value is false. New in
    release 1.15.

Logging specifications may have the following forms:

**FILE=**\ *filename* or **FILE:**\ *filename*
    This value causes the daemon's logging messages to go to the
    *filename*. If the ``=`` form is used, the file is overwritten.
    If the ``:`` form is used, the file is appended to.

**STDERR**
    This value causes the daemon's logging messages to go to its
    standard error stream.

**CONSOLE**
    This value causes the daemon's logging messages to go to the
    console, if the system supports it.

**DEVICE=**\ *<devicename>*
    This causes the daemon's logging messages to go to the specified
    device.

**SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]]
    This causes the daemon's logging messages to go to the system log.

    For backward compatibility, a severity argument may be specified,
    and must be specified in order to specify a facility. This
    argument will be ignored.

    The facility argument specifies the facility under which the
    messages are logged. This may be any of the following facilities
    supported by the syslog(3) call minus the LOG\_ prefix: **KERN**,
    **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**,
    **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no
    facility is specified, the default is **AUTH**.
653 654In the following example, the logging messages from the KDC will go to 655the console and to the system log under the facility LOG_DAEMON, and 656the logging messages from the administrative server will be appended 657to the file ``/var/adm/kadmin.log`` and sent to the device 658``/dev/tty04``. :: 659 660 [logging] 661 kdc = CONSOLE 662 kdc = SYSLOG:INFO:DAEMON 663 admin_server = FILE:/var/adm/kadmin.log 664 admin_server = DEVICE=/dev/tty04 665 666If no logging specification is given, the default is to use syslog. 667To disable logging entirely, specify ``default = DEVICE=/dev/null``. 668 669 670.. _otp: 671 672[otp] 673~~~~~ 674 675Each subsection of [otp] is the name of an OTP token type. The tags 676within the subsection define the configuration required to forward a 677One Time Password request to a RADIUS server. 678 679For each token type, the following tags may be specified: 680 681**server** 682 This is the server to send the RADIUS request to. It can be a 683 hostname with optional port, an ip address with optional port, or 684 a Unix domain socket address. The default is 685 |kdcdir|\ ``/<name>.socket``. 686 687**secret** 688 This tag indicates a filename (which may be relative to |kdcdir|) 689 containing the secret used to encrypt the RADIUS packets. The 690 secret should appear in the first line of the file by itself; 691 leading and trailing whitespace on the line will be removed. If 692 the value of **server** is a Unix domain socket address, this tag 693 is optional, and an empty secret will be used if it is not 694 specified. Otherwise, this tag is required. 695 696**timeout** 697 An integer which specifies the time in seconds during which the 698 KDC should attempt to contact the RADIUS server. This tag is the 699 total time across all retries and should be less than the time 700 which an OTP value remains valid for. The default is 5 seconds. 701 702**retries** 703 This tag specifies the number of retries to make to the RADIUS 704 server. 
The default is 3 retries (4 tries). 705 706**strip_realm** 707 If this tag is ``true``, the principal without the realm will be 708 passed to the RADIUS server. Otherwise, the realm will be 709 included. The default value is ``true``. 710 711**indicator** 712 This tag specifies an authentication indicator to be included in 713 the ticket if this token type is used to authenticate. This 714 option may be specified multiple times. (New in release 1.14.) 715 716In the following example, requests are sent to a remote server via UDP:: 717 718 [otp] 719 MyRemoteTokenType = { 720 server = radius.mydomain.com:1812 721 secret = SEmfiajf42$ 722 timeout = 15 723 retries = 5 724 strip_realm = true 725 } 726 727An implicit default token type named ``DEFAULT`` is defined for when 728the per-principal configuration does not specify a token type. Its 729configuration is shown below. You may override this token type to 730something applicable for your situation:: 731 732 [otp] 733 DEFAULT = { 734 strip_realm = false 735 } 736 737PKINIT options 738-------------- 739 740.. note:: 741 742 The following are pkinit-specific options. These values may 743 be specified in [kdcdefaults] as global defaults, or within 744 a realm-specific subsection of [realms]. Also note that a 745 realm-specific value over-rides, does not add to, a generic 746 [kdcdefaults] specification. The search order is: 747 7481. realm-specific subsection of [realms]:: 749 750 [realms] 751 EXAMPLE.COM = { 752 pkinit_anchors = FILE:/usr/local/example.com.crt 753 } 754 7552. generic value in the [kdcdefaults] section:: 756 757 [kdcdefaults] 758 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ 759 760For information about the syntax of some of these options, see 761:ref:`Specifying PKINIT identity information <pkinit_identity>` in 762:ref:`krb5.conf(5)`. 763 764**pkinit_anchors** 765 Specifies the location of trusted anchor (root) certificates which 766 the KDC trusts to sign client certificates. 
This option is 767 required if pkinit is to be supported by the KDC. This option may 768 be specified multiple times. 769 770**pkinit_dh_min_bits** 771 Specifies the minimum number of bits the KDC is willing to accept 772 for a client's Diffie-Hellman key. The default is 2048. 773 774**pkinit_allow_upn** 775 Specifies that the KDC is willing to accept client certificates 776 with the Microsoft UserPrincipalName (UPN) Subject Alternative 777 Name (SAN). This means the KDC accepts the binding of the UPN in 778 the certificate to the Kerberos principal name. The default value 779 is false. 780 781 Without this option, the KDC will only accept certificates with 782 the id-pkinit-san as defined in :rfc:`4556`. There is currently 783 no option to disable SAN checking in the KDC. 784 785**pkinit_eku_checking** 786 This option specifies what Extended Key Usage (EKU) values the KDC 787 is willing to accept in client certificates. The values 788 recognized in the kdc.conf file are: 789 790 **kpClientAuth** 791 This is the default value and specifies that client 792 certificates must have the id-pkinit-KPClientAuth EKU as 793 defined in :rfc:`4556`. 794 795 **scLogin** 796 If scLogin is specified, client certificates with the 797 Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be 798 accepted. 799 800 **none** 801 If none is specified, then client certificates will not be 802 checked to verify they have an acceptable EKU. The use of 803 this option is not recommended. 804 805**pkinit_identity** 806 Specifies the location of the KDC's X.509 identity information. 807 This option is required if pkinit is to be supported by the KDC. 808 809**pkinit_indicator** 810 Specifies an authentication indicator to include in the ticket if 811 pkinit is used to authenticate. This option may be specified 812 multiple times. (New in release 1.14.) 
**pkinit_pool**
    Specifies the location of intermediate certificates which may be
    used by the KDC to complete the trust chain between a client's
    certificate and a trusted anchor. This option may be specified
    multiple times.

**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL)
    information to be used by the KDC when verifying the validity of
    client certificates. This option may be specified multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check the
    available revocation information to see if a certificate has been
    revoked. If a match is found for the certificate in a CRL,
    verification fails. If the certificate being verified is not
    listed in a CRL, or there is no CRL present for its issuing CA,
    and **pkinit_require_crl_checking** is false, then verification
    succeeds.

    However, if **pkinit_require_crl_checking** is true and there is
    no CRL information available for the issuing CA, then verification
    fails.

    **pkinit_require_crl_checking** should be set to true if the
    policy is such that up-to-date CRLs must be present for every CA.

**pkinit_require_freshness**
    Specifies whether to require clients to include a freshness token
    in PKINIT requests. The default value is false. (New in release
    1.17.)

.. _Encryption_types:

Encryption types
----------------

Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as "weak" and "deprecated" are available for
compatibility but not recommended for use.
==================================================== =========================================================
des3-cbc-raw                                         Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd        Triple DES cbc mode with HMAC/sha1 (deprecated)
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
aes128-cts-hmac-sha256-128 aes128-sha2               AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5 (deprecated)
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
des3                                                 The triple DES family: des3-cbc-sha1
aes                                                  The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4                                                  The RC4 family: arcfour-hmac
camellia                                             The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
==================================================== =========================================================

The string **DEFAULT** can be used to refer to the default set of
types for the variable in question. Types or families can be removed
from the current list by prefixing them with a minus sign ("-").
Types or families can be prefixed with a plus sign ("+") for symmetry;
it has the same meaning as just listing the type or family. For
example, "``DEFAULT -rc4``" would be the default set of encryption
types with RC4 types removed, and "``des3 DEFAULT``" would be the
default set of encryption types with triple DES types moved to the
front.
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier). Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.

The **aes128-sha2** and **aes256-sha2** encryption types are new in
release 1.15. Services running versions of krb5 without support for
these newer encryption types must not be given keys of these
encryption types in the KDC database.


.. _Keysalt_lists:

Keysalt lists
-------------

Kerberos keys for users are usually derived from passwords. Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype ("keysalt") pairs, known as *keysalt
lists*. Each keysalt pair is an enctype name followed by a salttype
name, in the format *enc*:*salt*. Individual keysalt list members are
separated by comma (",") characters or space characters. For example::

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate
password-derived keys for the **aes256-cts** and **aes128-cts**
encryption types, using a **normal** salt.

To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt.
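The following is an added example, not code from the MIT krb5 project or
from this manual page. It implements the two list syntaxes described in
this section and the previous one: the enctype-list rules (**DEFAULT**,
family names, and the "+" and "-" prefixes) and the *enc*:*salt* keysalt
lists passed to ``kadmin -e``, tagging each resolved enctype with the
"weak" or "deprecated" status from the encryption-types table so that a
``supported_enctypes`` setting can be audited before it is deployed. The
name, alias and family tables are copied from that table. Two things are
assumptions of this example rather than documented behaviour:
``EXAMPLE_DEFAULT`` is a constructed stand-in for the real DEFAULT set
(which depends on the variable and the krb5 release), and a keysalt
entry with no salt part is treated as ``normal``.

```python
# Added example (not MIT krb5 code): resolve kdc.conf enctype-list specs
# such as "DEFAULT -rc4" or "des3 DEFAULT", and parse/audit keysalt lists
# such as "aes256-cts:normal,aes128-cts:normal".
from __future__ import annotations

# canonical name -> (aliases, status), copied from the encryption-types table
ENCTYPES = {
    "des3-cbc-raw": ((), "weak"),
    "des3-cbc-sha1": (("des3-hmac-sha1", "des3-cbc-sha1-kd"), "deprecated"),
    "aes256-cts-hmac-sha1-96": (("aes256-cts", "aes256-sha1"), "ok"),
    "aes128-cts-hmac-sha1-96": (("aes128-cts", "aes128-sha1"), "ok"),
    "aes256-cts-hmac-sha384-192": (("aes256-sha2",), "ok"),
    "aes128-cts-hmac-sha256-128": (("aes128-sha2",), "ok"),
    "arcfour-hmac": (("rc4-hmac", "arcfour-hmac-md5"), "deprecated"),
    "arcfour-hmac-exp": (("rc4-hmac-exp", "arcfour-hmac-md5-exp"), "weak"),
    "camellia256-cts-cmac": (("camellia256-cts",), "ok"),
    "camellia128-cts-cmac": (("camellia128-cts",), "ok"),
}
ALIASES = {a: name for name, (aliases, _) in ENCTYPES.items() for a in aliases}

# family name -> members, copied from the table
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}

# Constructed stand-in for DEFAULT; the real set varies by variable and
# release, so substitute the value from your krb5.conf(5) when auditing.
EXAMPLE_DEFAULT = (FAMILIES["aes"] + ["des3-cbc-sha1", "arcfour-hmac"]
                   + FAMILIES["camellia"])


def canonical(name: str) -> str:
    """Map an enctype name or one of its aliases to the canonical name."""
    if name in ENCTYPES:
        return name
    if name in ALIASES:
        return ALIASES[name]
    raise ValueError(f"unknown enctype {name!r}")


def expand(token: str) -> list[str]:
    """Expand one type or family token into canonical enctype names."""
    if token in FAMILIES:
        return list(FAMILIES[token])
    return [canonical(token)]


def resolve_enctype_list(spec: str, default: list[str] = EXAMPLE_DEFAULT) -> list[str]:
    """Apply the DEFAULT / "+" / "-" rules to a whitespace-separated spec.

    Tokens are applied left to right. A name already present keeps its
    first position (so "des3 DEFAULT" moves triple DES to the front), and
    "-" removes only from the list built so far ("the current list").
    """
    result: list[str] = []
    for token in spec.split():
        if token == "DEFAULT":
            names = list(default)
        elif token.startswith("-"):
            for n in expand(token[1:]):
                if n in result:
                    result.remove(n)
            continue
        else:
            names = expand(token[1:] if token.startswith("+") else token)
        for n in names:
            if n not in result:
                result.append(n)
    return result


def parse_keysalt_list(spec: str) -> list[tuple[str, str]]:
    """Parse enc:salt pairs separated by commas or spaces.

    Returns (canonical enctype, salttype) pairs. An entry without a
    ":salt" part is given the "normal" salt (this example's assumption).
    """
    pairs = []
    for item in spec.replace(",", " ").split():
        enc, _, salt = item.partition(":")
        salt = salt or "normal"
        if salt not in SALTTYPES:
            raise ValueError(f"unknown salttype {salt!r} in {item!r}")
        pairs.append((canonical(enc), salt))
    return pairs


def audit_keysalt_list(spec: str) -> list[tuple[str, str, str]]:
    """Tag each keysalt pair with the table's status (ok/deprecated/weak)
    so weak or deprecated entries in supported_enctypes stand out."""
    return [(enc, salt, ENCTYPES[enc][1]) for enc, salt in parse_keysalt_list(spec)]


if __name__ == "__main__":
    print(resolve_enctype_list("DEFAULT -rc4"))
    print(resolve_enctype_list("des3 DEFAULT"))
    for enc, salt, status in audit_keysalt_list("aes256-cts:normal,rc4-hmac:normal"):
        print(f"{enc}:{salt} -> {status}")
```

Because "-" only removes from the list built so far, ``-rc4 DEFAULT`` still
yields the full default set; put removals after **DEFAULT** as the page's
``DEFAULT -rc4`` example does.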
The supported salt types are as follows:

================= ============================================
normal            default for Kerberos Version 5
norealm           same as the default, without using realm information
onlyrealm         uses only realm information as the salt
special           generate a random salt
================= ============================================


Sample kdc.conf File
--------------------

Here's an example of a kdc.conf file::

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88
    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read rights on
            # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read and write rights on
            # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }


FILES
-----

|kdcdir|\ ``/kdc.conf``


SEE ALSO
--------

:ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)`