source: heimdal/trunk/lib/krb5/krb5.conf.cat5@ 5

Last change on this file since 5 was 1, checked in by Paul Smedley, 10 years ago

Initial commit of Heimdal 1.5.3

KRB5.CONF(5)              BSD File Formats Manual              KRB5.CONF(5)

NAME
     krb5.conf -- configuration file for Kerberos 5

SYNOPSIS
     #include <krb5.h>

DESCRIPTION
     The krb5.conf file specifies several configuration parameters for the
     Kerberos 5 library, as well as for some programs.

     The file consists of one or more sections, containing a number of
     bindings.  The value of each binding can be either a string or a list
     of other bindings.  The grammar looks like:

           file:
                   /* empty */
                   sections

           sections:
                   section sections
                   section

           section:
                   '[' section_name ']' bindings

           section_name:
                   STRING

           bindings:
                   binding bindings
                   binding

           binding:
                   name '=' STRING
                   name '=' '{' bindings '}'

           name:
                   STRING

     STRINGs consist of one or more non-whitespace characters.

     STRINGs that are specified later in this man page use the following
     notation:

     boolean
             values can be either yes/true or no/false.

     time
             values can be a list of year, month, day, hour, min, second.
             Example: 1 month 2 days 30 min.  If no unit is given, seconds
             is assumed.

     etypes
             valid encryption types are: des-cbc-crc, des-cbc-md4,
             des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5,
             aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.

     address
             an address can be either an IPv4 or an IPv6 address.

     Currently recognised sections and bindings are:

     [appdefaults]
             Specifies the default values to be used for Kerberos
             applications.  You can specify defaults per application, realm,
             or a combination of these.  The preference order is:
                 1. application realm option
                 2. application option
                 3. realm option
                 4. option

             The supported options are:

             forwardable = boolean
                     When obtaining initial credentials, make the
                     credentials forwardable.

             proxiable = boolean
                     When obtaining initial credentials, make the
                     credentials proxiable.

             no-addresses = boolean
                     When obtaining initial credentials, request them for
                     an empty set of addresses, making the tickets valid
                     from any address.

             ticket_lifetime = time
                     Default ticket lifetime.

             renew_lifetime = time
                     Default renewable ticket lifetime.

             encrypt = boolean
                     Use encryption, when available.

             forward = boolean
                     Forward credentials to remote host (for rsh(1),
                     telnet(1), etc).

     [libdefaults]

             default_realm = REALM
                     Default realm to use, this is also known as your
                     ``local realm''.  The default is the result of
                     krb5_get_host_realm(local hostname).

             allow_weak_crypto = boolean
                     Whether weak crypto algorithms are allowed to be used;
                     among others, DES is considered weak.

             clockskew = time
                     Maximum time differential (in seconds) allowed when
                     comparing times.  Default is 300 seconds (five
                     minutes).

             kdc_timeout = time
                     Maximum time to wait for a reply from the kdc,
                     default is 3 seconds.

             v4_name_convert

             v4_instance_resolve
                     These are described in the
                     krb5_425_conv_principal(3) manual page.

             capath = {

                     destination-realm = next-hop-realm

                     ...

             }
                     This is deprecated, see the capaths section below.

             default_cc_type = cctype
                     sets the default credentials type.

             default_cc_name = ccname
                     the default credentials cache name.  If you want to
                     change the type only, use default_cc_type.  The
                     string can contain variables that are expanded at
                     runtime.  The only variable supported at present is
                     %{uid}, which expands to the current user id.

             default_etypes = etypes ...
                     A list of default encryption types to use.
                     (Default: all enctypes if allow_weak_crypto = TRUE,
                     else all enctypes except single DES enctypes.)

             default_as_etypes = etypes ...
                     A list of default encryption types to use in AS
                     requests.  (Default: the value of default_etypes.)

             default_tgs_etypes = etypes ...
                     A list of default encryption types to use in TGS
                     requests.  (Default: the value of default_etypes.)

             default_etypes_des = etypes ...
                     A list of default encryption types to use when
                     requesting a DES credential.

             default_keytab_name = keytab
                     The keytab to use if no other is specified, default
                     is ``FILE:/etc/krb5.keytab''.

             dns_lookup_kdc = boolean
                     Use DNS SRV records to look up the location of KDC
                     services.

             dns_lookup_realm = boolean
                     Use DNS TXT records to look up domain to realm
                     mappings.

             kdc_timesync = boolean
                     Try to keep track of the time differential between
                     the local machine and the KDC, and then compensate
                     for that when issuing requests.

             max_retries = number
                     The max number of times to try to contact each KDC.

             large_msg_size = number
                     The threshold where protocols with tiny maximum
                     message sizes are not considered usable to send
                     messages to the KDC.

             ticket_lifetime = time
                     Default ticket lifetime.

             renew_lifetime = time
                     Default renewable ticket lifetime.

             forwardable = boolean
                     When obtaining initial credentials, make the
                     credentials forwardable.  This option is also valid in
                     the [realms] section.

             proxiable = boolean
                     When obtaining initial credentials, make the
                     credentials proxiable.  This option is also valid in
                     the [realms] section.

             verify_ap_req_nofail = boolean
                     If enabled, failure to verify credentials against a
                     local key is a fatal error.  The application has to
                     be able to read the corresponding service key for
                     this to work.  Some applications, like su(1), enable
                     this option unconditionally.

             warn_pwexpire = time
                     How soon to warn for expiring password.  Default is
                     seven days.

             http_proxy = proxy-spec
                     An HTTP proxy to use when talking to the KDC via
                     HTTP.

             dns_proxy = proxy-spec
                     Enable using DNS via HTTP.

             extra_addresses = address ...
                     A list of addresses to get tickets for along with
                     all local addresses.

             time_format = string
                     How to print time strings in logs, this string is
                     passed to strftime(3).

             date_format = string
                     How to print date strings in logs, this string is
                     passed to strftime(3).

             log_utc = boolean
                     Write log entries using UTC instead of your local
                     time zone.

             scan_interfaces = boolean
                     Scan all network interfaces for addresses, as
                     opposed to simply using the address associated with
                     the system's host name.

             fcache_version = int
                     Use the file credential cache format version
                     specified.

             krb4_get_tickets = boolean
                     Also get Kerberos 4 tickets in kinit, login, and
                     other programs.  This option is also valid in the
                     [realms] section.

             fcc-mit-ticketflags = boolean
                     Use MIT compatible format for file credential
                     cache.  It's the field ticketflags that is stored
                     in reverse bit order for versions older than Heimdal
                     0.7.  Setting this flag to TRUE makes it store the
                     MIT way; this is the default for Heimdal 0.7.

             check-rd-req-server
                     If set to "ignore", the framework will ignore the
                     server input to krb5_rd_req(3); this is very useful
                     when the GSS-API server inputs the wrong server name
                     into the gss_accept_sec_context call.

     [domain_realm]
             This is a list of mappings from DNS domain to Kerberos realm.
             Each binding in this section looks like:

                     domain = realm

             The domain can be either a full name of a host or a trailing
             component; in the latter case the domain string should start
             with a period.  The trailing component only matches hosts
             that are in the same domain, i.e. ``.example.com'' matches
             ``foo.example.com'', but not ``foo.test.example.com''.

             The realm may be the token `dns_locate', in which case the
             actual realm will be determined using DNS (independently of
             the setting of the `dns_lookup_realm' option).

     [realms]

             REALM = {

                     kdc = [service/]host[:port]
                             Specifies a list of kdcs for this realm.  If
                             the optional port is absent, the default
                             value for the ``kerberos/udp'',
                             ``kerberos/tcp'', and ``http/tcp'' port
                             (depending on service) will be used.  The
                             kdcs will be used in the order that they are
                             specified.

                             The optional service specifies over what
                             medium the kdc should be contacted.  Possible
                             services are ``udp'', ``tcp'', and ``http''.
                             Http can also be written as ``http://''.
                             Default service is ``udp'' and ``tcp''.

                     admin_server = host[:port]
                             Specifies the admin server for this realm,
                             where all the modifications to the database
                             are performed.

                     kpasswd_server = host[:port]
                             Points to the server where all the password
                             changes are performed.  If there is no such
                             entry, the kpasswd port on the admin_server
                             host will be tried.

                     krb524_server = host[:port]
                             Points to the server that does 524
                             conversions.  If it is not mentioned, the
                             krb524 port on the kdcs will be tried.

                     v4_instance_convert

                     v4_name_convert

                     default_domain
                             See krb5_425_conv_principal(3).

                     tgs_require_subkey
                             a boolean variable that defaults to false.
                             Old DCE secd (pre 1.1) might need this to be
                             true.

             }

     [capaths]

             client-realm = {

                     server-realm = hop-realm ...
                             This serves two purposes.  First, the first
                             listed hop-realm tells a client which realm
                             it should contact in order to ultimately
                             obtain credentials for a service in the
                             server-realm.  Secondly, it tells the KDC
                             (and other servers) which realms are allowed
                             in a multi-hop traversal from client-realm
                             to server-realm.  Except for the client
                             case, the order of the realms is not
                             important.

             }

     [logging]

             entity = destination
                     Specifies that entity should use the specified
                     destination for logging.  See the krb5_openlog(3)
                     manual page for a list of defined destinations.

     [kdc]

             database = {

                     dbname = DATABASENAME
                             Use this database for this realm.  See the
                             info documentation for how to configure
                             different database backends.

                     realm = REALM
                             Specifies the realm that will be stored in
                             this database.  If realm isn't set, it will
                             be used as the default database; there can
                             only be one entry that doesn't have a realm
                             stanza.

                     mkey_file = FILENAME
                             Use this keytab file for the master key of
                             this database.  If not specified,
                             DATABASENAME.mkey will be used.

                     acl_file = FILENAME
                             Use this file for the ACL list of this
                             database.

                     log_file = FILENAME
                             Use this file as the log of changes
                             performed to the database.  This file is
                             used by ipropd-master for propagating
                             changes to slaves.

             }

             max-request = SIZE
                     Maximum size of a kdc request.

             require-preauth = BOOL
                     If set, pre-authentication is required.  Since krb4
                     requests are not pre-authenticated they will be
                     rejected.

             ports = list of ports
                     List of ports the kdc should listen to.

             addresses = list of interfaces
                     List of addresses the kdc should bind to.

             enable-kerberos4 = BOOL
                     Turn on Kerberos 4 support.

             v4-realm = REALM
                     To what realm v4 requests should be mapped.

             enable-524 = BOOL
                     Should the Kerberos 524 converting facility be
                     turned on.  Default is the same as
                     enable-kerberos4.

             enable-http = BOOL
                     Should the kdc answer kdc-requests over http.

             enable-kaserver = BOOL
                     If this kdc should emulate the AFS kaserver.

             tgt-use-strongest-session-key = BOOL
                     If this is TRUE then the KDC will prefer the
                     strongest key from the client's AS-REQ or TGS-REQ
                     enctype list for the ticket session key that is
                     supported by the KDC and the target principal when
                     the target principal is a krbtgt principal.  Else
                     it will prefer the first key from the client's
                     AS-REQ enctype list that is also supported by the
                     KDC and the target principal.  Defaults to TRUE.

             svc-use-strongest-session-key = BOOL
                     Like tgt-use-strongest-session-key, but applies to
                     the session key enctype of tickets for services
                     other than krbtgt principals.  Defaults to TRUE.

             preauth-use-strongest-session-key = BOOL
                     If TRUE then select the strongest possible enctype
                     from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
                     for password-based pre-authentication).  Else pick
                     the first supported enctype from the client's
                     AS-REQ.  Defaults to TRUE.

             use-strongest-server-key = BOOL
                     If TRUE then the KDC picks, for the ticket
                     encrypted part's key, the first supported enctype
                     from the target service principal's hdb entry's
                     current keyset.  Else the KDC picks the first
                     supported enctype from the target service
                     principal's hdb entry's current keyset.  Defaults
                     to TRUE.

             check-ticket-addresses = BOOL
                     Verify the addresses in the tickets used in tgs
                     requests.

             allow-null-ticket-addresses = BOOL
                     Allow address-less tickets.

             allow-anonymous = BOOL
                     If the kdc is allowed to hand out anonymous
                     tickets.

             encode_as_rep_as_tgs_rep = BOOL
                     Encode as-rep as tgs-rep to be compatible with
                     mistakes older DCE secd did.

             kdc_warn_pwexpire = TIME
                     The time before expiration that the user should be
                     warned that her password is about to expire.

             logging = Logging
                     What type of logging the kdc should use, see also
                     [logging]/kdc.

             use_2b = {

                     principal = BOOL
                             boolean value if the 524 daemon should
                             return AFS 2b tokens for principal.

                     ...

             }

             hdb-ldap-structural-object structural object
                     If the LDAP backend is used for storing principals,
                     this is the structural object that will be used
                     when creating and when reading objects.  The
                     default value is account.

             hdb-ldap-create-base creation dn
                     is the dn that will be appended to the principal
                     when creating entries.  Default value is the search
                     dn.

             enable-digest = BOOL
                     Should the kdc answer digest requests.  The default
                     is FALSE.

             digests_allowed = list of digests
                     Specifies the digests the kdc will reply to.  The
                     default is ntlm-v2.

     [kadmin]

             require-preauth = BOOL
                     If pre-authentication is required to talk to the
                     kadmin server.

             password_lifetime = time
                     If a principal already has its password set for
                     expiration, this is the time it will be valid for
                     after a change.

             default_keys = keytypes...
                     For each entry in default_keys try to parse it as a
                     sequence of etype:salttype:salt; the syntax of this
                     is something like:

                     [(des|des3|etype):](pw-salt|afs3-salt)[:string]

                     If etype is omitted it means everything, and if
                     string is omitted it means the default salt string
                     (for that principal and encryption type).
                     Additional special values of keytypes are:

                     v5      The Kerberos 5 salt pw-salt

                     v4      The Kerberos 4 salt des:pw-salt:

             use_v4_salt = BOOL
                     When true, this is the same as

                     default_keys = des3:pw-salt v4

                     and is only left for backwards compatibility.

     [password_quality]
             Check the Password quality assurance section in the info
             documentation for more information.

             check_library = library-name
                     Library name that contains the password check
                     function.

             check_function = function-name
                     Function name for checking passwords in
                     check_library.

             policy_libraries = library1 ... libraryN
                     List of libraries that can do password policy
                     checks.

             policies = policy1 ... policyN
                     List of policy names to apply to the password.
                     Built-in policies include, among others,
                     minimum-length, character-class and external-check.

ENVIRONMENT
     KRB5_CONFIG points to the configuration file to read.

FILES
     /etc/krb5.conf  configuration file for Kerberos 5.

EXAMPLES
           [libdefaults]
                   default_realm = FOO.SE
           [domain_realm]
                   .foo.se = FOO.SE
                   .bar.se = FOO.SE
           [realms]
                   FOO.SE = {
                           kdc = kerberos.foo.se
                           v4_name_convert = {
                                   rcmd = host
                           }
                           v4_instance_convert = {
                                   xyz = xyz.bar.se
                           }
                           default_domain = foo.se
                   }
           [logging]
                   kdc = FILE:/var/heimdal/kdc.log
                   kdc = SYSLOG:INFO
                   default = SYSLOG:INFO:USER

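     The following is an added example and is not part of the Heimdal man
     page or of Heimdal's own code: a small Python parser for the binding
     grammar given in DESCRIPTION, the [domain_realm] matching rule (a
     leading-period entry matches only hosts directly in that domain), and
     an audit of the allow_weak_crypto and default_etypes settings from
     [libdefaults].  The sample configuration is constructed from the
     EXAMPLES section with weak-crypto lines added; all function names
     are assumptions of this example.

```python
import re

# Constructed sample: the man page's EXAMPLES plus two weak-crypto settings.
SAMPLE = """\
[libdefaults]
    default_realm = FOO.SE
    allow_weak_crypto = true
    default_etypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[domain_realm]
    .foo.se = FOO.SE
    gw.test.foo.se = FOO.SE
"""

def parse_krb5_conf(text):
    """Parse the DESCRIPTION grammar; repeated binding names collect in a list."""
    root, stack, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # '[' section_name ']'
            section = root.setdefault(m.group(1), {})
            stack = [section]
        elif line == "}":                       # end of a nested block
            if len(stack) < 2:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:                                   # name '=' STRING | '{'
            name, eq, value = (p.strip() for p in line.partition("="))
            if section is None or not eq:
                raise ValueError("bad binding: %r" % line)
            if value == "{":                    # name '=' '{' bindings '}'
                stack.append(stack[-1].setdefault(name, {}))
            else:
                stack[-1].setdefault(name, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return root

def domain_to_realm(conf, hostname):
    """[domain_realm] lookup: an exact host entry wins; '.foo.se' matches
    'a.foo.se' but not 'a.test.foo.se'.  Returns None when nothing applies."""
    maps = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    return maps.get(host) or maps.get("." + host.partition(".")[2])

def weak_crypto_findings(conf):
    """Flag allow_weak_crypto = yes/true and single-DES default_etypes."""
    lib, out = conf.get("libdefaults", {}), []
    if lib.get("allow_weak_crypto", ["no"])[0].lower() in ("yes", "true"):
        out.append("allow_weak_crypto enabled")
    for et in " ".join(lib.get("default_etypes", [])).split():
        if et in ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5"):
            out.append("weak enctype in default_etypes: " + et)
    return out
```

     A host with no matching entry gets None here; the library would then
     fall back to default_realm or, with dns_lookup_realm, to DNS.
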
DIAGNOSTICS
     Since krb5.conf is read and parsed by the krb5 library, there are not
     a lot of opportunities for programs to report parsing errors in any
     useful format.  To help overcome this problem, there is a program
     verify_krb5_conf that reads krb5.conf and tries to emit useful
     diagnostics from parsing errors.  Note that this program does not
     have any way of knowing what options are actually used and thus
     cannot warn about unknown or misspelled ones.

SEE ALSO
     kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),
     verify_krb5_conf(8)

HEIMDAL                          May 4, 2005                        HEIMDAL