krb5.conf.5: diff of old revision 102644 against new revision 120945
1.\" $Id: krb5.conf.5,v 1.25 2002/08/28 15:33:59 nectar Exp $
2.\"
3.Dd April 11, 1999
4.Dt KRB5.CONF 5
5.Os HEIMDAL
6.Sh NAME
7.Nm /etc/krb5.conf
8.Nd configuration file for Kerberos 5
9.Sh DESCRIPTION
10The
11.Nm
12file specifies several configuration parameters for the Kerberos 5
13library, as well as for some programs.
14.Pp
15The file consists of one or more sections, containing a number of
16bindings. The value of each binding can be either a string or a list
17of other bindings. The grammar looks like:
18.Bd -literal -offset indent
19file:
20 /* empty */
21 sections
22
23sections:
24 section sections
25 section
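Review bot: the `.Dd April 11, 1999` date at line 3 is stale next to the `$Id$` header dated 2002/08/28 on line 1; bump `.Dd` whenever the content changes, since it is the only date a man(1) reader sees. The grammar opened at `file:` is the right place to say whether comment lines are accepted by the parser; as written a reader cannot tell whether anything other than `sections` is legal in the file.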

--- 12 unchanged lines hidden ---

38 name '=' STRING
39 name '=' '{' bindings '}'
40
41name:
42 STRING
43
44.Ed
45.Li STRINGs
46consists of one or more non-white space characters.
47Currently recognised sections and bindings are:
48.Bl -tag -width "xxx" -offset indent
49.It Li [appdefaults]
50Specifies the default values to be used for Kerberos applications.
51You can specify defaults per application, realm, or a combination of
52these. The preference order is:
53.Bl -enum -compact
54.It
55.Va application Va realm Va option
56.It
57.Va application Va option
58.It
59.Va realm Va option
60.It
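Review bot: `.Li STRINGs consists of one or more non-white space characters.` has a number-agreement error; write `A STRING consists of one or more non-whitespace characters.` The `[appdefaults]` preference order is stated only as bare `.Va application Va realm Va option` items; one illustrative nested binding (for example `kinit = { EXAMPLE.ORG = { forwardable = true } }`, with a made-up realm) would make the application/realm/option nesting concrete for the reader.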

--- 18 unchanged lines hidden ---

79.Bl -tag -width "xxx" -offset indent
80.It Li default_realm = Va REALM
81Default realm to use, this is also known as your
82.Dq local realm .
83The default is the result of
84.Fn krb5_get_host_realm "local hostname" .
85.It Li clockskew = Va time
86Maximum time differential (in seconds) allowed when comparing
87times. Default is 300 seconds (five minutes).
88.It Li kdc_timeout = Va time
89Maximum time to wait for a reply from the kdc, default is 3 seconds.
90.It v4_name_convert
91.It v4_instance_resolve
92These are decribed in the
93.Xr krb5_425_conv_principal 3
94manual page.
95.It Li capath = {
96.Bl -tag -width "xxx" -offset indent
97.It Va destination-realm Li = Va next-hop-realm
98.It ...
99.El
100Normally, all requests to realms different from the one of the current
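Review bot: `decribed` at line 92 should be `described`. The `.It v4_name_convert` and `.It v4_instance_resolve` entries are the only items in this list without `Li`, unlike `.It Li clockskew = Va time` just above; make the markup consistent. For `clockskew`, it would help to state that raising the value above the 300 second default also lengthens the interval during which a timestamped request is still accepted, so it should only be changed when clocks genuinely cannot be synchronised.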

--- 5 unchanged lines hidden ---

106ticket to
107.Va next-hop-realm
108when the desired realm is
109.Va destination-realm .
110This configuration should preferably be done on the KDC where it will
111help all its clients but can also be done on the client itself.
112.It Li }
113.It Li default_etypes = Va etypes...
114A list of default etypes to use.
115.It Li default_etypes_des = Va etypes...
116A list of default etypes to use when requesting a DES credential.
117.It Li default_keytab_name = Va keytab
118The keytab to use if none other is specified, default is
119.Dq FILE:/etc/krb5.keytab .
120.It Li dns_lookup_kdc = Va boolean
121Use DNS SRV records to lookup KDC services location.
122.It Li dns_lookup_realm = Va boolean
123Use DNS TXT records to lookup domain to realm mappings.
124.It Li kdc_timesync = Va boolean
125Try to keep track of the time differential between the local machine
126and the KDC, and then compensate for that when issuing requests.
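Review bot: `dns_lookup_kdc` and `dns_lookup_realm` are described without any note that the SRV and TXT answers come unauthenticated from the resolver; add a sentence saying that a host enabling them trusts DNS to locate its KDCs and to map domains to realms, and that static `[realms]` and `[domain_realm]` entries are preferable where that trust is not warranted. Minor: `lookup` is the noun, the verb is `look up` (`Use DNS SRV records to look up ...`, `Use DNS TXT records to look up ...`).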

--- 6 unchanged lines hidden ---

133.It Li forwardable = Va boolean
134When obtaining initial credentials, make the credentials forwardable.
135This option is also valid in the [realms] section.
136.It Li proxiable = Va boolean
137When obtaining initial credentials, make the credentials proxiable.
138This option is also valid in the [realms] section.
139.It Li verify_ap_req_nofail = Va boolean
140If enabled, failure to verify credentials against a local key is a
141fatal error. The application has to be able to read the corresponding
142service key for this to work. Some applications, like
143.Xr su 8 ,
144enable this option unconditionally.
145.It Li warn_pwexpire = Va time
146How soon to warn for expiring password. Default is seven days.
147.It Li http_proxy = Va proxy-spec
148A HTTP-proxy to use when talking to the KDC via HTTP.
149.It Li dns_proxy = Va proxy-spec
150Enable using DNS via HTTP.
151.It Li extra_addresses = Va address...
152A list of addresses to get tickets for along with all local addresses.
153.It Li time_format = Va string
154How to print time strings in logs, this string is passed to
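Review bot: `verify_ap_req_nofail` does not state its default, and the case a reader most needs is the one where it is off: the text should spell out that an application which cannot read the service key then accepts the credentials without verifying them against a local key. Also `A HTTP-proxy` should be `An HTTP proxy`, and `How soon to warn for expiring password` reads better as `How long before a password expires to start warning about it`.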

--- 11 unchanged lines hidden ---

166.It Li krb4_get_tickets = Va boolean
167Also get Kerberos 4 tickets in
168.Nm kinit ,
169.Nm login ,
170and other programs.
171This option is also valid in the [realms] section.
172.El
173.It Li [domain_realm]
174This is a list of mappings from DNS domain to Kerberos realm. Each
175binding in this section looks like:
176.Pp
177.Dl domain = realm
178.Pp
179The domain can be either a full name of a host or a trailing
180component, in the latter case the domain-string should start with a
181perid.
182The realm may be the token `dns_locate', in which case the actual
183realm will be determined using DNS (independently of the setting
184of the `dns_lookup_realm' option).
185.It Li [realms]
186.Bl -tag -width "xxx" -offset indent
187.It Va REALM Li = {
188.Bl -tag -width "xxx" -offset indent
189.It Li kdc = Va host[:port]
190Specifies a list of kdcs for this realm. If the optional port is absent, the
191default value for the
192.Dq kerberos/udp
193service will be used.
194The kdcs will be used in the order that they are specified.
195.It Li admin_server = Va host[:port]
196Specifies the admin server for this realm, where all the modifications
197to the database are perfomed.
198.It Li kpasswd_server = Va host[:port]
199Points to the server where all the password changes are perfomed.
200If there is no such entry, the kpasswd port on the admin_server host
201will be tried.
202.It Li krb524_server = Va Host[:port]
203Points to the server that does 524 conversions. If it is not
204mentioned, the krb524 port on the kdcs will be tried.
205.It Li v4_instance_convert
206.It Li v4_name_convert
207.It Li default_domain
208See
209.Xr krb5_425_conv_principal 3 .
210.El
211.It Li }
212.El
213.It Li [logging]
214.Bl -tag -width "xxx" -offset indent
215.It Va entity Li = Va destination
216Specifies that
217.Va entity
218should use the specified
219.Li destination
220for logging. See the
221.Xr krb5_openlog 3
222manual page for a list of defined destinations.
223.El
224.It Li [kdc]
225.Bl -tag -width "xxx" -offset indent
226.It database Li = {
227.Bl -tag -width "xxx" -offset indent
228.It dbname Li = Va DATABASENAME
229use this database for this realm.
230.It realm Li = Va REALM
231specifies the realm that will be stored in this database.
232.It mkey_file Li = Pa FILENAME
233use this keytab file for the master key of this database.
234If not specified
235.Va DATABASENAME Ns .mkey
236will be used.
237.It acl_file Li = PA FILENAME
238use this file for the ACL list of this database.
239.It log_file Li = Pa FILENAME
240use this file as the log of changes performed to the database. This
241file is used by
242.Nm ipropd-master
243for propagating changes to slaves.
244.El
245.It Li }
246.It max-request = Va SIZE
247Maximum size of a kdc request.
248.It require-preauth = Va BOOL
249If set pre-authentication is required. Since krb4 requests are not
250pre-authenticated they will be rejected.
251.It ports = Va "list of ports"
252list of ports the kdc should listen to.
253.It addresses = Va "list of interfaces"
254list of addresses the kdc should bind to.
255.It enable-kerberos4 = Va BOOL
256turn on kerberos4 support.
257.It v4-realm = Va REALM
258to what realm v4 requests should be mapped.
259.It enable-524 = Va BOOL
260should the Kerberos 524 converting facility be turned on. Default is same as
261.Va enable-kerberos4 .
262.It enable-http = Va BOOL
263should the kdc answer kdc-requests over http.
264.It enable-kaserver = Va BOOL
265if this kdc should emulate the AFS kaserver.
266.It check-ticket-addresses = Va BOOL
267verify the addresses in the tickets used in tgs requests.
268.\" XXX
269.It allow-null-ticket-addresses = Va BOOL
270allow addresses-less tickets.
271.\" XXX
272.It allow-anonymous = Va BOOL
273if the kdc is allowed to hand out anonymous tickets.
274.It encode_as_rep_as_tgs_rep = Va BOOL
275encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
276.\" XXX
277.It kdc_warn_pwexpire = Va TIME
278the time before expiration that the user should be warned that her
279password is about to expire.
280.It logging = Va Logging
281What type of logging the kdc should use, see also [logging]/kdc.
282.El
283.It Li [kadmin]
284.Bl -tag -width "xxx" -offset indent
285.It require-preauth = Va BOOL
286If pre-authentication is required to talk to the kadmin server.
287.It default_keys = Va keytypes...
288for each entry in
289.Va default_keys
290try to parse it as a sequence of
291.Va etype:salttype:salt
292syntax of this if something like:
293.Pp
294[(des|des3|etype):](pw-salt|afs3-salt)[:string]
295.Pp
296if
297.Ar etype
298is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are:
299.Bl -tag -width "xxx" -offset indent
300.It v5
301The kerberos 5 salt
302.Va pw-salt
303.It v4
304The kerberos 4 type
305.Va des:pw-salt:
306.El
307.It use_v4_salt = Va BOOL
308When true, this is the same as
309.Pp
310.Va default_keys = Va des3:pw-salt Va v4
311.Pp
312and is only left for backwards compatability.
313.El
314.El
315.Sh ENVIRONMENT
316.Ev KRB5_CONFIG
317points to the configuration file to read.
318.Sh EXAMPLE
319.Bd -literal -offset indent
320[libdefaults]
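Review bot: several spelling errors in this hunk: `perid` (line 181) should be `period`, `perfomed` (lines 197 and 199) `performed`, `tobe` (line 275) `to be`, `keyttypes` (line 298) `keytypes`, `compatability` (line 312) `compatibility`, and `syntax of this if something like` (line 292) `the syntax of this is something like`. Markup: `.It Li krb524_server = Va Host[:port]` capitalises `Host` unlike its sibling entries, and `.It acl_file Li = PA FILENAME` uses `PA` where the neighbouring entries use `Pa`, so it will not render as a path. Three `.\" XXX` markers remain against `check-ticket-addresses`, `allow-null-ticket-addresses` and `encode_as_rep_as_tgs_rep`; the first two govern whether ticket addresses are checked at all and whether address-less tickets are accepted, so they and `allow-anonymous` should get real descriptions and stated defaults before the page ships. `require-preauth` in `[kdc]` also gives no default even though the text notes that unauthenticated krb4 requests are rejected when it is set; say which way it defaults.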

--- 22 unchanged lines hidden ---

343.Nm
344is read and parsed by the krb5 library, there is not a lot of
345opportunities for programs to report parsing errors in any useful
346format.
347To help overcome this problem, there is a program
348.Nm verify_krb5_conf
349that reads
350.Nm
351and tries to emit useful diagnostics from parsing errors. Note that
352this program does not have any way of knowing what options are
353actually used and thus cannot warn about unknown or misspelled ones.
354.Sh SEE ALSO
355.Xr kinit 1 ,
356.Xr krb5_425_conv_principal 3 ,
357.Xr krb5_openlog 3 ,
358.Xr strftime 3 ,
359.Xr verify_krb5_conf 8
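Review bot: `there is not a lot of opportunities` should be `there are not many opportunities`. The paragraph correctly says `verify_krb5_conf` cannot warn about unknown or misspelled options, and this page itself mixes naming styles (`warn_pwexpire` against `kdc_warn_pwexpire`, hyphenated `require-preauth` beside underscored `default_keys`); add a sentence that a misspelled option is silently ignored, so a typo in a security-relevant setting such as `verify_ap_req_nofail` or `require-preauth` goes unnoticed until the behaviour differs from what was intended.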