krb5.conf.5 (102644) | krb5.conf.5 (120945) |
---|---|
1.\" $Id: krb5.conf.5,v 1.25 2002/08/28 15:33:59 nectar Exp $ | 1.\" Copyright (c) 1999 - 2003 Kungliga Tekniska H�gskolan 2.\" (Royal Institute of Technology, Stockholm, Sweden). 3.\" All rights reserved. |
2.\" | 4.\" |
5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" 3. Neither the name of the Institute nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" $Id: krb5.conf.5,v 1.35 2003/04/16 13:26:13 lha Exp $ 33.\" |
|
3.Dd April 11, 1999 4.Dt KRB5.CONF 5 5.Os HEIMDAL 6.Sh NAME 7.Nm /etc/krb5.conf 8.Nd configuration file for Kerberos 5 9.Sh DESCRIPTION 10The 11.Nm 12file specifies several configuration parameters for the Kerberos 5 13library, as well as for some programs. 14.Pp 15The file consists of one or more sections, containing a number of | 34.Dd April 11, 1999 35.Dt KRB5.CONF 5 36.Os HEIMDAL 37.Sh NAME 38.Nm /etc/krb5.conf 39.Nd configuration file for Kerberos 5 40.Sh DESCRIPTION 41The 42.Nm 43file specifies several configuration parameters for the Kerberos 5 44library, as well as for some programs. 45.Pp 46The file consists of one or more sections, containing a number of |
16bindings. The value of each binding can be either a string or a list 17of other bindings. The grammar looks like: | 47bindings. 48The value of each binding can be either a string or a list of other 49bindings. 50The grammar looks like: |
18.Bd -literal -offset indent 19file: 20 /* empty */ 21 sections 22 23sections: 24 section sections 25 section --- 12 unchanged lines hidden (view full) --- 38 name '=' STRING 39 name '=' '{' bindings '}' 40 41name: 42 STRING 43 44.Ed 45.Li STRINGs | 51.Bd -literal -offset indent 52file: 53 /* empty */ 54 sections 55 56sections: 57 section sections 58 section --- 12 unchanged lines hidden (view full) --- 71 name '=' STRING 72 name '=' '{' bindings '}' 73 74name: 75 STRING 76 77.Ed 78.Li STRINGs |
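Review bot: the .Dd line is left at "April 11, 1999" even though this revision adds the licence header and, further down, several new options ([service/] prefix for kdc, use_2b, the STRING notation list); the document date should be bumped to the date of this change so the rendered page's footer reflects its actual content. The new licence header's copyright line also carries a mis-encoded character ("H�gskolan"), which suggests the file was committed in a different encoding than the rest of the manual page; it should be checked to be plain ISO-8859-1 or ASCII ("Hoegskolan") like the other Heimdal man pages.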
46consists of one or more non-white space characters. | 79consists of one or more non-whitespace characters. 80.Pp 81STRINGs that are specified later in this man-page uses the following 82notation. 83.Bl -tag -width "xxx" -offset indent 84.It boolean 85values can be either yes/true or no/false. 86.It time 87values can be a list of year, month, day, hour, min, second. 88Example: 1 month 2 days 30 min. 89.It etypes 90valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, 91des3-cbc-sha1. 92.It address 93an address can be either a IPv4 or a IPv6 address. 94.El 95.Pp |
47Currently recognised sections and bindings are: 48.Bl -tag -width "xxx" -offset indent 49.It Li [appdefaults] 50Specifies the default values to be used for Kerberos applications. 51You can specify defaults per application, realm, or a combination of | 96Currently recognised sections and bindings are: 97.Bl -tag -width "xxx" -offset indent 98.It Li [appdefaults] 99Specifies the default values to be used for Kerberos applications. 100You can specify defaults per application, realm, or a combination of |
52these. The preference order is: | 101these. 102The preference order is: |
53.Bl -enum -compact 54.It 55.Va application Va realm Va option 56.It 57.Va application Va option 58.It 59.Va realm Va option 60.It --- 18 unchanged lines hidden (view full) --- 79.Bl -tag -width "xxx" -offset indent 80.It Li default_realm = Va REALM 81Default realm to use, this is also known as your 82.Dq local realm . 83The default is the result of 84.Fn krb5_get_host_realm "local hostname" . 85.It Li clockskew = Va time 86Maximum time differential (in seconds) allowed when comparing | 103.Bl -enum -compact 104.It 105.Va application Va realm Va option 106.It 107.Va application Va option 108.It 109.Va realm Va option 110.It --- 18 unchanged lines hidden (view full) --- 129.Bl -tag -width "xxx" -offset indent 130.It Li default_realm = Va REALM 131Default realm to use, this is also known as your 132.Dq local realm . 133The default is the result of 134.Fn krb5_get_host_realm "local hostname" . 135.It Li clockskew = Va time 136Maximum time differential (in seconds) allowed when comparing |
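Review bot: two grammar slips in the newly added notation list: "STRINGs that are specified later in this man-page uses the following notation" should read "use", and "an address can be either a IPv4 or a IPv6 address" should be "an IPv4 or an IPv6 address". The "etypes" item states "valid encryption types are:" followed by a fixed list of four names; if the library accepts more than those, "include" rather than "are" keeps the list from becoming a false statement as types are added.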
87times. Default is 300 seconds (five minutes). | 137times. 138Default is 300 seconds (five minutes). |
88.It Li kdc_timeout = Va time 89Maximum time to wait for a reply from the kdc, default is 3 seconds. 90.It v4_name_convert 91.It v4_instance_resolve | 139.It Li kdc_timeout = Va time 140Maximum time to wait for a reply from the kdc, default is 3 seconds. 141.It v4_name_convert 142.It v4_instance_resolve |
92These are decribed in the | 143These are described in the |
93.Xr krb5_425_conv_principal 3 94manual page. 95.It Li capath = { 96.Bl -tag -width "xxx" -offset indent 97.It Va destination-realm Li = Va next-hop-realm 98.It ... 99.El 100Normally, all requests to realms different from the one of the current --- 5 unchanged lines hidden (view full) --- 106ticket to 107.Va next-hop-realm 108when the desired realm is 109.Va destination-realm . 110This configuration should preferably be done on the KDC where it will 111help all its clients but can also be done on the client itself. 112.It Li } 113.It Li default_etypes = Va etypes... | 144.Xr krb5_425_conv_principal 3 145manual page. 146.It Li capath = { 147.Bl -tag -width "xxx" -offset indent 148.It Va destination-realm Li = Va next-hop-realm 149.It ... 150.El 151Normally, all requests to realms different from the one of the current --- 5 unchanged lines hidden (view full) --- 157ticket to 158.Va next-hop-realm 159when the desired realm is 160.Va destination-realm . 161This configuration should preferably be done on the KDC where it will 162help all its clients but can also be done on the client itself. 163.It Li } 164.It Li default_etypes = Va etypes... |
114A list of default etypes to use. | 165A list of default encryption types to use. |
115.It Li default_etypes_des = Va etypes... | 166.It Li default_etypes_des = Va etypes... |
116A list of default etypes to use when requesting a DES credential. | 167A list of default encryption types to use when requesting a DES credential. |
117.It Li default_keytab_name = Va keytab | 168.It Li default_keytab_name = Va keytab |
118The keytab to use if none other is specified, default is | 169The keytab to use if no other is specified, default is |
119.Dq FILE:/etc/krb5.keytab . 120.It Li dns_lookup_kdc = Va boolean 121Use DNS SRV records to lookup KDC services location. 122.It Li dns_lookup_realm = Va boolean 123Use DNS TXT records to lookup domain to realm mappings. 124.It Li kdc_timesync = Va boolean 125Try to keep track of the time differential between the local machine 126and the KDC, and then compensate for that when issuing requests. --- 6 unchanged lines hidden (view full) --- 133.It Li forwardable = Va boolean 134When obtaining initial credentials, make the credentials forwardable. 135This option is also valid in the [realms] section. 136.It Li proxiable = Va boolean 137When obtaining initial credentials, make the credentials proxiable. 138This option is also valid in the [realms] section. 139.It Li verify_ap_req_nofail = Va boolean 140If enabled, failure to verify credentials against a local key is a | 170.Dq FILE:/etc/krb5.keytab . 171.It Li dns_lookup_kdc = Va boolean 172Use DNS SRV records to lookup KDC services location. 173.It Li dns_lookup_realm = Va boolean 174Use DNS TXT records to lookup domain to realm mappings. 175.It Li kdc_timesync = Va boolean 176Try to keep track of the time differential between the local machine 177and the KDC, and then compensate for that when issuing requests. --- 6 unchanged lines hidden (view full) --- 184.It Li forwardable = Va boolean 185When obtaining initial credentials, make the credentials forwardable. 186This option is also valid in the [realms] section. 187.It Li proxiable = Va boolean 188When obtaining initial credentials, make the credentials proxiable. 189This option is also valid in the [realms] section. 190.It Li verify_ap_req_nofail = Va boolean 191If enabled, failure to verify credentials against a local key is a |
141fatal error. The application has to be able to read the corresponding 142service key for this to work. Some applications, like | 192fatal error. 193The application has to be able to read the corresponding service key 194for this to work. 195Some applications, like |
143.Xr su 8 , 144enable this option unconditionally. 145.It Li warn_pwexpire = Va time | 196.Xr su 8 , 197enable this option unconditionally. 198.It Li warn_pwexpire = Va time |
146How soon to warn for expiring password. Default is seven days. | 199How soon to warn for expiring password. 200Default is seven days. |
147.It Li http_proxy = Va proxy-spec 148A HTTP-proxy to use when talking to the KDC via HTTP. 149.It Li dns_proxy = Va proxy-spec 150Enable using DNS via HTTP. 151.It Li extra_addresses = Va address... 152A list of addresses to get tickets for along with all local addresses. 153.It Li time_format = Va string 154How to print time strings in logs, this string is passed to --- 11 unchanged lines hidden (view full) --- 166.It Li krb4_get_tickets = Va boolean 167Also get Kerberos 4 tickets in 168.Nm kinit , 169.Nm login , 170and other programs. 171This option is also valid in the [realms] section. 172.El 173.It Li [domain_realm] | 201.It Li http_proxy = Va proxy-spec 202A HTTP-proxy to use when talking to the KDC via HTTP. 203.It Li dns_proxy = Va proxy-spec 204Enable using DNS via HTTP. 205.It Li extra_addresses = Va address... 206A list of addresses to get tickets for along with all local addresses. 207.It Li time_format = Va string 208How to print time strings in logs, this string is passed to --- 11 unchanged lines hidden (view full) --- 220.It Li krb4_get_tickets = Va boolean 221Also get Kerberos 4 tickets in 222.Nm kinit , 223.Nm login , 224and other programs. 225This option is also valid in the [realms] section. 226.El 227.It Li [domain_realm] |
174This is a list of mappings from DNS domain to Kerberos realm. Each 175binding in this section looks like: | 228This is a list of mappings from DNS domain to Kerberos realm. 229Each binding in this section looks like: |
176.Pp 177.Dl domain = realm 178.Pp 179The domain can be either a full name of a host or a trailing 180component, in the latter case the domain-string should start with a | 230.Pp 231.Dl domain = realm 232.Pp 233The domain can be either a full name of a host or a trailing 234component, in the latter case the domain-string should start with a |
181perid. | 235period. |
182The realm may be the token `dns_locate', in which case the actual 183realm will be determined using DNS (independently of the setting 184of the `dns_lookup_realm' option). 185.It Li [realms] 186.Bl -tag -width "xxx" -offset indent 187.It Va REALM Li = { 188.Bl -tag -width "xxx" -offset indent | 236The realm may be the token `dns_locate', in which case the actual 237realm will be determined using DNS (independently of the setting 238of the `dns_lookup_realm' option). 239.It Li [realms] 240.Bl -tag -width "xxx" -offset indent 241.It Va REALM Li = { 242.Bl -tag -width "xxx" -offset indent |
189.It Li kdc = Va host[:port] 190Specifies a list of kdcs for this realm. If the optional port is absent, the | 243.It Li kdc = Va [service/]host[:port] 244Specifies a list of kdcs for this realm. 245If the optional 246.Va port 247is absent, the |
191default value for the 192.Dq kerberos/udp | 248default value for the 249.Dq kerberos/udp |
193service will be used. | 250.Dq kerberos/tcp , 251and 252.Dq http/tcp 253port (depending on service) will be used. |
194The kdcs will be used in the order that they are specified. | 254The kdcs will be used in the order that they are specified. |
255.Pp 256The optional 257.Va service 258specifies over what medium the kdc should be 259contacted. 260Possible services are 261.Dq udp , 262.Dq tcp , 263and 264.Dq http . 265Http can also be written as 266.Dq http:// . 267Default service is 268.Dq udp 269and 270.Dq tcp . |
|
195.It Li admin_server = Va host[:port] 196Specifies the admin server for this realm, where all the modifications | 271.It Li admin_server = Va host[:port] 272Specifies the admin server for this realm, where all the modifications |
197to the database are perfomed. | 273to the database are performed. |
198.It Li kpasswd_server = Va host[:port] | 274.It Li kpasswd_server = Va host[:port] |
199Points to the server where all the password changes are perfomed. | 275Points to the server where all the password changes are performed. |
200If there is no such entry, the kpasswd port on the admin_server host 201will be tried. | 276If there is no such entry, the kpasswd port on the admin_server host 277will be tried. |
202.It Li krb524_server = Va Host[:port] 203Points to the server that does 524 conversions. If it is not 204mentioned, the krb524 port on the kdcs will be tried. | 278.It Li krb524_server = Va host[:port] 279Points to the server that does 524 conversions. 280If it is not mentioned, the krb524 port on the kdcs will be tried. |
205.It Li v4_instance_convert 206.It Li v4_name_convert 207.It Li default_domain 208See 209.Xr krb5_425_conv_principal 3 . 210.El 211.It Li } 212.El 213.It Li [logging] 214.Bl -tag -width "xxx" -offset indent 215.It Va entity Li = Va destination 216Specifies that 217.Va entity 218should use the specified 219.Li destination | 281.It Li v4_instance_convert 282.It Li v4_name_convert 283.It Li default_domain 284See 285.Xr krb5_425_conv_principal 3 . 286.El 287.It Li } 288.El 289.It Li [logging] 290.Bl -tag -width "xxx" -offset indent 291.It Va entity Li = Va destination 292Specifies that 293.Va entity 294should use the specified 295.Li destination |
220for logging. See the | 296for logging. 297See the |
221.Xr krb5_openlog 3 222manual page for a list of defined destinations. 223.El 224.It Li [kdc] 225.Bl -tag -width "xxx" -offset indent 226.It database Li = { 227.Bl -tag -width "xxx" -offset indent 228.It dbname Li = Va DATABASENAME | 298.Xr krb5_openlog 3 299manual page for a list of defined destinations. 300.El 301.It Li [kdc] 302.Bl -tag -width "xxx" -offset indent 303.It database Li = { 304.Bl -tag -width "xxx" -offset indent 305.It dbname Li = Va DATABASENAME |
229use this database for this realm. | 306Use this database for this realm. |
230.It realm Li = Va REALM | 307.It realm Li = Va REALM |
231specifies the realm that will be stored in this database. | 308Specifies the realm that will be stored in this database. |
232.It mkey_file Li = Pa FILENAME | 309.It mkey_file Li = Pa FILENAME |
233use this keytab file for the master key of this database. | 310Use this keytab file for the master key of this database. |
234If not specified 235.Va DATABASENAME Ns .mkey 236will be used. 237.It acl_file Li = PA FILENAME | 311If not specified 312.Va DATABASENAME Ns .mkey 313will be used. 314.It acl_file Li = PA FILENAME |
238use this file for the ACL list of this database. | 315Use this file for the ACL list of this database. |
239.It log_file Li = Pa FILENAME | 316.It log_file Li = Pa FILENAME |
240use this file as the log of changes performed to the database. This 241file is used by | 317Use this file as the log of changes performed to the database. 318This file is used by |
242.Nm ipropd-master 243for propagating changes to slaves. 244.El 245.It Li } 246.It max-request = Va SIZE 247Maximum size of a kdc request. 248.It require-preauth = Va BOOL | 319.Nm ipropd-master 320for propagating changes to slaves. 321.El 322.It Li } 323.It max-request = Va SIZE 324Maximum size of a kdc request. 325.It require-preauth = Va BOOL |
249If set pre-authentication is required. Since krb4 requests are not 250pre-authenticated they will be rejected. | 326If set pre-authentication is required. 327Since krb4 requests are not pre-authenticated they will be rejected. |
251.It ports = Va "list of ports" | 328.It ports = Va "list of ports" |
252list of ports the kdc should listen to. | 329List of ports the kdc should listen to. |
253.It addresses = Va "list of interfaces" | 330.It addresses = Va "list of interfaces" |
254list of addresses the kdc should bind to. | 331List of addresses the kdc should bind to. |
255.It enable-kerberos4 = Va BOOL | 332.It enable-kerberos4 = Va BOOL |
256turn on kerberos4 support. | 333Turn on Kerberos 4 support. |
257.It v4-realm = Va REALM | 334.It v4-realm = Va REALM |
258to what realm v4 requests should be mapped. | 335To what realm v4 requests should be mapped. |
259.It enable-524 = Va BOOL | 336.It enable-524 = Va BOOL |
260should the Kerberos 524 converting facility be turned on. Default is same as | 337Should the Kerberos 524 converting facility be turned on. 338Default is same as |
261.Va enable-kerberos4 . 262.It enable-http = Va BOOL | 339.Va enable-kerberos4 . 340.It enable-http = Va BOOL |
263should the kdc answer kdc-requests over http. | 341Should the kdc answer kdc-requests over http. |
264.It enable-kaserver = Va BOOL | 342.It enable-kaserver = Va BOOL |
265if this kdc should emulate the AFS kaserver. | 343If this kdc should emulate the AFS kaserver. |
266.It check-ticket-addresses = Va BOOL 267verify the addresses in the tickets used in tgs requests. 268.\" XXX 269.It allow-null-ticket-addresses = Va BOOL | 344.It check-ticket-addresses = Va BOOL 345verify the addresses in the tickets used in tgs requests. 346.\" XXX 347.It allow-null-ticket-addresses = Va BOOL |
270allow addresses-less tickets. | 348Allow addresses-less tickets. |
271.\" XXX 272.It allow-anonymous = Va BOOL | 349.\" XXX 350.It allow-anonymous = Va BOOL |
273if the kdc is allowed to hand out anonymous tickets. | 351If the kdc is allowed to hand out anonymous tickets. |
274.It encode_as_rep_as_tgs_rep = Va BOOL | 352.It encode_as_rep_as_tgs_rep = Va BOOL |
275encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. | 353Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. |
276.\" XXX 277.It kdc_warn_pwexpire = Va TIME | 354.\" XXX 355.It kdc_warn_pwexpire = Va TIME |
278the time before expiration that the user should be warned that her | 356The time before expiration that the user should be warned that her |
279password is about to expire. 280.It logging = Va Logging 281What type of logging the kdc should use, see also [logging]/kdc. | 357password is about to expire. 358.It logging = Va Logging 359What type of logging the kdc should use, see also [logging]/kdc. |
360.It use_2b = Va principal list 361List of principals to use AFS 2b tokens for. |
|
282.El 283.It Li [kadmin] 284.Bl -tag -width "xxx" -offset indent 285.It require-preauth = Va BOOL 286If pre-authentication is required to talk to the kadmin server. 287.It default_keys = Va keytypes... 288for each entry in 289.Va default_keys 290try to parse it as a sequence of 291.Va etype:salttype:salt 292syntax of this if something like: 293.Pp 294[(des|des3|etype):](pw-salt|afs3-salt)[:string] 295.Pp | 362.El 363.It Li [kadmin] 364.Bl -tag -width "xxx" -offset indent 365.It require-preauth = Va BOOL 366If pre-authentication is required to talk to the kadmin server. 367.It default_keys = Va keytypes... 368for each entry in 369.Va default_keys 370try to parse it as a sequence of 371.Va etype:salttype:salt 372syntax of this if something like: 373.Pp 374[(des|des3|etype):](pw-salt|afs3-salt)[:string] 375.Pp |
296if | 376If |
297.Ar etype | 377.Ar etype |
298is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are: | 378is omitted it means everything, and if string is omitted it means the 379default salt string (for that principal and encryption type). 380Additional special values of keytypes are: |
299.Bl -tag -width "xxx" -offset indent 300.It v5 | 381.Bl -tag -width "xxx" -offset indent 382.It v5 |
301The kerberos 5 salt | 383The Kerberos 5 salt |
302.Va pw-salt 303.It v4 | 384.Va pw-salt 385.It v4 |
304The kerberos 4 type | 386The Kerberos 4 salt |
305.Va des:pw-salt: 306.El 307.It use_v4_salt = Va BOOL 308When true, this is the same as 309.Pp 310.Va default_keys = Va des3:pw-salt Va v4 311.Pp | 387.Va des:pw-salt: 388.El 389.It use_v4_salt = Va BOOL 390When true, this is the same as 391.Pp 392.Va default_keys = Va des3:pw-salt Va v4 393.Pp |
312and is only left for backwards compatability. | 394and is only left for backwards compatibility. |
313.El 314.El 315.Sh ENVIRONMENT 316.Ev KRB5_CONFIG 317points to the configuration file to read. 318.Sh EXAMPLE 319.Bd -literal -offset indent 320[libdefaults] --- 22 unchanged lines hidden (view full) --- 343.Nm 344is read and parsed by the krb5 library, there is not a lot of 345opportunities for programs to report parsing errors in any useful 346format. 347To help overcome this problem, there is a program 348.Nm verify_krb5_conf 349that reads 350.Nm | 395.El 396.El 397.Sh ENVIRONMENT 398.Ev KRB5_CONFIG 399points to the configuration file to read. 400.Sh EXAMPLE 401.Bd -literal -offset indent 402[libdefaults] --- 22 unchanged lines hidden (view full) --- 425.Nm 426is read and parsed by the krb5 library, there is not a lot of 427opportunities for programs to report parsing errors in any useful 428format. 429To help overcome this problem, there is a program 430.Nm verify_krb5_conf 431that reads 432.Nm |
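Review bot: the capitalisation pass applied to the [kdc] entries in this hunk misses check-ticket-addresses, whose description still reads "verify the addresses in the tickets used in tgs requests." beside its now-capitalised neighbours, and the encode_as_rep_as_tgs_rep text keeps the typo "tobe" ("to be"); "Allow addresses-less tickets." would also read better as "address-less". The new use_2b entry ("List of principals to use AFS 2b tokens for.") gives the reader no indication of what an AFS 2b token is; one clarifying sentence or a cross-reference would help. In the new kdc = [service/]host[:port] description, the sentence "Http can also be written as http://" could cross-reference the [kdc] enable-http option, since that is what makes a KDC answer requests over http in the first place.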
351and tries to emit useful diagnostics from parsing errors. Note that 352this program does not have any way of knowing what options are 353actually used and thus cannot warn about unknown or misspelled ones. | 433and tries to emit useful diagnostics from parsing errors. 434Note that this program does not have any way of knowing what options 435are actually used and thus cannot warn about unknown or misspelled 436ones. |
354.Sh SEE ALSO 355.Xr kinit 1 , 356.Xr krb5_425_conv_principal 3 , 357.Xr krb5_openlog 3 , 358.Xr strftime 3 , 359.Xr verify_krb5_conf 8 | 437.Sh SEE ALSO 438.Xr kinit 1 , 439.Xr krb5_425_conv_principal 3 , 440.Xr krb5_openlog 3 , 441.Xr strftime 3 , 442.Xr verify_krb5_conf 8 |