
FreeBSD Manual Pages


KRB5.CONF(5)		    BSD	File Formats Manual		  KRB5.CONF(5)

NAME
     /etc/krb5.conf -- configuration file for Kerberos 5

DESCRIPTION
     The /etc/krb5.conf	file specifies several configuration parameters	for
     the Kerberos 5 library, as	well as	for some programs.

     The file consists of one or more sections,	containing a number of bind-
     ings. The value of	each binding can be either a string or a list of other
     bindings. The grammar looks like:

	   file:
		   /* empty */
		   sections

	   sections:
		   section sections

	   section:
		   '[' section_name ']'	bindings

	   bindings:
		   binding bindings

	   binding:
		   name	'=' STRING
		   name	'=' '{'	bindings '}'


     STRINGs consist of	one or more non-white space characters.	 Currently
     recognised	sections and bindings are:

	[appdefaults]
		Specifies the default values to	be used	for Kerberos applica-
		tions.	You can	specify	defaults per application, realm, or a
		combination of these.  The preference order is:
		1.   application realm option
		2.   application option
		3.   realm option
		4.   option

		The supported options are:

		      forwardable = boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials forwardable.

		      proxiable	= boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials proxiable.

		      no-addresses = boolean
			   When	obtaining initial credentials, request them
			   for an empty	set of addresses, making the tickets
			   valid from any address.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.


	[libdefaults]
		      default_realm = REALM
			   Default realm to use, this is also known as your
			   "local realm".  The default is the result of
			   krb5_get_host_realm(local hostname).

		      clockskew	= time
			   Maximum time	differential (in seconds) allowed when
			   comparing times. Default is 300 seconds (five min-
			   utes).

		      kdc_timeout = time
			   Maximum time	to wait	for a reply from the kdc, de-
			   fault is 3 seconds.


			   The Kerberos	4 principal conversion options are
			   described in	the krb5_425_conv_principal(3) manual
			   page.

		      capath = {
				 destination-realm = next-hop-realm
				 ...
			   }

			   Normally, all requests to realms different from the
			   one of the current client are sent to this KDC to
			   get cross-realm tickets.  If	this KDC does not have
			   a cross-realm key with the desired realm and	the
			   hierarchical	path to	that realm does	not work, a
			   path	can be configured using	this directive.	 The
			   text	shown above instructs the KDC to try to	obtain
			   a cross-realm ticket	to next-hop-realm when the de-
			   sired realm is destination-realm.  This configura-
			   tion	should preferably be done on the KDC where it
			   will	help all its clients but can also be done on
			   the client itself.


		      default_etypes = etypes...
			   A list of default etypes to use.

		      default_etypes_des = etypes...
			   A list of default etypes to use when	requesting a
			   DES credential.

		      default_keytab_name = keytab
			   The keytab to use if	none other is specified, de-
			   fault is "FILE:/etc/krb5.keytab".

		      dns_lookup_kdc = boolean
			   Use DNS SRV records to look up the location of
			   KDC services.

		      dns_lookup_realm = boolean
			   Use DNS TXT records to look up the domain to	realm
			   mapping.

		      kdc_timesync = boolean
			   Try to keep track of	the time differential between
			   the local machine and the KDC, and then compensate
			   for that when issuing requests.

		      max_retries = number
			   The max number of times to try to contact each KDC.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.

		      forwardable = boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials forwardable.  This option is also valid in
			   the [realms]	section.

		      proxiable	= boolean
			   When	obtaining initial credentials, make the	cre-
			   dentials proxiable.	This option is also valid in
			   the [realms]	section.

		      verify_ap_req_nofail = boolean
			   If enabled, failure to verify credentials against a
			   local key is	a fatal	error. The application has to
			   be able to read the corresponding service key for
			   this	to work. Some applications, like su(8),	enable
			   this	option unconditionally.

		      warn_pwexpire = time
			   How soon to warn for	expiring password. Default is
			   seven days.

		      http_proxy = proxy-spec
			   A HTTP-proxy	to use when talking to the KDC via
			   HTTP.

		      dns_proxy	= proxy-spec
			   Enable using	DNS via	HTTP.

		      extra_addresses =	address...
			   A list of addresses to get tickets for along	with
			   all local addresses.

		      time_format = string
			   How to print	time strings in	logs, this string is
			   passed to strftime(3).

		      date_format = string
			   How to print	date strings in	logs, this string is
			   passed to strftime(3).

		      log_utc =	boolean
			   Write log-entries using UTC instead of your local
			   time	zone.

		      scan_interfaces =	boolean
			   Scan	all network interfaces for addresses, as op-
			   posed to simply using the address associated	with
			   the system's	host name.

		      fcache_version = int
			   Use file credential cache format version specified.

		      krb4_get_tickets = boolean
			   Also	get Kerberos 4 tickets in kinit, login,	and
			   other programs.  This option	is also	valid in the
			   [realms] section.

	[domain_realm]
		This is	a list of mappings from	DNS domain to Kerberos realm.
		Each binding in	this section looks like:

		      domain = realm

		The domain can be either a full	name of	a host or a trailing
		component, in the latter case the domain-string	should start
		with a period.	The realm may be the token `dns_locate', in
		which case the actual realm will be determined using DNS (in-
		dependently of the setting of the `dns_lookup_realm' option).


	[realms]
		      REALM = {

				 kdc = host[:port]
				      Specifies	a list of kdcs for this	realm.
				      If the optional port is absent, the de-
				      fault value for the "kerberos/udp" ser-
				      vice will	be used.  The kdcs will	be
				      used in the order	that they are speci-
				      fied.

				 admin_server =	host[:port]
				      Specifies	the admin server for this
				      realm, where all the modifications to
				      the database are performed.

				 kpasswd_server	= host[:port]
				      Points to	the server where all the pass-
				      word changes are performed.  If there is
				      no such entry, the kpasswd port on the
				      admin_server host	will be	tried.

				 krb524_server = host[:port]
				      Points to	the server that	does 524 con-
				      versions.	 If it is not mentioned, the
				      krb524 port on the kdcs will be tried.



				 v4_instance_convert
				 v4_name_convert
				 default_domain
				      See krb5_425_conv_principal(3).
			   }



	[logging]
		      entity = destination
			   Specifies that entity should	use the	specified
			   destination for logging. See	the krb5_openlog(3)
			   manual page for a list of defined destinations.


	[kdc]
		      database = {

				 dbname	= DATABASENAME
				      use this database	for this realm.

				 realm = REALM
				      specifies	the realm that will be stored
				      in this database.

				 mkey_file = FILENAME
				      use this keytab file for the master key
				      of this database.	 If not	specified
				      DATABASENAME.mkey	will be	used.

				 acl_file = FILENAME
				      use this file for	the ACL	list of	this
				      realm.

				 log_file = FILENAME
				      use this file as the log of changes per-
				      formed to	the database.  This file is
				      used by ipropd-master for	propagating
				      changes to slaves.
			   }


		      max-request = SIZE
			   Maximum size	of a kdc request.

		      require-preauth =	BOOL
			   If set, pre-authentication is required.  Since
			   krb4	requests are not pre-authenticated they	will
			   be rejected.
		      ports = list of ports
			   list	of ports the kdc should	listen to.

		      addresses	= list of interfaces
			   list	of addresses the kdc should bind to.

		      enable-kerberos4 = BOOL
			   turn	on kerberos4 support.

		      v4-realm = REALM
			   to what realm v4 requests should be mapped.

		      enable-524 = BOOL
			   should the Kerberos 524 converting facility be
			   turned on. Default is same as enable-kerberos4.

		      enable-http = BOOL
			   should the kdc answer kdc-requests over http.

		      enable-kaserver =	BOOL
			   if this kdc should emulate the AFS kaserver.

		      check-ticket-addresses = BOOL
			   verify the addresses	in the tickets used in tgs re-
			   quests.

		      allow-null-ticket-addresses = BOOL
			   allow address-less tickets.

		      allow-anonymous =	BOOL
			   if the kdc is allowed to hand out anonymous tick-
			   ets.

		      encode_as_rep_as_tgs_rep = BOOL
			   encode as-rep as tgs-rep to be compatible with
			   mistakes older DCE secd did.

		      kdc_warn_pwexpire	= TIME
			   the time before expiration that the user should be
			   warned that her password is about to	expire.

		      logging =	Logging
			   What	type of	logging	the kdc	should use, see	also
			   [logging].


	[kadmin]
		      require-preauth =	BOOL
			   If pre-authentication is required to	talk to	the
			   kadmin server.

		      default_keys = keytypes...
			   Each	entry in default_keys is parsed	as
			   etype:salttype:salt.	 If etype is omitted it	means
			   every etype,	and if the salt	string is omitted the
			   default salt	string (for that principal) is used.
			   Additional special values of	keytypes are:

				 v5   The kerberos 5 salt pw-salt

				 v4   The kerberos 4 type des:pw-salt:

		      use_v4_salt = BOOL
			   When	true, this is the same as

			   default_keys	= des3:pw-salt v4

			   and is only left for	backwards compatibility.

ENVIRONMENT
     KRB5_CONFIG points	to the configuration file to read.

EXAMPLES
	   [libdefaults]
		   default_realm = FOO.SE
	   [domain_realm]
		   = FOO.SE
		   = FOO.SE
	   [realms]
		   FOO.SE = {
			   kdc =
			   v4_name_convert = {
				   rcmd	= host
			   }
			   v4_instance_convert = {
				   xyz =
			   }
			   default_domain =
		   }
	   [logging]
		   kdc = FILE:/var/heimdal/kdc.log
		   kdc = SYSLOG:INFO
		   default = SYSLOG:INFO:USER

DIAGNOSTICS
     Since /etc/krb5.conf is read and parsed by	the krb5 library, there	are
     not many opportunities for	programs to report parsing errors in any use-
     ful format.  To help overcome this	problem, there is a program
     verify_krb5_conf that reads /etc/krb5.conf	and tries to emit useful diag-
     nostics from parsing errors.  Note	that this program does not have	any
     way of knowing what options are actually used and thus cannot warn	about
     unknown or	misspelled ones.
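     The grammar given under DESCRIPTION, the [appdefaults] preference order
     and the [kdc] options can be exercised with the following Python.  It is
     an example added here, not Heimdal code and not verify_krb5_conf itself.
     It parses a constructed krb5.conf (the realm EXAMPLE.ORG, the hosts
     kdc1/kdc2.example.org and the application name ssh are made up for the
     example), resolves an [appdefaults] option at the four documented levels,
     and flags settings this page describes as weakening authentication; like
     verify_krb5_conf it cannot tell a misspelled option name from a valid
     one, which check_syntax shows.

```python
# Added example, not Heimdal code: parse the krb5.conf grammar described above,
# resolve an [appdefaults] option in the documented preference order and flag
# weak [kdc]/[appdefaults] settings. Names in SAMPLE_CONF are constructed.
import re

SAMPLE_CONF = """\
[appdefaults]
        forwardable = false
        no-addresses = true
        EXAMPLE.ORG = {
                forwardable = true
        }
        ssh = {
                forwardable = true
                EXAMPLE.ORG = {
                        forwardable = false
                }
        }
[realms]
        EXAMPLE.ORG = {
                kdc = kdc1.example.org
                kdc = kdc2.example.org:88
        }
[kdc]
        require-preauth = false
        allow-anonymous = true
"""

def parse_krb5_conf(text):
    """Return {section: bindings}, bindings being an ordered list of (name,
    value) with value a string or a nested bindings list; repeated names
    (several 'kdc =' lines) are kept in order."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):          # blank and comment lines
            continue
        m = re.fullmatch(r'\[(\S+)\]', line)           # '[' section_name ']'
        if m:
            current = sections.setdefault(m.group(1), [])
            continue
        if line == '}':
            if not stack:
                raise ValueError("unmatched '}'")
            current = stack.pop()
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*(.*)', line)    # name '=' ...
        if current is None or not m or not m.group(2):
            raise ValueError("not a binding inside a section: %r" % line)
        name, value = m.groups()
        if value == '{':                               # ... '{' bindings '}'
            stack.append(current)
            current.append((name, []))
            current = current[-1][1]
        else:                                          # ... STRING
            current.append((name, value))
    if stack:
        raise ValueError("unclosed '{'")
    return sections

def check_syntax(text):
    """Error message if text does not parse, else None. Like verify_krb5_conf
    this sees only structure: a misspelled option name still parses."""
    try:
        parse_krb5_conf(text)
    except ValueError as e:
        return str(e)

def get(bindings, name):
    """First value bound to name in a bindings list, or None."""
    return next((v for n, v in bindings if n == name), None)

def appdefault(conf, app, realm, option):
    """[appdefaults] lookup: application realm option, application option,
    realm option, bare option (the order documented above)."""
    defs = conf.get('appdefaults', [])
    app_b, realm_b, found = get(defs, app), get(defs, realm), []
    if isinstance(app_b, list):
        app_realm_b = get(app_b, realm)
        if isinstance(app_realm_b, list):
            found.append(get(app_realm_b, option))
        found.append(get(app_b, option))
    if isinstance(realm_b, list):
        found.append(get(realm_b, option))
    found.append(get(defs, option))
    return next((v for v in found if isinstance(v, str)), None)

# Settings that weaken authentication when set as shown (this list is the
# example's own; verify_krb5_conf does not check option values).
RISKY = [
    ('kdc', 'require-preauth', 'false', 'AS requests accepted without pre-authentication'),
    ('kdc', 'allow-anonymous', 'true', 'KDC hands out anonymous tickets'),
    ('appdefaults', 'no-addresses', 'true', 'initial tickets valid from any address'),
]

def lint(conf):
    """One message per RISKY setting present with its weak value."""
    return ['[%s] %s = %s: %s' % (s, n, v, why) for s, n, bad, why in RISKY
            for v in [get(conf.get(s, []), n)] if isinstance(v, str) and v.lower() == bad]
```

     Bindings are kept as ordered (name, value) pairs rather than a dict so
     that the order of several kdc = lines, which the [realms] section says
     is significant, survives parsing.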

SEE ALSO
     kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),

HEIMDAL				April 11, 1999			       HEIMDAL

