path: root/crypto/heimdal/kdc/kdc.8
blob: 89251118c3cf7934106cc86749697954888f55ac (plain)
.\" $Id: kdc.8,v 1.3 1997/08/09 00:20:38 joda Exp $
.\"
.Dd July 27, 1997
.Dt KDC 8
.Os HEIMDAL
.Sh NAME
.Nm kdc
.Nd
Kerberos 5 server
.Sh SYNOPSIS
.Nm
.Op Fl c Ar file
.Op Fl -config-file= Ns Ar file
.Op Fl k Ar file
.Op Fl -key-file= Ns Ar file
.Op Fl p
.Op Fl -no-require-preauth
.Op Fl r Ar realm
.Op Fl -v4-realm= Ns Ar realm

.Sh DESCRIPTION
.Nm
serves requests for tickets. When it starts, it first checks the flags
passed; any options that are not specified with a command line flag are
taken from a config file, or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Fl c Ar file
.It Fl -config-file= Ns Ar file
Specifies the location of the config file; the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Fl k Ar file
.It Fl -key-file= Ns Ar file
The location of the master-key file. All keys in the database are
encrypted with this master key. The use of a master key is currently
optional, so there is no default.
.Em "Don't specify a master key file if your database is not encrypted."
.It Fl p
.It Fl -no-require-preauth
Turn off the requirement for pre-authentication in the initial
AS-REQ. The use of pre-authentication makes it more difficult to do
offline password attacks. You might want to turn it off if you have
clients that don't do pre-authentication. The version 4
protocol doesn't support any pre-authentication, so serving version 4
clients is just about the same as not requiring pre-authentication. The
default is to require pre-authentication.
.It Fl r Ar realm
.It Fl -v4-realm= Ns Ar realm
What realm this server should act as when dealing with version 4
requests. The database can contain any number of realms, but since the
version 4 protocol doesn't contain a realm for the server, it must be
explicitly specified. The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only available if the KDC has been compiled with version
4 support.
.El
.Pp
All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
The entity used for logging is
.Nm kdc .
.Sh CONFIGURATION FILE
The configuration file has the same syntax as the 
.Pa krb5.conf
file (you can actually put the configuration in
.Pa /etc/krb5.conf ,
and then start the KDC with
.Fl -config-file= Ns Ar /etc/krb5.conf ) .
All options should be in a section called
.Dq kdc .
Options are called the same as the long option name, and take the
same arguments. The only difference is the pre-authentication flag,
which has to be specified as:
.Pp
.Dl require-preauth = no
.Pp
(in fact you can specify the option as
.Fl -require-preauth=no ) .
.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
	require-preauth = no
	v4-realm = FOO.SE
	key-file = /key-file
.Ed
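.Pp
An added example, not part of the original manual page or of Heimdal: a small audit of the [kdc] section that reports the settings this page ties to weaker protection against offline password attacks. The function names, the comment characters and the rule that only yes/true count as enabled are assumptions, and the sample input is constructed.

```python
import re

# Constructed sample in the config syntax shown above (not a real deployment).
SAMPLE = """\
[libdefaults]
	default_realm = FOO.SE
[kdc]
	require-preauth = no
	v4-realm = FOO.SE
	key-file = /key-file
"""


def parse_kdc_section(text):
    """Return the key/value pairs found in the [kdc] section only."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: '#' and ';' start a comment line.
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "kdc" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def audit(opts):
    """List settings that weaken the pre-authentication requirement."""
    findings = []
    # Default per this page: pre-authentication is required.
    # Assumption: only yes/true count as enabled; the page shows only "no".
    value = opts.get("require-preauth", "yes").lower()
    if value not in ("yes", "true"):
        findings.append("require-preauth is off: initial AS-REQ needs no pre-authentication")
    if "v4-realm" in opts:
        findings.append("v4-realm is set: version 4 requests carry no pre-authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_kdc_section(SAMPLE)):
        print("WARN:", finding)
```

A KDC built with version 4 support can serve version 4 requests even when v4-realm is absent from the file, so an empty result does not rule that case out.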
.Sh SEE ALSO
.Xr kinit 1