path: root/crypto/heimdal/lib/krb5/krb5.conf.5
blob: 2a0adb6859dd0fb5220a3568c6aa662d7737b22a
.\" $Id: krb5.conf.5,v 1.7 1999/11/04 01:57:28 assar Exp $
.\"
.Dd April 11, 1999
.Dt KRB5.CONF 5
.Os HEIMDAL
.Sh NAME
.Nm /etc/krb5.conf
.Nd
Configuration file for Kerberos 5
.Sh DESCRIPTION
The 
.Nm
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, containing a number of
bindings. The value of each binding can be either a string or a list
of other bindings. The grammar looks like:
.Bd -literal -offset indent
file:
	/* empty */
	sections

sections:
	section sections
	section

section:
	'[' section_name ']' bindings

section_name:
	STRING

bindings:
	binding bindings
	binding

binding:
	name '=' STRING
	name '=' '{' bindings '}'

name:
	STRING

.Ed
.Li STRINGs
consist of one or more non-whitespace characters.
.Pp
Currently recognised sections and bindings are:

.Bl -tag -width "xxx" -offset indent
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use; this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times. Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the KDC. Default is 3 seconds.
.It Li v4_name_convert
.It Li v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = Va realm-routing-table
.It Li default_etypes = Va etypes...
A list of default etypes to use.
.It Li default_etypes_des = Va etypes...
A list of default etypes to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified; default is
.Dq FILE:/etc/krb5.keytab .
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
.It Li max_retries = Va number
The maximum number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li verify_ap_req_nofail = Va boolean
Enable to make a failure to verify obtained credentials
non-fatal. This can be useful if there is no keytab on a host.
.It Li warn_pwexpire = Va time
How far in advance to warn about an expiring password. Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs; this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log entries using UTC instead of your local time zone.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. Each
binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either the full name of a host or a trailing
component; in the latter case the domain string should start with a
period.
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port]
Specifies a kdc for this realm. If the optional port is absent, the
default value for the
.Dq kerberos/udp
service will be used.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging. See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.El
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
	default_realm = FOO.SE
[domain_realm]
	.foo.se = FOO.SE
	.bar.se = FOO.SE
[realms]
	FOO.SE = {
		kdc = kerberos.foo.se
		v4_name_convert = {
			rcmd = host
		}
		v4_instance_convert = {
			xyz = xyz.bar.se
		}
		default_domain = foo.se
	}
[logging]
	kdc = FILE:/var/heimdal/kdc.log
	kdc = SYSLOG:INFO
	default = SYSLOG:INFO:USER
.Ed
.Sh SEE ALSO
.Xr krb5_openlog 3 ,
.Xr krb5_425_conv_principal 3 ,
.Xr strftime 3 ,
.Xr Source tm
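Added example (not part of the Heimdal manual page or source): a Python parser for the grammar in DESCRIPTION that flags sections not listed on this page, an enabled verify_ap_req_nofail, and a clockskew above the documented 300-second default. It assumes one binding per line, that the value runs to the end of the line, that `#` starts a comment, and that booleans are spelled yes/true/1; none of these are stated on this page.

```python
import re
KNOWN_SECTIONS = {"libdefaults", "domain_realm", "realms", "logging"}  # listed on this page

def parse_krb5_conf(text):
    """Parse per the page's grammar; each name maps to a list of str or dict."""
    conf, stack = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        head = re.fullmatch(r"\[(\S+)\]", line)
        if head:
            if len(stack) > 1:
                raise ValueError(f"line {n}: section inside an open '{{'")
            stack = [conf.setdefault(head.group(1), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {n}: unmatched '}}'")
            stack.pop()
        else:
            name, sep, value = (p.strip() for p in line.partition("="))
            if not (stack and name and sep and value):
                raise ValueError(f"line {n}: expected 'name = value' in a section")
            item = {} if value == "{" else value
            stack[-1].setdefault(name, []).append(item)
            if isinstance(item, dict):
                stack.append(item)  # following bindings belong to this '{' block
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return conf

def audit(conf):
    """Flag unlisted sections and settings that relax checks this page documents."""
    out = [f"unrecognised section [{s}]" for s in conf if s not in KNOWN_SECTIONS]
    lib = conf.get("libdefaults", {})
    # Assumption: booleans are written yes/true/1; the page does not list spellings.
    if any(str(v).lower() in ("yes", "true", "1") for v in lib.get("verify_ap_req_nofail", [])):
        out.append("verify_ap_req_nofail on: credential verification failures are ignored")
    for v in lib.get("clockskew", []):
        if str(v).isdigit() and int(v) > 300:  # 300 s is the documented default
            out.append(f"clockskew {v}s exceeds the 300s default")
    return out

SAMPLE = (  # constructed sample, not a real deployment
    "[lib_defaults]\n  default_realm = FOO.SE\n"
    "[libdefaults]\n  clockskew = 900\n  verify_ap_req_nofail = yes\n"
    "[realms]\n  FOO.SE = {\n    kdc = kerberos.foo.se\n  }\n"
)
print(audit(parse_krb5_conf(SAMPLE)))
```

A section name that is not on the list above is worth checking for a typo, since bindings placed under it are not the ones the documented lookups refer to.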