06c859ecf5
Submitted by: ru
.\" $Id: krb5.conf.5,v 1.12 2001/01/19 04:53:24 assar Exp $
.\"
.Dd April 11, 1999
.Dt KRB5.CONF 5
.Os HEIMDAL
.Sh NAME
.Nm /etc/krb5.conf
.Nd configuration file for Kerberos 5
.Sh DESCRIPTION
The
.Nm
file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, containing a number of
bindings. The value of each binding can be either a string or a list
of other bindings. The grammar looks like:
.Bd -literal -offset indent
file:
/* empty */
sections
sections:
section sections
section
section:
'[' section_name ']' bindings
section_name:
STRING
bindings:
binding bindings
binding
binding:
name '=' STRING
name '=' '{' bindings '}'
name:
STRING
.Ed
.Li STRINGs
consist of one or more non-whitespace characters.
Currently recognised sections and bindings are:
.Bl -tag -width "xxx" -offset indent
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
.It Li default_realm = Va REALM
Default realm to use; this is also known as your
.Dq local realm .
The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times. Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the KDC; the default is 3 seconds.
.It v4_name_convert
.It v4_instance_resolve
These are described in the
.Xr krb5_425_conv_principal 3
manual page.
.It Li capath = {
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
.It ...
.El
Normally, all requests to realms different from the one of the current
client are sent to this KDC to get cross-realm tickets.
If this KDC does not have a cross-realm key with the desired realm and
the hierarchical path to that realm does not work, a path can be
configured using this directive.
The text shown above instructs the KDC to try to obtain a cross-realm
ticket to
.Va next-hop-realm
when the desired realm is
.Va destination-realm .
This configuration should preferably be done on the KDC where it will
help all its clients but can also be done on the client itself.
.It Li }
.It Li default_etypes = Va etypes...
A list of default etypes to use.
.It Li default_etypes_des = Va etypes...
A list of default etypes to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if none other is specified, default is
.Dq FILE:/etc/krb5.keytab .
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
.It Li max_retries = Va number
The max number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li verify_ap_req_nofail = Va boolean
Enable to make a failure to verify obtained credentials
non-fatal. This can be useful if there is no keytab on a host.
.It Li warn_pwexpire = Va time
How soon to warn about an expiring password. The default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs, this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log-entries using UTC instead of your local time zone.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. Each
binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either a full name of a host or a trailing
component, in the latter case the domain-string should start with a
period.
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port]
Specifies a list of kdcs for this realm. If the optional port is absent, the
default value for the
.Dq kerberos/udp
service will be used.
The kdcs will be used in the order that they are specified.
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all the modifications
to the database are performed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all the password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging. See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
.It database Li = {
.Bl -tag -width "xxx" -offset indent
.It dbname Li = Va DATABASENAME
use this database for this realm.
.It realm Li = Va REALM
specifies the realm that will be stored in this database.
.It mkey_file Li = Pa FILENAME
use this keytab file for the master key of this database.
If not specified
.Va DATABASENAME Ns .mkey
will be used.
.It acl_file Li = Pa FILENAME
use this file for the ACL list of this database.
.It log_file Li = Pa FILENAME
use this file as the log of changes performed to the database. This
file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
.It max-request = Va SIZE
Maximum size of a kdc request.
.It require-preauth = Va BOOL
If set, pre-authentication is required. Since krb4 requests are not
pre-authenticated they will be rejected.
.It ports = Va "list of ports"
list of ports the kdc should listen on.
.It addresses = Va "list of interfaces"
list of addresses the kdc should bind to.
.It enable-kerberos4 = Va BOOL
turn on kerberos4 support.
.It v4-realm = Va REALM
to what realm v4 requests should be mapped.
.It enable-524 = Va BOOL
whether the Kerberos 524 conversion facility should be turned on. The default is the same as
.Va enable-kerberos4 .
.It enable-http = Va BOOL
whether the kdc should answer KDC requests over HTTP.
.It enable-kaserver = Va BOOL
if this kdc should emulate the AFS kaserver.
.It check-ticket-addresses = Va BOOL
verify the addresses in the tickets used in TGS requests.
.\" XXX
.It allow-null-ticket-addresses = Va BOOL
allow tickets that carry no addresses.
.\" XXX
.It allow-anonymous = Va BOOL
whether the kdc is allowed to hand out anonymous tickets.
.It encode_as_rep_as_tgs_rep = Va BOOL
encode AS-REP as TGS-REP to be compatible with mistakes older DCE secd did.
.\" XXX
.It kdc_warn_pwexpire = Va TIME
the time before expiration that the user should be warned that her
password is about to expire.
.It logging = Va Logging
What type of logging the kdc should use; see also [logging]/kdc.
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It require-preauth = Va BOOL
Whether pre-authentication is required to talk to the kadmin server.
.It default_keys = Va keytypes...
for each entry in
.Va default_keys
try to parse it as a sequence of
.Va etype:salttype:salt
the syntax of this is something like:
.Pp
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
.Pp
if
.Ar etype
is omitted it means everything, and if string is omitted it means the default string (for that principal). Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It v5
The kerberos 5 salt
.Va pw-salt
.It v4
The kerberos 4 type
.Va des:pw-salt:
.El
.It use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4
.Pp
and is only left for backwards compatibility.
.El
.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
default_domain = FOO.SE
[domain_realm]
.foo.se = FOO.SE
.bar.se = FOO.SE
[realms]
FOO.SE = {
kdc = kerberos.foo.se
v4_name_convert = {
rcmd = host
}
v4_instance_convert = {
xyz = xyz.bar.se
}
default_domain = foo.se
}
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
.Ed
.Sh DIAGNOSTICS
Since
.Nm
is read and parsed by the krb5 library, there are not many
opportunities for programs to report parsing errors in any useful
format.
To help overcome this problem, there is a program
.Nm verify_krb5_conf
that reads
.Nm
and tries to emit useful diagnostics from parsing errors. Note that
this program does not have any way of knowing what options are
actually used and thus cannot warn about unknown or misspelt ones.
.Sh SEE ALSO
.Xr verify_krb5_conf 8 ,
.Xr krb5_openlog 3 ,
.Xr krb5_425_conv_principal 3 ,
.Xr strftime 3 ,
.Xr Source tm