KRB5.CONF(5) | File Formats Manual | KRB5.CONF(5) |
NAME
     krb5.conf — configuration file for Kerberos 5

SYNOPSIS
     #include <krb5.h>
DESCRIPTION
     The krb5.conf file specifies several configuration parameters for the
     Kerberos 5 library, as well as for some programs.
     The file consists of one or more sections, containing a number of
     bindings. The value of each binding can be either a string or a list of
     other bindings. The grammar looks like:

           file:
                   /* empty */
                   sections

           sections:
                   section sections
                   section

           section:
                   '[' section_name ']' bindings

           section_name:
                   STRING

           bindings:
                   binding bindings
                   binding

           binding:
                   name '=' STRING
                   name '=' '{' bindings '}'

           name:
                   STRING
     STRINGs consist of one or more non-whitespace characters.

     STRINGs that are specified later in this man-page use the following
     notation.
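As an added example (not Heimdal's own parser), a line-oriented reader for the grammar above: a value runs from '=' to the end of the line, a value of '{' opens a nested binding list that a line holding only '}' closes, and whole-line comments starting with '#' or ';' are skipped (the comment syntax is an assumption; the grammar does not mention comments). Repeated names are kept in file order, get_strings() is modelled on a multi-valued lookup in the manner of krb5_config_get_strings(), and the sample input is constructed from the EXAMPLES section of this page.

```python
def parse_krb5_conf(text):
    sections, stack = {}, []              # stack[-1]: binding list being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # assumed: whole-line comments only
            continue
        if line[0] == "[" and line[-1] == "]" and line[1:-1].strip():
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: new section inside '{{'")
            stack = [sections.setdefault(line[1:-1].strip(), [])]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif "=" in line and stack:
            name, value = (s.strip() for s in line.split("=", 1))
            if not name or not value:
                raise ValueError(f"line {lineno}: malformed binding {line!r}")
            if value == "{":                  # open a nested binding list
                stack[-1].append((name, []))
                stack.append(stack[-1][-1][1])
            else:                             # value runs to end of line
                stack[-1].append((name, value))
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) > 1:
        raise ValueError("end of file inside '{' ... '}'")
    return sections                           # {section: [(name, value), ...]}

def get_strings(sections, section, *path):
    # Every string bound at section/path, in file order (repeated names included).
    nodes = sections.get(section, [])
    for key in path[:-1]:
        nodes = [b for n, v in nodes if n == key and isinstance(v, list) for b in v]
    return [v for n, v in nodes if n == path[-1] and isinstance(v, str)]

def check(text):                # None if text parses, else the diagnostic
    try:
        parse_krb5_conf(text)
    except ValueError as e:
        return str(e)
# Constructed sample drawn from the EXAMPLES section of this page.
SAMPLE = """[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
"""
```

check() is the kind of pass that verify_krb5_conf (DIAGNOSTICS below) performs for the syntax; like that tool it cannot tell a misspelled option name from a valid one.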
Currently recognised sections and bindings are:
[appdefaults]
     The supported options are:

     forwardable = boolean
     proxiable = boolean
     no-addresses = boolean
     ticket_lifetime = time
     renew_lifetime = time
     encrypt = boolean
     forward = boolean

[libdefaults]
     default_realm = REALM
          Defaults to the realm of the local host, found with
          krb5_get_host_realm(local hostname).
     allow_weak_crypto = boolean
     clockskew = time
     kdc_timeout = time
     capath = {
          destination-realm = next-hop-realm
          ...
     }
          See the capaths section below.
     default_cc_type = cctype
     default_cc_name = ccname
          Name of the default credential cache, of the type given by
          default_cc_type. The string can contain variables that are expanded
          at runtime. The only supported variable currently is %{uid}, which
          expands to the current user id.
     default_etypes = etypes ...
     default_as_etypes = etypes ...
     default_tgs_etypes = etypes ...
     default_etypes_des = etypes ...
     default_keytab_name = keytab
     dns_lookup_kdc = boolean
     dns_lookup_realm = boolean
     kdc_timesync = boolean
     max_retries = number
     large_msg_size = number
     ticket_lifetime = time
     renew_lifetime = time
     forwardable = boolean
     proxiable = boolean
     verify_ap_req_nofail = boolean
     warn_pwexpire = time
     http_proxy = proxy-spec
     dns_proxy = proxy-spec
     extra_addresses = address ...
     time_format = string
     date_format = string
     log_utc = boolean
     scan_interfaces = boolean
     fcache_version = int
     fcc-mit-ticketflags = boolean
          TRUE makes it store the ticket flags the MIT way; this is the
          default for Heimdal 0.7.
     check-rd-req-server
     k5login_directory = directory
     kuserok = rule ...
     kuserok = DENY
     kuserok = SIMPLE
     kuserok = SYSTEM-K5LOGIN[:directory]
     kuserok = USER-K5LOGIN
     aname2lname-text-db = filename
     fcache_strict_checking
     name_canon_rules = rules
          NOTE: Name canonicalization rules are an experimental feature.
          The first token is a rule type, one of: as-is, qualify, or nss.

          Any remaining tokens must be option tokens: use_fast (use FAST to
          protect TGS exchanges; currently not supported), use_dnssec (use
          DNSSEC to protect hostname lookups; currently not supported),
          ccache_only, use_referrals, no_referrals, lookup_realm, mindots=N,
          maxdots=N, order=N, domain=domain, realm=realm,
          match_domain=domain, and match_realm=realm.

          When trying to obtain a service ticket for a host-based service
          principal name, name canonicalization rules are applied to that
          name in the order given, one by one, until one succeeds (a service
          ticket is obtained), or all fail. The same applies when acquiring
          GSS initiator credentials from a keytab, and when comparing a
          non-canonical GSS name to a canonical one.

          For each rule the system checks that the hostname has at least
          mindots periods (if given) in it, at most maxdots periods (if
          given), that the hostname ends in the given match_domain (if
          given), and that the realm of the principal matches the
          match_realm (if given).

          As-is rules leave the hostname unmodified but may set a realm.
          Qualify rules qualify the hostname with the given domain and also
          may set the realm. The nss rule uses the system resolver to look up
          the host's canonical name and is usually not secure. Note that
          using the nss rule type implies having to have principal aliases in
          the HDB (though not necessarily in keytabs).

          The empty realm denotes "ask the client's realm's TGS". The empty
          realm may be set as well as matched.

          The order in which rules are applied is as follows: first all the
          rules with explicit order, then all other rules in the order in
          which they appear. If any two rules have the same explicit order,
          their order of appearance in krb5.conf breaks the tie. Explicitly
          specifying order can be useful where tools read and write the
          configuration file without preserving parameter order.

          Malformed rules are ignored.
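The matching and ordering described above, as an added example that is not Heimdal's implementation: it parses name_canon_rules values, drops malformed ones, orders them as the text describes, and returns the candidate principal names a client would try in turn. The resolver parameter is an assumption standing in for the nss lookup; the sample rule values are those of the EXAMPLES section of this page.

```python
RULE_TYPES = ("as-is", "qualify", "nss")
FLAGS = {"use_fast", "use_dnssec", "ccache_only", "use_referrals", "no_referrals", "lookup_realm"}
def parse_rule(text, seq):
    # One name_canon_rules value -> dict; None when malformed (such rules are ignored).
    toks = text.split(":")
    rule = {"type": toks[0], "seq": seq, "order": None}
    for tok in toks[1:]:
        key, eq, val = tok.partition("=")
        if not eq and key in FLAGS:
            rule[key] = True
        elif key in ("mindots", "maxdots", "order") and val.isdigit():
            rule[key] = int(val)
        elif eq and key in ("domain", "realm", "match_domain", "match_realm"):
            rule[key] = val                     # realm= (empty) is allowed
        else:
            return None
    if rule["type"] not in RULE_TYPES or (rule["type"] == "qualify" and "domain" not in rule):
        return None
    return rule

def ordered_rules(values):
    # Explicit order= first (ascending), then the rest by appearance; ties by appearance.
    rules = [r for i, v in enumerate(values) if (r := parse_rule(v, i))]
    return sorted(rules, key=lambda r: (r["order"] is None, r["order"] or 0, r["seq"]))

def candidates(values, service, host, realm, resolver=None):
    """Ordered service/host@realm names the rules would try; resolver(host)
    stands in for the nss lookup and nss rules are skipped when it is None."""
    out = []
    for r in ordered_rules(values):
        dots = host.count(".")
        if dots < r.get("mindots", 0) or dots > r.get("maxdots", dots):
            continue
        if "match_domain" in r and not host.endswith(r["match_domain"]):
            continue
        if "match_realm" in r and r["match_realm"] != realm:
            continue
        if r["type"] == "as-is":
            h = host
        elif r["type"] == "qualify":
            h = host + "." + r["domain"]
        elif resolver is None:                  # nss: system resolver, usually not secure
            continue
        else:
            h = resolver(host)
        out.append(f"{service}/{h}@{r.get('realm', realm)}")
    return out

# Rule values from the EXAMPLES section of this page.
RULES = ["as-is:realm=FOO.SE", "qualify:domain=foo.se:realm=FOO.SE",
         "qualify:domain=bar.se:realm=FOO.SE", "nss"]
```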
     allow_hierarchical_capaths = boolean

[domain_realm]
     domain = realm
          The domain can be either the full name of a host or a trailing
          component; in the latter case the domain string should start with
          a period. The trailing component only matches hosts that are in the
          same domain, i.e. “.example.com” matches “foo.example.com”, but not
          “foo.test.example.com”.

          The realm may be the token `dns_locate', in which case the actual
          realm will be determined using DNS (independently of the setting
          of the `dns_lookup_realm' option).
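As an added illustration (not Heimdal code), a lookup that applies the matching rule just described to a list of [domain_realm] bindings. It compares the remainder after the first label rather than testing a bare suffix, because a suffix test would also accept a look-alike such as evilfoo.se for .foo.se. The sample bindings are constructed; names are compared exactly as written, since the page does not describe case handling.

```python
def domain_realm_lookup(bindings, host):
    """Realm for host from the [domain_realm] bindings, a list of (domain, realm)
    pairs in file order; None when nothing matches.  A returned realm of
    dns_locate means the caller must consult DNS instead."""
    for domain, realm in bindings:
        if domain.startswith("."):
            # Trailing-component entry: exactly one label may precede it, so
            # ".example.com" matches foo.example.com but not foo.test.example.com.
            # Comparing the remainder, rather than a bare suffix test, also keeps
            # a look-alike such as evilexample.com from matching ".example.com".
            label, dot, rest = host.partition(".")
            if label and dot and rest == domain[1:]:
                return realm
        elif host == domain:                  # full host name entry
            return realm
    return None

# Constructed sample bindings, following the EXAMPLES section of this page.
DOMAIN_REALM = [("kdc.example.net", "EXAMPLE.NET"),
                (".foo.se", "FOO.SE"), (".bar.se", "FOO.SE")]
```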
[realms]
     REALM = {
          kdc = [service/]host[:port]
               The optional service specifies over what medium the kdc
               should be contacted. Possible services are “udp”, “tcp”, and
               “http”. Http can also be written as “http://”. The default
               services are “udp” and “tcp”.
          admin_server = host[:port]
          kpasswd_server = host[:port]
          tgs_require_subkey
          auth_to_local_names = {
          }
          auth_to_local = HEIMDAL_DEFAULT
          auth_to_local = DEFAULT
          auth_to_local = DB:/path/to/db.txt
          auth_to_local = DB:/path/to/db
          auth_to_local = RULE:...
          auth_to_local = NONE
     }
[capaths]
     client-realm = {
          server-realm = hop-realm ...
     }

[logging]
     entity = destination
          The destination for logging. See the krb5_openlog(3) manual page
          for a list of defined destinations.

[kdc]
     database = {
          dbname = [DATABASETYPE:]DATABASENAME
          realm = REALM
          mkey_file = FILENAME
          acl_file = FILENAME
          log_file = FILENAME
               Log file used by ipropd-master for propagating changes to
               slaves. It is also used by kadmind and kadmin (when used with
               the -l option), and by all applications using libkadm5 with
               the local backend, for two-phase commit functionality. Slaves
               also use this. Setting this to /dev/null disables two-phase
               commit and incremental propagation. Use iprop-log to show the
               contents of this log file.
          log-max-size = number
     }
     max-request = SIZE
     require-preauth = BOOL
     ports = list of ports
     addresses = list of interfaces
     enable-http = BOOL
     tgt-use-strongest-session-key = BOOL
     svc-use-strongest-session-key = BOOL
     preauth-use-strongest-session-key = BOOL
     use-strongest-server-key = BOOL
     check-ticket-addresses = BOOL
     allow-null-ticket-addresses = BOOL
     allow-anonymous = BOOL
     encode_as_rep_as_tgs_rep = BOOL
     kdc_warn_pwexpire = TIME
     logging = Logging
     hdb-ldap-structural-object = structural object
     hdb-ldap-create-base = creation dn
     enable-digest = BOOL
     digests_allowed = list of digests (for example ntlm-v2)
     kx509_ca = file
     require_initial_kca_tickets = boolean
          Whether tickets for the kca_service service principal must be
          INITIAL. This may be set on a per-realm basis as well as globally.
          Defaults to true for the global setting.
     kx509_include_pkinit_san = boolean
          Whether to include the id-pkinit-san certificate extension in
          issued certificates. This can be set on a per-realm basis as well
          as globally. Defaults to true for the global setting.
     kx509_template = file
          The kx509, kx509_template, kx509_include_pkinit_san, and
          require_initial_kca_tickets parameters may be set on a per-realm
          basis as well.

[kadmin]
     password_lifetime = time
     default_keys = keytypes...
          Each keytype has the form
          [(des|des3|etype):](pw-salt|afs3-salt)[:string]. If etype is
          omitted it means everything, and if string is omitted it means the
          default salt string (for that principal and encryption type).
          Additional special values of keytypes are:
          v5
     default_key_rules = {
          principal-glob = keytypes...
     }
     prune-key-history = BOOL
     use_v4_salt = BOOL
          Equivalent to default_keys = des3:pw-salt v4 and only left for
          backwards compatibility.
[password_quality]
     check_library = library-name
     check_function = function-name
     policy_libraries = library1 ... libraryN
     policies = policy1 ... policyN

ENVIRONMENT
     KRB5_CONFIG points to the configuration file to read.
EXAMPLES
     [libdefaults]
             default_realm = FOO.SE
             name_canon_rules = as-is:realm=FOO.SE
             name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
             name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
             name_canon_rules = nss
     [domain_realm]
             .foo.se = FOO.SE
             .bar.se = FOO.SE
     [realms]
             FOO.SE = {
                     kdc = kerberos.foo.se
                     default_domain = foo.se
             }
     [logging]
             kdc = FILE:/var/heimdal/kdc.log
             kdc = SYSLOG:INFO
             default = SYSLOG:INFO:USER
     [kadmin]
             default_key_rules = {
                     */ppp@* = arcfour-hmac-md5:pw-salt
             }
DIAGNOSTICS
     Since krb5.conf is read and parsed by the krb5 library, there are not
     many opportunities for programs to report parsing errors in any useful
     format. To help overcome this problem, there is a program
     verify_krb5_conf that reads krb5.conf and tries to emit useful
     diagnostics from parsing errors. Note that this program does not have
     any way of knowing what options are actually used and thus cannot warn
     about unknown or misspelled ones.
May 4, 2005 | HEIMDAL |