1 .\" Copyright 1995 by the Massachusetts Institute of Technology.
3 .\" Export of this software from the United States of America may
4 .\" require a specific license from the United States Government.
5 .\" It is the responsibility of any person or organization contemplating
6 .\" export to obtain such a license before exporting.
8 .\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
9 .\" distribute this software and its documentation for any purpose and
10 .\" without fee is hereby granted, provided that the above copyright
11 .\" notice appear in all copies and that both that copyright notice and
12 .\" this permission notice appear in supporting documentation, and that
13 .\" the name of M.I.T. not be used in advertising or publicity pertaining
14 .\" to distribution of the software without specific, written prior
15 .\" permission. Furthermore if you modify this software you must label
16 .\" your software as modified software and not distribute it in such a
17 .\" fashion that it might be confused with the original M.I.T. software.
18 .\" M.I.T. makes no representations about the suitability of
19 .\" this software for any purpose. It is provided "as is" without express
20 .\" or implied warranty.
24 krb5.conf \- Kerberos configuration file
27 contains configuration information needed by the Kerberos V5 library.
28 This includes information describing the default Kerberos realm, and the
29 location of the Kerberos key distribution centers for known realms.
33 file uses an INI-style format. Sections are delimited by square braces;
34 within each section, there are relations where tags can be assigned to
35 have specific values. Tags can also contain a subsection, which
36 contains further relations or subsections. A tag can be assigned to
37 multiple values. Here is an example of the INI-style format used by
50 subtag1 = subtag_value_a
51 subtag1 = subtag_value_b
52 subtag2 = subtag_value_c
55 subtag1 = subtag_value_d
56 subtag2 = subtag_value_e
63 The following sections are currently used in the
67 Contains various default values used by the Kerberos V5 library.
70 Contains default values used by the Kerberos V5 login program,
74 Contains default values that can be used by Kerberos V5 applications.
77 Contains subsections keyed by Kerberos realm names which describe where
78 to find the Kerberos servers for a particular realm, and other
79 realm-specific information.
82 Contains relations which map subdomains and domain names to Kerberos
83 realm names. This is used by programs to determine what realm a host
84 should be in, given its fully qualified domain name.
87 Contains relations which determine how Kerberos entities are to perform
91 Contains the authentication paths used with non-hierarchical
92 cross-realm. Entries in the section are used by the client to determine
93 the intermediate realms which may be used in cross-realm
94 authentication. It is also used by the end-service when checking the
95 transited field for trusted intermediate realms.
98 Contains default values for database specific parameters.
101 Contains database specific parameters used by the database library.
103 Each of these sections will be covered in more details in the following
105 .SH LIBDEFAULTS SECTION
106 The following relations are defined in the [libdefaults] section:
108 .IP default_keytab_name
109 This relation specifies the default keytab name to be used by
110 application severs such as telnetd and rlogind. The default is
111 "/etc/krb5.keytab". This formerly defaulted to "/etc/v5srvtab", but
112 was changed to the current value.
115 This relation identifies the default realm to be used in a client host's
118 .IP default_tgs_enctypes
119 This relation identifies the supported list of session key encryption
120 types that should be returned by the KDC. The list may be delimited with
121 commas or whitespace.
123 .IP default_tkt_enctypes
124 This relation identifies the supported list of session key encryption
125 types that should be requested by the client, in the same format.
127 .IP permitted_enctypes
128 This relation identifies the permitted list of session key encryption
132 This relation sets the maximum allowable amount of clockskew in seconds
133 that the library will tolerate before assuming that a Kerberos message
134 is invalid. The default value is 300 seconds, or five minutes.
137 If the value of this relation is non-zero (the default), the library
138 will compute the difference between the system clock and the time
139 returned by the KDC and in order to correct for an inaccurate system
140 clock. This corrective factor is only used by the Kerberos library.
142 .IP kdc_req_checksum_type
143 For compatability with DCE security servers which do not support the
144 default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value
145 of 2 to use the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
146 earlier. This value is only used for DES keys; other keys use the
147 preferred checksum type for those keys.
149 .IP ap_req_checksum_type
150 If set this variable controls what ap-req checksum will be used in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be set if backward compatibility requires a specific checksum type.
152 .IP safe_checksum_type
153 This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
154 messages. The default value for this type is CKSUMTYPE_RSA_MD5_DES.
155 For compatibility with applications linked against DCE version 1.1 or
157 libraries, use a value of 3 to use the CKSUMTYPE_RSA_MD4_DES
158 instead. This field is ignored when its value is incompatible with
159 the session key type.
161 .IP preferred_preauth_types
162 This allows you to set the preferred preauthentication types which the
163 client will attempt before others which may be advertised by a KDC. The
164 default value for this setting is "17, 16, 15, 14", which forces libkrb5
165 to attempt to use PKINIT if it is supported.
168 User this parameter on systems which are DCE clients, to specify the
169 type of cache to be created by kinit, or when forwarded tickets are
170 received. DCE and Kerberos can share the cache, but some versions of DCE
171 do not support the default cache as created by this version of
172 Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
176 Indicate whether DNS SRV records shoud be used to locate the KDCs and
177 other servers for a realm, if they are not listed in the information
178 for the realm. The default is to use these records.
181 Indicate whether DNS TXT records should be used to determine the Kerberos
182 realm of a host. The default is not to use these records.
185 General flag controlling the use of DNS for Kerberos information. If both
186 of the preceding options are specified, this option has no effect.
188 .IP realm_try_domains
189 Indicate whether a host's domain components should be used to
190 determine the Kerberos realm of the host. The value of this variable
191 is an integer: -1 means not to search, 0 means to try the host's
192 domain itself, 1 means to also try the domain's immediate parent, and
193 so forth. The library's usual mechanism for locating Kerberos realms
194 is used to determine whether a domain is a valid realm--which may
195 involve consulting DNS if dns_lookup_kdc is set. The default is not
196 to search domain components.
199 This allows a computer to use multiple local addresses, in order to
200 allow Kerberos to work in a network that uses NATs. The addresses should
201 be in a comma-separated list.
203 .IP udp_preference_limit
204 When sending a message to the KDC, the library will try using TCP
205 before UDP if the size of the message is above "udp_preference_limit".
206 If the message is smaller than "udp_preference_limit", then UDP will be
207 tried before TCP. Regardless of the size, both protocols will be
208 tried if the first attempt fails.
210 .IP verify_ap_req_nofail
211 If this flag is set, then an attempt to get initial credentials will
212 fail if the client machine does not have a keytab. The default for the
216 The value of this tag is the default renewable lifetime for initial
217 tickets. The default value for the tag is 0.
220 Setting this flag causes the initial Kerberos ticket to be addressless.
221 The default for the flag is true.
224 If this flag is set, initial tickets by default will be forwardable.
225 The default value for this flag is false.
228 If this flag is set, initial tickets by default will be proxiable.
229 The default value for this flag is false.
231 .SH APPDEFAULTS SECTION
233 Each tag in the [appdefaults] section names a Kerberos V5 application
234 or an option that is used by some Kerberos V5 application[s]. The
235 four ways that you can set values for options are as follows, in
236 decreasing order of precedence:
266 The [login] section is used to configure the behavior of the Kerberos V5
269 Refer to the manual entry for
271 for a description of the relations allowed in this section.
273 Each tag in the [realms] section of the file names a Kerberos realm.
274 The value of the tag is a subsection where the relations in that
275 subsection define the properties of that particular realm. For example:
282 admin_server = KERBEROS.MIT.EDU
283 default_domain = MIT.EDU
284 database_module = ldapconf
285 v4_instance_convert = {
287 lithium = lithium.lcs.mit.edu
289 v4_realm = LCS.MIT.EDU
295 For each realm, the following tags may be specified in the realm's
299 The value of this relation is the name of a host running a KDC for that
300 realm. An optional port number (preceded by a colon) may be appended to
301 the hostname. This tag should generally be used only if the realm
302 administrator has not made the information available through DNS.
305 This relation identifies the host where the administration server is
306 running. Typically this is the Master Kerberos server.
309 This relation indicates the name of the configuration section under dbmodules
310 for database specific parameters used by the loadable database library.
313 This relation identifies the default domain for which hosts in this
314 realm are assumed to be in. This is needed for translating V4 principal
315 names (which do not contain a domain name) to V5 principal names (which
318 .IP v4_instance_convert
319 This subsection allows the administrator to configure exceptions to the
320 default_domain mapping rule. It contains V4 instances (the tag name)
321 which should be translated to some specific hostname (the tag value) as
322 the second component in a Kerberos V5 principal name.
325 This relation is used by the krb524 library routines when converting
326 a V5 principal name to a V4 principal name. It is used when V4 realm
327 name and the V5 realm are not the same, but still share the same
328 principal names and passwords. The tag value is the Kerberos V4 realm
331 .IP auth_to_local_names
332 This subsection allows you to set explicit mappings from principal
333 names to local user names. The tag is the mapping name, and the value
334 is the corresponding local user name.
337 This tag allows you to set a general rule for mapping principal names
338 to local user names. It will be used if there is not an explicit
339 mapping for the principal name that is being translated. The possible
345 The principal will be looked up in the database <filename>.
346 Support for this is not currently compiled in by default.
350 The local name will be formulated from <exp>.
354 The principal name will be used as the local name. If the
355 principal has more than one component or is not in the default
356 realm, this rule is not applicable and the conversion will fail.
359 .SH DOMAIN_REALM SECTION
361 The [domain_realm] section provides a translation from a hostname to the
362 Kerberos realm name for the services provided by that host.
364 The tag name can be a hostname, or a domain name, where domain names are
365 indicated by a prefix of a period ('.') character. The value of the
366 relation is the Kerberos realm name for that particular host or domain.
367 Host names and domain names should be in lower case.
369 If no translation entry applies, the host's realm is considered to be
370 the hostname's domain portion converted to upper case. For example, the
371 following [domain_realm] section:
377 .mit.edu = ATHENA.MIT.EDU
378 mit.edu = ATHENA.MIT.EDU
379 dodo.mit.edu = SMS_TEST.MIT.EDU
380 .ucsc.edu = CATS.UCSC.EDU
384 maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in
385 the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the
386 UCSC.EDU domain into the CATS.UCSC.EDU realm. ucbvax.berkeley.edu would
387 be mapped by the default rules to the BERKELEY.EDU realm, while
388 sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.
392 The [logging] section indicates how a particular entity is to perform
393 its logging. The relations specified in this section assign one or more
394 values to the entity name.
396 Currently, the following entities are used:
398 These entries specify how the KDC is to perform its logging.
400 These entries specify how the administrative server is to perform its logging.
402 These entries specify how to perform logging in the absence of explicit
403 specifications otherwise.
405 Values are of the following forms:
408 This value causes the entity's logging messages to go to the specified
411 form is used, then the file is overwritten. Otherwise, the file is
414 This value causes the entity's logging messages to go to its standard
417 This value causes the entity's logging messages to go to the console, if
418 the system supports it.
419 .IP DEVICE=<devicename>
420 This causes the entity's logging messages to go to the specified device.
421 .IP SYSLOG[:<severity>[:<facility>]]
422 This causes the entity's logging messages to go to the system log.
426 argument specifies the default severity of system log messages. This
427 may be any of the following severities supported by the
429 call minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR,
430 LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, to
431 specify LOG_CRIT severity, one would use CRIT for
436 argument specifies the facility under which the messages are logged.
437 This may be any of the following facilities supported by the
439 call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON,
440 LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through
445 is specified, the default is ERR, and if no
447 is specified, the default is AUTH.
449 In the following example, the logging messages from the KDC will go to
450 the console and to the system log under the facility LOG_DAEMON with
451 default severity of LOG_INFO; and the logging messages from the
452 administrative server will be appended to the file /var/adm/kadmin.log
453 and sent to the device /dev/tty04.
459 kdc = SYSLOG:INFO:DAEMON
460 admin_server = FILE:/var/adm/kadmin.log
461 admin_server = DEVICE=/dev/tty04
468 Cross-realm authentication is typically organized hierarchically. This
469 hierarchy is based on the name of the realm, which thus imposes
470 restrictions on the choice of realm names, and on who may participate in
471 a cross-realm authentication. A non hierarchical orgization may be used,
472 but requires a database to construct the authentication paths between
473 the realms. This section defines that database.
475 A client will use this section to find the authentication path between
476 its realm and the realm of the server. The server will use this section
477 to verify the authentication path used be the client, by checking the
478 transited field of the received ticket.
480 There is a tag name for each participating realm, and each tag has
481 subtags for each of the realms. The value of the subtags is an
482 intermediate realm which may participate in the cross-realm
483 authentication. The subtags may be repeated if there is more then one
484 intermediate realm. A value of "." means that the two realms share keys
485 directly, and no intermediate realms should be allowed to participate.
487 There are n**2 possible entries in this table, but only those entries
488 which will be needed on the client or the server need to be present. The
489 client needs a tag for its local realm, with subtags for all the realms
490 of servers it will need to authenticate with. A server needs a tag for
491 each realm of the clients it will serve.
493 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
494 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
495 which will authenticate with NERSC.GOV but not PNL.GOV. The [capath]
496 section for ANL.GOV systems would look like this:
522 The [capath] section of the configuration file used on NERSC.GOV systems
523 would look like this:
530 TEST.ANL.GOV = ES.NET
531 TEST.ANL.GOV = ANL.GOV
551 In the above examples, the ordering is not important, except when the
552 same subtag name is used more then once. The client will use this to
553 determing the path. (It is not important to the server, since the
554 transited field is not sorted.)
556 If this section is not present, or if the client or server cannot find a
557 client/server path, then normal hierarchical orginization is assumed.
559 This feature is not currently supported by DCE. DCE security servers can
560 be used with Kerberized clients and servers, but versions prior to DCE
561 1.1 did not fill in the transited field, and should be used with
564 .SH DATABASE DEFAULT SECTION
566 The [dbdefaults] section indicates default values for the database specific parameters.
567 It can also specify the configuration section under dbmodules for database
568 specific parameters used by the loadable database library.
571 The following tags are used in this section:
573 This relation indicates the name of the configuration section under dbmodules
574 for database specific parameters used by the loadable database library.
576 .IP ldap_kerberos_container_dn
577 This LDAP specific tag indicates the DN of the container object where the realm
578 objects will be located. This value is used if no object DN is mentioned in the
579 configuration section under dbmodules.
582 This LDAP specific tag indicates the default bind DN for the KDC server.
583 The KDC server does a login to the directory as this object. This value is used if
584 no object DN is mentioned in the configuration section under dbmodules.
587 This LDAP specific tag indicates the default bind DN for the
588 Administration server. The Administration server does a login to the directory
589 as this object. This value is used if no object DN is mentioned in
590 the configuration section under dbmodules.
592 .IP ldap_service_password_file
593 This LDAP specific tag indicates the file containing the stashed passwords for the
594 objects used for starting the Kerberos servers. This value is used if no
595 service password file is mentioned in the configuration section under dbmodules.
598 This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
599 is whitespace-separated. The LDAP server is specified by a LDAP URI.
600 This value is used if no LDAP servers are mentioned in the configuration
601 section under dbmodules.
603 .IP ldap_conns_per_server
604 This LDAP specific tag indicates the number of connections to be maintained per
605 LDAP server. This value is used if the number of connections per LDAP server are not
606 mentioned in the configuration section under dbmodules. The default value is 5.
608 .SH DATABASE MODULE SECTION
609 Each tag in the [dbmodules] section of the file names a configuration section
610 for database specific parameters that can be referred to by a realm.
611 The value of the tag is a subsection where the relations in that subsection
612 define the database specific parameters.
615 For each section, the following tags may be specified in the subsection:
618 This tag indicates the name of the loadable database library.
619 The value should be db2 for db2 database and kldap for LDAP database.
621 .IP ldap_kerberos_container_dn
622 This LDAP specific tag indicates the DN of the container object where the realm
623 objects will be located.
626 This LDAP specific tag indicates the bind DN for the KDC server.
627 The KDC does a login to the directory as this object.
630 This LDAP specific tag indicates the bind DN for the Administration server.
631 The Administration server does a login to the directory
634 .IP ldap_service_password_file
635 This LDAP specific tag indicates the file containing the stashed passwords for the
636 objects used for starting the Kerberos servers.
639 This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
640 is whitespace-separated. The LDAP server is specified by a LDAP URI.
642 .IP ldap_conns_per_server
643 This LDAP specific tag indicates the number of connections to be maintained per