The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
-section may contain zero or more relations, of the form::
+section may contain zero or more relations, of the form:
+
+ ::
foo = bar
-or::
+or
+ ::
fubar = {
foo = bar
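Review bot: the `or` / ` ::` pair added in this hunk has no blank line between them, so docutils will parse `or` as a definition-list term with `::` as its definition rather than as a paragraph followed by a literal block; insert a blank line there, as the hunk already does after `of the form:`. Also, every standalone `::` this patch adds appears indented by one space; a `::` paragraph indented relative to the text before it opens a block quote, so the literal block is emitted inside a blockquote and renders one level further indented than before. Put the `::` flush with the paragraph, or keep the original `of the form::` / `or::`, which already renders as a single trailing colon and needs no separate marker line.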
configuration file nor any other configuration file will be checked
for any other values for this tag.
-For example, if you have the following lines::
+For example, if you have the following lines:
+ ::
foo = bar*
foo = baz
then the second value of ``foo`` (``baz``) would never be read.
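Review bot: `For example, if you have the following lines:` is followed directly by ` ::` with no blank line, so this becomes a definition list (term plus indented definition) instead of a paragraph and literal block; add the blank line as in the `of the form:` hunk, and keep the `::` marker at the same indentation as the paragraph so it does not open a block quote.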
The krb5.conf file can include other files using either of the
-following directives at the beginning of a line::
+following directives at the beginning of a line:
+
+ ::
include FILENAME
includedir DIRNAME
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
-headers::
+headers:
+
+ ::
module MODULEPATH:RESIDUAL
**default_realm**
Identifies the default Kerberos realm for the client. Set its
value to your Kerberos realm. If this is not specified and the
- TXT record lookup is enabled (see :ref:`udns_label`), then that
+ TXT record lookup is enabled (see :ref:`using_dns`), then that
information will be used to determine the default realm. If this
tag is not set in this configuration file and there is no DNS
information found, then an error will be returned.
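Review bot: the `:ref:` target renamed here, `using_dns`, must exist as an explicit label (`.. _using_dns:`) in the DNS page of this documentation set, otherwise Sphinx reports an undefined label and drops the link; the patch does not show that label being defined or `udns_label` being removed, so either include that change or confirm it is already in tree, and update any other page that still refers to `udns_label` in the same commit.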
If set, the library will look for a local user's k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
- files in the user's home directory, with the filename
- .k5login. For security reasons, .k5login files must be owned by
+ files in the user's home directory, with the filename .k5login.
+ For security reasons, .k5login files must be owned by
the local user or by root.
**kdc_default_options**
default realm, this rule is not applicable and the conversion
will fail.
- For example::
+ For example:
+ ::
[realms]
ATHENA.MIT.EDU = {
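Review bot: `For example:` followed immediately by ` ::` without a blank line will be read as a definition-list term and definition inside this tag's description rather than as a paragraph and literal block; add the blank line, and keep `::` at the paragraph's own indentation (this text sits inside an indented definition body, so any extra indent turns into a nested block quote).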
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs (see
- :ref:`udns_label`).
+ :ref:`using_dns`).
**kpasswd_server**
Points to the server where all the password changes are performed.
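Review bot: same rename as in the **default_realm** hunk; both `udns_label` references are changed to `using_dns` here, so the `.. _using_dns:` target has to land with (or before) this patch or both links break at build time with an undefined-label warning.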
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case. For example,
-the following [domain_realm] section::
+the following [domain_realm] section:
+
+ ::
[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU
the console and to the system log under the facility LOG_DAEMON with
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
-``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.::
+``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.
+
+ ::
[logging]
kdc = CONSOLE
use the ``ES.NET`` realm as an intermediate realm. ``ANL`` has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
-would look like this::
+would look like this:
+
+ ::
[capaths]
ANL.GOV = {
}
The [capaths] section of the configuration file used on ``NERSC.GOV``
-systems would look like this::
+systems would look like this:
+
+ ::
[capaths]
NERSC.GOV = {
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
-For example::
+For example:
+ ::
[appdefaults]
telnet = {
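Review bot: `For example:` and ` ::` need a blank line between them, otherwise docutils treats the line as a definition-list term and the `[appdefaults]` block renders as its definition instead of as a literal block following a paragraph; also keep `::` flush with the paragraph rather than indented.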
does not add to, a generic [libdefaults] specification. The
search order is:
-1. realm-specific subsection of [libdefaults] ::
+1. realm-specific subsection of [libdefaults] :
+ ::
- [libdefaults]
- EXAMPLE.COM = {
- pkinit_anchors = FILE\:/usr/local/example.com.crt
- }
+ [libdefaults]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE\:/usr/local/example.com.crt
+ }
-2. realm-specific value in the [realms] section, ::
+2. realm-specific value in the [realms] section,
+ ::
- [realms]
- OTHERREALM.ORG = {
- pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
- }
+ [realms]
+ OTHERREALM.ORG = {
+ pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
+ }
-3. generic value in the [libdefaults] section. ::
+3. generic value in the [libdefaults] section.
+ ::
- [libdefaults]
- pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
+ [libdefaults]
+ pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
Specifying pkinit identity information
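Review bot: the three numbered items in this hunk drop the blank line before ` ::` (`1. realm-specific subsection of [libdefaults] :` followed directly by ` ::`), which inside an enumerated-list item produces a definition list rather than a literal block; add a blank line after each item's text and drop the stray space before the colon in item 1 (`[libdefaults]:`), and the trailing comma in item 2. The removed and re-added `[libdefaults]` / `[realms]` lines read identically after whitespace stripping, so if the change is only re-indentation, confirm the literal blocks remain indented under their list items so they stay attached to the right step.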
* digitalSignature
* keyEncipherment
- Examples::
+ Examples:
+ ::
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
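Review bot: `Examples:` followed immediately by ` ::` (no blank line) is parsed as a definition-list term, so the two `pkinit_cert_match` lines will not render as a literal block; add the blank line and keep `::` at the description's indentation.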
The default is false.
-.. _krb5_conf_sample_label:
-
Sample krb5.conf file
---------------------
-Here is an example of a generic krb5.conf file::
+Here is an example of a generic krb5.conf file:
+ ::
[libdefaults]
default_realm = ATHENA.MIT.EDU
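Review bot: dropping the explicit target `.. _krb5_conf_sample_label:` breaks any `:ref:`krb5_conf_sample_label`` elsewhere in the docs (the sample file is a natural link target for install and admin pages); grep for it before removing, or keep the label. Separately, `Here is an example of a generic krb5.conf file:` and ` ::` need a blank line between them, or the sample file renders as a definition-list entry rather than a literal block.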