Many of the kadmin commands take a duration or time as an
argument. The date can appear in a wide variety of formats, such as:
+
::
1 month ago
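Review bot: The added blank line turns `::` into a standalone paragraph (the expanded literal-block marker), but the marker only takes effect if the text that follows, `1 month ago` here, is indented relative to `::`. The context lines in this hunk show no indentation, so check the body in the file: if it is flush left, docutils reports "Literal block expected; none found" and renders `1 month ago` as an ordinary paragraph instead of a code sample.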
Normally, kpropd is invoked out of inetd(8). This is done by adding
a line to the ``/etc/inetd.conf`` file which looks like this:
+
::
kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
**-v**
Display individual attributes per update. An example of the
output generated for one entry:
+
::
Update Entry
The realms are listed on the command line. Per-realm options that can
be specified on the command line pertain for each realm that follows
it and are superseded by subsequent definitions of the same option.
+
For example:
::
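Review bot: This hunk puts the new blank line before `For example:` instead of between `For example:` and `::` as the other hunks in this patch do. The result still parses, since a paragraph whose last line is `::` introduces a literal block and the marker is dropped from the rendered text, but for consistency with the rest of the change add the blank line between `For example:` and `::` as well, so every literal-block marker in the file uses the same expanded form.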
sserver is normally invoked out of inetd(8), using a line in
``/etc/inetd.conf`` that looks like this:
+
::
sample stream tcp nowait root /usr/local/sbin/sserver sserver
Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
like this:
+
::
sample 13135/tcp
1. realm-specific subsection of [realms],
::
- [realms]
- EXAMPLE.COM = {
- pkinit_anchors = FILE\:/usr/local/example.com.crt
- }
+ [realms]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE\:/usr/local/example.com.crt
+ }
2. generic value in the [kdcdefaults] section.
::
- [kdcdefaults]
- pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
+ [kdcdefaults]
+ pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
For information about the syntax of some of these options, see pkinit
identity syntax.
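Review bot: The removed and added lines are identical apart from whitespace, so this is a reindent, but while every line of these two blocks is being rewritten the backslashes should go too. Inside a `::` literal block backslash escapes are not processed, so `pkinit_anchors = FILE\:/usr/local/example.com.crt` and `pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/` render with a visible `\`, which is not the syntax an administrator should copy into kdc.conf. Use `FILE:/usr/local/example.com.crt` and `DIR:/usr/local/generic_trusted_cas/` here.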
The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
+
::
foo = bar
The krb5.conf file can include other files using either of the
following directives at the beginning of a line:
+
::
include FILENAME
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:
+
::
module MODULEPATH:RESIDUAL
If set, the library will look for a local user's k5login file
within the named directory, with a filename corresponding to the
local username. If not set, the library will look for k5login
- files in the user's home directory, with the filename
- .k5login. For security reasons, .k5login files must be owned by
+ files in the user's home directory, with the filename .k5login.
+ For security reasons, .k5login files must be owned by
the local user or by root.
**kdc_default_options**
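Review bot: The reflowed text is word-for-word the same as the old text; the only visible effect is that `.k5login` no longer begins a line. If that is the purpose (a line beginning with `.` is a control line in roff, so it can be mangled in man-page output), state it in the commit message so a later reflow of this paragraph does not silently undo it.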
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case. For example,
the following [domain_realm] section:
+
::
[domain_realm]
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.
+
::
[logging]
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
would look like this:
+
::
[capaths]
The [capaths] section of the configuration file used on ``NERSC.GOV``
systems would look like this:
+
::
[capaths]
1. realm-specific subsection of [libdefaults] :
::
- [libdefaults]
- EXAMPLE.COM = {
- pkinit_anchors = FILE\:/usr/local/example.com.crt
- }
+ [libdefaults]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE\:/usr/local/example.com.crt
+ }
2. realm-specific value in the [realms] section,
::
- [realms]
- OTHERREALM.ORG = {
- pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
- }
+ [realms]
+ OTHERREALM.ORG = {
+ pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
+ }
3. generic value in the [libdefaults] section.
::
- [libdefaults]
- pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
+ [libdefaults]
+ pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
Specifying pkinit identity information
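Review bot: As with the `[realms]` and `[kdcdefaults]` examples earlier in this patch, these three blocks are reindented without touching their content, and the `\:` in `FILE\:/usr/local/example.com.crt`, `FILE\:/usr/local/otherrealm.org.crt` and `DIR\:/usr/local/generic_trusted_cas/` is rendered literally because literal blocks do not process backslash escapes. Drop the backslashes in the `+` lines so the rendered krb5.conf examples show the real `FILE:` and `DIR:` identity syntax.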
the principal ``alice/root@EXAMPLE.COM`` if the server host is within
a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
accessing the IMAP service on ``mail.example.com``:
+
::
alice@KRBTEST.COM realm=KRBTEST.COM
Suppose the user ``alice`` had a .k5login file in her home directory
containing the following line:
+
::
bob@FOOBAR.ORG
Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
in root's .k5login file on each host:
+
::
alice@BLEEP.COM
requests a ticket with the lifetime lifetime. The
value for lifetime must be followed immediately by one
of the following delimiters:
+
::
s seconds
**-f**
Shows the flags present in the credentials, using the following
abbreviations:
+
::
F Forwardable
The target cache name is automatically set to ``krb5cc_<target
uid>.(gen_sym())``, where gen_sym generates a new number such that
the resulting cache does not already exist. For example:
+
::
krb5cc_1984.2
ksu proceeds exactly the same as if it was invoked without the
**-e** option, except instead of executing the target shell, ksu
executes the specified command. Example of usage:
+
::
ksu bob -e ls -lag
principal name followed by a ``*`` means that the user is
authorized to execute any command. Thus, in the following
example:
+
::
jqpublic@USC.EDU ls mail /local/kerberos/klist
The **-a** option can be used to simulate the **-e** option if
used as follows:
+
::
-a -c [command [arguments]].
channel, the password may get exposed.
**PRINC_LOOK_AHEAD**
-
During the resolution of the default principal name,
- **PRINC_LOOK_AHEAD** enables ksu to find principal names in the
- .k5users file as described in the OPTIONS section (see **-n**
- option).
+ **PRINC_LOOK_AHEAD** enables ksu to find principal names in
+ the .k5users file as described in the OPTIONS section
+ (see **-n** option).
**CMD_PATH**
Specifies a list of directories containing programs that users are
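Review bot: Removing the blank line after `**PRINC_LOOK_AHEAD**` is a structural fix, not a reflow, and deserves a mention in the commit message: with the blank line, the bold term was a paragraph and the indented description a block quote; without it, term and description form a definition-list item like `**CMD_PATH**` below (assuming the description lines are indented the same way). The reflow of the description itself is textually identical to the old lines, its only effect being that `.k5users` no longer starts a line, which matches the `.k5login` change in the krb5.conf hunk.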