# If false, no module index is generated.
#latex_domain_indices = True
+rst_epilog='''
+.. |bindir| replace:: ``/usr/local/bin``
+.. |sbindir| replace:: ``/usr/local/sbin``
+.. |libdir| replace:: ``/usr/local/lib``
+.. |kdcdir| replace:: ``/usr/local/var/krb5kdc``
+.. |keytab| replace:: ``/etc/krb5.keytab``
+.. |krb5conf| replace:: ``/etc/krb5.conf``
+.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal``
+.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``
+.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
+'''
# -- Options for manual page output --------------------------------------------
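Review bot: the new ``rst_epilog`` block hardcodes the ``--prefix=/usr/local`` layout (``/usr/local/bin``, ``/usr/local/var/krb5kdc``, ``/etc/krb5.keytab``) and a fixed enctype list in ``|defkeysalts|`` and ``|defetypes|``, so these values will silently drift from what a given build actually uses; either generate them from the build configuration (the same place the compile-time defaults come from) or add a comment next to ``rst_epilog`` saying they must be updated together with the source defaults. Since ``rst_epilog`` is appended to every document, also check that none of the substitution names collide with substitutions already defined in individual .rst files.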
kadmind's ACL (access control list) tells it which principals are
allowed to perform administration actions. The pathname to the
ACL file can be specified with the **acl_file** kdc.conf variable;
- by default, it is ``/usr/local/var/krb5kdc/kadm5.acl``. The
- syntax of the ACL file is specified in the ACL FILE SYNTAX section
- below.
+ by default, it is |kdcdir|\ ``/kadm5.acl``. The syntax of the ACL
+ file is specified in the ACL FILE SYNTAX section below.
If the kadmind ACL file is modified, the kadmind daemon needs to
be restarted for changes to take effect.
**-f** *file*
Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
- ``/usr/local/var/krb5kdc/slave_datatrans``.
+ |kdcdir|\ ``/slave_datatrans``.
**-P** *port*
Specifies the port to use to contact the :ref:`kpropd(8)` server
**-f** *file*
Specifies the filename where the dumped principal database file is
- to be stored; by default the dumped database file is
- ``/usr/local/var/krb5kdc/from_master``.
+ to be stored; by default the dumped database file is |kdcdir|\
+ ``/from_master``.
**-p**
Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
- program; by default the pathname used is
- ``/usr/local/sbin/kdb5_util``.
+ program; by default the pathname used is |sbindir|\
+ ``/kdb5_util``.
**-S**
Turn on standalone mode. Normally, kpropd is invoked out of
**-a** *acl_file*
Allows the user to specify the path to the kpropd.acl file; by
- default the path used is ``/usr/local/var/krb5kdc/kpropd.acl``.
+ default the path used is |kdcdir|\ ``/kpropd.acl``.
ENVIRONMENT
sserver will require that there be a keytab entry for the service
``sample/hostname.domain.name@REALM.NAME``. This keytab is generated
using the :ref:`kadmin(1)` program. The keytab file is usually
-installed as ``/etc/krb5.keytab``.
+installed as |keytab|.
The **-S** option allows for a different keytab than the default.
Relations documented here may also be specified in krb5.conf.
Normally, the kdc.conf file is found in the KDC state directory,
-``/usr/local/var/krb5kdc``. You can override the default location by
-setting the environment variable **KRB5_KDC_PROFILE**.
+|kdcdir|. You can override the default location by setting the
+environment variable **KRB5_KDC_PROFILE**.
Structure
(String.) Location of the access control list file that
:ref:`kadmind(8)` uses to determine which principals are allowed
which permissions on the database. The default value is
- ``/usr/local/var/krb5kdc/kadm5.acl``.
+ |kdcdir|\ ``/kadm5.acl``.
**database_module**
This relation indicates the name of the configuration section
**database_module** is specified for the realm and the
corresponding module contains a **database_name** parameter, that
value will take precedence over this one. The default value is
- ``/usr/local/var/krb5kdc/principal``.
+ |kdcdir|\ ``/principal``.
**default_principal_expiration**
(Absolute time string.) Specifies the default expiration date of
**key_stash_file**
(String.) Specifies the location where the master key has been
- stored (via kdb5_util stash). The default is
- ``/usr/local/var/krb5kdc/.k5.REALM``, where *REALM* is the
- Kerberos realm.
+ stored (via kdb5_util stash). The default is |kdcdir|\
+ ``/.k5.REALM``, where *REALM* is the Kerberos realm.
**kdc_ports**
(Whitespace- or comma-separated list.) Lists the ports on which
**master_key_type**
(Key type string.) Specifies the master key's key type. The
- default value for this is ``aes256-cts``. For a list of all
- possible values, see :ref:`Encryption_and_salt_types`.
+ default value for this is |defmkey|. For a list of all possible
+ values, see :ref:`Encryption_and_salt_types`.
**max_life**
(Delta time string.) Specifies the maximum time period for which
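Review bot: besides substituting a value, this hunk changes the documented default from the alias ``aes256-cts`` to the canonical ``aes256-cts-hmac-sha1-96`` via ``|defmkey|``. That is an improvement, since the canonical name is what :ref:`Encryption_and_salt_types` and the ``|defkeysalts|`` list use, but it is a content change rather than a mechanical substitution and should be called out in the change description.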
(List of *key*:*salt* strings.) Specifies the default key/salt
combinations of principals for this realm. Any principals created
through :ref:`kadmin(1)` will have keys of these types. The
- default value for this tag is ``aes256-cts-hmac-sha1-96:normal
- aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
- arcfour-hmac-md5:normal``. For lists of possible values, see
- :ref:`Encryption_and_salt_types`.
+ default value for this tag is |defkeysalts|. For lists of
+ possible values, see :ref:`Encryption_and_salt_types`.
.. _logging:
**database_name**
This DB2-specific tag indicates the location of the database in
- the filesystem. The default is
- ``/usr/local/var/krb5kdc/principal``.
+ the filesystem. The default is |kdcdir|\ ``/principal``.
**db_library**
This tag indicates the name of the loadable database module. The
FILES
------
-``/usr/local/var/krb5kdc/kdc.conf``
+|kdcdir|\ ``/kdc.conf``
SEE ALSO
**default_keytab_name**
This relation specifies the default keytab name to be used by
application servers such as telnetd and rlogind. The default is
- ``/etc/krb5.keytab``.
+ |keytab|.
**default_realm**
Identifies the default Kerberos realm for the client. Set its
should be returned by the KDC. The list may be delimited with
commas or whitespace. See :ref:`Encryption_and_salt_types` in
:ref:`kdc.conf(5)` for a list of the accepted values for this tag.
- The default value is ``aes256-cts-hmac-sha1-96
- aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
- des-cbc-md5 des-cbc-md4``, but single-DES encryption types will be
- implicitly removed from this list if the value of
+ The default value is |defetypes|, but single-DES encryption types
+ will be implicitly removed from this list if the value of
**allow_weak_crypto** is false.
**default_tkt_enctypes**
Identifies the supported list of session key encryption types that
should be requested by the client. The format is the same as for
default_tgs_enctypes. The default value for this tag is
- ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
- arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
- single-DES encryption types will be implicitly removed from this
- list if the value of **allow_weak_crypto** is false.
+ |defetypes|, but single-DES encryption types will be implicitly
+ removed from this list if the value of **allow_weak_crypto** is
+ false.
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
**permitted_enctypes**
Identifies all encryption types that are permitted for use in
session key encryption. The default value for this tag is
- ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1
- arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but
- single-DES encryption types will be implicitly removed from this
- list if the value of **allow_weak_crypto** is false.
+ |defetypes|, but single-DES encryption types will be implicitly
+ removed from this list if the value of **allow_weak_crypto** is
+ false.
**plugin_base_dir**
If set, determines the base directory where krb5 plugins are
FILES
-----
-``/etc/krb5.conf``
+|krb5conf|
SEE ALSO
::
- shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU create -s
+ shell% kdb5_util -r ATHENA.MIT.EDU create -s
kdb5_util: No such file or directory while setting active database to'/usr/local/var/krb5kdc/principal'
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
Re-enter KDC database master key to verify: <= Type it again.
shell%
- shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU destroy
+ shell% kdb5_util -r ATHENA.MIT.EDU destroy
kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, are you sure (type yes to confirm)? <== yes
OK, deleting database '/usr/local/var/krb5kdc/principal'...
shell%
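Review bot: only the command lines lose their ``/usr/local/sbin/`` prefix; the transcript lines ``Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',`` and ``OK, deleting database '/usr/local/var/krb5kdc/principal'...`` still carry the hardcoded path because substitutions do not expand inside a ``::`` literal block. That is unavoidable, but it means the example disagrees with ``|kdcdir|`` on any build with a different prefix, so add a sentence before the block saying the paths shown are for the default prefix. While touching this block, the first output line ``... setting active database to'/usr/local/var/krb5kdc/principal'`` is missing the space between ``to`` and the quoted path.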
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
-default keytab file (``/etc/krb5.keytab``).
+default keytab file (|keytab|).
On the master KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file kadm5.acl, and given the **p**
update log and the per-slave kprop dump files. In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-slave dump files are stored in
-``/usr/local/var/krb5kdc/slave_datatrans_hostname``.
+|kdcdir|\ ``/slave_datatrans_hostname``.
For historical reasons, modules to control how KDC servers are located
are registered simply by placing the shared object or DLL into the
"libkrb5" subdirectory of the krb5 plugin directory, which defaults to
-``/usr/local/lib/krb5/plugins``. For example, Samba's winbind krb5
+|libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5
locator plugin would be registered by placing its shared object in
-``/usr/local/lib/krb5/plugins/libkrb5/winbind_krb5_locator.so``.
+|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``.
GSSAPI mechanism modules
---------------
All Kerberos server machines need a keytab file to authenticate to the
-KDC. By default on UNIX-like systems this file is named
-``/etc/krb5.keytab``. The keytab file is an local copy of the host's
-key. The keytab file is a potential point of entry for a break-in,
-and if compromised, would allow unrestricted access to its host. The
-keytab file should be readable only by root, and should exist only on
-the machine's local disk. The file should not be part of any backup
-of the machine, unless access to the backup data is secured as tightly
-as access to the machine's root password.
+KDC. By default on UNIX-like systems this file is named |keytab|.
+The keytab file is an local copy of the host's key. The keytab file
+is a potential point of entry for a break-in, and if compromised,
+would allow unrestricted access to its host. The keytab file should
+be readable only by root, and should exist only on the machine's local
+disk. The file should not be part of any backup of the machine,
+unless access to the backup data is secured as tightly as access to
+the machine's root password.
In order to generate a keytab for a host, the host must have a
principal in the Kerberos database. The procedure for adding hosts to
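Review bot: the rewrapped paragraph carries the typo ``The keytab file is an local copy of the host's key`` over from the ``-`` lines; since every line of the paragraph is being rewritten anyway, change it to ``a local copy``.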
pop, the administrator ``joeadmin`` would issue the command (on
``trillium.mit.edu``)::
- trillium% /usr/local/sbin/kadmin
+ trillium% kadmin
kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
and how to close them.
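Review bot: the transcript under the edited prompt line is inconsistent with itself and with the defaults this patch documents: the prompt is ``kadmin5:`` on one line and ``kadmin:`` on the next, and the reported key is ``encryption type DES-CBC-CRC``, which is not in the ``|defkeysalts|`` list given as the default key/salt set. Since the prompt line is being edited, update the sample output to a single prompt and an enctype that match the documented defaults, or state that it is output from an older release.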
We recommend that backups of secure machines exclude the keytab file
-(``/etc/krb5.keytab``). If this is not possible, the backups should
-at least be done locally, rather than over a network, and the backup
-tapes should be physically secured.
+(|keytab|). If this is not possible, the backups should at least be
+done locally, rather than over a network, and the backup tapes should
+be physically secured.
The keytab file and any programs run by root, including the Kerberos
V5 binaries, should be kept on local disk. The keytab file should be
The Kerberized client programs include :ref:`kinit(1)`,
:ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`. All of
-these programs are in the directory ``/usr/local/bin``.
+these programs are in the directory |bindir|.
You can often integrate Kerberos with the login system on client
machines, typically through the use of PAM. The details vary by
stash file on the master KDC, using the :ref:`kdb5_util(8)` command.
Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm::
- shell% /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
+ shell% kdb5_util create -r ATHENA.MIT.EDU -s
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
Re-enter KDC database master key to verify: <= Type it again.
shell%
-This will create five files in the directory specified in your
-:ref:`kdc.conf(5)` file (the default location is
-``/usr/local/var/krb5kdc`` directory; see :ref:`mitK5defaults`):
+This will create five files in |kdcdir| (or at the locations specified
+in :ref:`kdc.conf(5)`):
* two Kerberos database files, ``principal``, and ``principal.ok``
* the Kerberos administrative database file, ``principal.kadm5``
* the administrative database lock file, ``principal.kadm5.lock``
-* the stash file, in this example ``.k5.ATHENA.MIT.EDU`` (by default
- it is ``.k5.`` prefix followed by the realm name of the database).
- If you do not want a stash file, run the above command without the
- **-s** option.
+* the stash file, in this example ``.k5.ATHENA.MIT.EDU``. If you do
+ not want a stash file, run the above command without the **-s**
+ option.
For more information on administrating Kerberos database see
:ref:`db_operations`.
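Review bot: the ``-`` lines here drop content, not just paths: the ``(see :ref:`mitK5defaults`)`` cross-reference is removed, and the stash file bullet loses the general rule ``(by default it is ``.k5.`` prefix followed by the realm name of the database)``, leaving only the ``ATHENA.MIT.EDU`` instance. Keep the naming rule, since it is what a reader with a different realm needs and it matches the ``key_stash_file`` default in kdc.conf, and keep or replace the cross-reference. The transcript line ``Initializing database '/usr/local/var/krb5kdc/principal'`` above remains hardcoded because the literal block cannot take substitutions.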
Kerberos principal of at least one of the administrators into it.
This file is used by the :ref:`kadmind(8)` daemon to control which
principals may view and make privileged modifications to the Kerberos
-database files. The filename should match the value you have set for
-**acl_file** (see :ref:`kdc_realms`) in your :ref:`kdc.conf(5)` file.
-The default file name is ``/usr/local/var/krb5kdc/kadm5.acl`` (See
-:ref:`mitK5defaults`).
+database files. The ACL filename is determined by the **acl_file**
+variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\
+``/kadm5.acl``.
The format of the file is::
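Review bot: the rewrite removes both cross-references, ``(see :ref:`kdc_realms`)`` for **acl_file** and ``(See :ref:`mitK5defaults`)``; the path substitution does not require dropping them, and the first one is where a reader finds the **acl_file** relation, so keep at least ``:ref:`kdc_realms```.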
In the following example, the administrative principal ``admin/admin``
is created::
- shell% /usr/local/sbin/kadmin.local
+ shell% kadmin.local
kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
(:ref:`krb5kdc(8)`) and administrative daemons on the Master KDC. To
do so, type::
- shell% /usr/local/sbin/krb5kdc
- shell% /usr/local/sbin/kadmind
+ shell% krb5kdc
+ shell% kadmind
Each server daemon will fork and run in the background.
against the principals that you have created on the previous step
(:ref:`addadmin_kdb`). Run::
- shell% /usr/local/bin/kinit admin/admin@ATHENA.MIT.EDU
+ shell% kinit admin/admin@ATHENA.MIT.EDU
Install the slave KDCs
if the master KDC were called ``kerberos.mit.edu``, and you had a
slave KDC named ``kerberos-1.mit.edu``, you would type the following::
- shell% /usr/local/bin/kadmin
+ shell% kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
First, create a dump file of the database on the master KDC, as
follows::
- shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
+ shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
Then, manually propagate the database to each slave KDC, as in the
following example::
- shell% /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu
+ shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu
Database propagation to kerberos-1.mit.edu: SUCCEEDED
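Review bot: the ``kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans`` target and the ``-f /usr/local/var/krb5kdc/slave_datatrans`` argument to ``kprop`` remain hardcoded because substitutions cannot be used inside the literal block, so the example is now half-substituted: the binaries are resolved through ``PATH`` while the dump file path is still the ``/usr/local`` default. Either say before the block that the paths are for the default prefix, or leave the command lines as they were.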
kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"
- /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
+ kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
for kdc in $kdclist
do
- /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
+ kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done
You will need to set up a cron job to run this script at the intervals
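Review bot: dropping ``/usr/local/sbin/`` from the ``kdb5_util`` and ``kprop`` lines of a script that the text says is to be run from cron is a behaviour change, not a cleanup. cron runs with a minimal ``PATH`` that typically does not include ``/usr/local/sbin``, so the job will fail unless ``PATH`` is set, and resolving the KDC's propagation tools through the environment from a root cron job is exactly where a writable directory earlier in ``PATH`` lets someone substitute a ``kprop`` that receives the database dump. Keep absolute paths in this script, or set ``PATH`` explicitly at its top; the hardcoded ``/usr/local/var/krb5kdc/slave_datatrans`` arguments cannot be substituted inside the literal block anyway.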
Now that the slave KDC has a copy of the Kerberos database, you can
start the krb5kdc daemon::
- shell% /usr/local/sbin/krb5kdc
+ shell% krb5kdc
As with the master KDC, you will probably want to add this command to
the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start
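Review bot: the sentence right after this hunk says the command goes into ``/etc/rc`` or ``/etc/inittab``, where the boot-time ``PATH`` is not guaranteed to include ``/usr/local/sbin``; an unqualified ``krb5kdc`` there may not be found or may resolve to a different binary. Keep the absolute path in examples meant to be copied into startup scripts, and use ``|sbindir|`` in the prose outside the literal block to say where the daemon lives.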
The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor
credential. In this case, clients may authenticate to any service
-principal in the default keytab (typically ``/etc/krb5.keytab``, or
-the value of the **KRB5_KTNAME** environment variable). This is the
-recommended approach if the server application has no specific
-requirements to the contrary.
+principal in the default keytab (typically |keytab|, or the value of
+the **KRB5_KTNAME** environment variable). This is the recommended
+approach if the server application has no specific requirements to the
+contrary.
A server may acquire an acceptor credential with gss_acquire_cred_ and
a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the
**DEFAULT_PROFILE_PATH**
The pathname to the file which contains the profiles for the known
- realms, their KDCs, etc. The default value is ``/etc/krb5.conf``.
+ realms, their KDCs, etc. The default value is |krb5conf|.
**DEFAULT_KEYTAB_NAME**
The type and pathname to the default server keytab file. The
- default is ``/etc/krb5.keytab``.
+ default is |keytab|.
**DEFAULT_KDC_ENCTYPE**
- The default encryption type for the KDC. The default value is
- ``aes256-cts-hmac-sha1-96``.
+ The default encryption type for the KDC database master key. The
+ default value is |defmkey|.
**KDCRCACHE**
The name of the replay cache used by the KDC. The default value
is ``krb5kdc_rcache``.
``/var/tmp``.
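Review bot: this hunk changes the meaning of the **DEFAULT_KDC_ENCTYPE** entry, from ``The default encryption type for the KDC`` to ``The default encryption type for the KDC database master key``, not just the value. The new wording is consistent with ``|defmkey|`` also being the documented **master_key_type** default earlier in the patch, but it should be verified against how the constant is actually consumed and called out in the change description rather than folded silently into a substitution commit.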
**DEFAULT_KDB_FILE**
The location of the default database. The default value is
- ``/usr/local/var/krb5kdc/principal``.
+ |kdcdir|\ ``/principal``.
default location of Kerberos 5 credentials cache ([*uid*] is the
decimal UID of the user).
-``/etc/krb5.keytab``
+|keytab|
default location for the local host's keytab.
Default location of Kerberos 5 credentials cache ([uid] is the
decimal UID of the user).
-``/etc/krb5.keytab``
+|keytab|
Default location for the local host's keytab file.