From 3a9063d6c46fbcad013c41f4832e9e6714df6547 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 3 Aug 2011 03:41:35 +0000
Subject: [PATCH] Fix several krb5.conf doc inconsistencies

ldap_servers was incorrectly documented as ldap_server in the admin guide. realm_try_domains and preferred_preauth_types were documented in the man page but not the admin guide.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25068 dc483132-0cff-0310-8789-dd5450dbe970
---
 doc/admin.texinfo | 20 +++++++++++++++++--
 .../krb_admins/conf_files/krb5_conf.rst | 8 ++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index fd9892183..1930e33f5 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -533,6 +533,12 @@ HMAC SHA1 DES3
Microsoft MD5 HMAC checksum type
@end table
+@itemx preferred_preauth_types
+This allows you to set the preferred preauthentication types which the
+client will attempt before others which may be advertised by a KDC. The
+default value for this setting is "17, 16, 15, 14", which forces libkrb5
+to attempt to use PKINIT if it is supported.
+
@comment see lib/krb5/ccache/fcc.h
@itemx ccache_type
Use this parameter on systems which are DCE clients, to specify the
@@ -585,6 +591,16 @@ has no effect.
General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect.
+@itemx realm_try_domains
+Indicate whether a host's domain components should be used to determine
+the Kerberos realm of the host. The value of this variable is an
+integer: -1 means not to search, 0 means to try the host's domain
+itself, 1 means to also try the domain's immediate parent, and so forth.
+The library's usual mechanism for locating Kerberos realms is used to
+determine whether a domain is a valid realm--which may involve
+consulting DNS if dns_lookup_kdc is set. The default is not to search
+domain components.
+
@itemx extra_addresses
This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses
@@ -1066,7 +1082,7 @@ This LDAP specific tag indicates the default bind DN for the Administration serv
This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under [dbmodules].
-@itemx ldap_server
+@itemx ldap_servers
This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. This value is used if no LDAP servers are mentioned in the configuration section under [dbmodules]. It is recommended to use the ldapi:// or ldaps:// interface and not to use ldap:// interface.
@@ -1114,7 +1130,7 @@ This LDAP specific tag indicates the default bind DN for the Administration serv
@itemx ldap_service_password_file
This LDAP specific tag indicates the file containing the stashed passwords (created by @code{kdb5_ldap_util stashsrvpw}) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure.
-@itemx ldap_server
+@itemx ldap_servers
This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use ldapi:// or ldaps:// interface to connect to the LDAP server.
@itemx ldap_conns_per_server
diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
index 549660683..42f9a68f9 100644
--- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
+++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
@@ -115,6 +115,8 @@ kdc_timesync
-138 Microsoft MD5 HMAC checksum type
+preferred_preauth_types
+ This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported.
ccache_type
Use this parameter on systems which are DCE clients, to specify the type of cache to be created by kinit, or when forwarded tickets are received. DCE and Kerberos can share the cache, but some versions of DCE do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. The default value is 4.
dns_lookup_kdc
@@ -133,6 +135,8 @@ dns_fallback
General flag controlling the use of DNS for Kerberos information. If both of the preceding options are specified, this option has no effect.
extra_addresses
This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma-separated list.
+realm_try_domains
+ Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm--which may involve consulting DNS if dns_lookup_kdc is set. The default is not to search domain components.
udp_preference_limit
When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above udp_preference_list. If the message is smaller than udp_preference_list, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
verify_ap_req_nofail
@@ -393,7 +397,7 @@ ldap_kadmind_dn
This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database. This value is used if the bind DN for the Administration server is not mentioned in the configuration section under dbmodules_.
ldap_service_password_file
This LDAP specific tag indicates the file containing the stashed passwords (created by kdb5_ldap_util stashsrvpw) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure. This value is used if no service password file is mentioned in the configuration section under dbmodules_.
-ldap_server
+ldap_servers
This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. This value is used if no LDAP servers are mentioned in the configuration section under dbmodules_. It is recommended to use the *ldapi://* or *ldaps://* interface and not to use *ldap://* interface.
ldap_conns_per_server
This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under dbmodules_. The default value is 5.
@@ -423,7 +427,7 @@ ldap_kadmind_dn
This LDAP specific tag indicates the default bind DN for the Administration server. The administration server does a login to the directory as this object. This object should have the rights to read and write the Kerberos data in the LDAP database.
ldap_service_password_file
This LDAP specific tag indicates the file containing the stashed passwords (created by *kdb5_ldap_util stashsrvpw*) for the objects used by the Kerberos servers to bind to the LDAP server. This file must be kept secure.
-ldap_server
+ldap_servers
This LDAP specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace-separated. The LDAP server is specified by a LDAP URI. It is recommended to use *ldapi://* or *ldaps://* interface to connect to the LDAP server.
ldap_conns_per_server
This LDAP specific tags indicates the number of connections to be maintained per LDAP server.
-- 
2.26.2