From b10cde566da9ddd8e6c7c04880a31293a9aeae53 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 22 Mar 2012 17:28:34 +0000
Subject: [PATCH] Use substitutions in RST docs
Create an rst_epilog variable defining substitutions for pathnames and default enctypes, and use them in the RST source files.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25784 dc483132-0cff-0310-8789-dd5450dbe970
---
doc/rst_source/conf.py | 11 +++++
.../krb_admins/admin_commands/kadmind.rst | 5 +--
.../krb_admins/admin_commands/kprop.rst | 2 +-
.../krb_admins/admin_commands/kpropd.rst | 10 ++---
.../krb_admins/admin_commands/sserver.rst | 2 +-
.../krb_admins/conf_files/kdc_conf.rst | 28 ++++++-------
.../krb_admins/conf_files/krb5_conf.rst | 24 +++++------
doc/rst_source/krb_admins/database.rst | 8 ++--
doc/rst_source/krb_admins/host_config.rst | 4 +-
.../krb_admins/install_appl_srv.rst | 24 +++++------
doc/rst_source/krb_admins/install_clients.rst | 2 +-
doc/rst_source/krb_admins/install_kdc.rst | 41 +++++++++----------
doc/rst_source/krb_appldev/gssapi.rst | 8 ++--
doc/rst_source/krb_build/osconf.rst | 10 ++---
.../krb_users/user_commands/kinit.rst | 2 +-
.../krb_users/user_commands/klist.rst | 2 +-
16 files changed, 91 insertions(+), 92 deletions(-)
diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py
index 7fb269ed1..7afbddb36 100644
--- a/doc/rst_source/conf.py
+++ b/doc/rst_source/conf.py
@@ -212,6 +212,17 @@ latex_documents = [ # If false, no module index is generated. #latex_domain_indices = True +rst_epilog=''' +.. |bindir| replace:: ``/usr/local/bin`` +.. |sbindir| replace:: ``/usr/local/sbin`` +.. |libdir| replace:: ``/usr/local/lib`` +.. |kdcdir| replace:: ``/usr/local/var/krb5kdc`` +.. |keytab| replace:: ``/etc/krb5.keytab`` +.. |krb5conf| replace:: ``/etc/krb5.conf`` +.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal`` +.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4`` +.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` +''' # -- Options for manual page output -------------------------------------------- diff --git a/doc/rst_source/krb_admins/admin_commands/kadmind.rst b/doc/rst_source/krb_admins/admin_commands/kadmind.rst index 2b047ce31..bb858f4ca 100644 --- a/doc/rst_source/krb_admins/admin_commands/kadmind.rst +++ b/doc/rst_source/krb_admins/admin_commands/kadmind.rst @@ -38,9 +38,8 @@ ACL file kadmind's ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the ACL file can be specified with the **acl_file** kdc.conf variable; - by default, it is ``/usr/local/var/krb5kdc/kadm5.acl``. The - syntax of the ACL file is specified in the ACL FILE SYNTAX section - below. + by default, it is |kdcdir|\ ``/kadm5.acl``. The syntax of the ACL + file is specified in the ACL FILE SYNTAX section below. If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. diff --git a/doc/rst_source/krb_admins/admin_commands/kprop.rst b/doc/rst_source/krb_admins/admin_commands/kprop.rst index 2bd7ba6f4..726c8cc2f 100644 --- a/doc/rst_source/krb_admins/admin_commands/kprop.rst +++ b/doc/rst_source/krb_admins/admin_commands/kprop.rst 
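Review bot: The `rst_epilog` string added in the conf.py hunk hard-codes security-relevant defaults (the `|defetypes|`, `|defkeysalts|` and `|defmkey|` enctype lists, and the `|keytab|` and `|kdcdir|` paths) with no comment saying which build-time values they mirror. The rendered docs can therefore drift from what the binaries actually use without anyone noticing. I would add a comment directly above the assignment, for example `# Must match the compiled-in defaults (DEFAULT_KEYTAB_NAME, DEFAULT_KDC_ENCTYPE, DEFAULT_KDB_FILE, ...); paths assume a /usr/local prefix.` This matters most for `|defetypes|`: it lists `des-cbc-crc`, `des-cbc-md5` and `des-cbc-md4`, and the pages that use it tell administrators these are only dropped when **allow_weak_crypto** is false, so a stale list would misstate which weak enctypes are enabled by default. As a minor style point, `rst_epilog = '''` with spaces around `=` would follow PEP 8.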
@@ -33,7 +33,7 @@ OPTIONS **-f** *file* Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally - ``/usr/local/var/krb5kdc/slave_datatrans``. + |kdcdir|\ ``/slave_datatrans``. **-P** *port* Specifies the port to use to contact the :ref:`kpropd(8)` server diff --git a/doc/rst_source/krb_admins/admin_commands/kpropd.rst b/doc/rst_source/krb_admins/admin_commands/kpropd.rst index 3b20fe676..555ec3cfa 100644 --- a/doc/rst_source/krb_admins/admin_commands/kpropd.rst +++ b/doc/rst_source/krb_admins/admin_commands/kpropd.rst @@ -64,13 +64,13 @@ OPTIONS **-f** *file* Specifies the filename where the dumped principal database file is - to be stored; by default the dumped database file is - ``/usr/local/var/krb5kdc/from_master``. + to be stored; by default the dumped database file is |kdcdir|\ + ``/from_master``. **-p** Allows the user to specify the pathname to the :ref:`kdb5_util(8)` - program; by default the pathname used is - ``/usr/local/sbin/kdb5_util``. + program; by default the pathname used is |sbindir|\ + ``/kdb5_util``. **-S** Turn on standalone mode. Normally, kpropd is invoked out of @@ -91,7 +91,7 @@ OPTIONS **-a** *acl_file* Allows the user to specify the path to the kpropd.acl file; by - default the path used is ``/usr/local/var/krb5kdc/kpropd.acl``. + default the path used is |kdcdir|\ ``/kpropd.acl``. ENVIRONMENT diff --git a/doc/rst_source/krb_admins/admin_commands/sserver.rst b/doc/rst_source/krb_admins/admin_commands/sserver.rst index 2df577342..61826dfaf 100644 --- a/doc/rst_source/krb_admins/admin_commands/sserver.rst +++ b/doc/rst_source/krb_admins/admin_commands/sserver.rst 
@@ -25,7 +25,7 @@ The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service ``sample/hostname.domain.name@REALM.NAME``. This keytab is generated using the :ref:`kadmin(1)` program. The keytab file is usually -installed as ``/etc/krb5.keytab``. +installed as |keytab|. The **-S** option allows for a different keytab than the default. diff --git a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst index 1a3bb451d..a84c702f0 100644 --- a/doc/rst_source/krb_admins/conf_files/kdc_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/kdc_conf.rst @@ -9,8 +9,8 @@ are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and Relations documented here may also be specified in krb5.conf. Normally, the kdc.conf file is found in the KDC state directory, -``/usr/local/var/krb5kdc``. You can override the default location by -setting the environment variable **KRB5_KDC_PROFILE**. +|kdcdir|. You can override the default location by setting the +environment variable **KRB5_KDC_PROFILE**. Structure @@ -71,7 +71,7 @@ subsection: (String.) Location of the access control list file that :ref:`kadmind(8)` uses to determine which principals are allowed which permissions on the database. The default value is - ``/usr/local/var/krb5kdc/kadm5.acl``. + |kdcdir|\ ``/kadm5.acl``. **database_module** This relation indicates the name of the configuration section @@ -84,7 +84,7 @@ subsection: **database_module** is specified for the realm and the corresponding module contains a **database_name** parameter, that value will take precedence over this one. The default value is - ``/usr/local/var/krb5kdc/principal``. + |kdcdir|\ ``/principal``. **default_principal_expiration** (Absolute time string.) Specifies the default expiration date of 
@@ -222,9 +222,8 @@ subsection: **key_stash_file** (String.) Specifies the location where the master key has been - stored (via kdb5_util stash). The default is - ``/usr/local/var/krb5kdc/.k5.REALM``, where *REALM* is the - Kerberos realm. + stored (via kdb5_util stash). The default is |kdcdir|\ + ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_ports** (Whitespace- or comma-separated list.) Lists the ports on which @@ -250,8 +249,8 @@ subsection: **master_key_type** (Key type string.) Specifies the master key's key type. The - default value for this is ``aes256-cts``. For a list of all - possible values, see :ref:`Encryption_and_salt_types`. + default value for this is |defmkey|. For a list of all possible + values, see :ref:`Encryption_and_salt_types`. **max_life** (Delta time string.) Specifies the maximum time period for which @@ -303,10 +302,8 @@ subsection: (List of *key*:*salt* strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through :ref:`kadmin(1)` will have keys of these types. The - default value for this tag is ``aes256-cts-hmac-sha1-96:normal - aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal - arcfour-hmac-md5:normal``. For lists of possible values, see - :ref:`Encryption_and_salt_types`. + default value for this tag is |defkeysalts|. For lists of + possible values, see :ref:`Encryption_and_salt_types`. .. _logging: @@ -418,8 +415,7 @@ the subsection: **database_name** This DB2-specific tag indicates the location of the database in - the filesystem. The default is - ``/usr/local/var/krb5kdc/principal``. + the filesystem. The default is |kdcdir|\ ``/principal``. **db_library** This tag indicates the name of the loadable database module. The @@ -669,7 +665,7 @@ Here's an example of a kdc.conf file: FILES ------ -``/usr/local/var/krb5kdc/kdc.conf`` +|kdcdir|\ ``/kdc.conf`` SEE ALSO 
diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst index 16b122a12..de7da29fd 100644 --- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst +++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst @@ -135,7 +135,7 @@ The libdefaults section may contain any of the following relations: **default_keytab_name** This relation specifies the default keytab name to be used by application servers such as telnetd and rlogind. The default is - ``/etc/krb5.keytab``. + |keytab|. **default_realm** Identifies the default Kerberos realm for the client. Set its @@ -148,20 +148,17 @@ The libdefaults section may contain any of the following relations: should be returned by the KDC. The list may be delimited with commas or whitespace. See :ref:`Encryption_and_salt_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. - The default value is ``aes256-cts-hmac-sha1-96 - aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc - des-cbc-md5 des-cbc-md4``, but single-DES encryption types will be - implicitly removed from this list if the value of + The default value is |defetypes|, but single-DES encryption types + will be implicitly removed from this list if the value of **allow_weak_crypto** is false. **default_tkt_enctypes** Identifies the supported list of session key encryption types that should be requested by the client. The format is the same as for default_tgs_enctypes. The default value for this tag is - ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 - arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but - single-DES encryption types will be implicitly removed from this - list if the value of **allow_weak_crypto** is false. + |defetypes|, but single-DES encryption types will be implicitly + removed from this list if the value of **allow_weak_crypto** is + false. **dns_lookup_kdc** Indicate whether DNS SRV records should be used to locate the KDCs 
@@ -258,10 +255,9 @@ The libdefaults section may contain any of the following relations: **permitted_enctypes** Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is - ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 - arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4``, but - single-DES encryption types will be implicitly removed from this - list if the value of **allow_weak_crypto** is false. + |defetypes|, but single-DES encryption types will be implicitly + removed from this list if the value of **allow_weak_crypto** is + false. **plugin_base_dir** If set, determines the base directory where krb5 plugins are @@ -1037,7 +1033,7 @@ Here is an example of a generic krb5.conf file: FILES ----- -``/etc/krb5.conf`` +|krb5conf| SEE ALSO diff --git a/doc/rst_source/krb_admins/database.rst b/doc/rst_source/krb_admins/database.rst index 9cca18893..f73e4b938 100644 --- a/doc/rst_source/krb_admins/database.rst +++ b/doc/rst_source/krb_admins/database.rst @@ -534,7 +534,7 @@ Examples :: - shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU create -s + shell% kdb5_util -r ATHENA.MIT.EDU create -s kdb5_util: No such file or directory while setting active database to'/usr/local/var/krb5kdc/principal' Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' @@ -544,7 +544,7 @@ Examples Re-enter KDC database master key to verify: <= Type it again. shell% - shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU destroy + shell% kdb5_util -r ATHENA.MIT.EDU destroy kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, are you sure (type yes to confirm)? <== yes OK, deleting database '/usr/local/var/krb5kdc/principal'... shell% 
@@ -813,7 +813,7 @@ Both master and slave sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the -default keytab file (``/etc/krb5.keytab``). +default keytab file (|keytab|). On the master KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file kadm5.acl, and given the **p** @@ -868,4 +868,4 @@ The Sun implementation hard-codes pathnames in ``/var/krb5`` for the update log and the per-slave kprop dump files. In the MIT implementation, the pathname for the update log is specified in the config file, and the per-slave dump files are stored in -``/usr/local/var/krb5kdc/slave_datatrans_hostname``. +|kdcdir|\ ``/slave_datatrans_hostname``. diff --git a/doc/rst_source/krb_admins/host_config.rst b/doc/rst_source/krb_admins/host_config.rst index d7e5dac03..08a5378b4 100644 --- a/doc/rst_source/krb_admins/host_config.rst +++ b/doc/rst_source/krb_admins/host_config.rst @@ -71,9 +71,9 @@ KDC location modules For historical reasons, modules to control how KDC servers are located are registered simply by placing the shared object or DLL into the "libkrb5" subdirectory of the krb5 plugin directory, which defaults to -``/usr/local/lib/krb5/plugins``. For example, Samba's winbind krb5 +|libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5 locator plugin would be registered by placing its shared object in -``/usr/local/lib/krb5/plugins/libkrb5/winbind_krb5_locator.so``. +|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``. GSSAPI mechanism modules diff --git a/doc/rst_source/krb_admins/install_appl_srv.rst b/doc/rst_source/krb_admins/install_appl_srv.rst index 239ddf4e4..9e76e2074 100644 --- a/doc/rst_source/krb_admins/install_appl_srv.rst +++ b/doc/rst_source/krb_admins/install_appl_srv.rst 
@@ -22,14 +22,14 @@ The keytab file --------------- All Kerberos server machines need a keytab file to authenticate to the -KDC. By default on UNIX-like systems this file is named -``/etc/krb5.keytab``. The keytab file is an local copy of the host's -key. The keytab file is a potential point of entry for a break-in, -and if compromised, would allow unrestricted access to its host. The -keytab file should be readable only by root, and should exist only on -the machine's local disk. The file should not be part of any backup -of the machine, unless access to the backup data is secured as tightly -as access to the machine's root password. +KDC. By default on UNIX-like systems this file is named |keytab|. +The keytab file is an local copy of the host's key. The keytab file +is a potential point of entry for a break-in, and if compromised, +would allow unrestricted access to its host. The keytab file should +be readable only by root, and should exist only on the machine's local +disk. The file should not be part of any backup of the machine, +unless access to the backup data is secured as tightly as access to +the machine's root password. In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to @@ -43,7 +43,7 @@ For example, to generate a keytab file to allow the host pop, the administrator ``joeadmin`` would issue the command (on ``trillium.mit.edu``):: - trillium% /usr/local/sbin/kadmin + trillium% kadmin kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab 
@@ -73,9 +73,9 @@ every possible attack, but it is worth noting some of the larger holes and how to close them. We recommend that backups of secure machines exclude the keytab file -(``/etc/krb5.keytab``). If this is not possible, the backups should -at least be done locally, rather than over a network, and the backup -tapes should be physically secured. +(|keytab|). If this is not possible, the backups should at least be +done locally, rather than over a network, and the backup tapes should +be physically secured. The keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk. The keytab file should be diff --git a/doc/rst_source/krb_admins/install_clients.rst b/doc/rst_source/krb_admins/install_clients.rst index 4d954a246..3100ff3a9 100644 --- a/doc/rst_source/krb_admins/install_clients.rst +++ b/doc/rst_source/krb_admins/install_clients.rst @@ -3,7 +3,7 @@ Installing and configuring UNIX client machines The Kerberized client programs include :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`. All of -these programs are in the directory ``/usr/local/bin``. +these programs are in the directory |bindir|. You can often integrate Kerberos with the login system on client machines, typically through the use of PAM. The details vary by diff --git a/doc/rst_source/krb_admins/install_kdc.rst b/doc/rst_source/krb_admins/install_kdc.rst index 2589831f6..1b9c899b4 100644 --- a/doc/rst_source/krb_admins/install_kdc.rst +++ b/doc/rst_source/krb_admins/install_kdc.rst 
@@ -173,7 +173,7 @@ The following is an example of how to create a Kerberos database and stash file on the master KDC, using the :ref:`kdb5_util(8)` command. Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm:: - shell% /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s + shell% kdb5_util create -r ATHENA.MIT.EDU -s Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' @@ -183,17 +183,15 @@ Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm:: Re-enter KDC database master key to verify: <= Type it again. shell% -This will create five files in the directory specified in your -:ref:`kdc.conf(5)` file (the default location is -``/usr/local/var/krb5kdc`` directory; see :ref:`mitK5defaults`): +This will create five files in |kdcdir| (or at the locations specified +in :ref:`kdc.conf(5)`): * two Kerberos database files, ``principal``, and ``principal.ok`` * the Kerberos administrative database file, ``principal.kadm5`` * the administrative database lock file, ``principal.kadm5.lock`` -* the stash file, in this example ``.k5.ATHENA.MIT.EDU`` (by default - it is ``.k5.`` prefix followed by the realm name of the database). - If you do not want a stash file, run the above command without the - **-s** option. +* the stash file, in this example ``.k5.ATHENA.MIT.EDU``. If you do + not want a stash file, run the above command without the **-s** + option. For more information on administrating Kerberos database see :ref:`db_operations`. 
@@ -208,10 +206,9 @@ Next, you need create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. This file is used by the :ref:`kadmind(8)` daemon to control which principals may view and make privileged modifications to the Kerberos -database files. The filename should match the value you have set for -**acl_file** (see :ref:`kdc_realms`) in your :ref:`kdc.conf(5)` file. -The default file name is ``/usr/local/var/krb5kdc/kadm5.acl`` (See -:ref:`mitK5defaults`). +database files. The ACL filename is determined by the **acl_file** +variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\ +``/kadm5.acl``. The format of the file is:: @@ -326,7 +323,7 @@ to the ACL file (see :ref:`admin_acl`). In the following example, the administrative principal ``admin/admin`` is created:: - shell% /usr/local/sbin/kadmin.local + shell% kadmin.local kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU @@ -346,8 +343,8 @@ At this point, you are ready to start the Kerberos KDC (:ref:`krb5kdc(8)`) and administrative daemons on the Master KDC. To do so, type:: - shell% /usr/local/sbin/krb5kdc - shell% /usr/local/sbin/kadmind + shell% krb5kdc + shell% kadmind Each server daemon will fork and run in the background. @@ -372,7 +369,7 @@ As an additional verification, check if :ref:`kinit(1)` succeeds against the principals that you have created on the previous step (:ref:`addadmin_kdb`). Run:: - shell% /usr/local/bin/kinit admin/admin@ATHENA.MIT.EDU + shell% kinit admin/admin@ATHENA.MIT.EDU Install the slave KDCs 
@@ -400,7 +397,7 @@ host principal for each of the KDCs' ``host`` services. For example, if the master KDC were called ``kerberos.mit.edu``, and you had a slave KDC named ``kerberos-1.mit.edu``, you would type the following:: - shell% /usr/local/bin/kadmin + shell% kadmin kadmin: addprinc -randkey host/kerberos.mit.edu NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. @@ -496,12 +493,12 @@ Propagate the database to each slave KDC First, create a dump file of the database on the master KDC, as follows:: - shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans + shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans Then, manually propagate the database to each slave KDC, as in the following example:: - shell% /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu + shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu Database propagation to kerberos-1.mit.edu: SUCCEEDED @@ -517,11 +514,11 @@ following is an example of a Bourne shell script that will do this. kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" - /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans + kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans for kdc in $kdclist do - /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc + kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc done You will need to set up a cron job to run this script at the intervals @@ -530,7 +527,7 @@ you decided on earlier (see :ref:`db_prop`). Now that the slave KDC has a copy of the Kerberos database, you can start the krb5kdc daemon:: - shell% /usr/local/sbin/krb5kdc + shell% krb5kdc As with the master KDC, you will probably want to add this command to the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start 
diff --git a/doc/rst_source/krb_appldev/gssapi.rst b/doc/rst_source/krb_appldev/gssapi.rst index cb21f6873..f96d60d2b 100644 --- a/doc/rst_source/krb_appldev/gssapi.rst +++ b/doc/rst_source/krb_appldev/gssapi.rst @@ -23,10 +23,10 @@ authenticated to by the client, if the krb5 mechanism is used. The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor credential. In this case, clients may authenticate to any service -principal in the default keytab (typically ``/etc/krb5.keytab``, or -the value of the **KRB5_KTNAME** environment variable). This is the -recommended approach if the server application has no specific -requirements to the contrary. +principal in the default keytab (typically |keytab|, or the value of +the **KRB5_KTNAME** environment variable). This is the recommended +approach if the server application has no specific requirements to the +contrary. A server may acquire an acceptor credential with gss_acquire_cred_ and a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the diff --git a/doc/rst_source/krb_build/osconf.rst b/doc/rst_source/krb_build/osconf.rst index 80d362bcc..d78713033 100644 --- a/doc/rst_source/krb_build/osconf.rst +++ b/doc/rst_source/krb_build/osconf.rst @@ -11,13 +11,13 @@ interesting variables. **DEFAULT_PROFILE_PATH** The pathname to the file which contains the profiles for the known - realms, their KDCs, etc. The default value is ``/etc/krb5.conf``. + realms, their KDCs, etc. The default value is |krb5conf|. **DEFAULT_KEYTAB_NAME** The type and pathname to the default server keytab file. The - default is ``/etc/krb5.keytab``. + default is |keytab|. **DEFAULT_KDC_ENCTYPE** - The default encryption type for the KDC. The default value is - ``aes256-cts-hmac-sha1-96``. + The default encryption type for the KDC database master key. The + default value is |defmkey|. **KDCRCACHE** The name of the replay cache used by the KDC. The default value is ``krb5kdc_rcache``. 
@@ -26,4 +26,4 @@ interesting variables. ``/var/tmp``. **DEFAULT_KDB_FILE** The location of the default database. The default value is - ``/usr/local/var/krb5kdc/principal``. + |kdcdir|\ ``/principal``. diff --git a/doc/rst_source/krb_users/user_commands/kinit.rst b/doc/rst_source/krb_users/user_commands/kinit.rst index ea1ee3a90..fe413fbb3 100644 --- a/doc/rst_source/krb_users/user_commands/kinit.rst +++ b/doc/rst_source/krb_users/user_commands/kinit.rst @@ -208,7 +208,7 @@ FILES default location of Kerberos 5 credentials cache ([*uid*] is the decimal UID of the user). -``/etc/krb5.keytab`` +|keytab| default location for the local host's keytab. diff --git a/doc/rst_source/krb_users/user_commands/klist.rst b/doc/rst_source/krb_users/user_commands/klist.rst index 594a77142..5a9a076f4 100644 --- a/doc/rst_source/krb_users/user_commands/klist.rst +++ b/doc/rst_source/krb_users/user_commands/klist.rst @@ -115,7 +115,7 @@ FILES Default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -``/etc/krb5.keytab`` +|keytab| Default location for the local host's keytab file. -- 2.26.2