uses to determine which principals are allowed which permissions on the
database. The default is @code{@value{DefaultAclFile}}.
-@itemx admin_keytab
-(String.) Location of the keytab file that the legacy administration
-daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
-the database. The default is @code{@value{DefaultAdminKeytab}}.
-
@itemx default_principal_expiration
(Absolute time string.) Specifies the default expiration date of
principals created in this realm. The default value for this tag is
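Review bot: the removed @code{@value{DefaultAdminKeytab}} reference was presumably the only use of the DefaultAdminKeytab texinfo variable; if it is still @set in the texinfo preamble, drop that definition in the same change so the sources do not carry a dead variable whose value (a keytab path) no longer corresponds to anything kadmind reads.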
some of which are optional. See the CONFIGURATION VALUES section
below.
-keytab
- kadmind requires a keytab containing correct entries for the
- ``kadmin/admin`` and ``kadmin/changepw`` principals for every
- realm that kadmind will answer requests for. The keytab can be
- created with the :ref:`kadmin(1)` client. The location of the
- keytab is determined by the **admin_keytab** configuration
- variable (see CONFIGURATION VALUES).
-
ACL file
kadmind's ACL (access control list) tells it which principals are
allowed to perform KADM5 administration actions. The path of the
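Review bot: deleting the whole "keytab" entry from the FILES section leaves no statement of where kadmind now obtains the ``kadmin/admin`` and ``kadmin/changepw`` keys, and no guidance for administrators who created a kadm5.keytab with kadmin as the removed text instructed. Add one sentence in its place (or in the release notes) saying that kadmind no longer uses a keytab file and that an existing kadm5.keytab can be removed, so the change is visible to readers rather than silently disappearing from the documentation.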
**acl_file**
The path of kadmind's ACL file. **Mandatory**. No default.
-**admin_keytab**
- The name of the keytab containing entries for the principals
- ``kadmin/admin`` and ``kadmin/changepw`` in each realm that
- kadmind will serve. The default is the value of the KRB5_KTNAME
- environment variable, if defined. **Mandatory**.
-
**dict_file**
The path of kadmind's password dictionary. A principal with any
password policy will not be allowed to select any password in the
which permissions on the database. The default is
``/usr/local/var/krb5kdc/kadm5.acl``.
-**admin_keytab**
- (String.) Location of the keytab file that the legacy
- administration daemons kadmind4 and v5passwdd use to authenticate
- to the database. The default is
- ``/usr/local/var/krb5kdc/kadm5.keytab``.
-
**database_name**
This string specifies the location of the Kerberos database for
this realm.
# explicitly configure the following four values:
# database_name = /var/krb5kdc/principal
# key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
- # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
# acl_file = /var/krb5kdc/kadm5.acl
}
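Review bot: the unchanged context line "explicitly configure the following four values:" is now wrong, since only three values remain once the "# admin_keytab = FILE:/var/krb5kdc/kadm5.keytab" line is removed (database_name, key_stash_file, acl_file). Change "four" to "three" in this hunk; the accompanying ".. note::" in this file was updated for the same reason, so the example should match it.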
.. note:: You have to have write permission on the target directories
(these directories must exist) used by **database_name**,
- **key_stash_file**, **admin_keytab**, and **acl_file**.
+ **key_stash_file**, and **acl_file**.
.. _create_db:
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
- admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
kdc_ports = 750,88
kadmin uses to determine which principals are allowed which permissions
on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
-.IP admin_keytab
-This
-.B string
-Specifies the location of the keytab file that kadmin uses to
-authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
-
.IP database_name
This
.B string
/* cofiguration variables */
#define KRB5_CONF_ACL_FILE "acl_file"
-#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
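Review bot: removing KRB5_CONF_ADMIN_KEYTAB here is correct only if every profile lookup of "admin_keytab" is gone; the alt_prof.c hunk removes the one in kadm5_get_config_params, but grep the tree (including the kdc and kadmin server sources) before landing, since a leftover reference will fail to compile rather than fall back. While touching this block, the context comment "/* cofiguration variables */" has a typo ("configuration").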
mandatory and some of which are optional. See the CONFIGURATION VALUES
section below.
.TP
-keytab
-.B Kadmind
-requires a keytab containing correct entries for the
-.I kadmin/admin
-and
-.I kadmin/changepw
-principals for every realm that kadmind will answer requests for. The
-keytab can be created with the
-.IR kadmin (8)
-client. The location of the keytab is determined by the
-.I admin_keytab
-configuration variable (see CONFIGURATION VALUES).
-.TP
ACL file
.BR Kadmind 's
ACL (access control list) tells it which principals are allowed to
password policy will not be allowed to select any password in the
dictionary. Optional. No default.
.TP
-admin_keytab
-The name of the keytab containing entries for the principals
-.I kadmin/admin
-and
-.I kadmin/changepw
-in each realm that
-.B kadmind
-will serve. The default is the value of the
-.SM KRB5_KTNAME
-environment variable, if defined. Mandatory.
-.TP
kadmind_port
The
.SM TCP
__REALM__ = {
profile = __K5ROOT__/krb5.conf
database_name = __K5ROOT__/kdb5
- admin_keytab = __K5ROOT__/ovsec_adm.srvtab
key_stash_file = __K5ROOT__/.k5.__REALM__
acl_file = __K5ROOT__/ovsec_adm.acl
dict_file = __K5ROOT__/ovsec_adm.dict
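Review bot: with "admin_keytab = __K5ROOT__/ovsec_adm.srvtab" removed from the test realm, check whether the unit-test Makefile or setup script still generates or installs ovsec_adm.srvtab; if nothing reads it any more, that generation step (and any clean target listing the file) should go in the same change so the test tree does not keep producing an unused credential file.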
"KADM5_CONFIG_ADBNAME" {set params [lreplace $params 5 5 $value]}
"KADM5_CONFIG_ADB_LOCKFILE" {
set params [lreplace $params 6 6 $value]}
- "KADM5_CONFIG_ADMIN_KEYTAB" {
- set params [lreplace $params 7 7 $value]}
"KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 8 8 $value]}
"KADM5_CONFIG_DICT_FILE" {
set params [lreplace $params 9 9 $value]}
{"KADM5_CONFIG_MAX_RLIFE", KADM5_CONFIG_MAX_RLIFE},
{"KADM5_CONFIG_EXPIRATION", KADM5_CONFIG_EXPIRATION},
{"KADM5_CONFIG_FLAGS", KADM5_CONFIG_FLAGS},
- {"KADM5_CONFIG_ADMIN_KEYTAB", KADM5_CONFIG_ADMIN_KEYTAB},
{"KADM5_CONFIG_STASH_FILE", KADM5_CONFIG_STASH_FILE},
{"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE},
{"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME},
}
/* Ignore argv[5], which used to set the admin_dbname field. */
/* Ignore argv[6], which used to set the admin_lockfile field. */
- if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) {
- Tcl_AppendElement(interp, "while parsing admin_keytab name");
- retcode = TCL_ERROR;
- goto finished;
- }
+ /* Ignore argv[7], which used to set the admin_keytab field. */
if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) {
Tcl_AppendElement(interp, "while parsing acl_file name");
retcode = TCL_ERROR;
#define KADM5_CONFIG_MAX_RLIFE 0x00000010
#define KADM5_CONFIG_EXPIRATION 0x00000020
#define KADM5_CONFIG_FLAGS 0x00000040
-#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080
+/*#define KADM5_CONFIG_ADMIN_KEYTAB 0x00000080*/
#define KADM5_CONFIG_STASH_FILE 0x00000100
#define KADM5_CONFIG_ENCTYPE 0x00000200
#define KADM5_CONFIG_ADBNAME 0x00000400
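Review bot: prefer a plain comment over a commented-out macro for the 0x00000080 bit, e.g. "/* 0x00000080 was KADM5_CONFIG_ADMIN_KEYTAB; reserved, do not reuse */". Keeping the bit reserved is the right call, since callers built against an older admin.h may still set it in a mask and the ILLEGAL_PARAMS check elsewhere in this patch no longer names it, but a commented-out #define reads as an accidental leftover rather than a deliberate reservation.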
file. */
char * dbname;
- char * admin_keytab;
char * acl_file;
char * dict_file;
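Review bot: removing "char * admin_keytab;" from the middle of kadm5_config_params shifts the offset of every member that follows it (acl_file, dict_file and the rest), and this struct is part of the installed kadm5/admin.h. State in the commit message whether the kadm5 library is treated as having a stable ABI and whether this warrants an API version bump; if it is meant to stay compatible, keep the member as an unused placeholder instead of deleting it.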
GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, KRB5_CONF_DATABASE_NAME,
DEFAULT_KDB_FILE);
- /* Get the value for the admin (policy) database lock file*/
- if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB,
- KRB5_CONF_ADMIN_KEYTAB, NULL)) {
- const char *s = getenv("KRB5_KTNAME");
- if (s == NULL)
- s = DEFAULT_KADM5_KEYTAB;
- params.admin_keytab = strdup(s);
- if (params.admin_keytab)
- params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
- }
-
/* Get the name of the acl file */
GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, KRB5_CONF_ACL_FILE,
DEFAULT_KADM5_ACL_FILE);
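Review bot: the removed block was the only visible user of DEFAULT_KADM5_KEYTAB and of the KRB5_KTNAME fallback; if DEFAULT_KADM5_KEYTAB is now unreferenced, remove its definition from the header that provides it rather than leaving a dead default path. Dropping the KRB5_KTNAME lookup is consistent with the documentation hunks that stop describing that environment variable as the default, so no further doc change is needed for it. (The deleted comment "Get the value for the admin (policy) database lock file" was already wrong for this block, so nothing is lost there.)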
free(params->stash_file);
free(params->keysalts);
free(params->admin_server);
- free(params->admin_keytab);
free(params->dict_file);
free(params->acl_file);
free(params->realm);
#define ILLEGAL_PARAMS (KADM5_CONFIG_DBNAME | KADM5_CONFIG_ADBNAME | \
KADM5_CONFIG_ADB_LOCKFILE | \
KADM5_CONFIG_ACL_FILE | KADM5_CONFIG_DICT_FILE \
- | KADM5_CONFIG_ADMIN_KEYTAB | \
- KADM5_CONFIG_STASH_FILE | \
+ | KADM5_CONFIG_STASH_FILE | \
KADM5_CONFIG_MKEY_NAME | KADM5_CONFIG_ENCTYPE \
| KADM5_CONFIG_MAX_LIFE | \
KADM5_CONFIG_MAX_RLIFE | \
of variable settings in this file, some of which are mandatory and some of which are optional.
See the CONFIGURATION VALUES section below.
.TP
-.B \fIkeytab\fP
-.sp
-Kadmind requires a keytab containing correct entries for the kadmin/admin and kadmin/changepw principals for every realm that
-\fIkadmind\fP will answer requests for. The keytab can be created with the kadmin(8) client.
-The location of the keytab is determined by the \fIadmin_keytab\fP configuration variable (see CONFIGURATION VALUES).
-.TP
.B \fIACL\fP file
.sp
\fIkadmind\fP\(aqs \fIACL\fP (access control list) tells it which principals are allowed to perform KADM5 administration actions.
.sp
The path of \fIkadmind\fP\(aqs \fIACL\fP file. \fBMandatory\fP. No default.
.TP
-.B \fBadmin_keytab\fP
-.sp
-The name of the keytab containing entries for the principals kadmin/admin and kadmin/changepw in each realm that \fIkadmind\fP will
-serve. The default is the value of the KRB5_KTNAME environment variable, if defined. \fBMandatory\fP.
-.TP
.B \fBdict_file\fP
.sp
The path of \fIkadmind\fP\(aqs password dictionary. A principal with any password policy will not be allowed to select any password in
.sp
(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is \fI/usr/local/var/krb5kdc/kadm5.acl\fP.
.TP
-.B \fBadmin_keytab\fP
-.sp
-(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is \fI/usr/local/var/krb5kdc/kadm5.keytab\fP.
-.TP
.B \fBdatabase_name\fP
.sp
This string specifies the location of the Kerberos database for this realm.
[realms]
Y.COM = {
database_name = %(tier2)s/principal
- admin_keytab = FILE:%(tier2)s/kadm5.keytab
acl_file = %(tier2)s/kadm5.acl
key_stash_file = %(tier2)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7777
[realms]
Z.COM = {
database_name = %(tier1)s/principal
- admin_keytab = FILE:%(tier1)s/kadm5.keytab
acl_file = %(tier1)s/kadm5.acl
key_stash_file = %(tier1)s/.k5.ATHENA.MIT.EDU
kdc_ports = 7778
database_name = %(sandir)s/krb5kdc/principal
acl_file = %(sandir)s/kadm5.acl
key_stash_file = %(sandir)s/krb5kdc/.k5.EXAMPLE.ORG
- admin_keytab = FILE:%(sandir)s/krb5kdc/kadm5.keytab
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886