FreeBSD Manual Pages


KRB5.CONF(5)		    BSD	File Formats Manual		  KRB5.CONF(5)

NAME
     krb5.conf -- configuration file for Kerberos 5

SYNOPSIS
     #include <krb5.h>

DESCRIPTION
     The krb5.conf file specifies several configuration parameters for the
     Kerberos 5 library, as well as for some programs.

     The file consists of one or more sections, containing a number of
     bindings.  The value of each binding can be either a string or a list of
     other bindings.  The grammar looks like:

           file:
                   /* empty */

           sections:
                   section sections

           section:
                   '[' section_name ']' bindings

           bindings:
                   binding bindings

           binding:
                   name '=' STRING
                   name '=' '{' bindings '}'


     STRINGs consist of one or more non-whitespace characters.

     STRINGs that are specified later in this man-page use the following
     notation:

           boolean
                   values can be either yes/true or no/false.

           time    values can be a list of year, month, day, hour, min, second.
                   Example: 1 month 2 days 30 min.  If no unit is given, seconds
                   is assumed.

           etypes  valid encryption types are: des-cbc-crc, des-cbc-md4,
                   des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5,
                   aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.

           address
                   an address can be either an IPv4 or an IPv6 address.
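As an added example (not from the man page or from Heimdal), a parser for the boolean and time notation above.  The page does not say how long a month or a year is, so the 30-day month and 365-day year are this example's own assumptions:

```python
import re

# Seconds per unit.  The man page lists year, month, day, hour, min, second;
# the 30-day month and 365-day year are this example's own assumptions.
_UNITS = {"year": 365 * 86400, "month": 30 * 86400, "day": 86400,
          "hour": 3600, "min": 60, "minute": 60, "second": 1, "sec": 1}
_TOKEN = re.compile(r"\s*(\d+)\s*([a-z]*)")


def parse_time(value):
    """Turn a krb5.conf time string such as '1 month 2 days 30 min' into
    seconds.  A bare number with no unit is taken as seconds, as the page says."""
    text, pos, total = value.lower().rstrip(), 0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse time value near {text[pos:]!r}")
        number, unit = int(m.group(1)), m.group(2).rstrip("s")  # 'days' -> 'day'
        if unit and unit not in _UNITS:
            raise ValueError(f"unknown time unit {m.group(2)!r}")
        total += number * (_UNITS[unit] if unit else 1)
        pos = m.end()
    return total


def parse_boolean(value):
    """yes/true -> True, no/false -> False (case-insensitive); anything else
    is rejected rather than silently treated as false."""
    v = value.strip().lower()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    raise ValueError(f"not a boolean: {value!r}")
```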

     Currently recognised sections and bindings	are:

     [appdefaults]
          Specifies the default values to be used for Kerberos
          applications.  You can specify defaults per application, realm, or
          a combination of these.  The preference order is:
          1.   application realm option
          2.   application option
          3.   realm option
          4.   option

		The supported options are:

               forwardable = boolean
                    When obtaining initial credentials, make the
                    credentials forwardable.

               proxiable = boolean
                    When obtaining initial credentials, make the
                    credentials proxiable.

		      no-addresses = boolean
			   When	obtaining initial credentials, request them
			   for an empty	set of addresses, making the tickets
			   valid from any address.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.

		      encrypt =	boolean
			   Use encryption, when	available.

		      forward =	boolean
			   Forward credentials to remote host (for rsh(1),
			   telnet(1), etc).
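As an added example (not Heimdal's code), a parser for the section/binding grammar given above, with the [appdefaults] preference order resolved on top of it.  The sample configuration text is constructed for this example, and treating lines that start with '#' as comments is an assumption of the example, not something the page states:

```python
SAMPLE = """[appdefaults]
    forwardable = false
    kinit = {
        forwardable = true
        EXAMPLE.ORG = {
            forwardable = false
        }
    }
"""  # constructed sample text for this example, not from the man page

def _add(block, name, value):
    # A name bound more than once (e.g. several kdc = lines) becomes a list.
    old = block.get(name)
    block[name] = value if old is None else (old if isinstance(old, list) else [old]) + [value]

def parse_krb5_conf(text):
    # Grammar from the man page: '[name]' opens a section, 'name = STRING' binds a
    # value, 'name = {' opens a block closed by a lone '}'. '#' comments are assumed.
    sections, stack = {}, []                # stack: innermost open block last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]") and len(stack) <= 1:
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack:
            name, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                # nested binding block
                stack.append(value := {})
                _add(stack[-2], name, value)
            else:
                _add(stack[-1], name, value)
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections

def appdefault(conf, app, realm, option, default=None):
    # Preference order from the man page: app+realm, app, realm, bare option.
    appd = conf.get("appdefaults", {})
    for path in ((app, realm, option), (app, option), (realm, option), (option,)):
        value = appd
        for key in path:                    # walk into nested blocks
            value = value.get(key) if isinstance(value, dict) else None
        if value is not None:
            return value
    return default
```

With the sample above, kinit in EXAMPLE.ORG resolves forwardable to "false" through the application-realm entry even though the application-level entry says "true".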


     [libdefaults]
               default_realm = REALM
                    Default realm to use; this is also known as your
                    "local realm".  The default is the result of
                    krb5_get_host_realm(local hostname).

		      clockskew	= time
			   Maximum time	differential (in seconds) allowed when
			   comparing times.  Default is	300 seconds (five min-

               kdc_timeout = time
                    Maximum time to wait for a reply from the kdc; the
                    default is 3 seconds.


			   These are described in the
			   krb5_425_conv_principal(3) manual page.

               capath = {
                    destination-realm = next-hop-realm
               }
                    This is deprecated; see the capaths section below.

               default_cc_name = ccname
                    The default credentials cache name.  The string can
                    contain variables that are expanded at runtime.  The
                    only variable supported at present is %{uid}, which
                    expands to the current user id.

		      default_etypes = etypes ...
			   A list of default encryption	types to use.

		      default_etypes_des = etypes ...
			   A list of default encryption	types to use when re-
			   questing a DES credential.

		      default_keytab_name = keytab
			   The keytab to use if	no other is specified, default
			   is "FILE:/etc/krb5.keytab".

		      dns_lookup_kdc = boolean
			   Use DNS SRV records to lookup KDC services loca-

		      dns_lookup_realm = boolean
			   Use DNS TXT records to lookup domain	to realm map-

		      kdc_timesync = boolean
			   Try to keep track of	the time differential between
			   the local machine and the KDC, and then compensate
			   for that when issuing requests.

		      max_retries = number
			   The max number of times to try to contact each KDC.

		      large_msg_size = number
			   The threshold where protocols with tiny maximum
			   message sizes are not considered usable to send
			   messages to the KDC.

		      ticket_lifetime =	time
			   Default ticket lifetime.

		      renew_lifetime = time
			   Default renewable ticket lifetime.

               forwardable = boolean
                    When obtaining initial credentials, make the
                    credentials forwardable.  This option is also valid in
                    the [realms] section.

               proxiable = boolean
                    When obtaining initial credentials, make the
                    credentials proxiable.  This option is also valid in
                    the [realms] section.

               verify_ap_req_nofail = boolean
                    If enabled, failure to verify credentials against a
                    local key is a fatal error.  The application has to
                    be able to read the corresponding service key for
                    this to work.  Some applications, like su(1), enable
                    this option unconditionally.

               warn_pwexpire = time
                    How soon to warn of an expiring password.  Default is
                    seven days.

		      http_proxy = proxy-spec
			   A HTTP-proxy	to use when talking to the KDC via

		      dns_proxy	= proxy-spec
			   Enable using	DNS via	HTTP.

		      extra_addresses =	address	...
			   A list of addresses to get tickets for along	with
			   all local addresses.

               time_format = string
                    How to print time strings in logs; this string is
                    passed to strftime(3).

               date_format = string
                    How to print date strings in logs; this string is
                    passed to strftime(3).

		      log_utc =	boolean
			   Write log-entries using UTC instead of your local
			   time	zone.

               scan_interfaces = boolean
                    Scan all network interfaces for addresses, as
                    opposed to simply using the address associated with
                    the system's host name.

		      fcache_version = int
			   Use file credential cache format version specified.

		      krb4_get_tickets = boolean
			   Also	get Kerberos 4 tickets in kinit, login,	and
			   other programs.  This option	is also	valid in the
			   [realms] section.

               fcc-mit-ticketflags = boolean
                    Use the MIT compatible format for the file credential
                    cache.  The ticketflags field was stored in reverse
                    bit order by Heimdal versions older than 0.7.  Setting
                    this flag to TRUE makes it store the MIT way; this is
                    the default as of Heimdal 0.7.

     [domain_realm]
          This is a list of mappings from DNS domain to Kerberos realm.
          Each binding in this section looks like:

		      domain = realm

          The domain can be either the full name of a host or a trailing
          component; in the latter case the domain-string should start
          with a period.  The trailing component only matches hosts that
          are in the same domain, i.e. "" matches
          "", but not "".

		The realm may be the token `dns_locate', in which case the ac-
		tual realm will	be determined using DNS	(independently of the
		setting	of the `dns_lookup_realm' option).


     [realms]
               REALM = {

                    kdc = [service/]host[:port]
                         Specifies a list of kdcs for this realm.
                         If the optional port is absent, the
                         default value for the "kerberos/udp",
                         "kerberos/tcp", and "http/tcp" port
                         (depending on service) will be used.  The
                         kdcs will be used in the order that they
                         are specified.

				      The optional service specifies over what
				      medium the kdc should be contacted.
				      Possible services	are "udp", "tcp", and
				      "http".  Http can	also be	written	as
				      "http://".  Default service is "udp" and

				 admin_server =	host[:port]
				      Specifies	the admin server for this
				      realm, where all the modifications to
				      the database are performed.

				 kpasswd_server	= host[:port]
				      Points to	the server where all the pass-
				      word changes are performed.  If there is
				      no such entry, the kpasswd port on the
				      admin_server host	will be	tried.

				 krb524_server = host[:port]
				      Points to	the server that	does 524 con-
				      versions.	 If it is not mentioned, the
				      krb524 port on the kdcs will be tried.



				      See krb5_425_conv_principal(3).

                         a boolean variable that defaults to
                         false.  Old DCE secd (pre 1.1) might
                         need this to be true.
               }



     [capaths]
               client-realm = {

				 server-realm =	hop-realm ...
				      This serves two purposes.	First the
				      first listed hop-realm tells a client
				      which realm it should contact in order
				      to ultimately obtain credentials for a
				      service in the server-realm.  Secondly,
				      it tells the KDC (and other servers)
				      which realms are allowed in a multi-hop
				      traversal	from client-realm to
				      server-realm.  Except for	the client
				      case, the	order of the realms are	not



     [logging]
               entity = destination
                    Specifies that entity should use the specified
                    destination for logging.  See the krb5_openlog(3)
                    manual page for a list of defined destinations.


     [kdc]
               database = {

                    dbname = DATABASENAME
                         Use this database for this realm.  See
                         the info documentation for how to configure
                         different database backends.

                    realm = REALM
                         Specifies the realm that will be stored
                         in this database.  If realm isn't set,
                         it will be used as the default database;
                         there can only be one entry that doesn't
                         have a realm stanza.

				 mkey_file = FILENAME
				      Use this keytab file for the master key
				      of this database.	 If not	specified
				      DATABASENAME.mkey	will be	used.

                    acl_file = FILENAME
                         Use this file for the ACL list of this

                    log_file = FILENAME
                         Use this file as the log of changes
                         performed to the database.  This file is
                         used by ipropd-master for propagating
                         changes to slaves.
               }


		      max-request = SIZE
			   Maximum size	of a kdc request.

               require-preauth = BOOL
                    If set, pre-authentication is required.  Since krb4
			   requests are	not pre-authenticated they will	be re-

		      ports = list of ports
			   List	of ports the kdc should	listen to.

		      addresses	= list of interfaces
			   List	of addresses the kdc should bind to.

		      enable-kerberos4 = BOOL
			   Turn	on Kerberos 4 support.

		      v4-realm = REALM
			   To what realm v4 requests should be mapped.

		      enable-524 = BOOL
			   Should the Kerberos 524 converting facility be
			   turned on.  Default is the same as

		      enable-http = BOOL
			   Should the kdc answer kdc-requests over http.

		      enable-kaserver =	BOOL
			   If this kdc should emulate the AFS kaserver.

		      check-ticket-addresses = BOOL
			   Verify the addresses	in the tickets used in tgs re-

		      allow-null-ticket-addresses = BOOL
			   Allow address-less tickets.

		      allow-anonymous =	BOOL
			   If the kdc is allowed to hand out anonymous tick-

               encode_as_rep_as_tgs_rep = BOOL
                    Encode as-rep as tgs-rep to be compatible with
                    mistakes older DCE secd did.

		      kdc_warn_pwexpire	= TIME
			   The time before expiration that the user should be
			   warned that her password is about to	expire.

		      logging =	Logging
			   What	type of	logging	the kdc	should use, see	also

               use_2b = {

                    principal = BOOL
                         boolean value if the 524 daemon should
                         return AFS 2b tokens for principal.
               }



               hdb-ldap-structural-object structural object
                    If the LDAP backend is used for storing principals,
                    this is the structural object that will be used
                    when creating and when reading objects.  The
                    default value is account.

               hdb-ldap-create-base creation dn
                    The dn that will be appended to the principal
			   when	creating entries.  Default value is the	search


     [kadmin]
               require-preauth = BOOL
                    If pre-authentication is required to talk to the
                    kadmin server.

               password_lifetime = time
                    If a principal already has its password set for
                    expiration, this is the time it will be valid for
                    after a change.

               default_keys = keytypes...
                    For each entry in default_keys, try to parse it as a
                    sequence of etype:salttype:salt.  The syntax of this
                    is something like:


                    If etype is omitted it means everything, and if
                    string is omitted it means the default salt string
                    (for that principal and encryption type).
                    Additional special values of keytypes are:

				 v5   The Kerberos 5 salt pw-salt

				 v4   The Kerberos 4 salt des:pw-salt:

		      use_v4_salt = BOOL
			   When	true, this is the same as

			   default_keys	= des3:pw-salt v4

			   and is only left for	backwards compatibility.

     [password_quality]
          Check the Password quality assurance in the info documentation
          for more information.

		      check_library = library-name
			   Library name	that contains the password check_func-

		      check_function = function-name
			   Function name for checking passwords	in check_li-

		      policy_libraries = library1 ... libraryN
			   List	of libraries that can do password policy

               policies = policy1 ... policyN
                    List of policy names to apply to the password.
                    Built-in policies include, among others, minimum-
                    length, character-class and external-check.

ENVIRONMENT
     KRB5_CONFIG points to the configuration file to read.

FILES
     /etc/krb5.conf  configuration file for Kerberos 5.

EXAMPLES
           [libdefaults]
                   default_realm = FOO.SE
           [domain_realm]
                   = FOO.SE
                   = FOO.SE
           [realms]
                   FOO.SE = {
                           kdc =
                           v4_name_convert = {
                                   rcmd = host
                           }
                           v4_instance_convert = {
                                   xyz =
                           }
                           default_domain =
                   }
           [logging]
                   kdc = FILE:/var/heimdal/kdc.log
                   kdc = SYSLOG:INFO
                   default = SYSLOG:INFO:USER

DIAGNOSTICS
     Since krb5.conf is read and parsed by the krb5 library, there are not
     many opportunities for programs to report parsing errors in any useful
     format.  To help overcome this problem, there is a program
     verify_krb5_conf that reads krb5.conf and tries to emit useful
     diagnostics from parsing errors.  Note that this program does not have
     any way of knowing what options are actually used and thus cannot warn
     about unknown or misspelled ones.

SEE ALSO
     kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),

HEIMDAL				  May 4, 2005			       HEIMDAL

