1KDC.CONF(5) MIT Kerberos KDC.CONF(5)
2
6 kdc.conf - Kerberos V5 KDC configuration file
7 The kdc.conf file supplements krb5.conf(5) for programs which are typi‐
9 cally only used on a KDC, such as the krb5kdc(8) and kadmind(8) daemons
10 and the kdb5_util(8) program. Relations documented here may also be
11 specified in krb5.conf; for the KDC programs mentioned, krb5.conf and
12 kdc.conf will be merged into a single configuration profile.
13 Normally, the kdc.conf file is found in the KDC state directory,
15 /var/kerberos/krb5kdc. You can override the default location by set‐
16 ting the environment variable KRB5_KDC_PROFILE.
17 Please note that you need to restart the KDC daemon for any configura‐
19 tion changes to take effect.
20
22 The kdc.conf file is set up in the same format as the krb5.conf(5)
23 file.
24
26 The kdc.conf file may contain the following sections:
27 ┌──────────────┬────────────────────────────┐
29 │[kdcdefaults] │ Default values for KDC │
30 │ │ behavior │
31 ├──────────────┼────────────────────────────┤
32 │[realms] │ Realm-specific database │
33 │ │ configuration and settings │
34 ├──────────────┼────────────────────────────┤
35 │[dbdefaults] │ Default database settings │
36 ├──────────────┼────────────────────────────┤
37 │[dbmodules] │ Per-database settings │
38 ├──────────────┼────────────────────────────┤
39 │[logging] │ Controls how Kerberos dae‐ │
40 │ │ mons perform logging │
41 └──────────────┴────────────────────────────┘
42 [kdcdefaults]
44 With two exceptions, relations in the [kdcdefaults] section specify
45 default values for realm variables, to be used if the [realms] subsec‐
46 tion does not contain a relation for the tag. See the [realms] section
47 for the definitions of these relations.
48 · host_based_services
50 · kdc_listen
52 · kdc_ports
54 · kdc_tcp_listen
56 · kdc_tcp_ports
58 · no_host_referral
60 · restrict_anonymous_to_tgt
62 kdc_max_dgram_reply_size
64 Specifies the maximum packet size that can be sent over UDP.
65 The default value is 4096 bytes.
66 kdc_tcp_listen_backlog
68 (Integer.) Set the size of the listen queue length for the KDC
69 daemon. The value may be limited by OS settings. The default
70 value is 5.
71 [realms]
73 Each tag in the [realms] section is the name of a Kerberos realm. The
74 value of the tag is a subsection where the relations define KDC parame‐
75 ters for that particular realm. The following example shows how to
76 define one parameter for the ATHENA.MIT.EDU realm:
77 [realms]
79 ATHENA.MIT.EDU = {
80 max_renewable_life = 7d 0h 0m 0s
81 }
82 The following tags may be specified in a [realms] subsection:
84 acl_file
86 (String.) Location of the access control list file that kad‐
87 mind(8) uses to determine which principals are allowed which
88 permissions on the Kerberos database. The default value is
89 /var/kerberos/krb5kdc/kadm5.acl. For more information on Ker‐
90 beros ACL file see kadm5.acl(5).
91 database_module
93 (String.) This relation indicates the name of the configuration
94 section under [dbmodules] for database-specific parameters used
95 by the loadable database library. The default value is the
96 realm name. If this configuration section does not exist,
97 default values will be used for all database parameters.
98 database_name
100 (String, deprecated.) This relation specifies the location of
101 the Kerberos database for this realm, if the DB2 module is being
102 used and the [dbmodules] configuration section does not specify
103 a database name. The default value is /var/ker‐
104 beros/krb5kdc/principal.
105 default_principal_expiration
107 (abstime string.) Specifies the default expiration date of
108 principals created in this realm. The default value is 0, which
109 means no expiration date.
110 default_principal_flags
112 (Flag string.) Specifies the default attributes of principals
113 created in this realm. The format for this string is a
114 comma-separated list of flags, with '+' before each flag that
115 should be enabled and '-' before each flag that should be dis‐
116 abled. The postdateable, forwardable, tgt-based, renewable,
117 proxiable, dup-skey, allow-tickets, and service flags default to
118 enabled.
119 There are a number of possible flags:
121 allow-tickets
123 Enabling this flag means that the KDC will issue tickets
124 for this principal. Disabling this flag essentially
125 deactivates the principal within this realm.
126 dup-skey
128 Enabling this flag allows the principal to obtain a ses‐
129 sion key for another user, permitting user-to-user
130 authentication for this principal.
131 forwardable
133 Enabling this flag allows the principal to obtain for‐
134 wardable tickets.
135 hwauth If this flag is enabled, then the principal is required
137 to preauthenticate using a hardware device before receiv‐
138 ing any tickets.
139 no-auth-data-required
141 Enabling this flag prevents PAC or AD-SIGNEDPATH data
142 from being added to service tickets for the principal.
143 ok-as-delegate
145 If this flag is enabled, it hints the client that creden‐
146 tials can and should be delegated when authenticating to
147 the service.
148 ok-to-auth-as-delegate
150 Enabling this flag allows the principal to use S4USelf
151 tickets.
152 postdateable
154 Enabling this flag allows the principal to obtain post‐
155 dateable tickets.
156 preauth
158 If this flag is enabled on a client principal, then that
159 principal is required to preauthenticate to the KDC
160 before receiving any tickets. On a service principal,
161 enabling this flag means that service tickets for this
162 principal will only be issued to clients with a TGT that
163 has the preauthenticated bit set.
164 proxiable
166 Enabling this flag allows the principal to obtain proxy
167 tickets.
168 pwchange
170 Enabling this flag forces a password change for this
171 principal.
172 pwservice
174 If this flag is enabled, it marks this principal as a
175 password change service. This should only be used in
176 special cases, for example, if a user's password has
177 expired, then the user has to get tickets for that prin‐
178 cipal without going through the normal password authenti‐
179 cation in order to be able to change the password.
180 renewable
182 Enabling this flag allows the principal to obtain renew‐
183 able tickets.
184 service
186 Enabling this flag allows the the KDC to issue service
187 tickets for this principal.
188 tgt-based
190 Enabling this flag allows a principal to obtain tickets
191 based on a ticket-granting-ticket, rather than repeating
192 the authentication process that was used to obtain the
193 TGT.
194 dict_file
196 (String.) Location of the dictionary file containing strings
197 that are not allowed as passwords. The file should contain one
198 string per line, with no additional whitespace. If none is
199 specified or if there is no policy assigned to the principal, no
200 dictionary checks of passwords will be performed.
201 host_based_services
203 (Whitespace- or comma-separated list.) Lists services which
204 will get host-based referral processing even if the server prin‐
205 cipal is not marked as host-based by the client.
206 iprop_enable
208 (Boolean value.) Specifies whether incremental database propa‐
209 gation is enabled. The default value is false.
210 iprop_master_ulogsize
212 (Integer.) Specifies the maximum number of log entries to be
213 retained for incremental propagation. The default value is
214 1000. Prior to release 1.11, the maximum value was 2500.
215 iprop_slave_poll
217 (Delta time string.) Specifies how often the slave KDC polls
218 for new updates from the master. The default value is 2m (that
219 is, two minutes).
220 iprop_listen
222 (Whitespace- or comma-separated list.) Specifies the iprop RPC
223 listening addresses and/or ports for the kadmind(8) daemon.
224 Each entry may be an interface address, a port number, or an
225 address and port number separated by a colon. If the address
226 contains colons, enclose it in square brackets. If no address
227 is specified, the wildcard address is used. If kadmind fails to
228 bind to any of the specified addresses, it will fail to start.
229 The default (when iprop_enable is true) is to bind to the wild‐
230 card address at the port specified in iprop_port. New in
231 release 1.15.
232 iprop_port
234 (Port number.) Specifies the port number to be used for incre‐
235 mental propagation. When iprop_enable is true, this relation is
236 required in the slave configuration file, and this relation or
237 iprop_listen is required in the master configuration file, as
238 there is no default port number. Port numbers specified in
239 iprop_listen entries will override this port number for the kad‐
240 mind(8) daemon.
241 iprop_resync_timeout
243 (Delta time string.) Specifies the amount of time to wait for a
244 full propagation to complete. This is optional in configuration
245 files, and is used by slave KDCs only. The default value is 5
246 minutes (5m). New in release 1.11.
247 iprop_logfile
249 (File name.) Specifies where the update log file for the realm
250 database is to be stored. The default is to use the data‐
251 base_name entry from the realms section of the krb5 config file,
252 with .ulog appended. (NOTE: If database_name isn't specified in
253 the realms section, perhaps because the LDAP database back end
254 is being used, or the file name is specified in the [dbmodules]
255 section, then the hard-coded default for database_name is used.
256 Determination of the iprop_logfile default value will not use
257 values from the [dbmodules] section.)
258 kadmind_listen
260 (Whitespace- or comma-separated list.) Specifies the kadmin RPC
261 listening addresses and/or ports for the kadmind(8) daemon.
262 Each entry may be an interface address, a port number, or an
263 address and port number separated by a colon. If the address
264 contains colons, enclose it in square brackets. If no address
265 is specified, the wildcard address is used. If kadmind fails to
266 bind to any of the specified addresses, it will fail to start.
267 The default is to bind to the wildcard address at the port spec‐
268 ified in kadmind_port, or the standard kadmin port (749). New
269 in release 1.15.
270 kadmind_port
272 (Port number.) Specifies the port on which the kadmind(8) dae‐
273 mon is to listen for this realm. Port numbers specified in kad‐
274 mind_listen entries will override this port number. The
275 assigned port for kadmind is 749, which is used by default.
276 key_stash_file
278 (String.) Specifies the location where the master key has been
279 stored (via kdb5_util stash). The default is /var/ker‐
280 beros/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
281 kdc_listen
283 (Whitespace- or comma-separated list.) Specifies the UDP lis‐
284 tening addresses and/or ports for the krb5kdc(8) daemon. Each
285 entry may be an interface address, a port number, or an address
286 and port number separated by a colon. If the address contains
287 colons, enclose it in square brackets. If no address is speci‐
288 fied, the wildcard address is used. If no port is specified,
289 the standard port (88) is used. If the KDC daemon fails to bind
290 to any of the specified addresses, it will fail to start. The
291 default is to bind to the wildcard address on the standard port.
292 New in release 1.15.
293 kdc_ports
295 (Whitespace- or comma-separated list, deprecated.) Prior to
296 release 1.15, this relation lists the ports for the krb5kdc(8)
297 daemon to listen on for UDP requests. In release 1.15 and
298 later, it has the same meaning as kdc_listen if that relation is
299 not defined.
300 kdc_tcp_listen
302 (Whitespace- or comma-separated list.) Specifies the TCP lis‐
303 tening addresses and/or ports for the krb5kdc(8) daemon. Each
304 entry may be an interface address, a port number, or an address
305 and port number separated by a colon. If the address contains
306 colons, enclose it in square brackets. If no address is speci‐
307 fied, the wildcard address is used. If no port is specified,
308 the standard port (88) is used. To disable listening on TCP,
309 set this relation to the empty string with kdc_tcp_listen = "".
310 If the KDC daemon fails to bind to any of the specified
311 addresses, it will fail to start. The default is to bind to the
312 wildcard address on the standard port. New in release 1.15.
313 kdc_tcp_ports
315 (Whitespace- or comma-separated list, deprecated.) Prior to
316 release 1.15, this relation lists the ports for the krb5kdc(8)
317 daemon to listen on for UDP requests. In release 1.15 and
318 later, it has the same meaning as kdc_tcp_listen if that rela‐
319 tion is not defined.
320 kpasswd_listen
322 (Comma-separated list.) Specifies the kpasswd listening
323 addresses and/or ports for the kadmind(8) daemon. Each entry
324 may be an interface address, a port number, or an address and
325 port number separated by a colon. If the address contains
326 colons, enclose it in square brackets. If no address is speci‐
327 fied, the wildcard address is used. If kadmind fails to bind to
328 any of the specified addresses, it will fail to start. The
329 default is to bind to the wildcard address at the port specified
330 in kpasswd_port, or the standard kpasswd port (464). New in
331 release 1.15.
332 kpasswd_port
334 (Port number.) Specifies the port on which the kadmind(8) dae‐
335 mon is to listen for password change requests for this realm.
336 Port numbers specified in kpasswd_listen entries will override
337 this port number. The assigned port for password change
338 requests is 464, which is used by default.
339 master_key_name
341 (String.) Specifies the name of the principal associated with
342 the master key. The default is K/M.
343 master_key_type
345 (Key type string.) Specifies the master key's key type. The
346 default value for this is aes256-cts-hmac-sha1-96. For a list
347 of all possible values, see Encryption types.
348 max_life
350 (duration string.) Specifies the maximum time period for which
351 a ticket may be valid in this realm. The default value is 24
352 hours.
353 max_renewable_life
355 (duration string.) Specifies the maximum time period during
356 which a valid ticket may be renewed in this realm. The default
357 value is 0.
358 no_host_referral
360 (Whitespace- or comma-separated list.) Lists services to block
361 from getting host-based referral processing, even if the client
362 marks the server principal as host-based or the service is also
363 listed in host_based_services. no_host_referral = * will dis‐
364 able referral processing altogether.
365 des_crc_session_supported
367 (Boolean value). If set to true, the KDC will assume that ser‐
368 vice principals support des-cbc-crc for session key enctype
369 negotiation purposes. If allow_weak_crypto in libdefaults is
370 false, or if des-cbc-crc is not a permitted enctype, then this
371 variable has no effect. Defaults to true. New in release 1.11.
372 reject_bad_transit
374 (Boolean value.) If set to true, the KDC will check the list of
375 transited realms for cross-realm tickets against the transit
376 path computed from the realm names and the capaths section of
377 its krb5.conf(5) file; if the path in the ticket to be issued
378 contains any realms not in the computed path, the ticket will
379 not be issued, and an error will be returned to the client
380 instead. If this value is set to false, such tickets will be
381 issued anyways, and it will be left up to the application server
382 to validate the realm transit path.
383 If the disable-transited-check flag is set in the incoming
385 request, this check is not performed at all. Having the
386 reject_bad_transit option will cause such ticket requests to be
387 rejected always.
388 This transit path checking and config file option currently
390 apply only to TGS requests.
391 The default value is true.
393 restrict_anonymous_to_tgt
395 (Boolean value.) If set to true, the KDC will reject ticket
396 requests from anonymous principals to service principals other
397 than the realm's ticket-granting service. This option allows
398 anonymous PKINIT to be enabled for use as FAST armor tickets
399 without allowing anonymous authentication to services. The
400 default value is false. New in release 1.9.
401 supported_enctypes
403 (List of key:salt strings.) Specifies the default key/salt com‐
404 binations of principals for this realm. Any principals created
405 through kadmin(1) will have keys of these types. The default
406 value for this tag is aes256-cts-hmac-sha1-96:normal
407 aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arc‐
408 four-hmac-md5:normal. For lists of possible values, see Keysalt
409 lists.
410 [dbdefaults]
412 The [dbdefaults] section specifies default values for some database
413 parameters, to be used if the [dbmodules] subsection does not contain a
414 relation for the tag. See the [dbmodules] section for the definitions
415 of these relations.
416 · ldap_kerberos_container_dn
418 · ldap_kdc_dn
420 · ldap_kdc_sasl_authcid
422 · ldap_kdc_sasl_authzid
424 · ldap_kdc_sasl_mech
426 · ldap_kdc_sasl_realm
428 · ldap_kadmind_dn
430 · ldap_kadmind_sasl_authcid
432 · ldap_kadmind_sasl_authzid
434 · ldap_kadmind_sasl_mech
436 · ldap_kadmind_sasl_realm
438 · ldap_service_password_file
440 · ldap_servers
442 · ldap_conns_per_server
444 [dbmodules]
446 The [dbmodules] section contains parameters used by the KDC database
447 library and database modules. Each tag in the [dbmodules] section is
448 the name of a Kerberos realm or a section name specified by a realm's
449 database_module parameter. The following example shows how to define
450 one database parameter for the ATHENA.MIT.EDU realm:
451 [dbmodules]
453 ATHENA.MIT.EDU = {
454 disable_last_success = true
455 }
456 The following tags may be specified in a [dbmodules] subsection:
458 database_name
460 This DB2-specific tag indicates the location of the database in
461 the filesystem. The default is /var/kerberos/krb5kdc/principal.
462 db_library
464 This tag indicates the name of the loadable database module.
465 The value should be db2 for the DB2 module and kldap for the
466 LDAP module.
467 disable_last_success
469 If set to true, suppresses KDC updates to the "Last successful
470 authentication" field of principal entries requiring preauthen‐
471 tication. Setting this flag may improve performance. (Princi‐
472 pal entries which do not require preauthentication never update
473 the "Last successful authentication" field.). First introduced
474 in release 1.9.
475 disable_lockout
477 If set to true, suppresses KDC updates to the "Last failed
478 authentication" and "Failed password attempts" fields of princi‐
479 pal entries requiring preauthentication. Setting this flag may
480 improve performance, but also disables account lockout. First
481 introduced in release 1.9.
482 ldap_conns_per_server
484 This LDAP-specific tag indicates the number of connections to be
485 maintained per LDAP server.
486 ldap_kdc_dn and ldap_kadmind_dn
488 These LDAP-specific tags indicate the default DN for binding to
489 the LDAP server. The krb5kdc(8) daemon uses ldap_kdc_dn, while
490 the kadmind(8) daemon and other administrative programs use
491 ldap_kadmind_dn. The kadmind DN must have the rights to read
492 and write the Kerberos data in the LDAP database. The KDC DN
493 must have the same rights, unless disable_lockout and dis‐
494 able_last_success are true, in which case it only needs to have
495 rights to read the Kerberos data. These tags are ignored if a
496 SASL mechanism is set with ldap_kdc_sasl_mech or ldap_kad‐
497 mind_sasl_mech.
498 ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
500 These LDAP-specific tags specify the SASL mechanism (such as
501 EXTERNAL) to use when binding to the LDAP server. New in
502 release 1.13.
503 ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
505 These LDAP-specific tags specify the SASL authentication iden‐
506 tity to use when binding to the LDAP server. Not all SASL mech‐
507 anisms require an authentication identity. If the SASL mecha‐
508 nism requires a secret (such as the password for DIGEST-MD5),
509 these tags also determine the name within the ldap_service_pass‐
510 word_file where the secret is stashed. New in release 1.13.
511 ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
513 These LDAP-specific tags specify the SASL authorization identity
514 to use when binding to the LDAP server. In most circumstances
515 they do not need to be specified. New in release 1.13.
516 ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
518 These LDAP-specific tags specify the SASL realm to use when
519 binding to the LDAP server. In most circumstances they do not
520 need to be set. New in release 1.13.
521 ldap_kerberos_container_dn
523 This LDAP-specific tag indicates the DN of the container object
524 where the realm objects will be located.
525 ldap_servers
527 This LDAP-specific tag indicates the list of LDAP servers that
528 the Kerberos servers can connect to. The list of LDAP servers
529 is whitespace-separated. The LDAP server is specified by a LDAP
530 URI. It is recommended to use ldapi: or ldaps: URLs to connect
531 to the LDAP server.
532 ldap_service_password_file
534 This LDAP-specific tag indicates the file containing the stashed
535 passwords (created by kdb5_ldap_util stashsrvpw) for the
536 ldap_kdc_dn and ldap_kadmind_dn objects, or for the
537 ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
538 SASL authentication. This file must be kept secure.
539 unlockiter
541 If set to true, this DB2-specific tag causes iteration opera‐
542 tions to release the database lock while processing each princi‐
543 pal. Setting this flag to true can prevent extended blocking of
544 KDC or kadmin operations when dumps of large databases are in
545 progress. First introduced in release 1.13.
546 The following tag may be specified directly in the [dbmodules] section
548 to control where database modules are loaded from:
549 db_module_dir
551 This tag controls where the plugin system looks for database
552 modules. The value should be an absolute path.
553 [logging]
555 The [logging] section indicates how krb5kdc(8) and kadmind(8) perform
556 logging. It may contain the following relations:
557 admin_server
559 Specifies how kadmind(8) performs logging.
560 kdc Specifies how krb5kdc(8) performs logging.
562 default
564 Specifies how either daemon performs logging in the absence of
565 relations specific to the daemon.
566 debug (Boolean value.) Specifies whether debugging messages are
568 included in log outputs other than SYSLOG. Debugging messages
569 are always included in the system log output because syslog per‐
570 forms its own priority filtering. The default value is false.
571 New in release 1.15.
572 Logging specifications may have the following forms:
574 FILE=filename or FILE:filename
576 This value causes the daemon's logging messages to go to the
577 filename. If the = form is used, the file is overwritten. If
578 the : form is used, the file is appended to.
579 STDERR This value causes the daemon's logging messages to go to its
581 standard error stream.
582 CONSOLE
584 This value causes the daemon's logging messages to go to the
585 console, if the system supports it.
586 DEVICE=<devicename>
588 This causes the daemon's logging messages to go to the specified
589 device.
590 SYSLOG[:severity[:facility]]
592 This causes the daemon's logging messages to go to the system
593 log.
594 The severity argument specifies the default severity of system
596 log messages. This may be any of the following severities sup‐
597 ported by the syslog(3) call, minus the LOG_ prefix: EMERG,
598 ALERT, CRIT, ERR, WARNING, NOTICE, INFO, and DEBUG.
599 The facility argument specifies the facility under which the
601 messages are logged. This may be any of the following facili‐
602 ties supported by the syslog(3) call minus the LOG_ prefix:
603 KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, and
604 LOCAL0 through LOCAL7.
605 If no severity is specified, the default is ERR. If no facility
607 is specified, the default is AUTH.
608 In the following example, the logging messages from the KDC will go to
610 the console and to the system log under the facility LOG_DAEMON with
611 default severity of LOG_INFO; and the logging messages from the admin‐
612 istrative server will be appended to the file /var/adm/kadmin.log and
613 sent to the device /dev/tty04.
614 [logging]
616 kdc = CONSOLE
617 kdc = SYSLOG:INFO:DAEMON
618 admin_server = FILE:/var/adm/kadmin.log
619 admin_server = DEVICE=/dev/tty04
620 [otp]
622 Each subsection of [otp] is the name of an OTP token type. The tags
623 within the subsection define the configuration required to forward a
624 One Time Password request to a RADIUS server.
625 For each token type, the following tags may be specified:
627 server This is the server to send the RADIUS request to. It can be a
629 hostname with optional port, an ip address with optional port,
630 or a Unix domain socket address. The default is /var/ker‐
631 beros/krb5kdc/<name>.socket.
632 secret This tag indicates a filename (which may be relative to
634 /var/kerberos/krb5kdc) containing the secret used to encrypt the
635 RADIUS packets. The secret should appear in the first line of
636 the file by itself; leading and trailing whitespace on the line
637 will be removed. If the value of server is a Unix domain socket
638 address, this tag is optional, and an empty secret will be used
639 if it is not specified. Otherwise, this tag is required.
640 timeout
642 An integer which specifies the time in seconds during which the
643 KDC should attempt to contact the RADIUS server. This tag is
644 the total time across all retries and should be less than the
645 time which an OTP value remains valid for. The default is 5
646 seconds.
647 retries
649 This tag specifies the number of retries to make to the RADIUS
650 server. The default is 3 retries (4 tries).
651 strip_realm
653 If this tag is true, the principal without the realm will be
654 passed to the RADIUS server. Otherwise, the realm will be
655 included. The default value is true.
656 indicator
658 This tag specifies an authentication indicator to be included in
659 the ticket if this token type is used to authenticate. This
660 option may be specified multiple times. (New in release 1.14.)
661 In the following example, requests are sent to a remote server via UDP:
663 [otp]
665 MyRemoteTokenType = {
666 server = radius.mydomain.com:1812
667 secret = SEmfiajf42$
668 timeout = 15
669 retries = 5
670 strip_realm = true
671 }
672 An implicit default token type named DEFAULT is defined for when the
674 per-principal configuration does not specify a token type. Its config‐
675 uration is shown below. You may override this token type to something
676 applicable for your situation:
677 [otp]
679 DEFAULT = {
680 strip_realm = false
681 }
682
684 NOTE:
685 The following are pkinit-specific options. These values may be
686 specified in [kdcdefaults] as global defaults, or within a
687 realm-specific subsection of [realms]. Also note that a realm-spe‐
688 cific value over-rides, does not add to, a generic [kdcdefaults]
689 specification. The search order is:
690 1. realm-specific subsection of [realms]:
692 [realms]
694 EXAMPLE.COM = {
695 pkinit_anchors = FILE:/usr/local/example.com.crt
696 }
697 2. generic value in the [kdcdefaults] section:
699 [kdcdefaults]
701 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
702 For information about the syntax of some of these options, see Specify‐
704 ing PKINIT identity information in krb5.conf(5).
705 pkinit_anchors
707 Specifies the location of trusted anchor (root) certificates
708 which the KDC trusts to sign client certificates. This option
709 is required if pkinit is to be supported by the KDC. This
710 option may be specified multiple times.
711 pkinit_dh_min_bits
713 Specifies the minimum number of bits the KDC is willing to
714 accept for a client's Diffie-Hellman key. The default is 2048.
715 pkinit_allow_upn
717 Specifies that the KDC is willing to accept client certificates
718 with the Microsoft UserPrincipalName (UPN) Subject Alternative
719 Name (SAN). This means the KDC accepts the binding of the UPN
720 in the certificate to the Kerberos principal name. The default
721 value is false.
722 Without this option, the KDC will only accept certificates with
724 the id-pkinit-san as defined in RFC 4556. There is currently no
725 option to disable SAN checking in the KDC.
726 pkinit_eku_checking
728 This option specifies what Extended Key Usage (EKU) values the
729 KDC is willing to accept in client certificates. The values
730 recognized in the kdc.conf file are:
731 kpClientAuth
733 This is the default value and specifies that client cer‐
734 tificates must have the id-pkinit-KPClientAuth EKU as
735 defined in RFC 4556.
736 scLogin
738 If scLogin is specified, client certificates with the Mi‐
739 crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
740 accepted.
741 none If none is specified, then client certificates will not
743 be checked to verify they have an acceptable EKU. The
744 use of this option is not recommended.
745 pkinit_identity
747 Specifies the location of the KDC's X.509 identity information.
748 This option is required if pkinit is to be supported by the KDC.
749 pkinit_indicator
751 Specifies an authentication indicator to include in the ticket
752 if pkinit is used to authenticate. This option may be specified
753 multiple times. (New in release 1.14.)
754 pkinit_pool
756 Specifies the location of intermediate certificates which may be
757 used by the KDC to complete the trust chain between a client's
758 certificate and a trusted anchor. This option may be specified
759 multiple times.
760 pkinit_revoke
762 Specifies the location of Certificate Revocation List (CRL)
763 information to be used by the KDC when verifying the validity of
764 client certificates. This option may be specified multiple
765 times.
766 pkinit_require_crl_checking
768 The default certificate verification process will always check
769 the available revocation information to see if a certificate has
770 been revoked. If a match is found for the certificate in a CRL,
771 verification fails. If the certificate being verified is not
772 listed in a CRL, or there is no CRL present for its issuing CA,
773 and pkinit_require_crl_checking is false, then verification suc‐
774 ceeds.
775 However, if pkinit_require_crl_checking is true and there is no
777 CRL information available for the issuing CA, then verification
778 fails.
779 pkinit_require_crl_checking should be set to true if the policy
781 is such that up-to-date CRLs must be present for every CA.
782
784 Any tag in the configuration files which requires a list of encryption
785 types can be set to some combination of the following strings. Encryp‐
786 tion types marked as "weak" are available for compatibility but not
787 recommended for use.
788 ┌───────────────────────────┬────────────────────────────┐
790 │des-cbc-crc │ DES cbc mode with CRC-32 │
791 │ │ (weak) │
792 ├───────────────────────────┼────────────────────────────┤
793 │des-cbc-md4 │ DES cbc mode with RSA-MD4 │
794 │ │ (weak) │
795 ├───────────────────────────┼────────────────────────────┤
796 │des-cbc-md5 │ DES cbc mode with RSA-MD5 │
797 │ │ (weak) │
798 ├───────────────────────────┼────────────────────────────┤
799 │des-cbc-raw │ DES cbc mode raw (weak) │
800 ├───────────────────────────┼────────────────────────────┤
801 │des3-cbc-raw │ Triple DES cbc mode raw │
802 │ │ (weak) │
803 ├───────────────────────────┼────────────────────────────┤
804 │des3-cbc-sha1 │ Triple DES cbc mode with │
805 │des3-hmac-sha1 │ HMAC/sha1 │
806 │des3-cbc-sha1-kd │ │
807 ├───────────────────────────┼────────────────────────────┤
808 │des-hmac-sha1 │ DES with HMAC/sha1 (weak) │
809 ├───────────────────────────┼────────────────────────────┤
810 │aes256-cts-hmac-sha1-96 │ AES-256 CTS mode with │
811 │aes256-cts aes256-sha1 │ 96-bit SHA-1 HMAC │
812 ├───────────────────────────┼────────────────────────────┤
813 │aes128-cts-hmac-sha1-96 │ AES-128 CTS mode with │
814 │aes128-cts aes128-sha1 │ 96-bit SHA-1 HMAC │
815 ├───────────────────────────┼────────────────────────────┤
816 │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with │
817 │aes256-sha2 │ 192-bit SHA-384 HMAC │
818 ├───────────────────────────┼────────────────────────────┤
819 │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with │
820 │aes128-sha2 │ 128-bit SHA-256 HMAC │
821 ├───────────────────────────┼────────────────────────────┤
822 │arcfour-hmac rc4-hmac arc‐ │ RC4 with HMAC/MD5 │
823 │four-hmac-md5 │ │
824 ├───────────────────────────┼────────────────────────────┤
825 │arcfour-hmac-exp │ Exportable RC4 with │
826 │rc4-hmac-exp arc‐ │ HMAC/MD5 (weak) │
827 │four-hmac-md5-exp │ │
828 ├───────────────────────────┼────────────────────────────┤
829 │camellia256-cts-cmac │ Camellia-256 CTS mode with │
830 │camellia256-cts │ CMAC │
831 ├───────────────────────────┼────────────────────────────┤
832 │camellia128-cts-cmac │ Camellia-128 CTS mode with │
833 │camellia128-cts │ CMAC │
834 ├───────────────────────────┼────────────────────────────┤
835 │des │ The DES family: │
836 │ │ des-cbc-crc, des-cbc-md5, │
837 │ │ and des-cbc-md4 (weak) │
838 ├───────────────────────────┼────────────────────────────┤
839 │des3 │ The triple DES family: │
840 │ │ des3-cbc-sha1 │
841 ├───────────────────────────┼────────────────────────────┤
842 │aes │ The AES family: │
843 │ │ aes256-cts-hmac-sha1-96 │
844 │ │ and │
845 │ │ aes128-cts-hmac-sha1-96 │
846 ├───────────────────────────┼────────────────────────────┤
847 │rc4 │ The RC4 family: arc‐ │
848 │ │ four-hmac │
849 ├───────────────────────────┼────────────────────────────┤
850 │camellia │ The Camellia family: │
851 │ │ camellia256-cts-cmac and │
852 │ │ camellia128-cts-cmac │
853 └───────────────────────────┴────────────────────────────┘
854 The string DEFAULT can be used to refer to the default set of types for
856 the variable in question. Types or families can be removed from the
857 current list by prefixing them with a minus sign ("-"). Types or fami‐
858 lies can be prefixed with a plus sign ("+") for symmetry; it has the
859 same meaning as just listing the type or family. For example, "DEFAULT
860 -des" would be the default set of encryption types with DES types
861 removed, and "des3 DEFAULT" would be the default set of encryption
862 types with triple DES types moved to the front.
863 While aes128-cts and aes256-cts are supported for all Kerberos opera‐
865 tions, they are not supported by very old versions of our GSSAPI imple‐
866 mentation (krb5-1.3.1 and earlier). Services running versions of krb5
867 without AES support must not be given keys of these encryption types in
868 the KDC database.
869 The aes128-sha2 and aes256-sha2 encryption types are new in release
871 1.15. Services running versions of krb5 without support for these
872 newer encryption types must not be given keys of these encryption types
873 in the KDC database.
874
876 Kerberos keys for users are usually derived from passwords. Kerberos
877 commands and configuration parameters that affect generation of keys
878 take lists of enctype-salttype ("keysalt") pairs, known as keysalt
879 lists. Each keysalt pair is an enctype name followed by a salttype
880 name, in the format enc:salt. Individual keysalt list members are sep‐
881 arated by comma (",") characters or space characters. For example:
882 kadmin -e aes256-cts:normal,aes128-cts:normal
884 would start up kadmin so that by default it would generate pass‐
886 word-derived keys for the aes256-cts and aes128-cts encryption types,
887 using a normal salt.
888 To ensure that people who happen to pick the same password do not have
890 the same key, Kerberos 5 incorporates more information into the key
891 using something called a salt. The supported salt types are as fol‐
892 lows:
893 ┌──────────┬────────────────────────────┐
895 │normal │ default for Kerberos Ver‐ │
896 │ │ sion 5 │
897 ├──────────┼────────────────────────────┤
898 │v4 │ the only type used by Ker‐ │
899 │ │ beros Version 4 (no salt) │
900 ├──────────┼────────────────────────────┤
901 │norealm │ same as the default, with‐ │
902 │ │ out using realm informa‐ │
903 │ │ tion │
904 ├──────────┼────────────────────────────┤
905 │onlyrealm │ uses only realm informa‐ │
906 │ │ tion as the salt │
907 ├──────────┼────────────────────────────┤
908 │afs3 │ AFS version 3, only used │
909 │ │ for compatibility with │
910 │ │ Kerberos 4 in AFS │
911 ├──────────┼────────────────────────────┤
912 │special │ generate a random salt │
913 └──────────┴────────────────────────────┘
914
916 Here's an example of a kdc.conf file:
917 [kdcdefaults]
919 kdc_listen = 88
920 kdc_tcp_listen = 88
921 [realms]
922 ATHENA.MIT.EDU = {
923 kadmind_port = 749
924 max_life = 12h 0m 0s
925 max_renewable_life = 7d 0h 0m 0s
926 master_key_type = aes256-cts-hmac-sha1-96
927 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
928 database_module = openldap_ldapconf
929 }
930 [logging]
932 kdc = FILE:/usr/local/var/krb5kdc/kdc.log
933 admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
934 [dbdefaults]
936 ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
937 [dbmodules]
939 openldap_ldapconf = {
940 db_library = kldap
941 disable_last_success = true
942 ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
943 # this object needs to have read rights on
944 # the realm container and principal subtrees
945 ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
946 # this object needs to have read and write rights on
947 # the realm container and principal subtrees
948 ldap_service_password_file = /etc/kerberos/service.keyfile
949 ldap_servers = ldaps://kerberos.mit.edu
950 ldap_conns_per_server = 5
951 }
952
954 /var/kerberos/krb5kdc/kdc.conf
955
957 krb5.conf(5), krb5kdc(8), kadm5.acl(5)
958
960 MIT
961
963 1985-2017, MIT
9641.15.1 KDC.CONF(5)