1KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)
2
3
4

NAME

6       krb5.conf - Kerberos configuration file
7
8       The krb5.conf file contains Kerberos configuration information, includ‐
9       ing the locations of KDCs and admin servers for the Kerberos realms  of
10       interest, defaults for the current realm and for Kerberos applications,
11       and mappings of hostnames onto Kerberos realms.  Normally,  you  should
12       install  your  krb5.conf  file in the directory /etc.  You can override
13       the default location by setting the environment  variable  KRB5_CONFIG.
14       Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15       files which are present will be read.  Starting in release 1.14, direc‐
16       tory  names  can also be specified in KRB5_CONFIG; all files within the
17       directory  whose  names  consist  solely  of  alphanumeric  characters,
18       dashes, or underscores will be read.
19

STRUCTURE

21       The krb5.conf file is set up in the style of a Windows INI file.  Lines
22       beginning with '#' or  ';'  (possibly  after  initial  whitespace)  are
23       ignored  as  comments.   Sections  are  headed  by the section name, in
24       square brackets.  Each section may contain zero or more  relations,  of
25       the form:
26
27          foo = bar
28
29       or:
30
31          fubar = {
32              foo = bar
33              baz = quux
34          }
35
36       Placing  a  '*'  at  the end of a line indicates that this is the final
37       value for the tag.  This means that neither the remainder of this  con‐
38       figuration  file  nor  any other configuration file will be checked for
39       any other values for this tag.
40
41       For example, if you have the following lines:
42
43          foo = bar*
44          foo = baz
45
46       then the second value of foo (baz) would never be read.
47
48       The krb5.conf file can include other files using either of the  follow‐
49       ing directives at the beginning of a line:
50
51          include FILENAME
52          includedir DIRNAME
53
54       FILENAME  or  DIRNAME  should  be  an  absolute path. The named file or
55       directory must exist and be readable.  Including a  directory  includes
56       all  files  within the directory whose names consist solely of alphanu‐
57       meric characters, dashes, or underscores.  Starting  in  release  1.15,
58       files  with  names ending in ".conf" are also included, unless the name
59       begins with ".".  Included profile files are syntactically  independent
60       of  their  parents,  so  each  included  file must begin with a section
61       header.  Starting in release  1.17,  files  are  read  in  alphanumeric
62       order; in previous releases, they may be read in any order.
63
64       The  krb5.conf  file  can specify that configuration should be obtained
65       from a loadable module, rather than the file itself, using the  follow‐
66       ing directive at the beginning of a line before any section headers:
67
68          module MODULEPATH:RESIDUAL
69
70       MODULEPATH  may  be  relative to the library path of the krb5 installa‐
71       tion, or it may be an absolute path.  RESIDUAL is provided to the  mod‐
72       ule  at  initialization  time.   If  krb5.conf uses a module directive,
73       kdc.conf(5) should also use one if it exists.
74

SECTIONS

76       The krb5.conf file may contain the following sections:
77
78                    ┌───────────────┬────────────────────────────┐
79[libdefaults]  │ Settings used by the  Ker‐ │
80                    │               │ beros V5 library           │
81                    ├───────────────┼────────────────────────────┤
82[realms]       │ Realm-specific     contact │
83                    │               │ information and settings   │
84                    ├───────────────┼────────────────────────────┤
85[domain_realm] │ Maps server  hostnames  to │
86                    │               │ Kerberos realms            │
87                    ├───────────────┼────────────────────────────┤
88[capaths]      │ Authentication  paths  for │
89                    │               │ non-hierarchical           │
90                    │               │ cross-realm                │
91                    ├───────────────┼────────────────────────────┤
92[appdefaults]  │ Settings used by some Ker‐ │
93                    │               │ beros V5 applications      │
94                    ├───────────────┼────────────────────────────┤
95[plugins]      │ Controls   plugin   module │
96                    │               │ registration               │
97                    └───────────────┴────────────────────────────┘
98
99       Additionally,  krb5.conf  may include any of the relations described in
100       kdc.conf(5), but it is not a recommended practice.
101
102   [libdefaults]
103       The libdefaults section may contain any of the following relations:
104
105       allow_weak_crypto
106              If this flag is set to false, then  weak  encryption  types  (as
107              noted  in  Encryption_types in kdc.conf(5)) will be filtered out
108              of the  lists  default_tgs_enctypes,  default_tkt_enctypes,  and
109              permitted_enctypes.   The  default  value for this tag is false,
110              which may cause authentication failures in existing Kerberos in‐
111              frastructures  that  do  not  support  strong  crypto.  Users in
112              affected environments should set this tag to  true  until  their
113              infrastructure adopts stronger ciphers.
114
115       ap_req_checksum_type
116              An integer which specifies the type of AP-REQ checksum to use in
117              authenticators.  This variable should be unset so the  appropri‐
118              ate  checksum  for the encryption key in use will be used.  This
119              can be set if backward compatibility requires a specific  check‐
120              sum  type.   See  the kdc_req_checksum_type configuration option
121              for the possible values and their meanings.
122
123       canonicalize
124              If this flag is set to true, initial ticket requests to the  KDC
125              will  request canonicalization of the client principal name, and
126              answers with different  client  principals  than  the  requested
127              principal will be accepted.  The default value is false.
128
129       ccache_type
130              This  parameter  determines the format of credential cache types
131              created by kinit(1) or other programs.  The default value is  4,
132              which represents the most current format.  Smaller values can be
133              used for compatibility with very old implementations of Kerberos
134              which interact with credential caches on the same host.
135
136       clockskew
137              Sets  the  maximum allowable amount of clockskew in seconds that
138              the library will tolerate before assuming that a  Kerberos  mes‐
139              sage is invalid.  The default value is 300 seconds, or five min‐
140              utes.
141
142              The clockskew setting is also used when evaluating ticket  start
143              and  expiration  times.   For example, tickets that have reached
144              their expiration time can still be used (and renewed if they are
145              renewable tickets) if they have been expired for a shorter dura‐
146              tion than the clockskew setting.
147
148       default_ccache_name
149              This relation specifies  the  name  of  the  default  credential
150              cache.   The  default is FILE:/tmp/krb5cc_%{uid}.  This relation
151              is subject to parameter expansion (see below).  New  in  release
152              1.11.
153
154       default_client_keytab_name
155              This  relation  specifies  the  name  of  the default keytab for
156              obtaining client credentials.   The  default  is  FILE:/var/ker‐
157              beros/krb5/user/%{euid}/client.keytab.  This relation is subject
158              to parameter expansion (see below).  New in release 1.11.
159
160       default_keytab_name
161              This relation specifies the default keytab name to  be  used  by
162              application    servers   such   as   sshd.    The   default   is
163              FILE:/etc/krb5.keytab.  This relation is  subject  to  parameter
164              expansion (see below).
165
166       default_realm
167              Identifies  the  default Kerberos realm for the client.  Set its
168              value to your Kerberos realm.  If this value is not set, then  a
169              realm  must  be  specified  with  every  Kerberos principal when
170              invoking programs such as kinit(1).
171
172       default_tgs_enctypes
173              Identifies the supported list of session  key  encryption  types
174              that  the  client should request when making a TGS-REQ, in order
175              of preference from highest to lowest.  The list may be delimited
176              with  commas or whitespace.  See Encryption_types in kdc.conf(5)
177              for a list of the accepted values for  this  tag.   The  default
178              value    is    aes256-cts-hmac-sha1-96   aes128-cts-hmac-sha1-96
179              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
180              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
181              lia128-cts-cmac des-cbc-crc des-cbc-md5  des-cbc-md4,  but  sin‐
182              gle-DES  encryption  types  will be implicitly removed from this
183              list if the value of allow_weak_crypto is false.
184
185              Do not set this unless required for specific  backward  compati‐
186              bility  purposes;  stale  values  of  this  setting  can prevent
187              clients from taking advantage of new stronger enctypes when  the
188              libraries are upgraded.
189
190       default_tkt_enctypes
191              Identifies  the  supported  list of session key encryption types
192              that the client should request when making an AS-REQ,  in  order
193              of preference from highest to lowest.  The format is the same as
194              for default_tgs_enctypes.  The default value  for  this  tag  is
195              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
196              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
197              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
198              lia128-cts-cmac des-cbc-crc des-cbc-md5  des-cbc-md4,  but  sin‐
199              gle-DES  encryption  types  will be implicitly removed from this
200              list if the value of allow_weak_crypto is false.
201
202              Do not set this unless required for specific  backward  compati‐
203              bility  purposes;  stale  values  of  this  setting  can prevent
204              clients from taking advantage of new stronger enctypes when  the
205              libraries are upgraded.
206
207       dns_canonicalize_hostname
208              Indicate whether name lookups will be used to canonicalize host‐
209              names for use in service principal names.  Setting this flag  to
210              false  can  improve  security  by  reducing reliance on DNS, but
211              means  that  short  hostnames  will  not  be  canonicalized   to
212              fully-qualified hostnames.  The default value is true.
213
214       dns_lookup_kdc
215              Indicate  whether  DNS  SRV records should be used to locate the
216              KDCs and other servers for a realm, if they are  not  listed  in
217              the  krb5.conf  information  for  the  realm.   (Note  that  the
218              admin_server entry must be in the krb5.conf realm information in
219              order  to  contact  kadmind,  because the DNS implementation for
220              kadmin is incomplete.)
221
222              Enabling this option does open up a  type  of  denial-of-service
223              attack,  if  someone spoofs the DNS records and redirects you to
224              another server.  However, it's no worse than a  denial  of  ser‐
225              vice,  because  that  fake KDC will be unable to decode anything
226              you send it (besides the initial ticket request,  which  has  no
227              encrypted  data),  and  anything  the fake KDC sends will not be
228              trusted without verification using some  secret  that  it  won't
229              know.
230
231       dns_uri_lookup
232              Indicate  whether  DNS  URI records should be used to locate the
233              KDCs and other servers for a realm, if they are  not  listed  in
234              the  krb5.conf  information for the realm.  SRV records are used
235              as a fallback if no URI records were found.  The  default  value
236              is true.  New in release 1.15.
237
238       err_fmt
239              This  relation allows for custom error message formatting.  If a
240              value is set, error messages will be formatted by substituting a
241              normal  error  message  for  %M  and an error code for %C in the
242              value.
243
244       extra_addresses
245              This allows a computer to use multiple local addresses, in order
246              to  allow  Kerberos  to  work  in a network that uses NATs while
247              still using address-restricted tickets.  The addresses should be
248              in  a  comma-separated list.  This option has no effect if noad‐
249              dresses is true.
250
251       forwardable
252              If this flag is true, initial tickets  will  be  forwardable  by
253              default, if allowed by the KDC.  The default value is false.
254
255       ignore_acceptor_hostname
256              When  accepting  GSSAPI or krb5 security contexts for host-based
257              service principals, ignore any hostname passed  by  the  calling
258              application,  and  allow  clients to authenticate to any service
259              principal in the keytab matching the service name and realm name
260              (if  given).   This option can improve the administrative flexi‐
261              bility of server applications on  multihomed  hosts,  but  could
262              compromise  the  security  of virtual hosting environments.  The
263              default value is false.  New in release 1.10.
264
265       k5login_authoritative
266              If this flag is true, principals  must  be  listed  in  a  local
267              user's k5login file to be granted login access, if a .k5login(5)
268              file exists.  If this flag is false, a principal  may  still  be
269              granted  login access through other mechanisms even if a k5login
270              file exists but does not list the principal.  The default  value
271              is true.
272
273       k5login_directory
274              If  set,  the  library will look for a local user's k5login file
275              within the named directory, with a filename corresponding to the
276              local  username.   If not set, the library will look for k5login
277              files in the user's home directory, with the filename  .k5login.
278              For  security reasons, .k5login files must be owned by the local
279              user or by root.
280
281       kcm_mach_service
282              On macOS only, determines the name of the bootstrap service used
283              to contact the KCM daemon for the KCM credential cache type.  If
284              the value is -, Mach RPC will not be used  to  contact  the  KCM
285              daemon.  The default value is org.h5l.kcm.
286
287       kcm_socket
288              Determines the path to the Unix domain socket used to access the
289              KCM daemon for the KCM credential cache type.  If the  value  is
290              -,  Unix domain sockets will not be used to contact the KCM dae‐
291              mon.  The default value is /var/run/.heim_org.h5l.kcm-socket.
292
293       kdc_default_options
294              Default KDC options (Xored for multiple values) when  requesting
295              initial   tickets.    By   default   it  is  set  to  0x00000010
296              (KDC_OPT_RENEWABLE_OK).
297
298       kdc_timesync
299              Accepted values for this relation are 1 or 0.  If it is nonzero,
300              client  machines  will compute the difference between their time
301              and the time returned by the KDC in the timestamps in the  tick‐
302              ets and use this value to correct for an inaccurate system clock
303              when requesting service tickets or authenticating  to  services.
304              This  corrective factor is only used by the Kerberos library; it
305              is not used to change the system clock.  The default value is 1.
306
307       kdc_req_checksum_type
308              An integer which specifies the type of checksum to use  for  the
309              KDC  requests,  for  compatibility with very old KDC implementa‐
310              tions.  This value is only used for DES keys; other keys use the
311              preferred checksum type for those keys.
312
313              The possible values and their meanings are as follows.
314
315                            ┌─────┬────────────────────────────┐
316                            │1    │ CRC32                      │
317                            ├─────┼────────────────────────────┤
318                            │2    │ RSA MD4                    │
319                            ├─────┼────────────────────────────┤
320                            │3    │ RSA MD4 DES                │
321                            ├─────┼────────────────────────────┤
322                            │4    │ DES CBC                    │
323                            ├─────┼────────────────────────────┤
324                            │7    │ RSA MD5                    │
325                            ├─────┼────────────────────────────┤
326                            │8    │ RSA MD5 DES                │
327                            ├─────┼────────────────────────────┤
328                            │9    │ NIST SHA                   │
329                            └─────┴────────────────────────────┘
330
331                            │12   │ HMAC SHA1 DES3             │
332                            ├─────┼────────────────────────────┤
333                            │-138 │ Microsoft  MD5 HMAC check‐ │
334                            │     │ sum type                   │
335                            └─────┴────────────────────────────┘
336
337       noaddresses
338              If this flag is true, requests for initial tickets will  not  be
339              made  with  address restrictions set, allowing the tickets to be
340              used across NATs.  The default value is true.
341
342       permitted_enctypes
343              Identifies all encryption types that are permitted  for  use  in
344              session  key  encryption.   The  default  value  for this tag is
345              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
346              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
347              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
348              lia128-cts-cmac  des-cbc-crc  des-cbc-md5  des-cbc-md4, but sin‐
349              gle-DES encryption types will be implicitly  removed  from  this
350              list if the value of allow_weak_crypto is false.
351
352       plugin_base_dir
353              If  set,  determines  the  base directory where krb5 plugins are
354              located.  The default value is the krb5/plugins subdirectory  of
355              the krb5 library directory.
356
357       preferred_preauth_types
358              This  allows  you  to  set the preferred preauthentication types
359              which the client will attempt before others which may be  adver‐
360              tised  by a KDC.  The default value for this setting is "17, 16,
361              15, 14", which forces libkrb5 to attempt to use PKINIT if it  is
362              supported.
363
364       proxiable
365              If  this  flag  is  true,  initial  tickets will be proxiable by
366              default, if allowed by the KDC.  The default value is false.
367
368       rdns   If this flag is true, reverse name lookup will be used in  addi‐
369              tion  to forward name lookup to canonicalizing hostnames for use
370              in service principal names.  If dns_canonicalize_hostname is set
371              to false, this flag has no effect.  The default value is true.
372
373       realm_try_domains
374              Indicate  whether  a  host's domain components should be used to
375              determine the Kerberos realm of the host.   The  value  of  this
376              variable  is  an integer: -1 means not to search, 0 means to try
377              the host's domain itself, 1 means to also try the domain's imme‐
378              diate  parent,  and so forth.  The library's usual mechanism for
379              locating Kerberos realms is used to determine whether  a  domain
380              is   a   valid  realm,  which  may  involve  consulting  DNS  if
381              dns_lookup_kdc is set.  The default is not to search domain com‐
382              ponents.
383
384       renew_lifetime
385              (duration string.)  Sets the default renewable lifetime for ini‐
386              tial ticket requests.  The default value is 0.
387
388       safe_checksum_type
389              An integer which specifies the type of checksum to use  for  the
390              KRB-SAFE  requests.   By  default  it is set to 8 (RSA MD5 DES).
391              For compatibility with applications linked against  DCE  version
392              1.1  or  earlier Kerberos libraries, use a value of 3 to use the
393              RSA MD4 DES instead.  This field is ignored when  its  value  is
394              incompatible  with the session key type.  See the kdc_req_check‐
395              sum_type configuration option for the possible values and  their
396              meanings.
397
398       spake_preauth_groups
399              A  whitespace  or  comma-separated list of words which specifies
400              the groups allowed for SPAKE  preauthentication.   The  possible
401              values are:
402
403                        ┌─────────────┬────────────────────────────┐
404                        │edwards25519 │ Edwards25519   curve  (RFC
405                        │             │ 7748)                      │
406                        ├─────────────┼────────────────────────────┤
407                        │P-256        │ NIST  P-256   curve   (RFC
408                        │             │ 5480)                      │
409                        ├─────────────┼────────────────────────────┤
410                        │P-384        │ NIST   P-384   curve  (RFC
411                        │             │ 5480)                      │
412                        ├─────────────┼────────────────────────────┤
413                        │P-521        │ NIST  P-521   curve   (RFC
414                        │             │ 5480)                      │
415                        └─────────────┴────────────────────────────┘
416
417              The  default  value for the client is edwards25519.  The default
418              value for the KDC is empty.  New in release 1.17.
419
420       ticket_lifetime
421              (duration string.)  Sets the default lifetime for initial ticket
422              requests.  The default value is 1 day.
423
424       udp_preference_limit
425              When  sending  a  message to the KDC, the library will try using
426              TCP before UDP if the size of the message is  above  udp_prefer‐
427              ence_limit.    If   the  message  is  smaller  than  udp_prefer‐
428              ence_limit, then UDP will be tried before  TCP.   Regardless  of
429              the  size,  both  protocols  will  be tried if the first attempt
430              fails.
431
432       verify_ap_req_nofail
433              If this flag is true, then an attempt to verify initial  creden‐
434              tials  will  fail  if the client machine does not have a keytab.
435              The default value is false.
436
437   [realms]
438       Each tag in the [realms] section of the file is the name of a  Kerberos
439       realm.  The value of the tag is a subsection with relations that define
440       the properties of that particular realm.  For each realm, the following
441       tags may be specified in the realm's subsection:
442
443       admin_server
444              Identifies  the host where the administration server is running.
445              Typically, this is the master Kerberos server.  This tag must be
446              given a value in order to communicate with the kadmind(8) server
447              for the realm.
448
449       auth_to_local
450              This tag allows you to set a general rule for mapping  principal
451              names  to  local user names.  It will be used if there is not an
452              explicit mapping for the principal name  that  is  being  trans‐
453              lated. The possible values are:
454
455              RULE:exp
456                     The local name will be formulated from exp.
457
458                     The    format   for   exp   is   [n:string](regexp)s/pat‐
459                     tern/replacement/g.  The integer  n  indicates  how  many
460                     components  the  target  principal  should have.  If this
461                     matches, then a string will be formed from  string,  sub‐
462                     stituting  the realm of the principal for $0 and the n'th
463                     component of the principal for $n (e.g., if the principal
464                     was  johndoe/admin  then  [2:$2$1foo] would result in the
465                     string adminjohndoefoo).  If this string matches  regexp,
466                     then the s//[g] substitution command will be run over the
467                     string.  The optional g will cause the substitution to be
468                     global  over  the  string,  instead of replacing only the
469                     first match in the string.
470
471              DEFAULT
472                     The principal name will be used as the local  user  name.
473                     If the principal has more than one component or is not in
474                     the default realm, this rule is not  applicable  and  the
475                     conversion will fail.
476
477              For example:
478
479                 [realms]
480                     ATHENA.MIT.EDU = {
481                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
482                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
483                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
484                         auto_to_local = DEFAULT
485                     }
486
487              would  result in any principal without root or admin as the sec‐
488              ond component to be translated with the default rule.  A princi‐
489              pal  with a second component of admin will become its first com‐
490              ponent.  root will be used as the local name for  any  principal
491              with  a  second  component  of root.  The exception to these two
492              rules are any principals johndoe/*, which will  always  get  the
493              local name guest.
494
495       auth_to_local_names
496              This subsection allows you to set explicit mappings from princi‐
497              pal names to local user names.  The tag is the mapping name, and
498              the value is the corresponding local user name.
499
500       default_domain
501              This  tag  specifies  the  domain  used to expand hostnames when
502              translating Kerberos 4 service principals to Kerberos 5  princi‐
503              pals  (for  example, when converting rcmd.hostname to host/host‐
504              name.domain).
505
506       disable_encrypted_timestamp
507              If this flag is true, the  client  will  not  perform  encrypted
508              timestamp  preauthentication  if  requested by the KDC.  Setting
509              this flag can help  to  prevent  dictionary  attacks  by  active
510              attackers,  if  the realm's KDCs support SPAKE preauthentication
511              or if initial authentication always uses  another  mechanism  or
512              always  uses  FAST.   This flag persists across client referrals
513              during initial authentication.  This flag does not  prevent  the
514              KDC from offering encrypted timestamp.  New in release 1.17.
515
516       http_anchors
517              When  KDCs  and kpasswd servers are accessed through HTTPS prox‐
518              ies, this tag can be used to specify the location of the CA cer‐
519              tificate  which should be trusted to issue the certificate for a
520              proxy server.  If left unspecified, the system-wide default  set
521              of CA certificates is used.
522
523              The  syntax  for  values  is  similar  to that of values for the
524              pkinit_anchors tag:
525
526              FILE: filename
527
528              filename is assumed to be the name of an OpenSSL-style ca-bundle
529              file.
530
531              DIR: dirname
532
533              dirname is assumed to be an directory which contains CA certifi‐
534              cates.  All files in the directory will  be  examined;  if  they
535              contain certificates (in PEM format), they will be used.
536
537              ENV: envvar
538
539              envvar  specifies  the name of an environment variable which has
540              been set to a value conforming to one of  the  previous  values.
541              For   example,  ENV:X509_PROXY_CA,  where  environment  variable
542              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
543
544       kdc    The name or address of a host running a KDC for that realm.   An
545              optional  port  number,  separated from the hostname by a colon,
546              may be included.  If the name or address  contains  colons  (for
547              example,  if it is an IPv6 address), enclose it in square brack‐
548              ets to distinguish the colon from a port  separator.   For  your
549              computer  to be able to communicate with the KDC for each realm,
550              this tag must be given a value in each realm subsection  in  the
551              configuration  file, or there must be DNS SRV records specifying
552              the KDCs.
553
554       kpasswd_server
555              Points to the server where all the  password  changes  are  per‐
556              formed.   If  there  is  no  such  entry,  the  port  464 on the
557              admin_server host will be tried.
558
559       master_kdc
560              Identifies the master KDC(s).  Currently, this tag  is  used  in
561              only one case: If an attempt to get credentials fails because of
562              an invalid password, the client software will attempt to contact
563              the  master  KDC,  in  case  the  user's  password has just been
564              changed, and the updated database has not been propagated to the
565              slave servers yet.
566
567       v4_instance_convert
568              This subsection allows the administrator to configure exceptions
569              to the default_domain mapping rule.  It  contains  V4  instances
570              (the tag name) which should be translated to some specific host‐
571              name (the tag value) as the second component in  a  Kerberos  V5
572              principal name.
573
574       v4_realm
575              This  relation  is used by the krb524 library routines when con‐
576              verting a V5 principal name to a V4 principal name.  It is  used
577              when  the  V4 realm name and the V5 realm name are not the same,
578              but still share the same principal names and passwords. The  tag
579              value is the Kerberos V4 realm name.
580
581   [domain_realm]
582       The [domain_realm] section provides a translation from a domain name or
583       hostname to a Kerberos realm name.  The tag name can be a host name  or
584       domain  name,  where domain names are indicated by a prefix of a period
585       (.).  The value of the relation is the Kerberos  realm  name  for  that
586       particular  host  or  domain.  A host name relation implicitly provides
587       the corresponding domain name relation, unless an explicit domain  name
588       relation  is  provided.  The Kerberos realm may be identified either in
589       the realms section or using DNS SRV records.   Host  names  and  domain
590       names should be in lower case.  For example:
591
592          [domain_realm]
593              crash.mit.edu = TEST.ATHENA.MIT.EDU
594              .dev.mit.edu = TEST.ATHENA.MIT.EDU
595              mit.edu = ATHENA.MIT.EDU
596
597       maps  the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
598       realm.  The second entry maps all hosts under  the  domain  dev.mit.edu
599       into  the  TEST.ATHENA.MIT.EDU  realm,  but  not the host with the name
600       dev.mit.edu.  That host is matched by the third entry, which  maps  the
601       host mit.edu and all hosts under the domain mit.edu that do not match a
602       preceding rule into the realm ATHENA.MIT.EDU.
603
604       If no translation entry applies to a hostname used for a service  prin‐
605       cipal  for  a  service  ticket  request,  the library will try to get a
606       referral to the appropriate realm from the client realm's KDC.  If that
607       does  not  succeed, the host's realm is considered to be the hostname's
608       domain portion converted to  uppercase,  unless  the  realm_try_domains
609       setting in [libdefaults] causes a different parent domain to be used.
610
611   [capaths]
612       In  order  to perform direct (non-hierarchical) cross-realm authentica‐
613       tion, configuration is needed to  determine  the  authentication  paths
614       between realms.
615
616       A  client will use this section to find the authentication path between
617       its realm and the realm of the server.  The server will use  this  sec‐
618       tion  to verify the authentication path used by the client, by checking
619       the transited field of the received ticket.
620
621       There is a tag for each participating client realm, and  each  tag  has
622       subtags  for each of the server realms.  The value of the subtags is an
623       intermediate realm which may participate in the cross-realm authentica‐
624       tion.  The subtags may be repeated if there is more then one intermedi‐
625       ate realm.  A value of  "."  means  that  the  two  realms  share  keys
626       directly, and no intermediate realms should be allowed to participate.
627
628       Only  those  entries  which  will be needed on the client or the server
629       need to be present.  A client needs a tag for its local realm with sub‐
630       tags  for all the realms of servers it will need to authenticate to.  A
631       server needs a tag for each realm of the clients it will serve, with  a
632       subtag of the server realm.
633
634       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
635       realm as an intermediate realm.  ANL has a sub  realm  of  TEST.ANL.GOV
636       which  will authenticate with NERSC.GOV but not PNL.GOV.  The [capaths]
637       section for ANL.GOV systems would look like this:
638
639          [capaths]
640              ANL.GOV = {
641                  TEST.ANL.GOV = .
642                  PNL.GOV = ES.NET
643                  NERSC.GOV = ES.NET
644                  ES.NET = .
645              }
646              TEST.ANL.GOV = {
647                  ANL.GOV = .
648              }
649              PNL.GOV = {
650                  ANL.GOV = ES.NET
651              }
652              NERSC.GOV = {
653                  ANL.GOV = ES.NET
654              }
655              ES.NET = {
656                  ANL.GOV = .
657              }
658
659       The [capaths] section of the configuration file used on NERSC.GOV  sys‐
660       tems would look like this:
661
662          [capaths]
663              NERSC.GOV = {
664                  ANL.GOV = ES.NET
665                  TEST.ANL.GOV = ES.NET
666                  TEST.ANL.GOV = ANL.GOV
667                  PNL.GOV = ES.NET
668                  ES.NET = .
669              }
670              ANL.GOV = {
671                  NERSC.GOV = ES.NET
672              }
673              PNL.GOV = {
674                  NERSC.GOV = ES.NET
675              }
676              ES.NET = {
677                  NERSC.GOV = .
678              }
679              TEST.ANL.GOV = {
680                  NERSC.GOV = ANL.GOV
681                  NERSC.GOV = ES.NET
682              }
683
684       When a subtag is used more than once within a tag, clients will use the
685       order of values to determine the path.  The  order  of  values  is  not
686       important to servers.
687
688   [appdefaults]
689       Each  tag  in the [appdefaults] section names a Kerberos V5 application
690       or an option that is used by  some  Kerberos  V5  application[s].   The
691       value of the tag defines the default behaviors for that application.
692
693       For example:
694
695          [appdefaults]
696              telnet = {
697                  ATHENA.MIT.EDU = {
698                      option1 = false
699                  }
700              }
701              telnet = {
702                  option1 = true
703                  option2 = true
704              }
705              ATHENA.MIT.EDU = {
706                  option2 = false
707              }
708              option2 = true
709
710       The  above  four ways of specifying the value of an option are shown in
711       order of decreasing precedence. In this example, if telnet  is  running
712       in  the  realm  EXAMPLE.COM,  it  should,  by default, have option1 and
713       option2  set  to  true.   However,  a  telnet  program  in  the   realm
714       ATHENA.MIT.EDU  should  have  option1  set  to false and option2 set to
715       true.  Any other programs in ATHENA.MIT.EDU should have option2 set  to
716       false  by  default.   Any  programs running in other realms should have
717       option2 set to true.
718
719       The list of specifiable options for each application may  be  found  in
720       that  application's man pages.  The application defaults specified here
721       are overridden by those specified in the realms section.
722
723   [plugins]
724          · pwqual interface
725
726          · kadm5_hook interface
727
728          · clpreauth and kdcpreauth interfaces
729
730       Tags in the [plugins] section can be used to  register  dynamic  plugin
731       modules  and  to  turn  modules  on  and off.  Not every krb5 pluggable
732       interface uses the [plugins] section; the ones that do  are  documented
733       here.
734
735       New in release 1.9.
736
737       Each pluggable interface corresponds to a subsection of [plugins].  All
738       subsections support the same tags:
739
740       disable
741              This tag may have multiple values. If there are values for  this
742              tag,  then  the named modules will be disabled for the pluggable
743              interface.
744
745       enable_only
746              This tag may have multiple values. If there are values for  this
747              tag,  then  only the named modules will be enabled for the plug‐
748              gable interface.
749
750       module This tag may have multiple values.  Each value is  a  string  of
751              the  form  modulename:pathname,  which  causes the shared object
752              located at pathname to be registered as a dynamic  module  named
753              modulename  for  the pluggable interface.  If pathname is not an
754              absolute path, it will be  treated  as  relative  to  the  plug‐
755              in_base_dir value from [libdefaults].
756
757       For pluggable interfaces where module order matters, modules registered
758       with a module tag normally come first, in the  order  they  are  regis‐
759       tered,  followed  by  built-in modules in the order they are documented
760       below.  If enable_only tags are used, then  the  order  of  those  tags
761       overrides the normal module order.
762
763       The  following subsections are currently supported within the [plugins]
764       section:
765
766   ccselect interface
767       The ccselect subsection controls modules for credential cache selection
768       within  a cache collection.  In addition to any registered dynamic mod‐
769       ules, the following built-in modules exist (and may  be  disabled  with
770       the disable tag):
771
772       k5identity
773              Uses a .k5identity file in the user's home directory to select a
774              client principal
775
776       realm  Uses the service realm to guess an appropriate  cache  from  the
777              collection
778
779       hostname
780              If  the  service principal is host-based, uses the service host‐
781              name to guess an appropriate cache from the collection
782
783   pwqual interface
784       The pwqual subsection controls modules for the password quality  inter‐
785       face,  which  is  used  to  reject  weak  passwords  when passwords are
786       changed.  The following built-in modules exist for this interface:
787
788       dict   Checks against the realm dictionary file
789
790       empty  Rejects empty passwords
791
792       hesiod Checks against user information stored in Hesiod (only  if  Ker‐
793              beros was built with Hesiod support)
794
795       princ  Checks against components of the principal name
796
797   kadm5_hook interface
798       The kadm5_hook interface provides plugins with information on principal
799       creation, modification, password changes and deletion.  This  interface
800       can  be used to write a plugin to synchronize MIT Kerberos with another
801       database such as Active Directory.  No plugins are built  in  for  this
802       interface.
803
804   kadm5_auth interface
805       The  kadm5_auth  section  (introduced in release 1.16) controls modules
806       for the kadmin authorization  interface,  which  determines  whether  a
807       client principal is allowed to perform a kadmin operation.  The follow‐
808       ing built-in modules exist for this interface:
809
810       acl    This module reads the kadm5.acl(5) file, and  authorizes  opera‐
811              tions which are allowed according to the rules in the file.
812
813       self   This  module  authorizes self-service operations including pass‐
814              word changes, creation of new random keys, fetching the client's
815              principal  record  or string attributes, and fetching the policy
816              record associated with the client principal.
817
818   clpreauth and kdcpreauth interfaces
819       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
820       client  and  KDC  preauthentication mechanisms.  The following built-in
821       modules exist for these interfaces:
822
823       pkinit This module implements the PKINIT preauthentication mechanism.
824
825       encrypted_challenge
826              This module implements the encrypted challenge FAST factor.
827
828       encrypted_timestamp
829              This module implements the encrypted timestamp mechanism.
830
831   hostrealm interface
832       The hostrealm section (introduced in release 1.12) controls modules for
833       the  host-to-realm  interface, which affects the local mapping of host‐
834       names to realm names and the choice of default  realm.   The  following
835       built-in modules exist for this interface:
836
837       profile
838              This  module  consults the [domain_realm] section of the profile
839              for authoritative host-to-realm mappings, and the  default_realm
840              variable for the default realm.
841
842       dns    This  module  looks  for  DNS records for fallback host-to-realm
843              mappings and  the  default  realm.   It  only  operates  if  the
844              dns_lookup_realm variable is set to true.
845
846       domain This  module  applies heuristics for fallback host-to-realm map‐
847              pings.  It implements the realm_try_domains variable,  and  uses
848              the  uppercased  parent  domain of the hostname if that does not
849              produce a result.
850
851   localauth interface
852       The localauth section (introduced in release 1.12) controls modules for
853       the  local  authorization  interface,  which  affects  the relationship
854       between Kerberos principals and local system accounts.   The  following
855       built-in modules exist for this interface:
856
857       default
858              This  module  implements the DEFAULT type for auth_to_local val‐
859              ues.
860
861       rule   This module implements the RULE type for auth_to_local values.
862
863       names  This module looks for an  auth_to_local_names  mapping  for  the
864              principal name.
865
866       auth_to_local
867              This  module  processes  auth_to_local  values  in  the  default
868              realm's  section,  and  applies  the  default   method   if   no
869              auth_to_local values exist.
870
871       k5login
872              This  module authorizes a principal to a local account according
873              to the account's .k5login(5) file.
874
875       an2ln  This module authorizes a principal to a  local  account  if  the
876              principal name maps to the local account name.
877
878   certauth interface
879       The  certauth section (introduced in release 1.16) controls modules for
880       the certificate authorization interface,  which  determines  whether  a
881       certificate  is allowed to preauthenticate a user via PKINIT.  The fol‐
882       lowing built-in modules exist for this interface:
883
884       pkinit_san
885              This module authorizes the certificate if it contains  a  PKINIT
886              Subject  Alternative Name for the requested client principal, or
887              a Microsoft UPN SAN matching the principal  if  pkinit_allow_upn
888              is set to true for the realm.
889
890       pkinit_eku
891              This  module  rejects  the certificate if it does not contain an
892              Extended   Key   Usage    attribute    consistent    with    the
893              pkinit_eku_checking value for the realm.
894
895       dbmatch
896              This  module  authorizes or rejects the certificate according to
897              whether it matches the pkinit_cert_match string attribute on the
898              client principal, if that attribute is present.
899

PKINIT OPTIONS

901       NOTE:
902          The  following  are  PKINIT-specific  options.   These values may be
903          specified  in  [libdefaults]  as  global  defaults,  or   within   a
904          realm-specific  subsection  of [libdefaults], or may be specified as
905          realm-specific values in the  [realms]  section.   A  realm-specific
906          value overrides, not adds to, a generic [libdefaults] specification.
907          The search order is:
908
909       1. realm-specific subsection of [libdefaults]:
910
911             [libdefaults]
912                 EXAMPLE.COM = {
913                     pkinit_anchors = FILE:/usr/local/example.com.crt
914                 }
915
916       2. realm-specific value in the [realms] section:
917
918             [realms]
919                 OTHERREALM.ORG = {
920                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
921                 }
922
923       3. generic value in the [libdefaults] section:
924
925             [libdefaults]
926                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
927
928   Specifying PKINIT identity information
929       The syntax for specifying Public Key identity,  trust,  and  revocation
930       information for PKINIT is as follows:
931
932       FILE:filename[,keyfilename]
933              This option has context-specific behavior.
934
935              In  pkinit_identity or pkinit_identities, filename specifies the
936              name of a PEM-format file containing the user's certificate.  If
937              keyfilename is not specified, the user's private key is expected
938              to be in filename as well.  Otherwise, keyfilename is  the  name
939              of the file containing the private key.
940
941              In  pkinit_anchors or pkinit_pool, filename is assumed to be the
942              name of an OpenSSL-style ca-bundle file.
943
944       DIR:dirname
945              This option has context-specific behavior.
946
947              In pkinit_identity or  pkinit_identities,  dirname  specifies  a
948              directory  with files named *.crt and *.key where the first part
949              of the file name is the same for matching pairs  of  certificate
950              and private key files.  When a file with a name ending with .crt
951              is found, a matching file ending with .key is assumed to contain
952              the private key.  If no such file is found, then the certificate
953              in the .crt is not used.
954
955              In pkinit_anchors or pkinit_pool, dirname is assumed  to  be  an
956              OpenSSL-style  hashed  CA directory where each CA cert is stored
957              in a  file  named  hash-of-ca-cert.#.   This  infrastructure  is
958              encouraged,  but all files in the directory will be examined and
959              if they contain certificates (in PEM format), they will be used.
960
961              In pkinit_revoke, dirname is  assumed  to  be  an  OpenSSL-style
962              hashed  CA  directory  where each revocation list is stored in a
963              file named hash-of-ca-cert.r#.  This infrastructure  is  encour‐
964              aged,  but  all  files  in the directory will be examined and if
965              they contain a revocation list (in PEM  format),  they  will  be
966              used.
967
968       PKCS12:filename
969              filename  is  the name of a PKCS #12 format file, containing the
970              user's certificate and private key.
971
972       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
973       tid=cert-id][:certlabel=cert-label]
974              All keyword/values are optional.  modname specifies the location
975              of a library implementing PKCS #11.  If a value  is  encountered
976              with  no  keyword,  it is assumed to be the modname.  If no mod‐
977              ule-name is specified, the default is opensc-pkcs11.so.  slotid=
978              and/or  token= may be specified to force the use of a particular
979              smard card reader or token if there is more than one  available.
980              certid=  and/or  certlabel= may be specified to force the selec‐
981              tion of  a  particular  certificate  on  the  device.   See  the
982              pkinit_cert_match configuration option for more ways to select a
983              particular certificate to use for PKINIT.
984
985       ENV:envvar
986              envvar specifies the name of an environment variable  which  has
987              been  set  to  a value conforming to one of the previous values.
988              For  example,   ENV:X509_PROXY,   where   environment   variable
989              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
990
991   PKINIT krb5.conf options
992       pkinit_anchors
993              Specifies  the  location  of  trusted anchor (root) certificates
994              which the client trusts to sign KDC certificates.   This  option
995              may  be  specified multiple times.  These values from the config
996              file are not used if the user specifies X509_anchors on the com‐
997              mand line.
998
999       pkinit_cert_match
1000              Specifies  matching rules that the client certificate must match
1001              before it is used to attempt PKINIT authentication.  If  a  user
1002              has  multiple  certificates  available  (on a smart card, or via
1003              other media), there  must  be  exactly  one  certificate  chosen
1004              before  attempting  PKINIT  authentication.   This option may be
1005              specified multiple times.  All the  available  certificates  are
1006              checked  against  each  rule  in order until there is a match of
1007              exactly one certificate.
1008
1009              The Subject and Issuer  comparison  strings  are  the  RFC  2253
1010              string  representations  from  the  certificate  Subject  DN and
1011              Issuer DN values.
1012
1013              The syntax of the matching rules is:
1014                 [relation-operator]component-rule ...
1015
1016              where:
1017
1018              relation-operator
1019                     can be either &&, meaning all component rules must match,
1020                     or  ||,  meaning only one component rule must match.  The
1021                     default is &&.
1022
1023              component-rule
1024                     can be one of the following.  Note that there is no punc‐
1025                     tuation or whitespace between component rules.
1026                        <SUBJECT>regular-expression
1027                        <ISSUER>regular-expression
1028                        <SAN>regular-expression
1029                        <EKU>extended-key-usage-list
1030                        <KU>key-usage-list
1031
1032
1033                     extended-key-usage-list  is  a  comma-separated  list  of
1034                     required Extended Key Usage values.  All  values  in  the
1035                     list  must  be  present in the certificate.  Extended Key
1036                     Usage values can be:
1037
1038                     · pkinit
1039
1040                     · msScLogin
1041
1042                     · clientAuth
1043
1044                     · emailProtection
1045
1046                     key-usage-list is a comma-separated list of required  Key
1047                     Usage  values.  All values in the list must be present in
1048                     the certificate.  Key Usage values can be:
1049
1050                     · digitalSignature
1051
1052                     · keyEncipherment
1053
1054              Examples:
1055
1056                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1057                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1058                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1059
1060       pkinit_eku_checking
1061              This option specifies what Extended Key Usage value the KDC cer‐
1062              tificate  presented  to  the client must contain.  (Note that if
1063              the  KDC  certificate  has  the  pkinit   SubjectAlternativeName
1064              encoded  as the Kerberos TGS name, EKU checking is not necessary
1065              since the issuing CA has certified this as a  KDC  certificate.)
1066              The values recognized in the krb5.conf file are:
1067
1068              kpKDC  This is the default value and specifies that the KDC must
1069                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1070
1071              kpServerAuth
1072                     If kpServerAuth is specified, a KDC certificate with  the
1073                     id-kp-serverAuth  EKU  will  be accepted.  This key usage
1074                     value is used in most commercially issued server certifi‐
1075                     cates.
1076
1077              none   If  none  is specified, then the KDC certificate will not
1078                     be checked to verify it has an acceptable EKU.   The  use
1079                     of this option is not recommended.
1080
1081       pkinit_dh_min_bits
1082              Specifies  the  size  of  the Diffie-Hellman key the client will
1083              attempt to use.  The acceptable values are 1024, 2048, and 4096.
1084              The default is 2048.
1085
1086       pkinit_identities
1087              Specifies  the  location(s)  to be used to find the user's X.509
1088              identity information.  This option  may  be  specified  multiple
1089              times.  Each value is attempted in order until identity informa‐
1090              tion is found and authentication is attempted.  Note that  these
1091              values  are not used if the user specifies X509_user_identity on
1092              the command line.
1093
1094       pkinit_kdc_hostname
1095              The presense of this option indicates that the client is willing
1096              to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1097              tive Name) rather than requiring the id-pkinit-san as defined in
1098              RFC  4556.   This  option  may be specified multiple times.  Its
1099              value should contain the acceptable hostname  for  the  KDC  (as
1100              contained in its certificate).
1101
1102       pkinit_pool
1103              Specifies the location of intermediate certificates which may be
1104              used by the client to complete the trust  chain  between  a  KDC
1105              certificate  and a trusted anchor.  This option may be specified
1106              multiple times.
1107
1108       pkinit_require_crl_checking
1109              The default certificate verification process will  always  check
1110              the available revocation information to see if a certificate has
1111              been revoked.  If a match is found for the certificate in a CRL,
1112              verification  fails.   If  the certificate being verified is not
1113              listed in a CRL, or there is no CRL present for its issuing  CA,
1114              and pkinit_require_crl_checking is false, then verification suc‐
1115              ceeds.
1116
1117              However, if pkinit_require_crl_checking is true and there is  no
1118              CRL  information available for the issuing CA, then verification
1119              fails.
1120
1121              pkinit_require_crl_checking should be set to true if the  policy
1122              is such that up-to-date CRLs must be present for every CA.
1123
1124       pkinit_revoke
1125              Specifies  the  location  of  Certificate  Revocation List (CRL)
1126              information to be used by the client when verifying the validity
1127              of  the KDC certificate presented.  This option may be specified
1128              multiple times.
1129

PARAMETER EXPANSION

1131       Starting   with   release   1.11,   several    variables,    such    as
1132       default_keytab_name, allow parameters to be expanded.  Valid parameters
1133       are:
1134
1135                    ┌──────────────────┬────────────────────────────┐
1136                    │%{TEMP}           │ Temporary directory        │
1137                    ├──────────────────┼────────────────────────────┤
1138                    │%{uid}            │ Unix real UID  or  Windows │
1139                    │                  │ SID                        │
1140                    ├──────────────────┼────────────────────────────┤
1141                    │%{euid}           │ Unix  effective user ID or │
1142                    │                  │ Windows SID                │
1143                    ├──────────────────┼────────────────────────────┤
1144                    │%{USERID}         │ Same as %{uid}             │
1145                    ├──────────────────┼────────────────────────────┤
1146                    │%{null}           │ Empty string               │
1147                    ├──────────────────┼────────────────────────────┤
1148                    │%{LIBDIR}         │ Installation       library │
1149                    │                  │ directory                  │
1150                    ├──────────────────┼────────────────────────────┤
1151                    │%{BINDIR}         │ Installation binary direc‐ │
1152                    │                  │ tory                       │
1153                    ├──────────────────┼────────────────────────────┤
1154                    │%{SBINDIR}        │ Installation admin  binary │
1155                    │                  │ directory                  │
1156                    ├──────────────────┼────────────────────────────┤
1157                    │%{username}       │ (Unix)  Username of effec‐ │
1158                    │                  │ tive user ID               │
1159                    ├──────────────────┼────────────────────────────┤
1160                    │%{APPDATA}        │ (Windows) Roaming applica‐ │
1161                    │                  │ tion data for current user │
1162                    ├──────────────────┼────────────────────────────┤
1163                    │%{COMMON_APPDATA} │ (Windows) Application data │
1164                    │                  │ for all users              │
1165                    ├──────────────────┼────────────────────────────┤
1166                    │%{LOCAL_APPDATA}  │ (Windows)  Local  applica‐ │
1167                    │                  │ tion data for current user │
1168                    ├──────────────────┼────────────────────────────┤
1169                    │%{SYSTEM}         │ (Windows)  Windows  system │
1170                    │                  │ folder                     │
1171                    ├──────────────────┼────────────────────────────┤
1172                    │%{WINDOWS}        │ (Windows) Windows folder   │
1173                    ├──────────────────┼────────────────────────────┤
1174                    │%{USERCONFIG}     │ (Windows)   Per-user   MIT │
1175                    │                  │ krb5 config file directory │
1176                    ├──────────────────┼────────────────────────────┤
1177                    │%{COMMONCONFIG}   │ (Windows)  Common MIT krb5 │
1178                    │                  │ config file directory      │
1179                    └──────────────────┴────────────────────────────┘
1180

SAMPLE KRB5.CONF FILE

1182       Here is an example of a generic krb5.conf file:
1183
1184          [libdefaults]
1185              default_realm = ATHENA.MIT.EDU
1186              dns_lookup_kdc = true
1187              dns_lookup_realm = false
1188
1189          [realms]
1190              ATHENA.MIT.EDU = {
1191                  kdc = kerberos.mit.edu
1192                  kdc = kerberos-1.mit.edu
1193                  kdc = kerberos-2.mit.edu
1194                  admin_server = kerberos.mit.edu
1195                  master_kdc = kerberos.mit.edu
1196              }
1197              EXAMPLE.COM = {
1198                  kdc = kerberos.example.com
1199                  kdc = kerberos-1.example.com
1200                  admin_server = kerberos.example.com
1201              }
1202
1203          [domain_realm]
1204              mit.edu = ATHENA.MIT.EDU
1205
1206          [capaths]
1207              ATHENA.MIT.EDU = {
1208                     EXAMPLE.COM = .
1209              }
1210              EXAMPLE.COM = {
1211                     ATHENA.MIT.EDU = .
1212              }
1213

FILES

1215       /etc/krb5.conf
1216

SEE ALSO

1218       syslog(3)
1219

AUTHOR

1221       MIT
1222
1224       1985-2018, MIT
1225
1226
1227
1228
12291.16.1                                                            KRB5.CONF(5)
Impressum