1KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)
2
3
4

NAME

6       krb5.conf - Kerberos configuration file
7
8       The krb5.conf file contains Kerberos configuration information, includ‐
9       ing the locations of KDCs and admin servers for the Kerberos realms  of
10       interest, defaults for the current realm and for Kerberos applications,
11       and mappings of hostnames onto Kerberos realms.  Normally,  you  should
12       install  your  krb5.conf  file in the directory /etc.  You can override
13       the default location by setting the environment  variable  KRB5_CONFIG.
14       Multiple colon-separated filenames may be specified in KRB5_CONFIG; all
15       files which are present will be read.  Starting in release 1.14, direc‐
16       tory  names  can also be specified in KRB5_CONFIG; all files within the
17       directory  whose  names  consist  solely  of  alphanumeric  characters,
18       dashes, or underscores will be read.
19

STRUCTURE

21       The krb5.conf file is set up in the style of a Windows INI file.  Lines
22       beginning with '#' or  ';'  (possibly  after  initial  whitespace)  are
23       ignored  as  comments.   Sections  are  headed  by the section name, in
24       square brackets.  Each section may contain zero or more  relations,  of
25       the form:
26
27          foo = bar
28
29       or:
30
31          fubar = {
32              foo = bar
33              baz = quux
34          }
35
36       Placing  a  '*'  at  the end of a line indicates that this is the final
37       value for the tag.  This means that neither the remainder of this  con‐
38       figuration  file  nor  any other configuration file will be checked for
39       any other values for this tag.
40
41       For example, if you have the following lines:
42
43          foo = bar*
44          foo = baz
45
46       then the second value of foo (baz) would never be read.
47
48       The krb5.conf file can include other files using either of the  follow‐
49       ing directives at the beginning of a line:
50
51          include FILENAME
52          includedir DIRNAME
53
54       FILENAME  or  DIRNAME  should  be  an  absolute path. The named file or
55       directory must exist and be readable.  Including a  directory  includes
56       all  files  within the directory whose names consist solely of alphanu‐
57       meric characters, dashes, or underscores.  Starting  in  release  1.15,
58       files  with  names ending in ".conf" are also included, unless the name
59       begins with ".".  Included profile files are syntactically  independent
60       of  their  parents,  so  each  included  file must begin with a section
61       header.  Starting in release  1.17,  files  are  read  in  alphanumeric
62       order; in previous releases, they may be read in any order.
63
64       The  krb5.conf  file  can specify that configuration should be obtained
65       from a loadable module, rather than the file itself, using the  follow‐
66       ing directive at the beginning of a line before any section headers:
67
68          module MODULEPATH:RESIDUAL
69
70       MODULEPATH  may  be  relative to the library path of the krb5 installa‐
71       tion, or it may be an absolute path.  RESIDUAL is provided to the  mod‐
72       ule  at  initialization  time.   If  krb5.conf uses a module directive,
73       kdc.conf(5) should also use one if it exists.
74

SECTIONS

76       The krb5.conf file may contain the following sections:
77
78                    ┌───────────────┬────────────────────────────┐
79[libdefaults]  │ Settings used by the  Ker‐ │
80                    │               │ beros V5 library           │
81                    ├───────────────┼────────────────────────────┤
82[realms]       │ Realm-specific     contact │
83                    │               │ information and settings   │
84                    ├───────────────┼────────────────────────────┤
85[domain_realm] │ Maps server  hostnames  to │
86                    │               │ Kerberos realms            │
87                    ├───────────────┼────────────────────────────┤
88[capaths]      │ Authentication  paths  for │
89                    │               │ non-hierarchical           │
90                    │               │ cross-realm                │
91                    ├───────────────┼────────────────────────────┤
92[appdefaults]  │ Settings used by some Ker‐ │
93                    │               │ beros V5 applications      │
94                    ├───────────────┼────────────────────────────┤
95[plugins]      │ Controls   plugin   module │
96                    │               │ registration               │
97                    └───────────────┴────────────────────────────┘
98
99       Additionally,  krb5.conf  may include any of the relations described in
100       kdc.conf(5), but it is not a recommended practice.
101
102   [libdefaults]
103       The libdefaults section may contain any of the following relations:
104
105       allow_weak_crypto
106              If this flag is set to false, then  weak  encryption  types  (as
107              noted  in  Encryption_types in kdc.conf(5)) will be filtered out
108              of the  lists  default_tgs_enctypes,  default_tkt_enctypes,  and
109              permitted_enctypes.   The  default  value for this tag is false,
110              which may cause authentication failures in existing Kerberos in‐
111              frastructures  that  do  not  support  strong  crypto.  Users in
112              affected environments should set this tag to  true  until  their
113              infrastructure adopts stronger ciphers.
114
115       ap_req_checksum_type
116              An integer which specifies the type of AP-REQ checksum to use in
117              authenticators.  This variable should be unset so the  appropri‐
118              ate  checksum  for the encryption key in use will be used.  This
119              can be set if backward compatibility requires a specific  check‐
120              sum  type.   See  the kdc_req_checksum_type configuration option
121              for the possible values and their meanings.
122
123       canonicalize
124              If this flag is set to true, initial ticket requests to the  KDC
125              will  request canonicalization of the client principal name, and
126              answers with different  client  principals  than  the  requested
127              principal will be accepted.  The default value is false.
128
129       ccache_type
130              This  parameter  determines the format of credential cache types
131              created by kinit(1) or other programs.  The default value is  4,
132              which represents the most current format.  Smaller values can be
133              used for compatibility with very old implementations of Kerberos
134              which interact with credential caches on the same host.
135
136       clockskew
137              Sets  the  maximum allowable amount of clockskew in seconds that
138              the library will tolerate before assuming that a  Kerberos  mes‐
139              sage is invalid.  The default value is 300 seconds, or five min‐
140              utes.
141
142              The clockskew setting is also used when evaluating ticket  start
143              and  expiration  times.   For example, tickets that have reached
144              their expiration time can still be used (and renewed if they are
145              renewable tickets) if they have been expired for a shorter dura‐
146              tion than the clockskew setting.
147
148       default_ccache_name
149              This relation specifies  the  name  of  the  default  credential
150              cache.   The  default is FILE:/tmp/krb5cc_%{uid}.  This relation
151              is subject to parameter expansion (see below).  New  in  release
152              1.11.
153
154       default_client_keytab_name
155              This  relation  specifies  the  name  of  the default keytab for
156              obtaining client credentials.   The  default  is  FILE:/var/ker‐
157              beros/krb5/user/%{euid}/client.keytab.  This relation is subject
158              to parameter expansion (see below).  New in release 1.11.
159
160       default_keytab_name
161              This relation specifies the default keytab name to  be  used  by
162              application    servers   such   as   sshd.    The   default   is
163              FILE:/etc/krb5.keytab.  This relation is  subject  to  parameter
164              expansion (see below).
165
166       default_realm
167              Identifies  the  default Kerberos realm for the client.  Set its
168              value to your Kerberos realm.  If this value is not set, then  a
169              realm  must  be  specified  with  every  Kerberos principal when
170              invoking programs such as kinit(1).
171
172       default_tgs_enctypes
173              Identifies the supported list of session  key  encryption  types
174              that  the  client should request when making a TGS-REQ, in order
175              of preference from highest to lowest.  The list may be delimited
176              with  commas or whitespace.  See Encryption_types in kdc.conf(5)
177              for a list of the accepted values for  this  tag.   The  default
178              value    is    aes256-cts-hmac-sha1-96   aes128-cts-hmac-sha1-96
179              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
180              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
181              lia128-cts-cmac des-cbc-crc des-cbc-md5  des-cbc-md4,  but  sin‐
182              gle-DES  encryption  types  will be implicitly removed from this
183              list if the value of allow_weak_crypto is false.
184
185              Do not set this unless required for specific  backward  compati‐
186              bility  purposes;  stale  values  of  this  setting  can prevent
187              clients from taking advantage of new stronger enctypes when  the
188              libraries are upgraded.
189
190       default_tkt_enctypes
191              Identifies  the  supported  list of session key encryption types
192              that the client should request when making an AS-REQ,  in  order
193              of preference from highest to lowest.  The format is the same as
194              for default_tgs_enctypes.  The default value  for  this  tag  is
195              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
196              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
197              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
198              lia128-cts-cmac des-cbc-crc des-cbc-md5  des-cbc-md4,  but  sin‐
199              gle-DES  encryption  types  will be implicitly removed from this
200              list if the value of allow_weak_crypto is false.
201
202              Do not set this unless required for specific  backward  compati‐
203              bility  purposes;  stale  values  of  this  setting  can prevent
204              clients from taking advantage of new stronger enctypes when  the
205              libraries are upgraded.
206
207       dns_canonicalize_hostname
208              Indicate whether name lookups will be used to canonicalize host‐
209              names for use in service principal names.  Setting this flag  to
210              false  can  improve  security  by  reducing reliance on DNS, but
211              means  that  short  hostnames  will  not  be  canonicalized   to
212              fully-qualified hostnames.  The default value is true.
213
214              If  this  option  is  set to fallback (new in release 1.18), DNS
215              canonicalization will only be performed the server  hostname  is
216              not found with the original name when requesting credentials.
217
218       dns_lookup_kdc
219              Indicate  whether  DNS  SRV records should be used to locate the
220              KDCs and other servers for a realm, if they are  not  listed  in
221              the  krb5.conf  information  for  the  realm.   (Note  that  the
222              admin_server entry must be in the krb5.conf realm information in
223              order  to  contact  kadmind,  because the DNS implementation for
224              kadmin is incomplete.)
225
226              Enabling this option does open up a  type  of  denial-of-service
227              attack,  if  someone spoofs the DNS records and redirects you to
228              another server.  However, it's no worse than a  denial  of  ser‐
229              vice,  because  that  fake KDC will be unable to decode anything
230              you send it (besides the initial ticket request,  which  has  no
231              encrypted  data),  and  anything  the fake KDC sends will not be
232              trusted without verification using some  secret  that  it  won't
233              know.
234
235       dns_uri_lookup
236              Indicate  whether  DNS  URI records should be used to locate the
237              KDCs and other servers for a realm, if they are  not  listed  in
238              the  krb5.conf  information for the realm.  SRV records are used
239              as a fallback if no URI records were found.  The  default  value
240              is true.  New in release 1.15.
241
242       err_fmt
243              This  relation allows for custom error message formatting.  If a
244              value is set, error messages will be formatted by substituting a
245              normal  error  message  for  %M  and an error code for %C in the
246              value.
247
248       extra_addresses
249              This allows a computer to use multiple local addresses, in order
250              to  allow  Kerberos  to  work  in a network that uses NATs while
251              still using address-restricted tickets.  The addresses should be
252              in  a  comma-separated list.  This option has no effect if noad‐
253              dresses is true.
254
255       forwardable
256              If this flag is true, initial tickets  will  be  forwardable  by
257              default, if allowed by the KDC.  The default value is false.
258
259       ignore_acceptor_hostname
260              When  accepting  GSSAPI or krb5 security contexts for host-based
261              service principals, ignore any hostname passed  by  the  calling
262              application,  and  allow  clients to authenticate to any service
263              principal in the keytab matching the service name and realm name
264              (if  given).   This option can improve the administrative flexi‐
265              bility of server applications on  multihomed  hosts,  but  could
266              compromise  the  security  of virtual hosting environments.  The
267              default value is false.  New in release 1.10.
268
269       k5login_authoritative
270              If this flag is true, principals  must  be  listed  in  a  local
271              user's k5login file to be granted login access, if a .k5login(5)
272              file exists.  If this flag is false, a principal  may  still  be
273              granted  login access through other mechanisms even if a k5login
274              file exists but does not list the principal.  The default  value
275              is true.
276
277       k5login_directory
278              If  set,  the  library will look for a local user's k5login file
279              within the named directory, with a filename corresponding to the
280              local  username.   If not set, the library will look for k5login
281              files in the user's home directory, with the filename  .k5login.
282              For  security reasons, .k5login files must be owned by the local
283              user or by root.
284
285       kcm_mach_service
286              On macOS only, determines the name of the bootstrap service used
287              to contact the KCM daemon for the KCM credential cache type.  If
288              the value is -, Mach RPC will not be used  to  contact  the  KCM
289              daemon.  The default value is org.h5l.kcm.
290
291       kcm_socket
292              Determines the path to the Unix domain socket used to access the
293              KCM daemon for the KCM credential cache type.  If the  value  is
294              -,  Unix domain sockets will not be used to contact the KCM dae‐
295              mon.  The default value is /var/run/.heim_org.h5l.kcm-socket.
296
297       kdc_default_options
298              Default KDC options (Xored for multiple values) when  requesting
299              initial   tickets.    By   default   it  is  set  to  0x00000010
300              (KDC_OPT_RENEWABLE_OK).
301
302       kdc_timesync
303              Accepted values for this relation are 1 or 0.  If it is nonzero,
304              client  machines  will compute the difference between their time
305              and the time returned by the KDC in the timestamps in the  tick‐
306              ets and use this value to correct for an inaccurate system clock
307              when requesting service tickets or authenticating  to  services.
308              This  corrective factor is only used by the Kerberos library; it
309              is not used to change the system clock.  The default value is 1.
310
311       kdc_req_checksum_type
312              An integer which specifies the type of checksum to use  for  the
313              KDC  requests,  for  compatibility with very old KDC implementa‐
314              tions.  This value is only used for DES keys; other keys use the
315              preferred checksum type for those keys.
316
317              The possible values and their meanings are as follows.
318
319                            ┌─────┬────────────────────────────┐
320                            │1    │ CRC32                      │
321                            ├─────┼────────────────────────────┤
322                            │2    │ RSA MD4                    │
323                            ├─────┼────────────────────────────┤
324                            │3    │ RSA MD4 DES                │
325                            ├─────┼────────────────────────────┤
326                            │4    │ DES CBC                    │
327                            ├─────┼────────────────────────────┤
328                            │7    │ RSA MD5                    │
329                            └─────┴────────────────────────────┘
330
331                            │8    │ RSA MD5 DES                │
332                            ├─────┼────────────────────────────┤
333                            │9    │ NIST SHA                   │
334                            ├─────┼────────────────────────────┤
335                            │12   │ HMAC SHA1 DES3             │
336                            ├─────┼────────────────────────────┤
337                            │-138 │ Microsoft  MD5 HMAC check‐ │
338                            │     │ sum type                   │
339                            └─────┴────────────────────────────┘
340
341       noaddresses
342              If this flag is true, requests for initial tickets will  not  be
343              made  with  address restrictions set, allowing the tickets to be
344              used across NATs.  The default value is true.
345
346       permitted_enctypes
347              Identifies all encryption types that are permitted  for  use  in
348              session  key  encryption.   The  default  value  for this tag is
349              aes256-cts-hmac-sha1-96                  aes128-cts-hmac-sha1-96
350              aes256-cts-hmac-sha384-192            aes128-cts-hmac-sha256-128
351              des3-cbc-sha1   arcfour-hmac-md5   camellia256-cts-cmac   camel‐
352              lia128-cts-cmac  des-cbc-crc  des-cbc-md5  des-cbc-md4, but sin‐
353              gle-DES encryption types will be implicitly  removed  from  this
354              list if the value of allow_weak_crypto is false.
355
356       plugin_base_dir
357              If  set,  determines  the  base directory where krb5 plugins are
358              located.  The default value is the krb5/plugins subdirectory  of
359              the krb5 library directory.  This relation is subject to parame‐
360              ter expansion (see below) in release 1.17 and later.
361
362       preferred_preauth_types
363              This allows you to set  the  preferred  preauthentication  types
364              which  the client will attempt before others which may be adver‐
365              tised by a KDC.  The default value for this setting is "17,  16,
366              15,  14", which forces libkrb5 to attempt to use PKINIT if it is
367              supported.
368
369       proxiable
370              If this flag is true,  initial  tickets  will  be  proxiable  by
371              default, if allowed by the KDC.  The default value is false.
372
373       rdns   If  this flag is true, reverse name lookup will be used in addi‐
374              tion to forward name lookup to canonicalizing hostnames for  use
375              in service principal names.  If dns_canonicalize_hostname is set
376              to false, this flag has no effect.  The default value is true.
377
378       realm_try_domains
379              Indicate whether a host's domain components should  be  used  to
380              determine  the  Kerberos  realm  of the host.  The value of this
381              variable is an integer: -1 means not to search, 0 means  to  try
382              the host's domain itself, 1 means to also try the domain's imme‐
383              diate parent, and so forth.  The library's usual  mechanism  for
384              locating  Kerberos  realms is used to determine whether a domain
385              is  a  valid  realm,  which  may  involve  consulting   DNS   if
386              dns_lookup_kdc is set.  The default is not to search domain com‐
387              ponents.
388
389       renew_lifetime
390              (duration string.)  Sets the default renewable lifetime for ini‐
391              tial ticket requests.  The default value is 0.
392
393       safe_checksum_type
394              An  integer  which specifies the type of checksum to use for the
395              KRB-SAFE requests.  By default it is set to  8  (RSA  MD5  DES).
396              For  compatibility  with applications linked against DCE version
397              1.1 or earlier Kerberos libraries, use a value of 3 to  use  the
398              RSA  MD4  DES  instead.  This field is ignored when its value is
399              incompatible with the session key type.  See the  kdc_req_check‐
400              sum_type  configuration option for the possible values and their
401              meanings.
402
403       spake_preauth_groups
404              A whitespace or comma-separated list of  words  which  specifies
405              the  groups  allowed  for SPAKE preauthentication.  The possible
406              values are:
407
408                        ┌─────────────┬────────────────────────────┐
409                        │edwards25519 │ Edwards25519  curve   (RFC
410                        │             │ 7748)                      │
411                        ├─────────────┼────────────────────────────┤
412                        │P-256        │ NIST   P-256   curve  (RFC
413                        │             │ 5480)                      │
414                        ├─────────────┼────────────────────────────┤
415                        │P-384        │ NIST  P-384   curve   (RFC
416                        │             │ 5480)                      │
417                        ├─────────────┼────────────────────────────┤
418                        │P-521        │ NIST   P-521   curve  (RFC
419                        │             │ 5480)                      │
420                        └─────────────┴────────────────────────────┘
421
422              The default value for the client is edwards25519.   The  default
423              value for the KDC is empty.  New in release 1.17.
424
425       ticket_lifetime
426              (duration string.)  Sets the default lifetime for initial ticket
427              requests.  The default value is 1 day.
428
429       udp_preference_limit
430              When sending a message to the KDC, the library  will  try  using
431              TCP  before  UDP if the size of the message is above udp_prefer‐
432              ence_limit.   If  the  message  is  smaller   than   udp_prefer‐
433              ence_limit,  then  UDP  will be tried before TCP.  Regardless of
434              the size, both protocols will be  tried  if  the  first  attempt
435              fails.
436
437       verify_ap_req_nofail
438              If  this flag is true, then an attempt to verify initial creden‐
439              tials will fail if the client machine does not  have  a  keytab.
440              The default value is false.
441
442   [realms]
443       Each  tag in the [realms] section of the file is the name of a Kerberos
444       realm.  The value of the tag is a subsection with relations that define
445       the properties of that particular realm.  For each realm, the following
446       tags may be specified in the realm's subsection:
447
448       admin_server
449              Identifies the host where the administration server is  running.
450              Typically, this is the master Kerberos server.  This tag must be
451              given a value in order to communicate with the kadmind(8) server
452              for the realm.
453
454       auth_to_local
455              This  tag allows you to set a general rule for mapping principal
456              names to local user names.  It will be used if there is  not  an
457              explicit  mapping  for  the  principal name that is being trans‐
458              lated. The possible values are:
459
460              RULE:exp
461                     The local name will be formulated from exp.
462
463                     The   format   for   exp   is    [n:string](regexp)s/pat‐
464                     tern/replacement/g.   The  integer  n  indicates how many
465                     components the target principal  should  have.   If  this
466                     matches,  then  a string will be formed from string, sub‐
467                     stituting the realm of the principal for $0 and the  n'th
468                     component of the principal for $n (e.g., if the principal
469                     was johndoe/admin then [2:$2$1foo] would  result  in  the
470                     string  adminjohndoefoo).  If this string matches regexp,
471                     then the s//[g] substitution command will be run over the
472                     string.  The optional g will cause the substitution to be
473                     global over the string, instead  of  replacing  only  the
474                     first match in the string.
475
476              DEFAULT
477                     The  principal  name will be used as the local user name.
478                     If the principal has more than one component or is not in
479                     the  default  realm,  this rule is not applicable and the
480                     conversion will fail.
481
482              For example:
483
484                 [realms]
485                     ATHENA.MIT.EDU = {
486                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
487                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
488                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
489                         auth_to_local = DEFAULT
490                     }
491
492              would result in any principal without root or admin as the  sec‐
493              ond component to be translated with the default rule.  A princi‐
494              pal with a second component of admin will become its first  com‐
495              ponent.   root  will be used as the local name for any principal
496              with a second component of root.  The  exception  to  these  two
497              rules  are  any  principals johndoe/*, which will always get the
498              local name guest.
499
500       auth_to_local_names
501              This subsection allows you to set explicit mappings from princi‐
502              pal names to local user names.  The tag is the mapping name, and
503              the value is the corresponding local user name.
504
505       default_domain
506              This tag specifies the domain  used  to  expand  hostnames  when
507              translating  Kerberos 4 service principals to Kerberos 5 princi‐
508              pals (for example, when converting rcmd.hostname  to  host/host‐
509              name.domain).
510
511       disable_encrypted_timestamp
512              If  this  flag  is  true,  the client will not perform encrypted
513              timestamp preauthentication if requested by  the  KDC.   Setting
514              this  flag  can  help  to  prevent  dictionary attacks by active
515              attackers, if the realm's KDCs support  SPAKE  preauthentication
516              or  if  initial  authentication always uses another mechanism or
517              always uses FAST.  This flag persists  across  client  referrals
518              during  initial  authentication.  This flag does not prevent the
519              KDC from offering encrypted timestamp.  New in release 1.17.
520
521       http_anchors
522              When KDCs and kpasswd servers are accessed through  HTTPS  prox‐
523              ies, this tag can be used to specify the location of the CA cer‐
524              tificate which should be trusted to issue the certificate for  a
525              proxy  server.  If left unspecified, the system-wide default set
526              of CA certificates is used.
527
528              The syntax for values is similar  to  that  of  values  for  the
529              pkinit_anchors tag:
530
531              FILE: filename
532
533              filename is assumed to be the name of an OpenSSL-style ca-bundle
534              file.
535
536              DIR: dirname
537
538              dirname is assumed to be an directory which contains CA certifi‐
539              cates.   All  files  in  the directory will be examined; if they
540              contain certificates (in PEM format), they will be used.
541
542              ENV: envvar
543
544              envvar specifies the name of an environment variable  which  has
545              been  set  to  a value conforming to one of the previous values.
546              For  example,  ENV:X509_PROXY_CA,  where  environment   variable
547              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.
548
549       kdc    The  name or address of a host running a KDC for that realm.  An
550              optional port number, separated from the hostname  by  a  colon,
551              may  be  included.   If the name or address contains colons (for
552              example, if it is an IPv6 address), enclose it in square  brack‐
553              ets  to  distinguish  the colon from a port separator.  For your
554              computer to be able to communicate with the KDC for each  realm,
555              this  tag  must be given a value in each realm subsection in the
556              configuration file, or there must be DNS SRV records  specifying
557              the KDCs.
558
559       kpasswd_server
560              Points  to  the  server  where all the password changes are per‐
561              formed.  If there is no such entry, DNS will be queried  (unless
562              forbidden   by   dns_lookup_kdc).   Finally,  port  464  on  the
563              admin_server host will be tried.
564
565       master_kdc
566              Identifies the master KDC(s).  Currently, this tag  is  used  in
567              only one case: If an attempt to get credentials fails because of
568              an invalid password, the client software will attempt to contact
569              the  master  KDC,  in  case  the  user's  password has just been
570              changed, and the updated database has not been propagated to the
571              replica servers yet.
572
573       v4_instance_convert
574              This subsection allows the administrator to configure exceptions
575              to the default_domain mapping rule.  It  contains  V4  instances
576              (the tag name) which should be translated to some specific host‐
577              name (the tag value) as the second component in  a  Kerberos  V5
578              principal name.
579
580       v4_realm
581              This  relation  is used by the krb524 library routines when con‐
582              verting a V5 principal name to a V4 principal name.  It is  used
583              when  the  V4 realm name and the V5 realm name are not the same,
584              but still share the same principal names and passwords. The  tag
585              value is the Kerberos V4 realm name.
586
587   [domain_realm]
588       The [domain_realm] section provides a translation from a domain name or
589       hostname to a Kerberos realm name.  The tag name can be a host name  or
590       domain  name,  where domain names are indicated by a prefix of a period
591       (.).  The value of the relation is the Kerberos  realm  name  for  that
592       particular  host  or  domain.  A host name relation implicitly provides
593       the corresponding domain name relation, unless an explicit domain  name
594       relation  is  provided.  The Kerberos realm may be identified either in
595       the realms section or using DNS SRV records.   Host  names  and  domain
596       names should be in lower case.  For example:
597
598          [domain_realm]
599              crash.mit.edu = TEST.ATHENA.MIT.EDU
600              .dev.mit.edu = TEST.ATHENA.MIT.EDU
601              mit.edu = ATHENA.MIT.EDU
602
603       maps  the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
604       realm.  The second entry maps all hosts under  the  domain  dev.mit.edu
605       into  the  TEST.ATHENA.MIT.EDU  realm,  but  not the host with the name
606       dev.mit.edu.  That host is matched by the third entry, which  maps  the
607       host mit.edu and all hosts under the domain mit.edu that do not match a
608       preceding rule into the realm ATHENA.MIT.EDU.
609
610       If no translation entry applies to a hostname used for a service  prin‐
611       cipal  for  a  service  ticket  request,  the library will try to get a
612       referral to the appropriate realm from the client realm's KDC.  If that
613       does  not  succeed, the host's realm is considered to be the hostname's
614       domain portion converted to  uppercase,  unless  the  realm_try_domains
615       setting in [libdefaults] causes a different parent domain to be used.
616
617   [capaths]
618       In  order  to perform direct (non-hierarchical) cross-realm authentica‐
619       tion, configuration is needed to  determine  the  authentication  paths
620       between realms.
621
622       A  client will use this section to find the authentication path between
623       its realm and the realm of the server.  The server will use  this  sec‐
624       tion  to verify the authentication path used by the client, by checking
625       the transited field of the received ticket.
626
627       There is a tag for each participating client realm, and  each  tag  has
628       subtags  for each of the server realms.  The value of the subtags is an
629       intermediate realm which may participate in the cross-realm authentica‐
630       tion.  The subtags may be repeated if there is more then one intermedi‐
631       ate realm.  A value of  "."  means  that  the  two  realms  share  keys
632       directly, and no intermediate realms should be allowed to participate.
633
634       Only  those  entries  which  will be needed on the client or the server
635       need to be present.  A client needs a tag for its local realm with sub‐
636       tags  for all the realms of servers it will need to authenticate to.  A
637       server needs a tag for each realm of the clients it will serve, with  a
638       subtag of the server realm.
639
640       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
641       realm as an intermediate realm.  ANL has a sub  realm  of  TEST.ANL.GOV
642       which  will authenticate with NERSC.GOV but not PNL.GOV.  The [capaths]
643       section for ANL.GOV systems would look like this:
644
645          [capaths]
646              ANL.GOV = {
647                  TEST.ANL.GOV = .
648                  PNL.GOV = ES.NET
649                  NERSC.GOV = ES.NET
650                  ES.NET = .
651              }
652              TEST.ANL.GOV = {
653                  ANL.GOV = .
654              }
655              PNL.GOV = {
656                  ANL.GOV = ES.NET
657              }
658              NERSC.GOV = {
659                  ANL.GOV = ES.NET
660              }
661              ES.NET = {
662                  ANL.GOV = .
663              }
664
665       The [capaths] section of the configuration file used on NERSC.GOV  sys‐
666       tems would look like this:
667
668          [capaths]
669              NERSC.GOV = {
670                  ANL.GOV = ES.NET
671                  TEST.ANL.GOV = ES.NET
672                  TEST.ANL.GOV = ANL.GOV
673                  PNL.GOV = ES.NET
674                  ES.NET = .
675              }
676              ANL.GOV = {
677                  NERSC.GOV = ES.NET
678              }
679              PNL.GOV = {
680                  NERSC.GOV = ES.NET
681              }
682              ES.NET = {
683                  NERSC.GOV = .
684              }
685              TEST.ANL.GOV = {
686                  NERSC.GOV = ANL.GOV
687                  NERSC.GOV = ES.NET
688              }
689
690       When a subtag is used more than once within a tag, clients will use the
691       order of values to determine the path.  The  order  of  values  is  not
692       important to servers.
693
694   [appdefaults]
695       Each  tag  in the [appdefaults] section names a Kerberos V5 application
696       or an option that is used by  some  Kerberos  V5  application[s].   The
697       value of the tag defines the default behaviors for that application.
698
699       For example:
700
701          [appdefaults]
702              telnet = {
703                  ATHENA.MIT.EDU = {
704                      option1 = false
705                  }
706              }
707              telnet = {
708                  option1 = true
709                  option2 = true
710              }
711              ATHENA.MIT.EDU = {
712                  option2 = false
713              }
714              option2 = true
715
716       The  above  four ways of specifying the value of an option are shown in
717       order of decreasing precedence. In this example, if telnet  is  running
718       in  the  realm  EXAMPLE.COM,  it  should,  by default, have option1 and
719       option2  set  to  true.   However,  a  telnet  program  in  the   realm
720       ATHENA.MIT.EDU  should  have  option1  set  to false and option2 set to
721       true.  Any other programs in ATHENA.MIT.EDU should have option2 set  to
722       false  by  default.   Any  programs running in other realms should have
723       option2 set to true.
724
725       The list of specifiable options for each application may  be  found  in
726       that  application's man pages.  The application defaults specified here
727       are overridden by those specified in the realms section.
728
729   [plugins]
730          · pwqual interface
731
732          · kadm5_hook interface
733
734          · clpreauth and kdcpreauth interfaces
735
736       Tags in the [plugins] section can be used to  register  dynamic  plugin
737       modules  and  to  turn  modules  on  and off.  Not every krb5 pluggable
738       interface uses the [plugins] section; the ones that do  are  documented
739       here.
740
741       New in release 1.9.
742
743       Each pluggable interface corresponds to a subsection of [plugins].  All
744       subsections support the same tags:
745
746       disable
747              This tag may have multiple values. If there are values for  this
748              tag,  then  the named modules will be disabled for the pluggable
749              interface.
750
751       enable_only
752              This tag may have multiple values. If there are values for  this
753              tag,  then  only the named modules will be enabled for the plug‐
754              gable interface.
755
756       module This tag may have multiple values.  Each value is  a  string  of
757              the  form  modulename:pathname,  which  causes the shared object
758              located at pathname to be registered as a dynamic  module  named
759              modulename  for  the pluggable interface.  If pathname is not an
760              absolute path, it will be  treated  as  relative  to  the  plug‐
761              in_base_dir value from [libdefaults].
762
763       For pluggable interfaces where module order matters, modules registered
764       with a module tag normally come first, in the  order  they  are  regis‐
765       tered,  followed  by  built-in modules in the order they are documented
766       below.  If enable_only tags are used, then  the  order  of  those  tags
767       overrides the normal module order.
768
769       The  following subsections are currently supported within the [plugins]
770       section:
771
772   ccselect interface
773       The ccselect subsection controls modules for credential cache selection
774       within  a cache collection.  In addition to any registered dynamic mod‐
775       ules, the following built-in modules exist (and may  be  disabled  with
776       the disable tag):
777
778       k5identity
779              Uses a .k5identity file in the user's home directory to select a
780              client principal
781
782       realm  Uses the service realm to guess an appropriate  cache  from  the
783              collection
784
785       hostname
786              If  the  service principal is host-based, uses the service host‐
787              name to guess an appropriate cache from the collection
788
789   pwqual interface
790       The pwqual subsection controls modules for the password quality  inter‐
791       face,  which  is  used  to  reject  weak  passwords  when passwords are
792       changed.  The following built-in modules exist for this interface:
793
794       dict   Checks against the realm dictionary file
795
796       empty  Rejects empty passwords
797
798       hesiod Checks against user information stored in Hesiod (only  if  Ker‐
799              beros was built with Hesiod support)
800
801       princ  Checks against components of the principal name
802
803   kadm5_hook interface
804       The kadm5_hook interface provides plugins with information on principal
805       creation, modification, password changes and deletion.  This  interface
806       can  be used to write a plugin to synchronize MIT Kerberos with another
807       database such as Active Directory.  No plugins are built  in  for  this
808       interface.
809
810   kadm5_auth interface
811       The  kadm5_auth  section  (introduced in release 1.16) controls modules
812       for the kadmin authorization  interface,  which  determines  whether  a
813       client principal is allowed to perform a kadmin operation.  The follow‐
814       ing built-in modules exist for this interface:
815
816       acl    This module reads the kadm5.acl(5) file, and  authorizes  opera‐
817              tions which are allowed according to the rules in the file.
818
819       self   This  module  authorizes self-service operations including pass‐
820              word changes, creation of new random keys, fetching the client's
821              principal  record  or string attributes, and fetching the policy
822              record associated with the client principal.
823
824   clpreauth and kdcpreauth interfaces
825       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
826       client  and  KDC  preauthentication mechanisms.  The following built-in
827       modules exist for these interfaces:
828
829       pkinit This module implements the PKINIT preauthentication mechanism.
830
831       encrypted_challenge
832              This module implements the encrypted challenge FAST factor.
833
834       encrypted_timestamp
835              This module implements the encrypted timestamp mechanism.
836
837   hostrealm interface
838       The hostrealm section (introduced in release 1.12) controls modules for
839       the  host-to-realm  interface, which affects the local mapping of host‐
840       names to realm names and the choice of default  realm.   The  following
841       built-in modules exist for this interface:
842
843       profile
844              This  module  consults the [domain_realm] section of the profile
845              for authoritative host-to-realm mappings, and the  default_realm
846              variable for the default realm.
847
848       dns    This  module  looks  for  DNS records for fallback host-to-realm
849              mappings and  the  default  realm.   It  only  operates  if  the
850              dns_lookup_realm variable is set to true.
851
852       domain This  module  applies heuristics for fallback host-to-realm map‐
853              pings.  It implements the realm_try_domains variable,  and  uses
854              the  uppercased  parent  domain of the hostname if that does not
855              produce a result.
856
857   localauth interface
858       The localauth section (introduced in release 1.12) controls modules for
859       the  local  authorization  interface,  which  affects  the relationship
860       between Kerberos principals and local system accounts.   The  following
861       built-in modules exist for this interface:
862
863       default
864              This  module  implements the DEFAULT type for auth_to_local val‐
865              ues.
866
867       rule   This module implements the RULE type for auth_to_local values.
868
869       names  This module looks for an  auth_to_local_names  mapping  for  the
870              principal name.
871
872       auth_to_local
873              This  module  processes  auth_to_local  values  in  the  default
874              realm's  section,  and  applies  the  default   method   if   no
875              auth_to_local values exist.
876
877       k5login
878              This  module authorizes a principal to a local account according
879              to the account's .k5login(5) file.
880
881       an2ln  This module authorizes a principal to a  local  account  if  the
882              principal name maps to the local account name.
883
884   certauth interface
885       The  certauth section (introduced in release 1.16) controls modules for
886       the certificate authorization interface,  which  determines  whether  a
887       certificate  is allowed to preauthenticate a user via PKINIT.  The fol‐
888       lowing built-in modules exist for this interface:
889
890       pkinit_san
891              This module authorizes the certificate if it contains  a  PKINIT
892              Subject  Alternative Name for the requested client principal, or
893              a Microsoft UPN SAN matching the principal  if  pkinit_allow_upn
894              is set to true for the realm.
895
896       pkinit_eku
897              This  module  rejects  the certificate if it does not contain an
898              Extended   Key   Usage    attribute    consistent    with    the
899              pkinit_eku_checking value for the realm.
900
901       dbmatch
902              This  module  authorizes or rejects the certificate according to
903              whether it matches the pkinit_cert_match string attribute on the
904              client principal, if that attribute is present.
905

PKINIT OPTIONS

907       NOTE:
908          The  following  are  PKINIT-specific  options.   These values may be
909          specified  in  [libdefaults]  as  global  defaults,  or   within   a
910          realm-specific  subsection  of [libdefaults], or may be specified as
911          realm-specific values in the  [realms]  section.   A  realm-specific
912          value overrides, not adds to, a generic [libdefaults] specification.
913          The search order is:
914
915       1. realm-specific subsection of [libdefaults]:
916
917             [libdefaults]
918                 EXAMPLE.COM = {
919                     pkinit_anchors = FILE:/usr/local/example.com.crt
920                 }
921
922       2. realm-specific value in the [realms] section:
923
924             [realms]
925                 OTHERREALM.ORG = {
926                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
927                 }
928
929       3. generic value in the [libdefaults] section:
930
931             [libdefaults]
932                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
933
934   Specifying PKINIT identity information
935       The syntax for specifying Public Key identity,  trust,  and  revocation
936       information for PKINIT is as follows:
937
938       FILE:filename[,keyfilename]
939              This option has context-specific behavior.
940
941              In  pkinit_identity or pkinit_identities, filename specifies the
942              name of a PEM-format file containing the user's certificate.  If
943              keyfilename is not specified, the user's private key is expected
944              to be in filename as well.  Otherwise, keyfilename is  the  name
945              of the file containing the private key.
946
947              In  pkinit_anchors or pkinit_pool, filename is assumed to be the
948              name of an OpenSSL-style ca-bundle file.
949
950       DIR:dirname
951              This option has context-specific behavior.
952
953              In pkinit_identity or  pkinit_identities,  dirname  specifies  a
954              directory  with files named *.crt and *.key where the first part
955              of the file name is the same for matching pairs  of  certificate
956              and private key files.  When a file with a name ending with .crt
957              is found, a matching file ending with .key is assumed to contain
958              the private key.  If no such file is found, then the certificate
959              in the .crt is not used.
960
961              In pkinit_anchors or pkinit_pool, dirname is assumed  to  be  an
962              OpenSSL-style  hashed  CA directory where each CA cert is stored
963              in a  file  named  hash-of-ca-cert.#.   This  infrastructure  is
964              encouraged,  but all files in the directory will be examined and
965              if they contain certificates (in PEM format), they will be used.
966
967              In pkinit_revoke, dirname is  assumed  to  be  an  OpenSSL-style
968              hashed  CA  directory  where each revocation list is stored in a
969              file named hash-of-ca-cert.r#.  This infrastructure  is  encour‐
970              aged,  but  all  files  in the directory will be examined and if
971              they contain a revocation list (in PEM  format),  they  will  be
972              used.
973
974       PKCS12:filename
975              filename  is  the name of a PKCS #12 format file, containing the
976              user's certificate and private key.
977
978       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:cer‐
979       tid=cert-id][:certlabel=cert-label]
980              All keyword/values are optional.  modname specifies the location
981              of a library implementing PKCS #11.  If a value  is  encountered
982              with  no  keyword,  it is assumed to be the modname.  If no mod‐
983              ule-name is specified, the default is opensc-pkcs11.so.  slotid=
984              and/or  token= may be specified to force the use of a particular
985              smard card reader or token if there is more than one  available.
986              certid=  and/or  certlabel= may be specified to force the selec‐
987              tion of  a  particular  certificate  on  the  device.   See  the
988              pkinit_cert_match configuration option for more ways to select a
989              particular certificate to use for PKINIT.
990
991       ENV:envvar
992              envvar specifies the name of an environment variable  which  has
993              been  set  to  a value conforming to one of the previous values.
994              For  example,   ENV:X509_PROXY,   where   environment   variable
995              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
996
997   PKINIT krb5.conf options
998       pkinit_anchors
999              Specifies  the  location  of  trusted anchor (root) certificates
1000              which the client trusts to sign KDC certificates.   This  option
1001              may  be  specified multiple times.  These values from the config
1002              file are not used if the user specifies X509_anchors on the com‐
1003              mand line.
1004
1005       pkinit_cert_match
1006              Specifies  matching rules that the client certificate must match
1007              before it is used to attempt PKINIT authentication.  If  a  user
1008              has  multiple  certificates  available  (on a smart card, or via
1009              other media), there  must  be  exactly  one  certificate  chosen
1010              before  attempting  PKINIT  authentication.   This option may be
1011              specified multiple times.  All the  available  certificates  are
1012              checked  against  each  rule  in order until there is a match of
1013              exactly one certificate.
1014
1015              The Subject and Issuer  comparison  strings  are  the  RFC  2253
1016              string  representations  from  the  certificate  Subject  DN and
1017              Issuer DN values.
1018
1019              The syntax of the matching rules is:
1020                 [relation-operator]component-rule ...
1021
1022              where:
1023
1024              relation-operator
1025                     can be either &&, meaning all component rules must match,
1026                     or  ||,  meaning only one component rule must match.  The
1027                     default is &&.
1028
1029              component-rule
1030                     can be one of the following.  Note that there is no punc‐
1031                     tuation or whitespace between component rules.
1032                        <SUBJECT>regular-expression
1033                        <ISSUER>regular-expression
1034                        <SAN>regular-expression
1035                        <EKU>extended-key-usage-list
1036                        <KU>key-usage-list
1037
1038
1039                     extended-key-usage-list  is  a  comma-separated  list  of
1040                     required Extended Key Usage values.  All  values  in  the
1041                     list  must  be  present in the certificate.  Extended Key
1042                     Usage values can be:
1043
1044                     · pkinit
1045
1046                     · msScLogin
1047
1048                     · clientAuth
1049
1050                     · emailProtection
1051
1052                     key-usage-list is a comma-separated list of required  Key
1053                     Usage  values.  All values in the list must be present in
1054                     the certificate.  Key Usage values can be:
1055
1056                     · digitalSignature
1057
1058                     · keyEncipherment
1059
1060              Examples:
1061
1062                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1063                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1064                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1065
1066       pkinit_eku_checking
1067              This option specifies what Extended Key Usage value the KDC cer‐
1068              tificate  presented  to  the client must contain.  (Note that if
1069              the  KDC  certificate  has  the  pkinit   SubjectAlternativeName
1070              encoded  as the Kerberos TGS name, EKU checking is not necessary
1071              since the issuing CA has certified this as a  KDC  certificate.)
1072              The values recognized in the krb5.conf file are:
1073
1074              kpKDC  This is the default value and specifies that the KDC must
1075                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1076
1077              kpServerAuth
1078                     If kpServerAuth is specified, a KDC certificate with  the
1079                     id-kp-serverAuth  EKU  will  be accepted.  This key usage
1080                     value is used in most commercially issued server certifi‐
1081                     cates.
1082
1083              none   If  none  is specified, then the KDC certificate will not
1084                     be checked to verify it has an acceptable EKU.   The  use
1085                     of this option is not recommended.
1086
1087       pkinit_dh_min_bits
1088              Specifies  the  size  of  the Diffie-Hellman key the client will
1089              attempt to use.  The acceptable values are 1024, 2048, and 4096.
1090              The default is 2048.
1091
1092       pkinit_identities
1093              Specifies  the  location(s)  to be used to find the user's X.509
1094              identity information.  If  this  option  is  specified  multiple
1095              times,  the first valid value is used; this can be used to spec‐
1096              ify an environment variable  (with  ENV:envvar)  followed  by  a
1097              default  value.  Note that these values are not used if the user
1098              specifies X509_user_identity on the command line.
1099
1100       pkinit_kdc_hostname
1101              The presense of this option indicates that the client is willing
1102              to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1103              tive Name) rather than requiring the id-pkinit-san as defined in
1104              RFC  4556.   This  option  may be specified multiple times.  Its
1105              value should contain the acceptable hostname  for  the  KDC  (as
1106              contained in its certificate).
1107
1108       pkinit_pool
1109              Specifies the location of intermediate certificates which may be
1110              used by the client to complete the trust  chain  between  a  KDC
1111              certificate  and a trusted anchor.  This option may be specified
1112              multiple times.
1113
1114       pkinit_require_crl_checking
1115              The default certificate verification process will  always  check
1116              the available revocation information to see if a certificate has
1117              been revoked.  If a match is found for the certificate in a CRL,
1118              verification  fails.   If  the certificate being verified is not
1119              listed in a CRL, or there is no CRL present for its issuing  CA,
1120              and pkinit_require_crl_checking is false, then verification suc‐
1121              ceeds.
1122
1123              However, if pkinit_require_crl_checking is true and there is  no
1124              CRL  information available for the issuing CA, then verification
1125              fails.
1126
1127              pkinit_require_crl_checking should be set to true if the  policy
1128              is such that up-to-date CRLs must be present for every CA.
1129
1130       pkinit_revoke
1131              Specifies  the  location  of  Certificate  Revocation List (CRL)
1132              information to be used by the client when verifying the validity
1133              of  the KDC certificate presented.  This option may be specified
1134              multiple times.
1135

PARAMETER EXPANSION

1137       Starting   with   release   1.11,   several    variables,    such    as
1138       default_keytab_name, allow parameters to be expanded.  Valid parameters
1139       are:
1140
1141                    ┌──────────────────┬────────────────────────────┐
1142                    │%{TEMP}           │ Temporary directory        │
1143                    ├──────────────────┼────────────────────────────┤
1144                    │%{uid}            │ Unix real UID  or  Windows │
1145                    │                  │ SID                        │
1146                    ├──────────────────┼────────────────────────────┤
1147                    │%{euid}           │ Unix  effective user ID or │
1148                    │                  │ Windows SID                │
1149                    ├──────────────────┼────────────────────────────┤
1150                    │%{USERID}         │ Same as %{uid}             │
1151                    ├──────────────────┼────────────────────────────┤
1152                    │%{null}           │ Empty string               │
1153                    ├──────────────────┼────────────────────────────┤
1154                    │%{LIBDIR}         │ Installation       library │
1155                    │                  │ directory                  │
1156                    ├──────────────────┼────────────────────────────┤
1157                    │%{BINDIR}         │ Installation binary direc‐ │
1158                    │                  │ tory                       │
1159                    ├──────────────────┼────────────────────────────┤
1160                    │%{SBINDIR}        │ Installation admin  binary │
1161                    │                  │ directory                  │
1162                    ├──────────────────┼────────────────────────────┤
1163                    │%{username}       │ (Unix)  Username of effec‐ │
1164                    │                  │ tive user ID               │
1165                    ├──────────────────┼────────────────────────────┤
1166                    │%{APPDATA}        │ (Windows) Roaming applica‐ │
1167                    │                  │ tion data for current user │
1168                    ├──────────────────┼────────────────────────────┤
1169                    │%{COMMON_APPDATA} │ (Windows) Application data │
1170                    │                  │ for all users              │
1171                    ├──────────────────┼────────────────────────────┤
1172                    │%{LOCAL_APPDATA}  │ (Windows)  Local  applica‐ │
1173                    │                  │ tion data for current user │
1174                    ├──────────────────┼────────────────────────────┤
1175                    │%{SYSTEM}         │ (Windows)  Windows  system │
1176                    │                  │ folder                     │
1177                    ├──────────────────┼────────────────────────────┤
1178                    │%{WINDOWS}        │ (Windows) Windows folder   │
1179                    ├──────────────────┼────────────────────────────┤
1180                    │%{USERCONFIG}     │ (Windows)   Per-user   MIT │
1181                    │                  │ krb5 config file directory │
1182                    ├──────────────────┼────────────────────────────┤
1183                    │%{COMMONCONFIG}   │ (Windows)  Common MIT krb5 │
1184                    │                  │ config file directory      │
1185                    └──────────────────┴────────────────────────────┘
1186

SAMPLE KRB5.CONF FILE

1188       Here is an example of a generic krb5.conf file:
1189
1190          [libdefaults]
1191              default_realm = ATHENA.MIT.EDU
1192              dns_lookup_kdc = true
1193              dns_lookup_realm = false
1194
1195          [realms]
1196              ATHENA.MIT.EDU = {
1197                  kdc = kerberos.mit.edu
1198                  kdc = kerberos-1.mit.edu
1199                  kdc = kerberos-2.mit.edu
1200                  admin_server = kerberos.mit.edu
1201                  master_kdc = kerberos.mit.edu
1202              }
1203              EXAMPLE.COM = {
1204                  kdc = kerberos.example.com
1205                  kdc = kerberos-1.example.com
1206                  admin_server = kerberos.example.com
1207              }
1208
1209          [domain_realm]
1210              mit.edu = ATHENA.MIT.EDU
1211
1212          [capaths]
1213              ATHENA.MIT.EDU = {
1214                     EXAMPLE.COM = .
1215              }
1216              EXAMPLE.COM = {
1217                     ATHENA.MIT.EDU = .
1218              }
1219

FILES

1221       /etc/krb5.conf
1222

SEE ALSO

1224       syslog(3)
1225

AUTHOR

1227       MIT
1228
1230       1985-2019, MIT
1231
1232
1233
1234
12351.17                                                              KRB5.CONF(5)
Impressum