1KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)
2
3
4

NAME

6       kdc.conf - Kerberos V5 KDC configuration file
7
8       The kdc.conf file supplements krb5.conf(5) for programs which are typi‐
9       cally only used on a KDC, such as the krb5kdc(8) and kadmind(8) daemons
10       and  the  kdb5_util(8)  program.  Relations documented here may also be
11       specified in krb5.conf; for the KDC programs mentioned,  krb5.conf  and
12       kdc.conf will be merged into a single configuration profile.
13
14       Normally,  the  kdc.conf  file  is  found  in  the KDC state directory,
15       /var/kerberos/krb5kdc.  You can override the default location  by  set‐
16       ting the environment variable KRB5_KDC_PROFILE.
17
18       Please  note that you need to restart the KDC daemon for any configura‐
19       tion changes to take effect.
20

STRUCTURE

22       The kdc.conf file is set up in the  same  format  as  the  krb5.conf(5)
23       file.
24

SECTIONS

26       The kdc.conf file may contain the following sections:
27
28                    ┌──────────────┬────────────────────────────┐
29[kdcdefaults] │ Default   values  for  KDC │
30                    │              │ behavior                   │
31                    ├──────────────┼────────────────────────────┤
32[realms]      │ Realm-specific    database │
33                    │              │ configuration and settings │
34                    ├──────────────┼────────────────────────────┤
35[dbdefaults]  │ Default database settings  │
36                    ├──────────────┼────────────────────────────┤
37[dbmodules]   │ Per-database settings      │
38                    ├──────────────┼────────────────────────────┤
39[logging]     │ Controls how Kerberos dae‐ │
40                    │              │ mons perform logging       │
41                    └──────────────┴────────────────────────────┘
42
43   [kdcdefaults]
44       Some relations in the [kdcdefaults] section specify default values  for
45       realm variables, to be used if the [realms] subsection does not contain
46       a relation for the tag.  See the [realms] section for  the  definitions
47       of these relations.
48
49       · host_based_services
50
51       · kdc_listen
52
53       · kdc_ports
54
55       · kdc_tcp_listen
56
57       · kdc_tcp_ports
58
59       · no_host_referral
60
61       · restrict_anonymous_to_tgt
62
63       The following [kdcdefaults] variables have no per-realm equivalent:
64
65       kdc_max_dgram_reply_size
66              Specifies  the  maximum  packet  size that can be sent over UDP.
67              The default value is 4096 bytes.
68
69       kdc_tcp_listen_backlog
70              (Integer.)  Set the size of the listen queue length for the  KDC
71              daemon.   The  value may be limited by OS settings.  The default
72              value is 5.
73
74       spake_preauth_kdc_challenge
75              (String.)  Specifies the group for a SPAKE optimistic challenge.
76              See  the spake_preauth_groups variable in libdefaults for possi‐
77              ble values.  The default is not to  issue  an  optimistic  chal‐
78              lenge.  (New in release 1.17.)
79
80   [realms]
81       Each  tag in the [realms] section is the name of a Kerberos realm.  The
82       value of the tag is a subsection where the relations define KDC parame‐
83       ters  for  that  particular  realm.  The following example shows how to
84       define one parameter for the ATHENA.MIT.EDU realm:
85
86          [realms]
87              ATHENA.MIT.EDU = {
88                  max_renewable_life = 7d 0h 0m 0s
89              }
90
91       The following tags may be specified in a [realms] subsection:
92
93       acl_file
94              (String.)  Location of the access control list  file  that  kad‐
95              mind(8)  uses  to  determine  which principals are allowed which
96              permissions on the Kerberos database.  To operate without an ACL
97              file,  set this relation to the empty string with acl_file = "".
98              The default value is /var/kerberos/krb5kdc/kadm5.acl.  For  more
99              information on Kerberos ACL file see kadm5.acl(5).
100
101       database_module
102              (String.)  This relation indicates the name of the configuration
103              section under [dbmodules] for database-specific parameters  used
104              by  the  loadable  database  library.   The default value is the
105              realm name.  If  this  configuration  section  does  not  exist,
106              default values will be used for all database parameters.
107
108       database_name
109              (String,  deprecated.)   This relation specifies the location of
110              the Kerberos database for this realm, if the DB2 module is being
111              used  and the [dbmodules] configuration section does not specify
112              a   database   name.    The   default   value    is    /var/ker‐
113              beros/krb5kdc/principal.
114
115       default_principal_expiration
116              (abstime  string.)   Specifies  the  default  expiration date of
117              principals created in this realm.  The default value is 0, which
118              means no expiration date.
119
120       default_principal_flags
121              (Flag  string.)   Specifies the default attributes of principals
122              created in  this  realm.   The  format  for  this  string  is  a
123              comma-separated  list  of  flags, with '+' before each flag that
124              should be enabled and '-' before each flag that should  be  dis‐
125              abled.   The  postdateable,  forwardable,  tgt-based, renewable,
126              proxiable, dup-skey, allow-tickets, and service flags default to
127              enabled.
128
129              There are a number of possible flags:
130
131              allow-tickets
132                     Enabling  this flag means that the KDC will issue tickets
133                     for this  principal.   Disabling  this  flag  essentially
134                     deactivates the principal within this realm.
135
136              dup-skey
137                     Enabling  this  flag allows the KDC to issue user-to-user
138                     service tickets for this principal.
139
140              forwardable
141                     Enabling this flag allows the principal  to  obtain  for‐
142                     wardable tickets.
143
144              hwauth If  this  flag is enabled, then the principal is required
145                     to preauthenticate using a hardware device before receiv‐
146                     ing any tickets.
147
148              no-auth-data-required
149                     Enabling  this  flag  prevents  PAC or AD-SIGNEDPATH data
150                     from being added to service tickets for the principal.
151
152              ok-as-delegate
153                     If this flag is enabled, it hints the client that creden‐
154                     tials  can and should be delegated when authenticating to
155                     the service.
156
157              ok-to-auth-as-delegate
158                     Enabling this flag allows the principal  to  use  S4USelf
159                     tickets.
160
161              postdateable
162                     Enabling  this  flag allows the principal to obtain post‐
163                     dateable tickets.
164
165              preauth
166                     If this flag is enabled on a client principal, then  that
167                     principal  is  required  to  preauthenticate  to  the KDC
168                     before receiving any tickets.  On  a  service  principal,
169                     enabling  this  flag  means that service tickets for this
170                     principal will only be issued to clients with a TGT  that
171                     has the preauthenticated bit set.
172
173              proxiable
174                     Enabling  this  flag allows the principal to obtain proxy
175                     tickets.
176
177              pwchange
178                     Enabling this flag forces  a  password  change  for  this
179                     principal.
180
181              pwservice
182                     If  this  flag  is  enabled, it marks this principal as a
183                     password change service.  This should  only  be  used  in
184                     special  cases,  for  example,  if  a user's password has
185                     expired, then the user has to get tickets for that  prin‐
186                     cipal without going through the normal password authenti‐
187                     cation in order to be able to change the password.
188
189              renewable
190                     Enabling this flag allows the principal to obtain  renew‐
191                     able tickets.
192
193              service
194                     Enabling  this  flag  allows the the KDC to issue service
195                     tickets for this principal.  In release 1.17  and  later,
196                     user-to-user  service  tickets  are  still allowed if the
197                     dup-skey flag is set.
198
199              tgt-based
200                     Enabling this flag allows a principal to  obtain  tickets
201                     based  on a ticket-granting-ticket, rather than repeating
202                     the authentication process that was used  to  obtain  the
203                     TGT.
204
205       dict_file
206              (String.)   Location  of  the dictionary file containing strings
207              that are not allowed as passwords.  The file should contain  one
208              string  per  line,  with  no  additional whitespace.  If none is
209              specified or if there is no policy assigned to the principal, no
210              dictionary checks of passwords will be performed.
211
212       encrypted_challenge_indicator
213              (String.)  Specifies the authentication indicator value that the
214              KDC asserts into tickets obtained using FAST encrypted challenge
215              pre-authentication.  New in 1.16.
216
217       host_based_services
218              (Whitespace-  or  comma-separated  list.)   Lists services which
219              will get host-based referral processing even if the server prin‐
220              cipal is not marked as host-based by the client.
221
222       iprop_enable
223              (Boolean  value.)  Specifies whether incremental database propa‐
224              gation is enabled.  The default value is false.
225
226       iprop_master_ulogsize
227              (Integer.)  Specifies the maximum number of log  entries  to  be
228              retained  for  incremental  propagation.   The  default value is
229              1000.  Prior to release 1.11, the maximum value was 2500.
230
231       iprop_replica_poll
232              (Delta time string.)  Specifies how often the replica KDC  polls
233              for  new updates from the master.  The default value is 2m (that
234              is, two minutes).  New in release 1.17.
235
236       iprop_slave_poll
237              (Delta time string.)  The name for iprop_replica_poll  prior  to
238              release   1.17.    Its   value   is   used   as  a  fallback  if
239              iprop_replica_poll is not specified.
240
241       iprop_listen
242              (Whitespace- or comma-separated list.)  Specifies the iprop  RPC
243              listening  addresses  and/or  ports  for  the kadmind(8) daemon.
244              Each entry may be an interface address, a  port  number,  or  an
245              address  and  port  number separated by a colon.  If the address
246              contains colons, enclose it in square brackets.  If  no  address
247              is specified, the wildcard address is used.  If kadmind fails to
248              bind to any of the specified addresses, it will fail  to  start.
249              The  default (when iprop_enable is true) is to bind to the wild‐
250              card address at  the  port  specified  in  iprop_port.   New  in
251              release 1.15.
252
253       iprop_port
254              (Port  number.)  Specifies the port number to be used for incre‐
255              mental propagation.  When iprop_enable is true, this relation is
256              required  in  the replica KDC configuration file, and this rela‐
257              tion or iprop_listen is required  in  the  master  configuration
258              file,  as  there is no default port number.  Port numbers speci‐
259              fied in iprop_listen entries will override this port number  for
260              the kadmind(8) daemon.
261
262       iprop_resync_timeout
263              (Delta time string.)  Specifies the amount of time to wait for a
264              full propagation to complete.  This is optional in configuration
265              files, and is used by replica KDCs only.  The default value is 5
266              minutes (5m).  New in release 1.11.
267
268       iprop_logfile
269              (File name.)  Specifies where the update log file for the  realm
270              database  is  to  be  stored.   The  default is to use the data‐
271              base_name entry from the realms section of the krb5 config file,
272              with .ulog appended.  (NOTE: If database_name isn't specified in
273              the realms section, perhaps because the LDAP database  back  end
274              is  being used, or the file name is specified in the [dbmodules]
275              section, then the hard-coded default for database_name is  used.
276              Determination  of  the  iprop_logfile default value will not use
277              values from the [dbmodules] section.)
278
279       kadmind_listen
280              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
281              listening  addresses  and/or  ports  for  the kadmind(8) daemon.
282              Each entry may be an interface address, a  port  number,  or  an
283              address  and  port  number separated by a colon.  If the address
284              contains colons, enclose it in square brackets.  If  no  address
285              is specified, the wildcard address is used.  If kadmind fails to
286              bind to any of the specified addresses, it will fail  to  start.
287              The default is to bind to the wildcard address at the port spec‐
288              ified in kadmind_port, or the standard kadmin port  (749).   New
289              in release 1.15.
290
291       kadmind_port
292              (Port  number.)  Specifies the port on which the kadmind(8) dae‐
293              mon is to listen for this realm.  Port numbers specified in kad‐
294              mind_listen   entries  will  override  this  port  number.   The
295              assigned port for kadmind is 749, which is used by default.
296
297       key_stash_file
298              (String.)  Specifies the location where the master key has  been
299              stored   (via   kdb5_util  stash).   The  default  is  /var/ker‐
300              beros/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
301
302       kdc_listen
303              (Whitespace- or comma-separated list.)  Specifies the  UDP  lis‐
304              tening  addresses  and/or ports for the krb5kdc(8) daemon.  Each
305              entry may be an interface address, a port number, or an  address
306              and  port  number separated by a colon.  If the address contains
307              colons, enclose it in square brackets.  If no address is  speci‐
308              fied,  the  wildcard  address is used.  If no port is specified,
309              the standard port (88) is used.  If the KDC daemon fails to bind
310              to  any  of the specified addresses, it will fail to start.  The
311              default is to bind to the wildcard address on the standard port.
312              New in release 1.15.
313
314       kdc_ports
315              (Whitespace-  or  comma-separated  list,  deprecated.)  Prior to
316              release 1.15, this relation lists the ports for  the  krb5kdc(8)
317              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
318              later, it has the same meaning as kdc_listen if that relation is
319              not defined.
320
321       kdc_tcp_listen
322              (Whitespace-  or  comma-separated list.)  Specifies the TCP lis‐
323              tening addresses and/or ports for the krb5kdc(8)  daemon.   Each
324              entry  may be an interface address, a port number, or an address
325              and port number separated by a colon.  If the  address  contains
326              colons,  enclose it in square brackets.  If no address is speci‐
327              fied, the wildcard address is used.  If no  port  is  specified,
328              the  standard  port  (88) is used.  To disable listening on TCP,
329              set this relation to the empty string with kdc_tcp_listen =  "".
330              If  the  KDC  daemon  fails  to  bind  to  any  of the specified
331              addresses, it will fail to start.  The default is to bind to the
332              wildcard address on the standard port.  New in release 1.15.
333
334       kdc_tcp_ports
335              (Whitespace-  or  comma-separated  list,  deprecated.)  Prior to
336              release 1.15, this relation lists the ports for  the  krb5kdc(8)
337              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
338              later, it has the same meaning as kdc_tcp_listen if  that  rela‐
339              tion is not defined.
340
341       kpasswd_listen
342              (Comma-separated   list.)    Specifies   the  kpasswd  listening
343              addresses and/or ports for the kadmind(8)  daemon.   Each  entry
344              may  be  an  interface address, a port number, or an address and
345              port number separated by  a  colon.   If  the  address  contains
346              colons,  enclose it in square brackets.  If no address is speci‐
347              fied, the wildcard address is used.  If kadmind fails to bind to
348              any  of  the  specified  addresses,  it will fail to start.  The
349              default is to bind to the wildcard address at the port specified
350              in  kpasswd_port,  or  the  standard kpasswd port (464).  New in
351              release 1.15.
352
353       kpasswd_port
354              (Port number.)  Specifies the port on which the kadmind(8)  dae‐
355              mon  is  to  listen for password change requests for this realm.
356              Port numbers specified in kpasswd_listen entries  will  override
357              this  port  number.   The  assigned  port  for  password  change
358              requests is 464, which is used by default.
359
360       master_key_name
361              (String.)  Specifies the name of the principal  associated  with
362              the master key.  The default is K/M.
363
364       master_key_type
365              (Key  type  string.)   Specifies the master key's key type.  The
366              default value for this is aes256-cts-hmac-sha1-96.  For  a  list
367              of all possible values, see Encryption types.
368
369       max_life
370              (duration  string.)  Specifies the maximum time period for which
371              a ticket may be valid in this realm.  The default  value  is  24
372              hours.
373
374       max_renewable_life
375              (duration  string.)   Specifies  the  maximum time period during
376              which a valid ticket may be renewed in this realm.  The  default
377              value is 0.
378
379       no_host_referral
380              (Whitespace-  or comma-separated list.)  Lists services to block
381              from getting host-based referral processing, even if the  client
382              marks  the server principal as host-based or the service is also
383              listed in host_based_services.  no_host_referral = *  will  dis‐
384              able referral processing altogether.
385
386       reject_bad_transit
387              (Boolean value.)  If set to true, the KDC will check the list of
388              transited realms for cross-realm  tickets  against  the  transit
389              path  computed  from  the realm names and the capaths section of
390              its krb5.conf(5) file; if the path in the ticket  to  be  issued
391              contains  any  realms  not in the computed path, the ticket will
392              not be issued, and an error  will  be  returned  to  the  client
393              instead.   If  this  value is set to false, such tickets will be
394              issued anyways, and it will be left up to the application server
395              to validate the realm transit path.
396
397              If  the  disable-transited-check  flag  is  set  in the incoming
398              request, this  check  is  not  performed  at  all.   Having  the
399              reject_bad_transit  option will cause such ticket requests to be
400              rejected always.
401
402              This transit path checking  and  config  file  option  currently
403              apply only to TGS requests.
404
405              The default value is true.
406
407       restrict_anonymous_to_tgt
408              (Boolean  value.)   If  set  to true, the KDC will reject ticket
409              requests from anonymous principals to service  principals  other
410              than  the  realm's  ticket-granting service.  This option allows
411              anonymous PKINIT to be enabled for use  as  FAST  armor  tickets
412              without  allowing  anonymous  authentication  to  services.  The
413              default value is false.  New in release 1.9.
414
415       spake_preauth_indicator
416              (String.)  Specifies an authentication indicator value that  the
417              KDC  asserts  into  tickets obtained using SPAKE pre-authentica‐
418              tion.  The default is not to add any  indicators.   This  option
419              may be specified multiple times.  New in release 1.17.
420
421       supported_enctypes
422              (List of key:salt strings.)  Specifies the default key/salt com‐
423              binations of principals for this realm.  Any principals  created
424              through  kadmin(1)  will  have keys of these types.  The default
425              value   for   this   tag    is    aes256-cts-hmac-sha1-96:normal
426              aes128-cts-hmac-sha1-96:normal.   For  lists of possible values,
427              see Keysalt lists.
428
429   [dbdefaults]
430       The [dbdefaults] section specifies default  values  for  some  database
431       parameters, to be used if the [dbmodules] subsection does not contain a
432       relation for the tag.  See the [dbmodules] section for the  definitions
433       of these relations.
434
435       · ldap_kerberos_container_dn
436
437       · ldap_kdc_dn
438
439       · ldap_kdc_sasl_authcid
440
441       · ldap_kdc_sasl_authzid
442
443       · ldap_kdc_sasl_mech
444
445       · ldap_kdc_sasl_realm
446
447       · ldap_kadmind_dn
448
449       · ldap_kadmind_sasl_authcid
450
451       · ldap_kadmind_sasl_authzid
452
453       · ldap_kadmind_sasl_mech
454
455       · ldap_kadmind_sasl_realm
456
457       · ldap_service_password_file
458
459       · ldap_conns_per_server
460
461   [dbmodules]
462       The  [dbmodules]  section  contains parameters used by the KDC database
463       library and database modules.  Each tag in the [dbmodules]  section  is
464       the  name  of a Kerberos realm or a section name specified by a realm's
465       database_module parameter.  The following example shows how  to  define
466       one database parameter for the ATHENA.MIT.EDU realm:
467
468          [dbmodules]
469              ATHENA.MIT.EDU = {
470                  disable_last_success = true
471              }
472
473       The following tags may be specified in a [dbmodules] subsection:
474
475       database_name
476              This  DB2-specific tag indicates the location of the database in
477              the filesystem.  The default is /var/kerberos/krb5kdc/principal.
478
479       db_library
480              This tag indicates the name of  the  loadable  database  module.
481              The  value  should be db2 for the DB2 module, klmdb for the LMDB
482              module, or kldap for the LDAP module.
483
484       disable_last_success
485              If set to true, suppresses KDC updates to the  "Last  successful
486              authentication"  field of principal entries requiring preauthen‐
487              tication.  Setting this flag may improve performance.   (Princi‐
488              pal  entries which do not require preauthentication never update
489              the "Last successful authentication" field.).  First  introduced
490              in release 1.9.
491
492       disable_lockout
493              If  set  to  true,  suppresses  KDC  updates to the "Last failed
494              authentication" and "Failed password attempts" fields of princi‐
495              pal  entries requiring preauthentication.  Setting this flag may
496              improve performance, but also disables account  lockout.   First
497              introduced in release 1.9.
498
499       ldap_conns_per_server
500              This LDAP-specific tag indicates the number of connections to be
501              maintained per LDAP server.
502
503       ldap_kdc_dn and ldap_kadmind_dn
504              These LDAP-specific tags indicate the default DN for binding  to
505              the  LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn, while
506              the kadmind(8) daemon  and  other  administrative  programs  use
507              ldap_kadmind_dn.   The  kadmind  DN must have the rights to read
508              and write the Kerberos data in the LDAP database.   The  KDC  DN
509              must  have  the  same  rights,  unless  disable_lockout and dis‐
510              able_last_success are true, in which case it only needs to  have
511              rights  to  read the Kerberos data.  These tags are ignored if a
512              SASL mechanism  is  set  with  ldap_kdc_sasl_mech  or  ldap_kad‐
513              mind_sasl_mech.
514
515       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
516              These  LDAP-specific  tags  specify  the SASL mechanism (such as
517              EXTERNAL) to use when  binding  to  the  LDAP  server.   New  in
518              release 1.13.
519
520       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
521              These  LDAP-specific  tags specify the SASL authentication iden‐
522              tity to use when binding to the LDAP server.  Not all SASL mech‐
523              anisms  require  an authentication identity.  If the SASL mecha‐
524              nism requires a secret (such as the  password  for  DIGEST-MD5),
525              these tags also determine the name within the ldap_service_pass‐
526              word_file where the secret is stashed.  New in release 1.13.
527
528       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
529              These LDAP-specific tags specify the SASL authorization identity
530              to  use  when binding to the LDAP server.  In most circumstances
531              they do not need to be specified.  New in release 1.13.
532
533       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
534              These LDAP-specific tags specify the  SASL  realm  to  use  when
535              binding  to  the LDAP server.  In most circumstances they do not
536              need to be set.  New in release 1.13.
537
538       ldap_kerberos_container_dn
539              This LDAP-specific tag indicates the DN of the container  object
540              where the realm objects will be located.
541
542       ldap_servers
543              This  LDAP-specific  tag indicates the list of LDAP servers that
544              the Kerberos servers can connect to.  The list of  LDAP  servers
545              is whitespace-separated.  The LDAP server is specified by a LDAP
546              URI.  It is recommended to use ldapi: or ldaps: URLs to  connect
547              to the LDAP server.
548
549       ldap_service_password_file
550              This LDAP-specific tag indicates the file containing the stashed
551              passwords  (created  by  kdb5_ldap_util  stashsrvpw)   for   the
552              ldap_kdc_dn    and   ldap_kadmind_dn   objects,   or   for   the
553              ldap_kdc_sasl_authcid  or  ldap_kadmind_sasl_authcid  names  for
554              SASL authentication.  This file must be kept secure.
555
556       mapsize
557              This  LMDB-specific  tag  indicates  the maximum size of the two
558              database environments in megabytes.  The default value  is  128.
559              Increase  this  value  to  address  "Environment  mapsize  limit
560              reached" errors.  New in release 1.17.
561
562       max_readers
563              This LMDB-specific tag indicates the maximum number  of  concur‐
564              rent  reading processes for the databases.  The default value is
565              128.  New in release 1.17.
566
567       nosync This LMDB-specific tag can be set to improve the  throughput  of
568              kadmind and other administrative agents, at the expense of dura‐
569              bility (recent database changes may not survive a  power  outage
570              or  other  sudden reboot).  It does not affect the throughput of
571              the KDC.  The default value is false.  New in release 1.17.
572
573       unlockiter
574              If set to true, this DB2-specific tag  causes  iteration  opera‐
575              tions to release the database lock while processing each princi‐
576              pal.  Setting this flag to true can prevent extended blocking of
577              KDC  or  kadmin  operations when dumps of large databases are in
578              progress.  First introduced in release 1.13.
579
580       The following tag may be specified directly in the [dbmodules]  section
581       to control where database modules are loaded from:
582
583       db_module_dir
584              This  tag  controls  where  the plugin system looks for database
585              modules.  The value should be an absolute path.
586
587   [logging]
588       The [logging] section indicates how krb5kdc(8) and  kadmind(8)  perform
589       logging.  It may contain the following relations:
590
591       admin_server
592              Specifies how kadmind(8) performs logging.
593
594       kdc    Specifies how krb5kdc(8) performs logging.
595
596       default
597              Specifies  how  either daemon performs logging in the absence of
598              relations specific to the daemon.
599
600       debug  (Boolean  value.)   Specifies  whether  debugging  messages  are
601              included  in  log outputs other than SYSLOG.  Debugging messages
602              are always included in the system log output because syslog per‐
603              forms  its  own priority filtering.  The default value is false.
604              New in release 1.15.
605
606       Logging specifications may have the following forms:
607
608       FILE=filename or FILE:filename
609              This value causes the daemon's logging messages  to  go  to  the
610              filename.   If  the = form is used, the file is overwritten.  If
611              the : form is used, the file is appended to.
612
613       STDERR This value causes the daemon's logging messages  to  go  to  its
614              standard error stream.
615
616       CONSOLE
617              This  value  causes  the  daemon's logging messages to go to the
618              console, if the system supports it.
619
620       DEVICE=<devicename>
621              This causes the daemon's logging messages to go to the specified
622              device.
623
624       SYSLOG[:severity[:facility]]
625              This  causes  the  daemon's logging messages to go to the system
626              log.
627
628              For backward compatibility, a severity argument  may  be  speci‐
629              fied,  and  must  be  specified  in order to specify a facility.
630              This argument will be ignored.
631
632              The facility argument specifies the  facility  under  which  the
633              messages  are  logged.  This may be any of the following facili‐
634              ties supported by the syslog(3)  call  minus  the  LOG_  prefix:
635              KERN,  USER,  MAIL,  DAEMON,  AUTH,  LPR,  NEWS, UUCP, CRON, and
636              LOCAL0 through LOCAL7.  If no facility is specified, the default
637              is AUTH.
638
639       In  the following example, the logging messages from the KDC will go to
640       the console and to the system log under the  facility  LOG_DAEMON,  and
641       the logging messages from the administrative server will be appended to
642       the file /var/adm/kadmin.log and sent to the device /dev/tty04.
643
644          [logging]
645              kdc = CONSOLE
646              kdc = SYSLOG:INFO:DAEMON
647              admin_server = FILE:/var/adm/kadmin.log
648              admin_server = DEVICE=/dev/tty04
649
650       If no logging specification is given, the default is to use syslog.  To
651       disable logging entirely, specify default = DEVICE=/dev/null.
652
653   [otp]
654       Each  subsection  of  [otp] is the name of an OTP token type.  The tags
655       within the subsection define the configuration required  to  forward  a
656       One Time Password request to a RADIUS server.
657
658       For each token type, the following tags may be specified:
659
660       server This  is  the server to send the RADIUS request to.  It can be a
661              hostname with optional port, an ip address with  optional  port,
662              or  a  Unix  domain  socket  address.   The default is /var/ker‐
663              beros/krb5kdc/<name>.socket.
664
665       secret This  tag  indicates  a  filename  (which  may  be  relative  to
666              /var/kerberos/krb5kdc) containing the secret used to encrypt the
667              RADIUS packets.  The secret should appear in the first  line  of
668              the  file by itself; leading and trailing whitespace on the line
669              will be removed.  If the value of server is a Unix domain socket
670              address,  this tag is optional, and an empty secret will be used
671              if it is not specified.  Otherwise, this tag is required.
672
673       timeout
674              An integer which specifies the time in seconds during which  the
675              KDC  should  attempt  to contact the RADIUS server.  This tag is
676              the total time across all retries and should be  less  than  the
677              time  which  an  OTP  value remains valid for.  The default is 5
678              seconds.
679
680       retries
681              This tag specifies the number of retries to make to  the  RADIUS
682              server.  The default is 3 retries (4 tries).
683
684       strip_realm
685              If  this  tag  is  true, the principal without the realm will be
686              passed to the RADIUS  server.   Otherwise,  the  realm  will  be
687              included.  The default value is true.
688
689       indicator
690              This tag specifies an authentication indicator to be included in
691              the ticket if this token type is  used  to  authenticate.   This
692              option may be specified multiple times.  (New in release 1.14.)
693
694       In the following example, requests are sent to a remote server via UDP:
695
696          [otp]
697              MyRemoteTokenType = {
698                  server = radius.mydomain.com:1812
699                  secret = SEmfiajf42$
700                  timeout = 15
701                  retries = 5
702                  strip_realm = true
703              }
704
705       An  implicit  default  token type named DEFAULT is defined for when the
706       per-principal configuration does not specify a token type.  Its config‐
707       uration  is shown below.  You may override this token type to something
708       applicable for your situation:
709
710          [otp]
711              DEFAULT = {
712                  strip_realm = false
713              }
714

PKINIT OPTIONS

716       NOTE:
717          The following are pkinit-specific  options.   These  values  may  be
718          specified   in   [kdcdefaults]  as  global  defaults,  or  within  a
719          realm-specific subsection of [realms].  Also note that a  realm-spe‐
720          cific  value  over-rides,  does  not add to, a generic [kdcdefaults]
721          specification.  The search order is:
722
723       1. realm-specific subsection of [realms]:
724
725             [realms]
726                 EXAMPLE.COM = {
727                     pkinit_anchors = FILE:/usr/local/example.com.crt
728                 }
729
730       2. generic value in the [kdcdefaults] section:
731
732             [kdcdefaults]
733                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
734
735       For information about the syntax of some of these options, see Specify‐
736       ing PKINIT identity information in krb5.conf(5).
737
738       pkinit_anchors
739              Specifies  the  location  of  trusted anchor (root) certificates
740              which the KDC trusts to sign client certificates.   This  option
741              is  required  if  pkinit  is  to  be supported by the KDC.  This
742              option may be specified multiple times.
743
744       pkinit_dh_min_bits
745              Specifies the minimum number of  bits  the  KDC  is  willing  to
746              accept for a client's Diffie-Hellman key.  The default is 2048.
747
748       pkinit_allow_upn
749              Specifies  that the KDC is willing to accept client certificates
750              with the Microsoft UserPrincipalName (UPN)  Subject  Alternative
751              Name  (SAN).   This means the KDC accepts the binding of the UPN
752              in the certificate to the Kerberos principal name.  The  default
753              value is false.
754
755              Without  this option, the KDC will only accept certificates with
756              the id-pkinit-san as defined in RFC 4556.  There is currently no
757              option to disable SAN checking in the KDC.
758
759       pkinit_eku_checking
760              This  option  specifies what Extended Key Usage (EKU) values the
761              KDC is willing to accept in  client  certificates.   The  values
762              recognized in the kdc.conf file are:
763
764              kpClientAuth
765                     This  is the default value and specifies that client cer‐
766                     tificates must have  the  id-pkinit-KPClientAuth  EKU  as
767                     defined in RFC 4556.
768
769              scLogin
770                     If scLogin is specified, client certificates with the Mi‐
771                     crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will  be
772                     accepted.
773
774              none   If  none  is specified, then client certificates will not
775                     be checked to verify they have an  acceptable  EKU.   The
776                     use of this option is not recommended.
777
778       pkinit_identity
779              Specifies  the location of the KDC's X.509 identity information.
780              This option is required if pkinit is to be supported by the KDC.
781
782       pkinit_indicator
783              Specifies an authentication indicator to include in  the  ticket
784              if pkinit is used to authenticate.  This option may be specified
785              multiple times.  (New in release 1.14.)
786
787       pkinit_pool
788              Specifies the location of intermediate certificates which may be
789              used  by  the KDC to complete the trust chain between a client's
790              certificate and a trusted anchor.  This option may be  specified
791              multiple times.
792
793       pkinit_revoke
794              Specifies  the  location  of  Certificate  Revocation List (CRL)
795              information to be used by the KDC when verifying the validity of
796              client  certificates.   This  option  may  be specified multiple
797              times.
798
799       pkinit_require_crl_checking
800              The default certificate verification process will  always  check
801              the available revocation information to see if a certificate has
802              been revoked.  If a match is found for the certificate in a CRL,
803              verification  fails.   If  the certificate being verified is not
804              listed in a CRL, or there is no CRL present for its issuing  CA,
805              and pkinit_require_crl_checking is false, then verification suc‐
806              ceeds.
807
808              However, if pkinit_require_crl_checking is true and there is  no
809              CRL  information available for the issuing CA, then verification
810              fails.
811
812              pkinit_require_crl_checking should be set to true if the  policy
813              is such that up-to-date CRLs must be present for every CA.
814
815       pkinit_require_freshness
816              Specifies  whether  to  require  clients  to include a freshness
817              token in PKINIT requests.  The default value is false.  (New  in
818              release 1.17.)
819

ENCRYPTION TYPES

821       Any  tag in the configuration files which requires a list of encryption
822       types can be set to some combination of the following strings.  Encryp‐
823       tion  types  marked  as  "weak" are available for compatibility but not
824       recommended for use.
825
826             ┌───────────────────────────┬─────────────────────────────┐
827             │aes256-cts-hmac-sha1-96    │ AES-256   CTS   mode  with  │
828             │aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
829             ├───────────────────────────┼─────────────────────────────┤
830             │aes128-cts-hmac-sha1-96    │ AES-128   CTS   mode  with  │
831             │aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
832             ├───────────────────────────┼─────────────────────────────┤
833             │aes256-cts-hmac-sha384-192 │ AES-256   CTS   mode  with  │
834             │aes256-sha2                │ 192-bit SHA-384 HMAC        │
835             ├───────────────────────────┼─────────────────────────────┤
836             │aes128-cts-hmac-sha256-128 │ AES-128   CTS   mode  with  │
837             │aes128-sha2                │ 128-bit SHA-256 HMAC        │
838             ├───────────────────────────┼─────────────────────────────┤
839             │arcfour-hmac rc4-hmac arc‐ │ RC4 with HMAC/MD5           │
840             │four-hmac-md5              │                             │
841             └───────────────────────────┴─────────────────────────────┘
842
843
844
845
846             │arcfour-hmac-exp           │ Exportable     RC4    with  │
847             │rc4-hmac-exp          arc‐ │ HMAC/MD5 (weak)             │
848             │four-hmac-md5-exp          │                             │
849             ├───────────────────────────┼─────────────────────────────┤
850             │camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
851             │camellia256-cts            │ CMAC                        │
852             ├───────────────────────────┼─────────────────────────────┤
853             │camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
854             │camellia128-cts            │ CMAC                        │
855             ├───────────────────────────┼─────────────────────────────┤
856             │aes                        │ The      AES       family:  │
857             │                           │ aes256-cts-hmac-sha1-96,    │
858             │                           │ aes128-cts-hmac-sha1-96,    │
859             │                           │ aes256-cts-hmac-sha384-192, │
860             │                           │ and                         │
861             │                           │ aes128-cts-hmac-sha256-128  │
862             ├───────────────────────────┼─────────────────────────────┤
863             │rc4                        │ The    RC4   family:   arc‐ │
864             │                           │ four-hmac                   │
865             ├───────────────────────────┼─────────────────────────────┤
866             │camellia                   │ The Camellia family: camel‐ │
867             │                           │ lia256-cts-cmac  and camel‐ │
868             │                           │ lia128-cts-cmac             │
869             └───────────────────────────┴─────────────────────────────┘
870
871       The string DEFAULT can be used to refer to the default set of types for
872       the  variable  in  question.  Types or families can be removed from the
873       current list by prefixing them with a minus sign ("-").  Types or fami‐
874       lies  can  be  prefixed with a plus sign ("+") for symmetry; it has the
875       same meaning as just listing the type or family.  For example, "DEFAULT
876       -rc4"  would  be  the  default  set  of encryption types with RC4 types
877       removed, and "aes128-sha2 DEFAULT" would be the default set of  encryp‐
878       tion types with aes128-sha2 moved to the front.
879
880       While  aes128-cts  and aes256-cts are supported for all Kerberos opera‐
881       tions, they are not supported by very old versions of our GSSAPI imple‐
882       mentation  (krb5-1.3.1 and earlier).  Services running versions of krb5
883       without AES support must not be given keys of these encryption types in
884       the KDC database.
885
886       The  aes128-sha2  and  aes256-sha2  encryption types are new in release
887       1.15.  Services running versions of  krb5  without  support  for  these
888       newer encryption types must not be given keys of these encryption types
889       in the KDC database.
890

KEYSALT LISTS

892       Kerberos keys for users are usually derived from  passwords.   Kerberos
893       commands  and  configuration  parameters that affect generation of keys
894       take lists of enctype-salttype  ("keysalt")  pairs,  known  as  keysalt
895       lists.   Each  keysalt  pair  is an enctype name followed by a salttype
896       name, in the format enc:salt.  Individual keysalt list members are sep‐
897       arated by comma (",") characters or space characters.  For example:
898
899          kadmin -e aes256-cts:normal,aes128-cts:normal
900
901       would  start  up  kadmin  so  that  by  default it would generate pass‐
902       word-derived keys for the aes256-cts and aes128-cts  encryption  types,
903       using a normal salt.
904
905       To  ensure that people who happen to pick the same password do not have
906       the same key, Kerberos 5 incorporates more  information  into  the  key
907       using  something  called  a salt.  The supported salt types are as fol‐
908       lows:
909
910                      ┌──────────┬────────────────────────────┐
911                      │normal    │ default for Kerberos  Ver‐ │
912                      │          │ sion 5                     │
913                      ├──────────┼────────────────────────────┤
914                      │norealm   │ same as the default, with‐ │
915                      │          │ out using  realm  informa‐ │
916                      │          │ tion                       │
917                      └──────────┴────────────────────────────┘
918
919                      │onlyrealm │ uses  only  realm informa‐ │
920                      │          │ tion as the salt           │
921                      ├──────────┼────────────────────────────┤
922                      │special   │ generate a random salt     │
923                      └──────────┴────────────────────────────┘
924

SAMPLE KDC.CONF FILE

926       Here's an example of a kdc.conf file:
927
928          [kdcdefaults]
929              kdc_listen = 88
930              kdc_tcp_listen = 88
931          [realms]
932              ATHENA.MIT.EDU = {
933                  kadmind_port = 749
934                  max_life = 12h 0m 0s
935                  max_renewable_life = 7d 0h 0m 0s
936                  master_key_type = aes256-cts-hmac-sha1-96
937                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
938                  database_module = openldap_ldapconf
939              }
940
941          [logging]
942              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
943              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
944
945          [dbdefaults]
946              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
947
948          [dbmodules]
949              openldap_ldapconf = {
950                  db_library = kldap
951                  disable_last_success = true
952                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
953                      # this object needs to have read rights on
954                      # the realm container and principal subtrees
955                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
956                      # this object needs to have read and write rights on
957                      # the realm container and principal subtrees
958                  ldap_service_password_file = /etc/kerberos/service.keyfile
959                  ldap_servers = ldaps://kerberos.mit.edu
960                  ldap_conns_per_server = 5
961              }
962

FILES

964       /var/kerberos/krb5kdc/kdc.conf
965

SEE ALSO

967       krb5.conf(5), krb5kdc(8), kadm5.acl(5)
968

AUTHOR

970       MIT
971
973       1985-2020, MIT
974
975
976
977
9781.18                                                               KDC.CONF(5)
Impressum