kdc.conf(4)                      File Formats                      kdc.conf(4)

NAME
     kdc.conf - Key Distribution Center (KDC) configuration file

SYNOPSIS
     /etc/krb5/kdc.conf

DESCRIPTION
     The kdc.conf file contains KDC configuration information, including
     defaults used when issuing Kerberos tickets. This file must reside on
     all KDC servers. After you make any changes to the kdc.conf file, stop
     and restart the krb5kdc daemon on the KDC for the changes to take
     effect.

     The format of the kdc.conf file consists of section headings in square
     brackets ([]). Each section contains zero or more configuration
     variables (called relations), of the form:

         relation = relation-value

     or

         relation-subsection = {
             relation = relation-value
             relation = relation-value
         }

     The kdc.conf file contains one or more of the following three sections:

     kdcdefaults
           Contains default values for the overall behavior of the KDC.

     realms
           Contains subsections for Kerberos realms, where relation-subsection
           is the name of a realm. Each subsection contains relations that
           define KDC properties for that particular realm, including where
           to find the Kerberos servers for that realm.

     logging
           Contains relations that determine how Kerberos programs perform
           logging.

   The kdcdefaults Section
     The following relations can be defined in the [kdcdefaults] section:

     kdc_ports
           This relation lists the UDP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any UDP port. If this relation is not specified, the
           Kerberos server listens on port 750 and port 88.

     kdc_tcp_ports
           This relation lists the TCP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any TCP port. If this relation is not specified, the
           Kerberos server listens on the kdc TCP port specified in
           /etc/services. If this port is not found in /etc/services, the
           Kerberos server defaults to listening on TCP port 88.

     kdc_max_tcp_connections
           This relation controls the maximum number of TCP connections the
           KDC allows. The minimum value is 10. If this relation is not
           specified, the Kerberos server allows a maximum of 30 TCP
           connections.

   The realms Section
     This section contains subsections for Kerberos realms, where
     relation-subsection is the name of a realm. Each subsection contains
     relations that define KDC properties for that particular realm.

     The following relations can be specified in each subsection:

     acl_file
           (string) Location of the Kerberos V5 access control list (ACL)
           file that kadmin uses to determine the privileges allowed to each
           principal on the database. The default location is
           /etc/krb5/kadm5.acl.

     admin_keytab
           (string) Location of the keytab file that kadmin uses to
           authenticate to the database. The default location is
           /etc/krb5/kadm5.keytab.

     database_name
           (string) Location of the Kerberos database for this realm. The
           default location is /var/krb5/principal.

     default_principal_expiration
           (absolute time string) The default expiration date of principals
           created in this realm. See the Time Format section in kinit(1) for
           the valid absolute time formats you can use for
           default_principal_expiration.

     default_principal_flags
           (flag string) The default attributes of principals created in this
           realm. Some of these flags are better set on an individual
           principal basis through the attribute modifiers of the kadmin
           command when creating and modifying principals. However, some of
           these options can be applied to all principals in the realm by
           adding them to the list of flags associated with this relation.

           A "flag string" is a list of one or more of the flags listed
           below, each preceded by a plus (+) or minus (-) character,
           indicating that the flag that follows should be enabled or
           disabled, respectively.

           Flags below marked with an asterisk (*) are flags that are best
           applied on an individual principal basis through the kadmin or
           gkadmin interface rather than as a blanket attribute applied to
           all principals.

           postdateable
                 Create postdateable tickets.

           forwardable
                 Create forwardable tickets.

           tgt-based
                 Allow TGT-based requests.

           renewable
                 Create renewable tickets.

           proxiable
                 Create proxiable tickets.

           dup-skey
                 Allow DUP_SKEY requests; this enables user-to-user
                 authentication.

           preauth
                 Require the use of pre-authentication data whenever
                 principals request TGTs.

           hwauth
                 Require the use of hardware-based pre-authentication data
                 whenever principals request TGTs.

           * allow-tickets
                 Allow tickets to be issued for all principals.

           * pwdchange
                 Require principals to change their password.

           * service
                 Enable or disable a service.

           * pwservice
                 Mark principals as password-changing principals.

           An example of default_principal_flags is shown in EXAMPLES, below.

     dict_file
           (string) Location of the dictionary file containing strings that
           are not allowed as passwords. A principal with any password policy
           is not allowed to select a password in the dictionary. The default
           location is /var/krb5/kadm5.dict.

     kadmind_port
           (port number) The port that the kadmind daemon is to listen on for
           this realm. The assigned port for kadmind is 749.

     key_stash_file
           (string) Location where the master key has been stored (by
           kdb5_util stash). The default location is /var/krb5/.k5.realm,
           where realm is the Kerberos realm.

     kdc_ports
           (string) The list of UDP ports that the KDC listens on for this
           realm. By default, the value of kdc_ports as specified in the
           [kdcdefaults] section is used.

     kdc_tcp_ports
           (string) The list of TCP ports that the KDC listens on (in
           addition to the UDP ports specified by kdc_ports) for this realm.
           By default, the value of kdc_tcp_ports as specified in the
           [kdcdefaults] section is used.

     master_key_name
           (string) The name of the master key.

     master_key_type
           (key type string) The master key's key type. This is used to
           determine the type of encryption that encrypts the entries in the
           principal db. des-cbc-crc, des3-cbc-md5, des3-cbc-sha1-kd,
           arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96,
           and aes256-cts-hmac-sha1-96 are supported at this time
           (des-cbc-crc is the default). If you set this to des3-cbc-sha1-kd,
           all systems that receive copies of the principal db, such as those
           running slave KDCs, must support des3-cbc-sha1-kd.

     max_life
           (delta time string) The maximum time period for which a ticket is
           valid in this realm. See the Time Format section in kinit(1) for
           the valid time duration formats you can use for max_life.

     max_renewable_life
           (delta time string) The maximum time period during which a valid
           ticket can be renewed in this realm. See the Time Format section
           in kinit(1) for the valid time duration formats you can use for
           max_renewable_life.

     sunw_dbprop_enable = [true | false]
           Enable or disable incremental database propagation. Default is
           false.

     sunw_dbprop_master_ulogsize = N
           Specifies the maximum number of log entries available for
           incremental propagation to the slave KDC servers. The maximum
           value that this can be is 2500 entries. Default value is 1000
           entries.

     sunw_dbprop_slave_poll = N[s, m, h]
           Specifies how often the slave KDC polls for new updates that the
           master might have. Default is 2m (two minutes).

     supported_enctypes
           List of key/salt strings. The default key/salt combinations of
           principals for this realm. The key is separated from the salt by a
           colon (:) or period (.). Multiple key/salt strings can be used by
           separating each string with a space. The salt is additional
           information encoded within the key that tells what kind of key it
           is. Only the normal salt is supported at this time, for example,
           des-cbc-crc:normal. If this relation is not specified, the default
           setting is:

               aes256-cts-hmac-sha1-96:normal \ (see note below)
               aes128-cts-hmac-sha1-96:normal \
               des3-cbc-sha1-kd:normal \
               arcfour-hmac-md5:normal \
               des-cbc-md5:normal

           Note -

             The unbundled Strong Cryptographic packages must be installed
             for the aes256-cts-hmac-sha1-96:normal enctype to be available
             for Kerberos.

     reject_bad_transit
           This boolean specifies whether the list of transited realms for
           cross-realm tickets should be checked against the transit path
           computed from the realm names and the [capaths] section of its
           krb5.conf(4) file.

           The default for reject_bad_transit is true.

   The logging Section
     This section indicates how Kerberos programs perform logging. The same
     relation can be repeated if you want to assign it multiple logging
     methods. The following relations can be defined in the [logging]
     section:

     kdc
           Specifies how the KDC is to perform its logging. The default is
           FILE:/var/krb5/kdc.log.

     admin_server
           Specifies how the administration server is to perform its logging.
           The default is FILE:/var/krb5/kadmin.log.

     default
           Specifies how to perform logging in the absence of explicit
           specifications.

     The [logging] relations can have the following values:

     FILE:filename

     or

     FILE=filename
           This value causes the entity's logging messages to go to the
           specified file. If the `=' form is used, the file is overwritten.
           If the `:' form is used, the file is appended to.

     STDERR
           This value sends the entity's logging messages to its standard
           error stream.

     CONSOLE
           This value sends the entity's logging messages to the console, if
           the system supports it.

     DEVICE=devicename
           This sends the entity's logging messages to the specified device.

     SYSLOG[:severity[:facility]]
           This sends the entity's logging messages to the system log.

           The severity argument specifies the default severity of system
           log messages. This default can be any of the following severities
           supported by the syslog(3C) call, minus the LOG_ prefix:
           LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE,
           LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would
           specify LOG_CRIT severity.

           The facility argument specifies the facility under which the
           messages are logged. This can be any of the following facilities
           supported by the syslog(3C) call, minus the LOG_ prefix: LOG_KERN,
           LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS,
           LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

           If no severity is specified, the default is ERR. If no facility is
           specified, the default is AUTH.

           In the following example, the logging messages from the KDC go to
           the console and to the system log under the facility LOG_DAEMON
           with a default severity of LOG_INFO; the logging messages from the
           administration server are appended to the
           /export/logging/kadmin.log file and sent to the /dev/tty04 device.

               [logging]
                   kdc = CONSOLE
                   kdc = SYSLOG:INFO:DAEMON
                   admin_server = FILE:/export/logging/kadmin.log
                   admin_server = DEVICE=/dev/tty04
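     As an added example (not from this man page or the KDC itself), the
     following Python decodes [logging] values as described above into their
     destinations, applying the documented defaults: append for FILE:,
     overwrite for FILE=, and severity ERR under facility AUTH when SYSLOG
     is given without arguments. The sample relations are constructed and
     mirror the example above; treating an empty SYSLOG component as
     "not specified" is an assumption.

```python
SYSLOG_SEVERITIES = {"EMERG", "ALERT", "CRIT", "ERR", "WARNING",
                     "NOTICE", "INFO", "DEBUG"}
SYSLOG_FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
                     "UUCP", "CRON"} | {"LOCAL%d" % i for i in range(8)}

def parse_logging_value(value):
    """Decode one [logging] value into a destination description, filling in
    the defaults the man page specifies (FILE: appends, FILE= overwrites,
    SYSLOG without arguments means severity ERR under facility AUTH)."""
    value = value.strip()
    if value in ("STDERR", "CONSOLE"):
        return {"type": value}
    if value.startswith("FILE:"):
        return {"type": "FILE", "path": value[5:], "open_mode": "a"}
    if value.startswith("FILE="):
        return {"type": "FILE", "path": value[5:], "open_mode": "w"}
    if value.startswith("DEVICE="):
        return {"type": "DEVICE", "path": value[7:]}
    parts = value.split(":")
    if parts[0] == "SYSLOG" and len(parts) <= 3:
        # Assumption: an empty component (e.g. "SYSLOG::DAEMON") counts as
        # unspecified and therefore takes the documented default.
        severity = parts[1] if len(parts) > 1 and parts[1] else "ERR"
        facility = parts[2] if len(parts) > 2 and parts[2] else "AUTH"
        if severity not in SYSLOG_SEVERITIES or facility not in SYSLOG_FACILITIES:
            raise ValueError("unsupported syslog severity/facility: %r" % value)
        return {"type": "SYSLOG", "severity": "LOG_" + severity,
                "facility": "LOG_" + facility}
    raise ValueError("unrecognized logging value: %r" % value)

# Constructed (entity, value) pairs mirroring the man page's [logging] example.
SAMPLE_LOGGING = [
    ("kdc", "CONSOLE"),
    ("kdc", "SYSLOG:INFO:DAEMON"),
    ("admin_server", "FILE:/export/logging/kadmin.log"),
    ("admin_server", "DEVICE=/dev/tty04"),
]

def logging_destinations(relations):
    """Group repeated relations: an entity may log to several destinations."""
    dests = {}
    for entity, value in relations:
        dests.setdefault(entity, []).append(parse_logging_value(value))
    return dests
```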

   PKINIT-specific Options
     The following are pkinit-specific options. These values can be
     specified in [kdcdefaults] as global defaults, or within a
     realm-specific subsection of [realms]. A realm-specific value
     overrides, and does not add to, a generic [kdcdefaults] specification.
     The search order is:

     1. realm-specific subsection of [realms]

            [realms]
                EXAMPLE.COM = {
                    pkinit_anchors = FILE:/usr/local/example.com.crt
                }

     2. generic value in the [kdcdefaults] section

            [kdcdefaults]
                pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

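     As an added example (not part of this man page or the Solaris KDC
     code), the following Python parses the relation and subsection syntax
     described under DESCRIPTION, applies the realm-overrides-[kdcdefaults]
     search order shown just above, resolves kdc_ports with its documented
     "0" and unset defaults, and decodes a default_principal_flags flag
     string. The sample configuration, realm name and anchor paths are
     constructed for illustration.

```python
import re

# Constructed sample; the realm name and anchor paths are illustrative only.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
[realms]
    EXAMPLE.COM = {
        kdc_ports = 0
        pkinit_anchors = FILE:/usr/local/example.com.crt
        default_principal_flags = +preauth,+forwardable,-postdateable
    }
"""

def parse_kdc_conf(text):
    """Return {section: {relation: [values] | {subsection relations}}}.
    Values are lists because a relation may be repeated (see [logging])."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("relation outside any section: %r" % raw)
        if line == "}":
            sub = None
            continue
        name, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            sub = section.setdefault(name, {})
        else:
            (sub if sub is not None else section).setdefault(name, []).append(value)
    return conf

def realm_or_default(conf, realm, relation):
    """Search order from the man page: the realm subsection first, then
    [kdcdefaults]; a realm value replaces, never extends, the default."""
    realm_sub = conf.get("realms", {}).get(realm, {})
    if relation in realm_sub:
        return realm_sub[relation]
    return conf.get("kdcdefaults", {}).get(relation, [])

def udp_ports(conf, realm):
    """kdc_ports: comma-separated integers; 0 means no UDP listener at all;
    unset means the documented defaults of 750 and 88."""
    values = realm_or_default(conf, realm, "kdc_ports")
    if not values:
        return [750, 88]
    ports = [int(p) for p in values[-1].split(",")]
    return [] if ports == [0] else ports

def parse_flag_string(flags):
    """'+preauth,+forwardable,-postdateable' -> {'preauth': True, ...}"""
    result = {}
    for item in re.split(r"[,\s]+", flags.strip()):
        if len(item) < 2 or item[0] not in "+-":
            raise ValueError("each flag needs a + or - prefix: %r" % item)
        result[item[1:]] = item[0] == "+"
    return result
```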
444
445 pkinit_identity = URI Specifies the location of the KDC's X.509
446 identity information. This option is required
447 if pkinit is supported by the KDC. Valid URI
448 types are FILE, DIR, PKCS11, PKCS12, and ENV.
449 See the PKINIT URI Types section for more
450 details.
451
452
453 pkinit_anchors = URI Specifies the location of trusted anchor
454 (root) certificates which the KDC trusts to
455 sign client certificates. This option is
456 required if pkinit is supported by the KDC.
457 This option can be specified multiple times.
458 Valid URI types are FILE and DIR. See the
459 PKINIT URI Types section for details.
460
461
462 pkinit_pool Specifies the location of intermediate cer‐
463 tificates which can be used by the KDC to com‐
464 plete the trust chain between a client's cer‐
465 tificate and a trusted anchor. This option can
466 be specified multiple times. Valid URI types
467 are FILE and DIR. See the PKINIT URI Types
468 section for more details.
469
470
471 pkinit_revoke Specifies the location of Certificate Revoca‐
472 tion List (CRL) information to be used by the
473 KDC when verifying the validity of client cer‐
474 tificates. This option can be specified multi‐
475 ple times. The default certificate verifica‐
476 tion process always checks the available revo‐
477 cation information to see if a certificate has
478 been revoked. If a match is found for the cer‐
479 tificate in a CRL, verification fails. If the
480 certificate being verified is not listed in a
481 CRL, or there is no CRL present for its issu‐
482 ing CA, and pkinit_require_crl_checking is
483 false, then verification succeeds. The only
484 valid URI types is DIR. See the PKINIT URI
485 Types section for more details. If
486 pkinit_require_crl_checking is true and there
487 is no CRL information available for the issu‐
488 ing CA, verification fails.
489 pkinit_require_crl_checking should be set to
490 true if the policy is such that up-to-date
491 CRLs must be present for every CA.
492
493
494 pkinit_dh_min_bits Specifies the minimum number of bits the KDC
495 is willing to accept for a client's Diffie-
496 Hellman key.
497
498
499 pkinit_allow_upn Specifies that the KDC is willing to accept
500 client certificates with the Microsoft User‐
501 PrincipalName (UPN) Subject Alternative Name
502 (SAN). This means the KDC accepts the binding
503 of the UPN in the certificate to the Kerberos
504 principal name.
505
506 The default is false.
507
508 Without this option, the KDC only accepts cer‐
509 tificates with the id-pkinit-san as defined in
510 RFC4556. There is currently no option to dis‐
511 able SAN checking in the KDC.
512
513
514 pkinit_eku_checking This option specifies what Extended Key Usage
515 (EKU) values the KDC is willing to accept in
516 client certificates. The values recognized in
517 the kdc.conf file are:
518
519 kpClientAuth This is the default value and
520 specifies that client certifi‐
521 cates must have the id-pkinit-
522 KPClientAuth EKU as defined in
523 RFC4556.
524
525
526 scLogin If scLogin is specified,
527 client certificates with the
528 Microsoft Smart Card Login EKU
529 (id-ms-kp-sc-logon) is
530 accepted.
531
532
533
534 PKINIT URI Types
535 FILE:file-name[,key-file-name]
536
537 This option has context-specific behavior.
538
539 pkinit_identity file-name specifies the name of a PEM-format
540 file containing the user's certificate. If key-
541 file-name is not specified, the user's private
542 key is expected to be in file-name as well. Oth‐
543 erwise, key-file-name is the name of the file
544 containing the private key.
545
546
547 pkinit_anchors file-name is assumed to be the name of an
548 pkinit_pool OpenSSL-style ca-bundle file. The ca-bundle file
549 should be base-64 encoded.
550
551
552
553 DIR:directory-name
554
555 This option has context-specific behavior.
556
557 pkinit_identity directory-name specifies a directory with files
558 named *.crt and *.key, where the first part of
559 the file name is the same for matching pairs of
560 certificate and private key files. When a file
561 with a name ending with .crt is found, a match‐
562 ing file ending with .key is assumed to contain
563 the private key. If no such file is found, then
564 the certificate in the .crt is not used.
565
566
567 pkinit_anchors directory-name is assumed to be an OpenSSL-style
568 pkinit_pool hashed CA directory where each CA cert is stored
569 in a file named hash-of-ca-cert.#. This infra‐
570 structure is encouraged, but all files in the
571 directory is examined and if they contain cer‐
572 tificates (in PEM format), they are used.
573
574
575 pkinit_revoke directory-name is assumed to be an OpenSSL-style
576 hashed CA directory where each revocation list
577 is stored in a file named hash-of-ca-cert.r#.
578 This infrastructure is encouraged, but all files
579 in the directory is examined and if they contain
580 a revocation list (in PEM format), they are
581 used.
582
583
584
585 PKCS12:pkcs12-file-name
586
587 pkcs12-file-name is the name of a PKCS #12 format file, containing
588 the user's certificate and private key.
589
590
591 PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certla‐
592 bel=cert-label]
593
594 All keyword/values are optional. PKCS11 modules (for example,
595 opensc-pkcs11.so) must be installed as a crypto provider under
596 libpkcs11(3LIB). slotid= and/or token= can be specified to force
597 the use of a particular smard card reader or token if there is more
598 than one available. certid= and/or certlabel= can be specified to
599 force the selection of a particular certificate on the device. See
600 the pkinit_cert_match configuration option for more ways to select
601 a particular certificate to use for pkinit.
602
603
604 ENV:environment-variable-name
605
606 environment-variable-name specifies the name of an environment
607 variable which has been set to a value conforming to one of the
608 previous values. For example, ENV:X509_PROXY, where environment
609 variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
610
611
613 Example 1 Sample kdc.conf File
614
615
616 The following is an example of a kdc.conf file:
617
618
619 [kdcdefaults]
620 kdc_ports = 88
621
622 [realms]
623 ATHENA.MIT.EDU = {
624 kadmind_port = 749
625 max_life = 10h 0m 0s
626 max_renewable_life = 7d 0h 0m 0s
627 default_principal_flags = +preauth,+forwardable,-postdateable
628 master_key_type = des-cbc-crc
629 supported_enctypes = des-cbc-crc:normal
630 }
631
632 [logging]
633 kdc = FILE:/export/logging/kdc.log
634 admin_server = FILE:/export/logging/kadmin.log
635
636
638 /etc/krb5/kadm5.acl
639
640 List of principals and their kadmin administrative privileges.
641
642
643 /etc/krb5/kadm5.keytab
644
645 Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and kad‐
646 min/changepw.
647
648
649 /var/krb5/principal
650
651 Kerberos principal database.
652
653
654 /var/krb5/principal.ulog
655
656 The update log file for incremental propagation.
657
658
659 /var/krb5/kadm5.dict
660
661 Dictionary of strings explicitly disallowed as passwords.
662
663
664 /var/krb5/kdc.log
665
666 KDC logging file.
667
668
669 /var/krb5/kadmin.log
670
671 Kerberos administration server logging file.
672
673
675 See attributes(5) for descriptions of the following attributes:
676
677
678
679
680 ┌─────────────────────────────┬─────────────────────────────┐
681 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
682 ├─────────────────────────────┼─────────────────────────────┤
683 │Availability │SUNWkdcu │
684 ├─────────────────────────────┼─────────────────────────────┤
685 │Interface Stability │See below. │
686 └─────────────────────────────┴─────────────────────────────┘
687
688
689 All of the keywords, except for the PKINIT keywords are Committed. The
690 PKINIT keywords are Volatile.
691
693 kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
694 kpropd(1M), libpkcs11(3LIB), syslog(3C), kadm5.acl(4), krb5.conf(4),
695 attributes(5), kerberos(5)
696
697
698
699SunOS 5.11 12 Nov 2008 kdc.conf(4)