KDC.CONF(5)                    File Formats Manual                   KDC.CONF(5)

NAME
       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION
       kdc.conf specifies per-realm configuration data to be used by the
       Kerberos V5 Authentication Service and Key Distribution Center
       (AS/KDC).  This includes database, key and per-realm defaults.

       The kdc.conf file uses the same format as the krb5.conf file.  For a
       basic description of the syntax, please refer to the krb5.conf
       description.

       The following sections are currently used in the kdc.conf file:

       [kdcdefaults]
              Contains parameters which control the overall behaviour of the
              KDC.

       [realms]
              Contains subsections keyed by Kerberos realm names which
              describe per-realm KDC parameters.

KDCDEFAULTS SECTION
       The following relations are defined in the [kdcdefaults] section:

       kdc_ports
              This relation lists the ports which the Kerberos server should
              listen on, by default.  This list is a comma separated list of
              integers.  If this relation is not specified, the compiled-in
              default is usually port 88 and port 750.

       kdc_tcp_ports
              This relation lists the ports on which the Kerberos server
              should listen for TCP connections by default.  This list is a
              comma separated list of integers.  If this relation is not
              specified, the compiled-in default is not to listen for TCP
              connections at all.

              If you wish to change this (which we do not recommend, because
              the current implementation has little protection against
              denial-of-service attacks), the standard port number assigned
              for Kerberos TCP traffic is port 88.

       v4_mode
              This string specifies how the KDC should respond to Kerberos IV
              packets.  Valid values for this relation are the same as the
              valid arguments to the -4 flag to krb5kdc.  If this relation is
              not specified, the compiled-in default of none is used.

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

REALMS SECTION
       Each tag in the [realms] section of the file names a Kerberos realm.
       The value of the tag is a subsection where the relations in that
       subsection define KDC parameters for that particular realm.

       For each realm, the following tags may be specified in the [realms]
       subsection:

       acl_file
              This string specifies the location of the access control list
              (acl) file that kadmin uses to determine which principals are
              allowed which permissions on the database.  The default value
              is /var/kerberos/krb5kdc/kadm5.acl.

       admin_keytab
              This string specifies the location of the keytab file that
              kadmin uses to authenticate to the database.  The default value
              is /var/kerberos/krb5kdc/kadm5.keytab.

       database_name
              This string specifies the location of the Kerberos database for
              this realm.

       default_principal_expiration
              This absolute time string specifies the default expiration date
              of principals created in this realm.

       default_principal_flags
              This flag string specifies the default attributes of principals
              created in this realm.  The format for the string is a
              comma-separated list of flags, with '+' before each flag to be
              enabled and '-' before each flag to be disabled.  The default
              is for postdateable, forwardable, tgt-based, renewable,
              proxiable, dup-skey, allow-tickets, and service to be enabled,
              and all others to be disabled.

              There are a number of possible flags:

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used to obtain the
                     TGT.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              dup-skey
                     Enabling this flag allows the principal to obtain a
                     session key for another user, permitting user-to-user
                     authentication for this principal.

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets
                     for this principal.  Disabling this flag essentially
                     deactivates the principal within this realm.

              preauth
                     If this flag is enabled on a client principal, then that
                     principal is required to preauthenticate to the KDC
                     before receiving any tickets.  On a service principal,
                     enabling this flag means that service tickets for this
                     principal will only be issued to clients with a TGT that
                     has the preauthenticated ticket set.

              hwauth If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, the user has to get tickets for that principal
                     to be able to change it without going through the normal
                     password authentication.

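       The following is an added example, not part of this man page or of
       MIT krb5, showing in Python how a default_principal_flags value such
       as "+preauth,-forwardable" resolves against the defaults listed above;
       the function and constant names are assumptions.

```python
# Added example, not from the kdc.conf man page or MIT krb5: resolve a
# default_principal_flags value such as "+preauth,-forwardable" against the
# documented defaults and report which attributes a new principal gets.

# Flags the man page says are enabled unless the relation disables them.
DEFAULT_ENABLED = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})
# Every flag name the relation may mention (assumed complete per the text).
KNOWN_FLAGS = DEFAULT_ENABLED | {"preauth", "hwauth", "pwchange", "pwservice"}


def apply_principal_flags(spec, base=DEFAULT_ENABLED):
    """Return the set of flags enabled after applying spec to base.

    spec is a comma-separated list; each entry starts with '+' (enable)
    or '-' (disable).  A missing sign or an unknown name raises ValueError
    so that a typo cannot silently leave a weaker policy than intended.
    """
    enabled = set(base)
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty value or a trailing comma
        sign, name = entry[0], entry[1:].strip()
        if sign not in ("+", "-") or name not in KNOWN_FLAGS:
            raise ValueError("bad default_principal_flags entry: %r" % entry)
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def is_valid_flag_spec(spec):
    """True if spec parses; useful for checking kdc.conf before a restart."""
    try:
        apply_principal_flags(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Require preauthentication and forbid forwardable tickets realm-wide.
    print(sorted(apply_principal_flags("+preauth,-forwardable")))
```

       Note that a realm-wide "-allow-tickets" would leave every newly
       created principal unable to obtain tickets until an administrator
       re-enables the flag.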

       dict_file
              This string specifies the location of the dictionary file
              containing strings that are not allowed as passwords.  If this
              tag is not set or if there is no policy assigned to the
              principal, then no check will be done.

       kadmind_port
              This port number specifies the port on which the kadmind daemon
              is to listen for this realm.

       kpasswd_port
              This port number specifies the port on which the kadmind daemon
              is to listen for password change requests for this realm.

       key_stash_file
              This string specifies the location where the master key has
              been stored with kdb5_stash.

       kdc_ports
              This string specifies the list of ports that the KDC is to
              listen to for this realm.  By default, the value of kdc_ports
              as specified in the [kdcdefaults] section is used.

       kdc_tcp_ports
              This string specifies the list of ports that the KDC is to
              listen to for TCP requests for this realm.  By default, the
              value of kdc_tcp_ports as specified in the [kdcdefaults]
              section is used.

       master_key_name
              This string specifies the name of the principal associated with
              the master key.  The default value is K/M.

       master_key_type
              This key type string represents the master key's key type.

       max_life
              This delta time string specifies the maximum time period that a
              ticket may be valid for in this realm.

       max_renewable_life
              This delta time string specifies the maximum time period that a
              ticket may be renewed for in this realm.

       iprop_enable
              This boolean ("true" or "false") specifies whether incremental
              database propagation is enabled.  The default is "false".

       iprop_master_ulogsize
              This numeric value specifies the maximum number of log entries
              to be retained for incremental propagation.  The maximum value
              is 2500; default is 1000.

       iprop_slave_poll
              This delta time string specifies how often the slave KDC polls
              for new updates from the master.  Default is "2m" (that is,
              two minutes).

       supported_enctypes
              This list of key:salt strings specifies the default key/salt
              combinations of principals for this realm.

       reject_bad_transit
              This boolean specifies whether or not the list of transited
              realms for cross-realm tickets should be checked against the
              transit path computed from the realm names and the [capaths]
              section of its krb5.conf file.

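       As an added example, not from this man page or the MIT krb5 code, the
       Python below is a minimal reader for the krb5.conf-style layout that
       kdc.conf shares, followed by the per-realm port lookup described
       above, where a realm's kdc_ports and kdc_tcp_ports fall back to the
       [kdcdefaults] values and then to the compiled-in defaults; the
       function names and the sample configuration are assumptions.

```python
# Added example, not from the man page or MIT krb5: a minimal reader for the
# krb5.conf-style layout kdc.conf shares ([section], tag = value, and
# tag = { ... } subsections) and the realm port lookup the text describes.
# Names are assumptions; SAMPLE_KDC_CONF is constructed sample data.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal
        kdc_tcp_ports = 88
        max_life = 10h 0m 0s
        default_principal_flags = +preauth
    }
    OTHER.EXAMPLE = {
        kdc_ports = 88
    }
"""

def parse_kdc_conf(text):
    """Parse kdc.conf text into nested dicts: {section: {tag: value|dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new section
        elif line == "}":
            stack.pop()  # close the current subsection
        elif "=" in line and stack:
            tag, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(tag, {}))  # subsection
            else:
                stack[-1][tag] = value
        else:
            raise ValueError("unparseable kdc.conf line: %r" % raw)
    return conf

def listen_ports(conf, realm, tcp=False):
    """Ports the KDC listens on for realm, with the fallbacks the text gives."""
    tag = "kdc_tcp_ports" if tcp else "kdc_ports"
    value = conf.get("realms", {}).get(realm, {}).get(tag)
    if value is None:  # realm is silent: fall back to [kdcdefaults]
        value = conf.get("kdcdefaults", {}).get(tag)
    if value is None:  # compiled-in defaults: 88 and 750 for UDP, no TCP
        return [] if tcp else [88, 750]
    return [int(p) for p in value.split(",") if p.strip()]
```

       Running listen_ports over a real kdc.conf is a quick way to confirm
       that a realm has not silently inherited TCP listeners from
       [kdcdefaults].
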
FILES
       /var/kerberos/krb5kdc/kdc.conf

SEE ALSO
       krb5.conf(5), krb5kdc(8)

                                                                   KDC.CONF(5)