KDC.CONF(5)                    File Formats Manual                   KDC.CONF(5)

NAME
       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION
       kdc.conf specifies per-realm configuration data to be used by the
       Kerberos V5 Authentication Service and Key Distribution Center
       (AS/KDC).  This includes database, key and per-realm defaults.

       The kdc.conf file uses the same format as the krb5.conf file.  For a
       basic description of the syntax, please refer to the krb5.conf
       description.

       The following sections are currently used in the kdc.conf file:

       [kdcdefaults]
              Contains parameters which control the overall behaviour of
              the KDC.

       [realms]
              Contains subsections keyed by Kerberos realm names which
              describe per-realm KDC parameters.

       The following relations are defined in the [kdcdefaults] section:

       kdc_ports
              This relation lists the ports which the Kerberos server should
              listen on by default.  This list is a comma separated list of
              integers.  If this relation is not specified, the compiled-in
              default is usually port 88 and port 750.

       kdc_tcp_ports
              This relation lists the ports on which the Kerberos server
              should listen for TCP connections by default.  This list is a
              comma separated list of integers.  If this relation is not
              specified, the compiled-in default is not to listen for TCP
              connections at all.

              If you wish to change this (which we do not recommend, because
              the current implementation has little protection against
              denial-of-service attacks), the standard port number assigned
              for Kerberos TCP traffic is port 88.

       v4_mode
              This string specifies how the KDC should respond to Kerberos IV
              packets.  Valid values for this relation are the same as the
              valid arguments to the -4 flag to krb5kdc.  If this relation
              is not specified, the compiled-in default of none is used.


       Each tag in the [realms] section of the file names a Kerberos realm.
       The value of the tag is a subsection where the relations in that
       subsection define KDC parameters for that particular realm.

       For each realm, the following tags may be specified in the [realms]
       subsection:

       acl_file
              This string specifies the location of the access control list
              (acl) file that kadmin uses to determine which principals are
              allowed which permissions on the database.  The default value
              is /var/kerberos/krb5kdc/kadm5.acl.

       admin_keytab
              This string specifies the location of the keytab file that
              kadmin uses to authenticate to the database.  The default
              value is /var/kerberos/krb5kdc/kadm5.keytab.

       database_name
              This string specifies the location of the Kerberos database
              for this realm.

       default_principal_expiration
              This absolute time string specifies the default expiration
              date of principals created in this realm.

       default_principal_flags
              This flag string specifies the default attributes of principals
              created in this realm.  The format for the string is a
              comma-separated list of flags, with '+' before each flag to be
              enabled and '-' before each flag to be disabled.  The default
              is for postdateable, forwardable, tgt-based, renewable,
              proxiable, dup-skey, allow-tickets, and service to be enabled,
              and all others to be disabled.

              There are a number of possible flags:

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              tgt-based
                     Enabling this flag allows a principal to obtain tickets
                     based on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used to obtain the
                     TGT.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              proxiable
                     Enabling this flag allows the principal to obtain proxy
                     tickets.

              dup-skey
                     Enabling this flag allows the principal to obtain a
                     session key for another user, permitting user-to-user
                     authentication for this principal.

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets
                     for this principal.  Disabling this flag essentially
                     deactivates the principal within this realm.

              preauth
                     If this flag is enabled on a client principal, then that
                     principal is required to preauthenticate to the KDC
                     before receiving any tickets.  On a service principal,
                     enabling this flag means that service tickets for this
                     principal will only be issued to clients with a TGT that
                     has the preauthenticated ticket set.

              hwauth
                     If this flag is enabled, then the principal is required
                     to preauthenticate using a hardware device before
                     receiving any tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases; for example, if a user's password has
                     expired, the user has to get tickets for that principal
                     to be able to change it without going through the normal
                     password authentication.

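As an added example (not part of kdc.conf(5) or of MIT Kerberos), the following Python resolves a default_principal_flags string against the defaults listed above, rejecting items without a '+' or '-' sign and unknown flag names so that a typo cannot silently drop a flag such as +preauth. The function names, the KNOWN_FLAGS table and the hardening notes are this example's own.

```python
# Added example: resolve a kdc.conf default_principal_flags string into the
# effective set of enabled principal attributes. Hypothetical helper written
# for this page; it is not code from MIT Kerberos.

# Flags kdc.conf(5) lists as recognised in default_principal_flags.
KNOWN_FLAGS = {
    "postdateable", "forwardable", "tgt-based", "renewable", "proxiable",
    "dup-skey", "allow-tickets", "preauth", "hwauth", "pwchange", "service",
    "pwservice",
}

# Flags the man page says are enabled when the relation is not set.
DEFAULT_ENABLED = {
    "postdateable", "forwardable", "tgt-based", "renewable", "proxiable",
    "dup-skey", "allow-tickets", "service",
}


def resolve_principal_flags(flag_string=""):
    """Return the set of flags enabled after applying flag_string.

    flag_string is a comma-separated list; each item is '+' or '-' followed
    by a flag name, the format the man page describes.  Items without a
    sign or with an unknown name raise ValueError instead of being ignored.
    """
    enabled = set(DEFAULT_ENABLED)
    for item in flag_string.split(","):
        item = item.strip()
        if not item:
            continue                       # tolerate trailing commas
        sign, name = item[0], item[1:].strip().lower()
        if sign not in "+-" or not name:
            raise ValueError(f"flag item must start with '+' or '-': {item!r}")
        if name not in KNOWN_FLAGS:
            raise ValueError(f"unknown principal flag: {name!r}")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return enabled


def hardening_notes(enabled):
    """Return observations, based on the flag semantics in kdc.conf(5),
    about what new principals created with this default set will accept."""
    notes = []
    if "preauth" not in enabled:
        notes.append("preauth not required: new principals receive tickets "
                     "without preauthenticating to the KDC")
    if "allow-tickets" not in enabled:
        notes.append("allow-tickets disabled: new principals are effectively "
                     "deactivated until the flag is set")
    return notes


if __name__ == "__main__":
    flags = resolve_principal_flags("+preauth,-forwardable")
    print(sorted(flags))
    print(hardening_notes(flags))
```

The defaults the man page describes do not require preauthentication, so `hardening_notes(resolve_principal_flags())` reports that; once `+preauth` is applied the note disappears.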

       dict_file
              This string specifies the location of the dictionary file
              containing strings that are not allowed as passwords.  If this
              tag is not set or if there is no policy assigned to the
              principal, then no check will be done.

       kadmind_port
              This port number specifies the port on which the kadmind
              daemon is to listen for this realm.

       kpasswd_port
              This port number specifies the port on which the kadmind
              daemon is to listen for this realm.

       key_stash_file
              This string specifies the location where the master key has
              been stored with kdb5_stash.

       kdc_ports
              This string specifies the list of ports that the KDC is to
              listen to for this realm.  By default, the value of kdc_ports
              as specified in the [kdcdefaults] section is used.

       kdc_tcp_ports
              This string specifies the list of ports that the KDC is to
              listen to for TCP requests for this realm.  By default, the
              value of kdc_tcp_ports as specified in the [kdcdefaults]
              section is used.

       master_key_name
              This string specifies the name of the principal associated
              with the master key.  The default value is K/M.

       master_key_type
              This key type string represents the master key's key type.

       max_life
              This delta time string specifies the maximum time period that
              a ticket may be valid for in this realm.

       max_renewable_life
              This delta time string specifies the maximum time period that
              a ticket may be renewed for in this realm.

       iprop_enable
              This boolean ("true" or "false") specifies whether incremental
              database propagation is enabled.  The default is "false".

       iprop_master_ulogsize
              This numeric value specifies the maximum number of log entries
              to be retained for incremental propagation.  The maximum value
              is 2500; the default is 1000.

       iprop_slave_poll
              This delta time string specifies how often the slave KDC polls
              for new updates from the master.  The default is "2m" (that
              is, two minutes).

       supported_enctypes
              This list of key:salt strings specifies the default key/salt
              combinations of principals for this realm.

       reject_bad_transit
              This boolean specifies whether or not the list of transited
              realms for cross-realm tickets should be checked against the
              transit path computed from the realm names and the [capaths]
              section of its krb5.conf file.

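An added example, not from this man page or from the MIT Kerberos sources: a minimal Python reader for the krb5.conf-style syntax that kdc.conf uses, applied to a constructed kdc.conf carrying the [kdcdefaults] relations and the per-realm tags described above, followed by checks for the constraints the page states (integer port lists, the caveat on kdc_tcp_ports, the 2500 cap on iprop_master_ulogsize, boolean values, and delta time strings). The parser handles only sections, tag = value lines and one level of braces; the realm name, paths and values in SAMPLE_KDC_CONF are invented for the example, and all function names are this example's own.

```python
import re

# Constructed sample kdc.conf for this example; the realm, paths and values
# are invented and do not describe any real deployment.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
        iprop_enable = true
        iprop_master_ulogsize = 3000
        reject_bad_transit = true
    }
"""


def parse_kdc_conf(text):
    """Return {section: {tag: value}}; a tag whose value is '{' opens a
    nested dict of relations (one level, as the [realms] section uses)."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                       # blank or comment line
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                              # start of a new [section]
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if line == "}":                    # end of a subsection
            sub = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not m or section is None:
            raise ValueError(f"cannot parse kdc.conf line: {raw!r}")
        tag, value = m.group(1), m.group(2).strip()
        if value == "{":                   # tag opens a subsection
            sub = section.setdefault(tag, {})
        else:
            (sub if sub is not None else section)[tag] = value
    return conf


def delta_seconds(s):
    """Convert a delta time string in the 'Nd Nh Nm Ns' form (any subset of
    the units, e.g. '2m') to seconds; other spellings raise ValueError."""
    if not re.fullmatch(r"(\s*\d+\s*[dhms]\s*)+", s):
        raise ValueError(f"unsupported delta time: {s!r}")
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)\s*([dhms])", s))


def lint_kdc_conf(conf):
    """Return findings for the relations kdc.conf(5) documents."""
    findings = []
    defaults = conf.get("kdcdefaults", {})
    for tag in ("kdc_ports", "kdc_tcp_ports"):
        for port in defaults.get(tag, "").split(","):
            if port.strip() and not port.strip().isdigit():
                findings.append(f"[kdcdefaults] {tag}: non-integer port {port.strip()!r}")
    if "kdc_tcp_ports" in defaults:
        findings.append("[kdcdefaults] kdc_tcp_ports set: the KDC will listen for TCP, "
                        "which kdc.conf(5) says has little denial-of-service protection")
    for realm, rel in conf.get("realms", {}).items():
        if not isinstance(rel, dict):
            continue
        for tag in ("iprop_enable", "reject_bad_transit"):
            if tag in rel and rel[tag].lower() not in ("true", "false"):
                findings.append(f"{realm}: {tag} must be true or false, got {rel[tag]!r}")
        size = rel.get("iprop_master_ulogsize")
        if size is not None and (not size.isdigit() or int(size) > 2500):
            findings.append(f"{realm}: iprop_master_ulogsize {size!r} is not numeric "
                            "or exceeds the documented maximum of 2500")
        for tag in ("max_life", "max_renewable_life", "iprop_slave_poll"):
            if tag in rel:
                try:
                    delta_seconds(rel[tag])
                except ValueError as exc:
                    findings.append(f"{realm}: {tag}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in lint_kdc_conf(parse_kdc_conf(SAMPLE_KDC_CONF)):
        print(finding)
```

Run against the sample, the linter reports two findings: the TCP listener enabled in [kdcdefaults], and the iprop_master_ulogsize of 3000 above the documented maximum. Everything else in the sample parses cleanly.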
FILES
       /var/kerberos/krb5kdc/kdc.conf

SEE ALSO
       krb5.conf(5), krb5kdc(8)
