1KRB5.CONF(5)                BSD File Formats Manual               KRB5.CONF(5)
2

NAME

4     krb5.conf — configuration file for Kerberos 5
5

SYNOPSIS

7     #include <krb5.h>
8

DESCRIPTION

10     The krb5.conf file specifies several configuration parameters for the
11     Kerberos 5 library, as well as for some programs.
12
13     The file consists of one or more sections, containing a number of bind‐
14     ings.  The value of each binding can be either a string or a list of
15     other bindings.  The grammar looks like:
16
17           file:
18                   /* empty */
19                   sections
20
21           sections:
22                   section sections
23                   section
24
25           section:
26                   '[' section_name ']' bindings
27
28           section_name:
29                   STRING
30
31           bindings:
32                   binding bindings
33                   binding
34
35           binding:
36                   name '=' STRING
37                   name '=' '{' bindings '}'
38
39           name:
40                   STRING
41
42     STRINGs consist of one or more non-whitespace characters.
43
44     STRINGs that are specified later in this man-page use the following
45     notation.
46
47           boolean
48                values can be either yes/true or no/false.
49
50           time
51                values can be a list of year, month, day, hour, min, second.
52                Example: 1 month 2 days 30 min.  If no unit is given, seconds
53                is assumed.
54
55           etypes
56                valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
57                md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
58                and aes256-cts-hmac-sha1-96.  The single-DES types are weak
                  and are only usable when allow_weak_crypto is true (see
                  [libdefaults] below); arcfour-hmac-md5 is a legacy type as
                  well.  Prefer the AES types wherever the peers support them.
59
60           address
61                an address can be either an IPv4 or an IPv6 address.
62
63     Currently recognised sections and bindings are:
64
65           [appdefaults]
66                Specifies the default values to be used for Kerberos applica‐
67                tions.  You can specify defaults per application, realm, or a
68                combination of these.  The preference order is:
69                1.   application realm option
70                2.   application option
71                3.   realm option
72                4.   option
73
74                The supported options are:
75
76                      forwardable = boolean
77                           When obtaining initial credentials, make the cre‐
78                           dentials forwardable.
79
80                      proxiable = boolean
81                           When obtaining initial credentials, make the cre‐
82                           dentials proxiable.
83
84                      no-addresses = boolean
85                           When obtaining initial credentials, request them
86                           for an empty set of addresses, making the tickets
87                           valid from any address.  This is typically needed
                             behind NAT, but note that it gives up the (weak)
                             address binding of a ticket, so a copied ticket can
                             be used from any host.  See also check-ticket-
                             addresses and allow-null-ticket-addresses in the
                             [kdc] section.
88
89                      ticket_lifetime = time
90                           Default ticket lifetime.
91
92                      renew_lifetime = time
93                           Default renewable ticket lifetime.
94
95                      encrypt = boolean
96                           Use encryption, when available.
97
98                      forward = boolean
99                           Forward credentials to remote host (for rsh(1),
100                           telnet(1), etc).
101
102           [libdefaults]
103
104                      default_realm = REALM
105                           Default realm to use, this is also known as your
106                           “local realm”.  The default is the result of
107                           krb5_get_host_realm(local hostname).
108
109                      allow_weak_crypto = boolean
110                           Whether weak crypto algorithms are allowed to be
111                           used; among others, DES is considered weak.  Leave
                             this false unless a legacy peer requires it, since
                             it re-enables the single-DES enctypes for all
                             exchanges (see default_etypes below).
112
113                      clockskew = time
114                           Maximum time differential (in seconds) allowed when
115                           comparing times.  Default is 300 seconds (five min‐
116                           utes).  Raising this value widens the window in
                             which a captured authenticator can be replayed;
                             fix clock synchronisation rather than increasing
                             the skew.
117
118                      kdc_timeout = time
119                           Maximum time to wait for a reply from the kdc,
120                           default is 3 seconds.
121
122                      capath = {
123
124                                 destination-realm = next-hop-realm
125
126                                 ...
127
128                                 }
129                           This is deprecated, see the capaths section below.
130
131                      default_cc_type = cctype
132                           sets the default credentials type.
133
134                      default_cc_name = ccname
135                           the default credentials cache name.  If you want to
136                           change the type only use default_cc_type.  The
137                           string can contain variables that are expanded at
138                           runtime.  The only supported variable currently is
139                           %{uid} which expands to the current user id.
140
141                      default_etypes = etypes ...
142                           A list of default encryption types to use.
143                           (Default: all enctypes if allow_weak_crypto = TRUE,
144                           else all enctypes except single DES enctypes.)
145
146                      default_as_etypes = etypes ...
147                           A list of default encryption types to use in AS
148                           requests.  (Default: the value of default_etypes.)
149
150                      default_tgs_etypes = etypes ...
151                           A list of default encryption types to use in TGS
152                           requests.  (Default: the value of default_etypes.)
153
154                      default_etypes_des = etypes ...
155                           A list of default encryption types to use when
156                           requesting a DES credential.
157
158                      default_keytab_name = keytab
159                           The keytab to use if no other is specified, default
160                           is “FILE:/etc/krb5.keytab”.
161
162                      dns_lookup_kdc = boolean
163                           Use DNS SRV records to lookup KDC services loca‐
164                           tion.
165
166                      dns_lookup_realm = boolean
167                           Use DNS TXT records to lookup domain to realm map‐
168                           pings.  Plain DNS answers are not authenticated, so
                             an attacker who can spoof DNS can make a client
                             treat a host as belonging to a realm of the
                             attacker's choosing.  Prefer explicit [domain_realm]
                             entries for any mapping that matters.
169
170                      kdc_timesync = boolean
171                           Try to keep track of the time differential between
172                           the local machine and the KDC, and then compensate
173                           for that when issuing requests.
174
175                      max_retries = number
176                           The max number of times to try to contact each KDC.
177
178                      large_msg_size = number
179                           The threshold where protocols with tiny maximum
180                           message sizes are not considered usable to send
181                           messages to the KDC.
182
183                      ticket_lifetime = time
184                           Default ticket lifetime.
185
186                      renew_lifetime = time
187                           Default renewable ticket lifetime.
188
189                      forwardable = boolean
190                           When obtaining initial credentials, make the cre‐
191                           dentials forwardable.  This option is also valid in
192                           the [realms] section.
193
194                      proxiable = boolean
195                           When obtaining initial credentials, make the cre‐
196                           dentials proxiable.  This option is also valid in
197                           the [realms] section.
198
199                      verify_ap_req_nofail = boolean
200                           If enabled, failure to verify credentials against a
201                           local key is a fatal error.  The application has to
202                           be able to read the corresponding service key for
203                           this to work.  Some applications, like su(1),
204                           enable this option unconditionally.  Without this
                             check, a login-style application that cannot read
                             its keytab could accept credentials obtained from a
                             spoofed KDC, so enable it on hosts that have a host
                             key in the keytab.
205
206                      warn_pwexpire = time
207                           How soon to warn for expiring password.  Default is
208                           seven days.
209
210                      http_proxy = proxy-spec
211                           An HTTP proxy to use when talking to the KDC via
212                           HTTP.
213
214                      dns_proxy = proxy-spec
215                           Enable using DNS via HTTP.
216
217                      extra_addresses = address ...
218                           A list of addresses to get tickets for along with
219                           all local addresses.
220
221                      time_format = string
222                           How to print time strings in logs, this string is
223                           passed to strftime(3).
224
225                      date_format = string
226                           How to print date strings in logs, this string is
227                           passed to strftime(3).
228
229                      log_utc = boolean
230                           Write log-entries using UTC instead of your local
231                           time zone.
232
233                      scan_interfaces = boolean
234                           Scan all network interfaces for addresses, as
235                           opposed to simply using the address associated with
236                           the system's host name.
237
238                      fcache_version = int
239                           Use file credential cache format version specified.
240
241                      fcc-mit-ticketflags = boolean
242                           Use MIT compatible format for file credential
243                           cache.  It's the field ticketflags that is stored
244                           in reverse bit order for older than Heimdal 0.7.
245                           Setting this flag to TRUE makes it store the MIT
246                           way, this is default for Heimdal 0.7.
247
248                      check-rd-req-server
249                           If set to "ignore", the framework will ignore any
250                           of the server input to krb5_rd_req(3); this is
251                           useful when the GSS-API server passes the wrong
252                           server name into the gss_accept_sec_context call.
                             Use with care: it disables the check that the
                             ticket was issued for the expected service princi‐
                             pal, so a ticket for any principal whose key is in
                             the keytab may be accepted.
253
254                      k5login_directory = directory
255                           Alternative location for user .k5login files. This
256                           option is provided for compatibility with MIT krb5
257                           configuration files.
258
259                      k5login_authoritative = boolean
260                           If true and a principal is not found in the k5login
261                           files, krb5_userok(3) will not fall back on princi‐
262                           pal to username mapping.  This option is provided
263                           for compatibility with MIT krb5 configuration
264                           files.
265
266                      kuserok = rule ...
267                           Specifies krb5_userok(3) behavior.  If multiple
268                           values are given, then krb5_userok(3) will evaluate
269                           them in order until one succeeds or all fail.
270                           Rules are implemented by plugins, with three built-
271                           in plugins described below. Default: USER-K5LOGIN
272                           SIMPLE DENY.
273
274                      kuserok = DENY
275                           If set and evaluated then krb5_userok(3) will deny
276                           access to the given username no matter what the
277                           principal name might be.
278
279                      kuserok = SIMPLE
280                           If set and evaluated then krb5_userok(3) will use
281                           principal to username mapping (see auth_to_local
282                           below).  If the principal maps to the requested
283                           username then access is allowed.
284
285                      kuserok = SYSTEM-K5LOGIN[:directory]
286                           If set and evaluated then krb5_userok(3) will use
287                           k5login files named after the luser argument to
288                           krb5_userok(3) in the given directory or in
289                           /etc/k5login.d/.  K5login files are text files,
290                           with each line containing just a principal name;
291                           principals appearing in a user's k5login file are
292                           permitted access to the user's account.  Note: this
293                           rule performs no ownership or permission checks on
294                           k5login files; proper ownership and permissions/
295                           ACLs are expected because the k5login location is
296                           a system location.  A world- or group-writable
                             file there lets anyone add principals to the list.
297
298                      kuserok = USER-K5LOGIN
299                           If set and evaluated then krb5_userok(3) will use
300                           ~luser/.k5login and ~luser/.k5login.d/*.  User
301                           k5login files and directories must be owned by the
302                           user and must not have world nor group write per‐
303                           missions.
304
305                      aname2lname-text-db = filename
306                           The named file must be a sorted (in increasing
307                           order) text file where every line consists of an
308                           unparsed principal name optionally followed by
309                           whitespace and a username.  The aname2lname func‐
310                           tion will do a binary search on this file, if con‐
311                           figured, looking for lines that match the given
312                           principal name, and if found the given username
313                           will be used, or, if the username is missing, an
314                           error will be returned.  If the file doesn't exist,
315                           or if no matching line is found then other plugins
316                           will be allowed to run.
317
318                      fcache_strict_checking
319                           Enable strict checking of FILE credential caches:
320                           the owner must be correct, the path must not be a
                             symlink, and the permissions must be correct.
321
322                      name_canon_rules = rules
323                           One or more service principal name canonicalization
324                           rules.  Each rule consists of one or more tokens
325                           separated by colon (':').  Currently these rules
326                           are used only for hostname canonicalization (usu‐
327                           ally when getting a service ticket, from a ccache
328                           or a TGS, but also when acquiring GSS initiator
329                           credentials from a keytab).  These rules can be
330                           used to implement DNS resolver-like search lists
331                           without having to use DNS.
332
333                           NOTE: Name canonicalization rules are an experimen‐
334                           tal feature.
335
336                           The first token is a rule type, one of: as-is,
337                           qualify, or nss.
338
339                           Any remaining tokens must be options tokens:
340                           use_fast (use FAST to protect TGS exchanges; cur‐
341                           rently not supported), use_dnssec (use DNSSEC to
342                           protect hostname lookups; currently not supported),
343                           ccache_only, use_referrals, no_referrals,
344                           lookup_realm, mindots=N, maxdots=N, order=N,
345                           domain= domain, realm= realm, match_domain= domain,
346                           and match_realm= realm.
347
348                           When trying to obtain a service ticket for a host-
349                           based service principal name, name canonicalization
350                           rules are applied to that name in the order given,
351                           one by one, until one succeeds (a service ticket is
352                           obtained), or all fail.  Similarly when acquiring
353                           GSS initiator credentials from a keytab, and when
354                           comparing a non-canonical GSS name to a canonical
355                           one.
356
357                           For each rule the system checks that the hostname
358                           has at least mindots periods (if given) in it, at
359                           most maxdots periods (if given), that the hostname
360                           ends in the given match_domain (if given), and that
361                           the realm of the principal matches the match_realm
362                           (if given).
363
364                           As-is rules leave the hostname unmodified but may
365                           set a realm.  Qualify rules qualify the hostname
366                           with the given domain and also may set the realm.
367                           The nss rule uses the system resolver to lookup the
368                           host's canonical name and is usually not secure.
369                           Note that using the nss rule type implies having to
370                           have principal aliases in the HDB (though not nec‐
371                           essarily in keytabs).
372
373                           The empty realm denotes "ask the client's realm's
374                           TGS".  The empty realm may be set as well as
375                           matched.
376
377                           The order in which rules are applied is as follows:
378                           first all the rules with explicit order then all
379                           other rules in the order in which they appear.  If
380                           any two rules have the same explicit order, their
381                           order of appearance in krb5.conf breaks the tie.
382                           Explicitly specifying order can be useful where
383                           tools read and write the configuration file without
384                           preserving parameter order.
385
386                           Malformed rules are ignored.
387
388                      allow_hierarchical_capaths = boolean
389                           When validating cross-realm transit paths, absent
390                           any explicit capath from the client realm to the
391                           server realm, allow a hierarchical transit path via
392                           the common ancestor domain of the two realms.
393                           Defaults to true.  Note, absent an explicit set‐
394                           ting, hierarchical capaths are always used by the
395                           KDC when generating a referral to a destination
396                           with which there is no direct trust.
397
398           [domain_realm]
399                This is a list of mappings from DNS domain to Kerberos realm.
400                Each binding in this section looks like:
401
402                      domain = realm
403
404                The domain can be either a full name of a host or a trailing
405                component, in the latter case the domain-string should start
406                with a period.  The trailing component only matches hosts that
407                are in the same domain, ie “.example.com” matches
408                “foo.example.com”, but not “foo.test.example.com”.
409
410                The realm may be the token `dns_locate', in which case the
411                actual realm will be determined using DNS (independently of
412                the setting of the `dns_lookup_realm' option).  The same
                   caveat as for dns_lookup_realm applies: an unauthenticated
                   DNS answer then decides the realm.
413
414           [realms]
415
416                      REALM = {
417
418                                 kdc = [service/]host[:port]
419                                      Specifies a list of kdcs for this realm.
420                                      If the optional port is absent, the
421                                      default value for the “kerberos/udp”
422                                      “kerberos/tcp”, and “http/tcp” port
423                                      (depending on service) will be used.
424                                      The kdcs will be used in the order that
425                                      they are specified.
426
427                                      The optional service specifies over what
428                                      medium the kdc should be contacted.
429                                      Possible services are “udp”, “tcp”, and
430                                      “http”.  Http can also be written as
431                                      “http://”.  Default service is “udp” and
432                                      “tcp”.
433
434                                 admin_server = host[:port]
435                                      Specifies the admin server for this
436                                      realm, where all the modifications to
437                                      the database are performed.
438
439                                 kpasswd_server = host[:port]
440                                      Points to the server where all the pass‐
441                                      word changes are performed.  If there is
442                                      no such entry, the kpasswd port on the
443                                      admin_server host will be tried.
444
445                                 tgs_require_subkey
446                                      a boolean variable that defaults to
447                                      false.  Old DCE secd (pre 1.1) might
448                                      need this to be true.
449
450                                 auth_to_local_names = {
451
452                                            principal_name = username
453                                                 The given principal_name will
454                                                 be mapped to the given
455                                                 username if the REALM is a
456                                                 default realm.
457
458                                 }
459
460                                 auth_to_local = HEIMDAL_DEFAULT
461                                      Use the Heimdal default principal to
462                                      username mapping.  Applies to principals
463                                      from the REALM if and only if REALM is a
464                                      default realm.
465
466                                 auth_to_local = DEFAULT
467                                      Use the MIT default principal to user‐
468                                      name mapping.  Applies to principals
469                                      from the REALM if and only if REALM is a
470                                      default realm.
471
472                                 auth_to_local = DB:/path/to/db.txt
473                                      Use a binary search of the given DB.
474                                      The DB must be a flat-text file sorted
475                                      in the "C" locale, with each record
476                                      being a line (separated by either LF or
477                                      CRLF) consisting of a principal name
478                                      followed by whitespace followed by a
479                                      username.  Applies to principals from
480                                      the REALM if and only if REALM is a
481                                      default realm.
482
483                                 auth_to_local = DB:/path/to/db
484                                      Use the given DB, if there's a plugin
485                                      for it.  Applies to principals from the
486                                      REALM if and only if REALM is a default
487                                      realm.
488
489                                 auth_to_local = RULE:...
490                                      Use the given rule, if there's a plugin
491                                      for it.  Applies to principals from the
492                                      REALM if and only if REALM is a default
493                                      realm.
494
495                                 auth_to_local = NONE
496                                      No additional principal to username map‐
497                                      ping is done. Note that
498                                      auth_to_local_names and any preceding
499                                      auth_to_local rules have precedence.
500
501                      }
502
503           [capaths]
504
505                      client-realm = {
506
507                                 server-realm = hop-realm ...
508                                      This serves two purposes. First the
509                                      first listed hop-realm tells a client
510                                      which realm it should contact in order
511                                      to ultimately obtain credentials for a
512                                      service in the server-realm.  Secondly,
513                                      it tells the KDC (and other servers)
514                                      which realms are allowed in a multi-hop
515                                      traversal from client-realm to
516                                      server-realm.  Except for the client
517                                      case, the order of the realms are not
518                                      important.
519
520                      }
521
522           [logging]
523
524                      entity = destination
525                           Specifies that entity should use the specified
526                           destination for logging.  See the krb5_openlog(3)
527                           manual page for a list of defined destinations.
528
529           [kdc]
530
531                      database = {
532
533                                 dbname = [DATABASETYPE:]DATABASENAME
534                                      Use this database for this realm.  The
535                                      DATABASETYPE should be one of 'lmdb',
536                                      'db3', 'db1', 'db', 'sqlite', or 'ldap'.
537                                      See the info documentation for how to
538                                      configure different database backends.
539
540                                 realm = REALM
541                                      Specifies the realm that will be stored
542                                      in this database.  If realm isn't set,
543                                      the entry is used as the default database;
544                                      there can only be one entry that doesn't
545                                      have a realm stanza.
546
547                                 mkey_file = FILENAME
548                                      Use this keytab file for the master key
549                                      of this database.  If not specified
550                                      DATABASENAME.mkey will be used.  The mas‐
                                         ter key protects the principal keys in
                                         the database, so this file must be read‐
                                         able only by the KDC and kadmind and
                                         should be backed up separately from the
                                         database itself.
551
552                                 acl_file = FILENAME
553                                      Use this file for the ACL list of this
554                                      database.
555
556                                 log_file = FILENAME
557                                      Use this file as the log of changes per‐
558                                      formed to the database.  This file is
559                                      used by ipropd-master for propagating
560                                      changes to slaves.  It is also used by
561                                      kadmind and kadmin (when used with the
562                                      -l option), and by all applications
563                                      using libkadm5 with the local backend,
564                                      for two-phase commit functionality.
565                                      Slaves also use this.  Setting this to
566                                      /dev/null disables two-phase commit and
567                                      incremental propagation.  Use iprop-log
568                                      to show the contents of this log file.
569
570                                 log-max-size = number
571                                      When the log reaches this size (in
572                                      bytes), the log will be truncated, sav‐
573                                      ing some entries, and keeping the latest
574                                      version number so as to not disrupt
575                                      incremental propagation.  If set to a
576                                      negative value then automatic log trun‐
577                                      cation will be disabled.  Defaults to
578                                      52428800 (50MB).
579
580                      }
581
582                      max-request = SIZE
583                           Maximum size of a kdc request.
584
585                      require-preauth = BOOL
586                           If set, pre-authentication is required.  Without
                             pre-authentication anyone can request an AS-REP
                             for a user and attack its encrypted part offline
                             with password guesses, so this should normally be
                             set.
587
588                      ports = list of ports
589                           List of ports the kdc should listen to.
590
591                      addresses = list of interfaces
592                           List of addresses the kdc should bind to.
593
594                      enable-http = BOOL
595                           Should the kdc answer kdc-requests over http.
596
597                      tgt-use-strongest-session-key = BOOL
598                           If this is TRUE then the KDC will prefer the
599                           strongest key from the client's AS-REQ or TGS-REQ
600                           enctype list for the ticket session key that is
601                           supported by the KDC and the target principal when
602                           the target principal is a krbtgt principal.  Else
603                           it will prefer the first key from the client's AS-
604                           REQ enctype list that is also supported by the KDC
605                           and the target principal.  Defaults to FALSE.
606
607                      svc-use-strongest-session-key = BOOL
608                           Like tgt-use-strongest-session-key, but applies to
609                           the session key enctype of tickets for services
610                           other than krbtgt principals. Defaults to FALSE.
611
612                      preauth-use-strongest-session-key = BOOL
613                           If TRUE then select the strongest possible enctype
614                           from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
615                           for password-based pre-authentication).  Else pick
616                           the first supported enctype from the client's AS-
617                           REQ.  Defaults to FALSE.
618
619                      use-strongest-server-key = BOOL
620                           If TRUE then the KDC picks, for the ticket
621                           encrypted part's key, the strongest supported
622                           enctype from the target service principal's hdb
623                           entry's current keyset.  Else it picks the first
624                           supported enctype from that keyset.  Defaults to
625                           TRUE.
626
627                      check-ticket-addresses = BOOL
628                           Verify the addresses in the tickets used in tgs
629                           requests.
630
631                      allow-null-ticket-addresses = BOOL
632                           Allow address-less tickets.
633
634                      allow-anonymous = BOOL
635                           If the kdc is allowed to hand out anonymous tick‐
636                           ets.
637
638                      encode_as_rep_as_tgs_rep = BOOL
639                           Encode as-rep as tgs-rep to be compatible with
640                           mistakes older DCE secd made.
641
642                      kdc_warn_pwexpire = TIME
643                           The time before expiration that the user should be
644                           warned that her password is about to expire.
645
646                      logging = Logging
647                           What type of logging the kdc should use, see also
648                           [logging]/kdc.
649
650                      hdb-ldap-structural-object = structural object
651                           If the LDAP backend is used for storing principals,
652                           this is the structural object that will be used
653                           when creating and when reading objects.  The
654                           default value is account.
655
656                      hdb-ldap-create-base = creation dn
657                           The dn that will be appended to the principal
658                           when creating entries.  The default value is the
659                           search dn.
660
661                      enable-digest = BOOL
662                           Should the kdc answer digest requests. The default
663                           is FALSE.
664
665                      digests_allowed = list of digests
666                           Specifies the digests the kdc will reply to. The
667                           default is ntlm-v2.
668
669                      kx509_ca = file
670                           Specifies the PEM credentials for the kx509 certi‐
671                           fication authority.
672
673                      require_initial_kca_tickets = boolean
674                           Specifies whether to require that tickets for the
675                           kca_service service principal be INITIAL.  This may
676                           be set on a per-realm basis as well as globally.
677                           Defaults to true for the global setting.
678
679                      kx509_include_pkinit_san = boolean
680                           If true then the kx509 client principal's name and
681                           realm will be included in an id-pkinit-san certifi‐
682                           cate extension.  This can be set on a per-realm
683                           basis as well as globally.  Defaults to true for
684                           the global setting.
685
686                      kx509_template = file
687                           Specifies the PEM file with a template for the cer‐
688                           tificates to be issued.  The following variables
689                           can be interpolated in the subject name using
690                           ${variable} syntax:
691
692                                 principal-name
693                                      The full name of the kx509 client prin‐
694                                      cipal.
695
696                                 principal-name-without-realm
697                                      The full name of the kx509 client prin‐
698                                      cipal, excluding the realm name.
699
700                                 principal-name-realm
701                                      The name of the client principal's
702                                      realm.
703                The kx509, kx509_template, kx509_include_pkinit_san, and
704                require_initial_kca_tickets parameters may be set on a per-
705                realm basis as well.
706
707           [kadmin]
708
709                      password_lifetime = time
710                           If a principal already has its password set for
711                           expiration, this is the time it will be valid for
712                           after a change.
713
714                      default_keys = keytypes...
715                           Each entry in default_keys is parsed as a sequence
716                           of etype:salttype:salt.  The syntax of this is
717                           something like:
718
719                           [(des|des3|etype):](pw-salt|afs3-salt)[:string]
720
721                           If etype is omitted it means everything, and if
722                           string is omitted it means the default salt string
723                           (for that principal and encryption type).  Addi‐
724                           tional special values of keytypes are:
725
726                                 v5   The Kerberos 5 salt pw-salt
727
728                      default_key_rules = {
729
730                                 globing-rule = keytypes...
731                                      a globbing rule for matching a principal;
732                                      when it matches, use the keytypes speci‐
733                                      fied in the same format as [kad‐
734                                      min]default_keys.
735
736                      }
737
738                      prune-key-history = BOOL
739                           When adding keys to the key history, drop keys that
740                           are too old to match unexpired tickets (based on
741                           the principal's maximum ticket lifetime).  If the
742                           KDC keystore is later compromised, traffic protected
743                           with the discarded older keys may remain protected.
744                           This also keeps the HDB records for principals with
745                           key history from growing without bound.  The
746                           default (backwards compatible) value is "false".
747
748                      use_v4_salt = BOOL
749                           When true, this is the same as
750
751                           default_keys = des3:pw-salt v4
752
753                           and is only left for backwards compatibility.
754
755                      [password_quality]
756                           See the Password quality assurance section in the
757                           info documentation for more information.
758
759                                 check_library = library-name
760                                      Library name that contains the password
761                                      check_function
762
763                                 check_function = function-name
764                                      Function name for checking passwords in
765                                      check_library
766
767                                 policy_libraries = library1 ... libraryN
768                                      List of libraries that can do password
769                                      policy checks
770
771                                 policies = policy1 ... policyN
772                                      List of policy names to apply to the
773                                      password.  Built-in policies include,
774                                      among others, minimum-length, character-
775                                      class and external-check.
776

ENVIRONMENT

778     KRB5_CONFIG points to the configuration file to read.
779

FILES

781     /etc/krb5.conf  configuration file for Kerberos 5.
782

EXAMPLES

784           [libdefaults]
785                   default_realm = FOO.SE
786                   name_canon_rules = as-is:realm=FOO.SE
787                   name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
788                   name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
789                   name_canon_rules = nss
790           [domain_realm]
791                   .foo.se = FOO.SE
792                   .bar.se = FOO.SE
793           [realms]
794                   FOO.SE = {
795                           kdc = kerberos.foo.se
796                           default_domain = foo.se
797                   }
798           [logging]
799                   kdc = FILE:/var/heimdal/kdc.log
800                   kdc = SYSLOG:INFO
801                   default = SYSLOG:INFO:USER
802           [kadmin]
803                   default_key_rules = {
804                           */ppp@* = arcfour-hmac-md5:pw-salt
805                   }
806

DIAGNOSTICS

808     Since krb5.conf is read and parsed by the krb5 library, there are not
809     many opportunities for programs to report parsing errors in any useful
810     format.  To help overcome this problem, there is a program
811     verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos‐
812     tics from parsing errors.  Note that this program does not have any way
813     of knowing what options are actually used and thus cannot warn about
814     unknown or misspelled ones.
815

SEE ALSO

817     kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
818
819HEIMDAL                           May 4, 2005                          HEIMDAL