KRB5.CONF(5)                     MIT Kerberos                     KRB5.CONF(5)

NAME

       krb5.conf - Kerberos configuration file

       The krb5.conf file contains Kerberos configuration information,
       including the locations of KDCs and admin servers for the Kerberos
       realms of interest, defaults for the current realm and for Kerberos
       applications, and mappings of hostnames onto Kerberos realms.
       Normally, you should install your krb5.conf file in the directory
       /etc.  You can override the default location by setting the
       environment variable KRB5_CONFIG.  Multiple colon-separated filenames
       may be specified in KRB5_CONFIG; all files which are present will be
       read.  Starting in release 1.14, directory names can also be
       specified in KRB5_CONFIG; all files within the directory whose names
       consist solely of alphanumeric characters, dashes, or underscores
       will be read.

STRUCTURE

       The krb5.conf file is set up in the style of a Windows INI file.
       Lines beginning with '#' or ';' (possibly after initial whitespace)
       are ignored as comments.  Sections are headed by the section name, in
       square brackets.  Each section may contain zero or more relations, of
       the form:

          foo = bar

       or:

          fubar = {
              foo = bar
              baz = quux
          }

       Placing a '*' after the closing bracket of a section name indicates
       that the section is final, meaning that if the same section appears
       within a later file specified in KRB5_CONFIG, it will be ignored.  A
       subsection can be marked as final by placing a '*' after either the
       tag name or the closing brace.
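
       The following Python example is added here to show how these
       structure rules behave when KRB5_CONFIG names several files; it is
       not code from MIT Kerberos.  It parses the INI-style syntax described
       above (comment lines, nested subsections, repeated tags, and the '*'
       final markers) and merges files in order, so that a section or
       subsection an earlier file marked final blocks the same-named one in
       a later file.  The two configuration texts, the function names, and
       the dict-of-lists representation are the example's own assumptions;
       include and module directives are not handled.

```python
import re

# Constructed sample files.  The first marks [libdefaults] final with '*'
# after the section name and the ATHENA.MIT.EDU subsection final with '*'
# after its closing brace; the second, a later file in KRB5_CONFIG, tries to
# override both and also adds a new realm.
BASE_CONF = """\
# comment line
; another comment style
[libdefaults]*
    default_realm = ATHENA.MIT.EDU

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }*
"""

LATER_CONF = """\
[libdefaults]
    # ignored: the earlier [libdefaults] was marked final
    default_realm = OTHER.EXAMPLE
[realms]
    ATHENA.MIT.EDU = {
        kdc = rogue.example
    }
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](\*?)$")
OPEN_RE = re.compile(r"^([^=]+?)\s*(\*?)\s*=\s*\{$")
CLOSE_RE = re.compile(r"^\}(\*?)$")
REL_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_profile(text):
    """Parse one file into (root, finals).  root maps a tag to a list of
    values; a value is a str or a nested dict (a subsection), so repeated
    tags such as several 'kdc' lines survive.  finals holds the tuple paths
    marked final with '*'."""
    root, finals = {}, set()
    stack = []  # (path, node) for the current section and open subsections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # whole-line comments only; there are no inline comments
        m = SECTION_RE.match(line)
        if m:
            node = {}
            root.setdefault(m.group(1), []).append(node)
            stack = [((m.group(1),), node)]
            if m.group(2):
                finals.add((m.group(1),))
            continue
        if not stack:
            raise ValueError(f"line {lineno}: relation before any section header")
        path, node = stack[-1]
        m = OPEN_RE.match(line)
        if m:
            tag, child = m.group(1).strip(), {}
            node.setdefault(tag, []).append(child)
            stack.append((path + (tag,), child))
            if m.group(2):
                finals.add(path + (tag,))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: '}}' without an open subsection")
            if m.group(1):
                finals.add(path)
            stack.pop()
            continue
        m = REL_RE.match(line)
        if m:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # e.g. qualify_shortname = ""
            node.setdefault(m.group(1).strip(), []).append(value)
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) > 1:
        raise ValueError("unclosed subsection at end of file")
    return root, finals


def _merge(dst, src, path, finals):
    """Merge src into dst, skipping any tag whose path an earlier file made final."""
    for tag, values in src.items():
        child_path = path + (tag,)
        if child_path in finals:
            continue
        for value in values:
            if isinstance(value, dict):
                child = {}
                _merge(child, value, child_path, finals)
                dst.setdefault(tag, []).append(child)
            else:
                dst.setdefault(tag, []).append(value)


def load_profiles(texts):
    """Combine files in KRB5_CONFIG order; a '*' marker only binds later files."""
    merged, finals = {}, set()
    for text in texts:
        root, new_finals = parse_profile(text)
        _merge(merged, root, (), finals)
        finals |= new_finals
    return merged


def get_values(root, path):
    """All string values at a path such as ('realms', 'ATHENA.MIT.EDU', 'kdc'),
    gathered across every copy of the section and subsection."""
    nodes = [root]
    for name in path[:-1]:
        nodes = [c for n in nodes for c in n.get(name, []) if isinstance(c, dict)]
    return [v for n in nodes for v in n.get(path[-1], []) if isinstance(v, str)]


if __name__ == "__main__":
    conf = load_profiles([BASE_CONF, LATER_CONF])
    print(get_values(conf, ("libdefaults", "default_realm")))    # ['ATHENA.MIT.EDU']
    print(get_values(conf, ("realms", "ATHENA.MIT.EDU", "kdc")))  # the two kerberos.mit.edu hosts
    print(get_values(conf, ("realms", "EXAMPLE.COM", "kdc")))     # ['kdc.example.com']
```

       Because the later file's [libdefaults] and ATHENA.MIT.EDU entries
       are dropped while its EXAMPLE.COM realm is kept, the output shows
       why final markers matter on hosts where KRB5_CONFIG or an includedir
       lets less-trusted files follow the main one.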

       The krb5.conf file can include other files using either of the
       following directives at the beginning of a line:

          include FILENAME
          includedir DIRNAME

       FILENAME or DIRNAME should be an absolute path.  The named file or
       directory must exist and be readable.  Including a directory includes
       all files within the directory whose names consist solely of
       alphanumeric characters, dashes, or underscores.  Starting in release
       1.15, files with names ending in ".conf" are also included, unless
       the name begins with ".".  Included profile files are syntactically
       independent of their parents, so each included file must begin with
       a section header.  Starting in release 1.17, files are read in
       alphanumeric order; in previous releases, they may be read in any
       order.
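
       A common surprise is a drop-in file that is silently never read.
       The following Python example, added here and not part of MIT
       Kerberos, applies the includedir naming rules above to a directory
       listing and reports which names a given release reads, in the order
       it reads them.  The listing is constructed, the helper name is the
       example's own, and "alphanumeric" is taken to mean ASCII letters and
       digits (an assumption).

```python
import re

# A name is always read when it is solely alphanumerics, dashes or underscores.
_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def included_files(names, release=(1, 18)):
    """Return the names from an includedir listing that `release` (a
    (major, minor) tuple) reads, in reading order.  Hypothetical helper."""
    chosen = []
    for name in names:
        if _PLAIN_NAME.match(name):
            chosen.append(name)
        elif release >= (1, 15) and name.endswith(".conf") and not name.startswith("."):
            chosen.append(name)  # ".conf" suffix rule, new in 1.15
    # Alphanumeric order is only promised from 1.17; earlier releases may read
    # the files in any order, so the listing order is returned unchanged.
    return sorted(chosen) if release >= (1, 17) else chosen


# Constructed listing: it mixes names that are read with editor backups,
# hidden files and other names an administrator might expect to be read.
SAMPLE_LISTING = [
    "10-realms", "00-base.conf", "zz_local", "krb5.conf.bak",
    ".hidden.conf", "site.conf~", "README.md", "20-domain_realm.conf",
]

if __name__ == "__main__":
    for rel in ((1, 14), (1, 16), (1, 18)):
        print(rel, included_files(SAMPLE_LISTING, release=rel))
```

       Note that krb5.conf.bak, site.conf~ and .hidden.conf are never read
       by any release, while 10-realms and zz_local are read by all of them
       even though they carry no ".conf" suffix.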

       The krb5.conf file can specify that configuration should be obtained
       from a loadable module, rather than the file itself, using the
       following directive at the beginning of a line before any section
       headers:

          module MODULEPATH:RESIDUAL

       MODULEPATH may be relative to the library path of the krb5
       installation, or it may be an absolute path.  RESIDUAL is provided to
       the module at initialization time.  If krb5.conf uses a module
       directive, kdc.conf(5) should also use one if it exists.

SECTIONS

       The krb5.conf file may contain the following sections:

       ┌───────────────┬────────────────────────────────────────────┐
       │[libdefaults]  │ Settings used by the Kerberos V5 library   │
       ├───────────────┼────────────────────────────────────────────┤
       │[realms]       │ Realm-specific contact information and     │
       │               │ settings                                   │
       ├───────────────┼────────────────────────────────────────────┤
       │[domain_realm] │ Maps server hostnames to Kerberos realms   │
       ├───────────────┼────────────────────────────────────────────┤
       │[capaths]      │ Authentication paths for non-hierarchical  │
       │               │ cross-realm                                │
       ├───────────────┼────────────────────────────────────────────┤
       │[appdefaults]  │ Settings used by some Kerberos V5          │
       │               │ applications                               │
       ├───────────────┼────────────────────────────────────────────┤
       │[plugins]      │ Controls plugin module registration        │
       └───────────────┴────────────────────────────────────────────┘

       Additionally, krb5.conf may include any of the relations described
       in kdc.conf(5), but it is not a recommended practice.
   [libdefaults]
       The libdefaults section may contain any of the following relations:

       allow_weak_crypto
              If this flag is set to false, then weak encryption types (as
              noted in Encryption_types in kdc.conf(5)) will be filtered out
              of the lists default_tgs_enctypes, default_tkt_enctypes, and
              permitted_enctypes.  The default value for this tag is false.

       canonicalize
              If this flag is set to true, initial ticket requests to the
              KDC will request canonicalization of the client principal
              name, and answers with different client principals than the
              requested principal will be accepted.  The default value is
              false.

       ccache_type
              This parameter determines the format of credential cache types
              created by kinit(1) or other programs.  The default value is
              4, which represents the most current format.  Smaller values
              can be used for compatibility with very old implementations of
              Kerberos which interact with credential caches on the same
              host.

       clockskew
              Sets the maximum allowable amount of clock skew in seconds
              that the library will tolerate before assuming that a Kerberos
              message is invalid.  The default value is 300 seconds, or five
              minutes.

              The clockskew setting is also used when evaluating ticket
              start and expiration times.  For example, tickets that have
              reached their expiration time can still be used (and renewed
              if they are renewable tickets) if they have been expired for a
              shorter duration than the clockskew setting.

       default_ccache_name
              This relation specifies the name of the default credential
              cache.  The default is FILE:/tmp/krb5cc_%{uid}.  This relation
              is subject to parameter expansion (see below).  New in release
              1.11.

       default_client_keytab_name
              This relation specifies the name of the default keytab for
              obtaining client credentials.  The default is
              FILE:/var/kerberos/krb5/user/%{euid}/client.keytab.  This
              relation is subject to parameter expansion (see below).  New
              in release 1.11.

       default_keytab_name
              This relation specifies the default keytab name to be used by
              application servers such as sshd.  The default is
              FILE:/etc/krb5.keytab.  This relation is subject to parameter
              expansion (see below).

       default_rcache_name
              This relation specifies the name of the default replay cache.
              The default is dfl:.  This relation is subject to parameter
              expansion (see below).  New in release 1.18.

       default_realm
              Identifies the default Kerberos realm for the client.  Set its
              value to your Kerberos realm.  If this value is not set, then
              a realm must be specified with every Kerberos principal when
              invoking programs such as kinit(1).

       default_tgs_enctypes
              Identifies the supported list of session key encryption types
              that the client should request when making a TGS-REQ, in
              order of preference from highest to lowest.  The list may be
              delimited with commas or whitespace.  See Encryption_types in
              kdc.conf(5) for a list of the accepted values for this tag.
              Starting in release 1.18, the default value is the value of
              permitted_enctypes.  For previous releases or if
              permitted_enctypes is not set, the default value is
              aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
              aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
              arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac.

              Do not set this unless required for specific backward
              compatibility purposes; stale values of this setting can
              prevent clients from taking advantage of new stronger enctypes
              when the libraries are upgraded.

       default_tkt_enctypes
              Identifies the supported list of session key encryption types
              that the client should request when making an AS-REQ, in
              order of preference from highest to lowest.  The format is the
              same as for default_tgs_enctypes.  Starting in release 1.18,
              the default value is the value of permitted_enctypes.  For
              previous releases or if permitted_enctypes is not set, the
              default value is aes256-cts-hmac-sha1-96
              aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
              aes128-cts-hmac-sha256-128 arcfour-hmac-md5
              camellia256-cts-cmac camellia128-cts-cmac.

              Do not set this unless required for specific backward
              compatibility purposes; stale values of this setting can
              prevent clients from taking advantage of new stronger enctypes
              when the libraries are upgraded.

       dns_canonicalize_hostname
              Indicate whether name lookups will be used to canonicalize
              hostnames for use in service principal names.  Setting this
              flag to false can improve security by reducing reliance on
              DNS, but means that short hostnames will not be canonicalized
              to fully-qualified hostnames.  If this option is set to
              fallback (new in release 1.18), DNS canonicalization will only
              be performed if the server hostname is not found with the
              original name when requesting credentials.  The default value
              is true.

       dns_lookup_kdc
              Indicate whether DNS SRV records should be used to locate the
              KDCs and other servers for a realm, if they are not listed in
              the krb5.conf information for the realm.  (Note that the
              admin_server entry must be in the krb5.conf realm information
              in order to contact kadmind, because the DNS implementation
              for kadmin is incomplete.)

              Enabling this option does open up a type of denial-of-service
              attack, if someone spoofs the DNS records and redirects you to
              another server.  However, it's no worse than a denial of
              service, because that fake KDC will be unable to decode
              anything you send it (besides the initial ticket request,
              which has no encrypted data), and anything the fake KDC sends
              will not be trusted without verification using some secret
              that it won't know.

       dns_uri_lookup
              Indicate whether DNS URI records should be used to locate the
              KDCs and other servers for a realm, if they are not listed in
              the krb5.conf information for the realm.  SRV records are used
              as a fallback if no URI records were found.  The default value
              is true.  New in release 1.15.

       enforce_ok_as_delegate
              If this flag is set to true, GSSAPI credential delegation will
              be disabled when the ok-as-delegate flag is not set in the
              service ticket.  If this flag is false, the ok-as-delegate
              ticket flag is only enforced when an application specifically
              requests enforcement.  The default value is false.

       err_fmt
              This relation allows for custom error message formatting.  If
              a value is set, error messages will be formatted by
              substituting a normal error message for %M and an error code
              for %C in the value.

       extra_addresses
              This allows a computer to use multiple local addresses, in
              order to allow Kerberos to work in a network that uses NATs
              while still using address-restricted tickets.  The addresses
              should be in a comma-separated list.  This option has no
              effect if noaddresses is true.

       forwardable
              If this flag is true, initial tickets will be forwardable by
              default, if allowed by the KDC.  The default value is false.

       ignore_acceptor_hostname
              When accepting GSSAPI or krb5 security contexts for host-based
              service principals, ignore any hostname passed by the calling
              application, and allow clients to authenticate to any service
              principal in the keytab matching the service name and realm
              name (if given).  This option can improve the administrative
              flexibility of server applications on multihomed hosts, but
              could compromise the security of virtual hosting
              environments.  The default value is false.  New in release
              1.10.

       k5login_authoritative
              If this flag is true, principals must be listed in a local
              user's k5login file to be granted login access, if a
              .k5login(5) file exists.  If this flag is false, a principal
              may still be granted login access through other mechanisms
              even if a k5login file exists but does not list the
              principal.  The default value is true.

       k5login_directory
              If set, the library will look for a local user's k5login file
              within the named directory, with a filename corresponding to
              the local username.  If not set, the library will look for
              k5login files in the user's home directory, with the filename
              .k5login.  For security reasons, .k5login files must be owned
              by the local user or by root.

       kcm_mach_service
              On macOS only, determines the name of the bootstrap service
              used to contact the KCM daemon for the KCM credential cache
              type.  If the value is -, Mach RPC will not be used to contact
              the KCM daemon.  The default value is org.h5l.kcm.

       kcm_socket
              Determines the path to the Unix domain socket used to access
              the KCM daemon for the KCM credential cache type.  If the
              value is -, Unix domain sockets will not be used to contact
              the KCM daemon.  The default value is
              /var/run/.heim_org.h5l.kcm-socket.

       kdc_default_options
              Default KDC options (XORed together for multiple values) when
              requesting initial tickets.  By default it is set to
              0x00000010 (KDC_OPT_RENEWABLE_OK).

       kdc_timesync
              Accepted values for this relation are 1 or 0.  If it is
              nonzero, client machines will compute the difference between
              their time and the time returned by the KDC in the timestamps
              in the tickets and use this value to correct for an inaccurate
              system clock when requesting service tickets or
              authenticating to services.  This corrective factor is only
              used by the Kerberos library; it is not used to change the
              system clock.  The default value is 1.

       noaddresses
              If this flag is true, requests for initial tickets will not be
              made with address restrictions set, allowing the tickets to be
              used across NATs.  The default value is true.

       permitted_enctypes
              Identifies the encryption types that servers will permit for
              session keys and for ticket and authenticator encryption,
              ordered by preference from highest to lowest.  Starting in
              release 1.18, this tag also acts as the default value for
              default_tgs_enctypes and default_tkt_enctypes.  The default
              value for this tag is aes256-cts-hmac-sha1-96
              aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
              aes128-cts-hmac-sha256-128 arcfour-hmac-md5
              camellia256-cts-cmac camellia128-cts-cmac.

       plugin_base_dir
              If set, determines the base directory where krb5 plugins are
              located.  The default value is the krb5/plugins subdirectory
              of the krb5 library directory.  This relation is subject to
              parameter expansion (see below) in release 1.17 and later.

       preferred_preauth_types
              This allows you to set the preferred preauthentication types
              which the client will attempt before others which may be
              advertised by a KDC.  The default value for this setting is
              "17, 16, 15, 14", which forces libkrb5 to attempt to use
              PKINIT if it is supported.

       proxiable
              If this flag is true, initial tickets will be proxiable by
              default, if allowed by the KDC.  The default value is false.

       qualify_shortname
              If this string is set, it determines the domain suffix for
              single-component hostnames when DNS canonicalization is not
              used (either because dns_canonicalize_hostname is false or
              because forward canonicalization failed).  The default value
              is the first search domain of the system's DNS configuration.
              To disable qualification of shortnames, set this relation to
              the empty string with qualify_shortname = "".  (New in release
              1.18.)

       radius_md5_fips_override
              Downstream-only option to enable use of MD5 in RADIUS
              communication (libkrad).  This allows for local (or protected
              tunnel) communication with a RADIUS server that doesn't use
              krad (e.g., freeradius) while in FIPS mode.

       rdns   If this flag is true, reverse name lookup will be used in
              addition to forward name lookup to canonicalize hostnames for
              use in service principal names.  If dns_canonicalize_hostname
              is set to false, this flag has no effect.  The default value
              is true.

       realm_try_domains
              Indicate whether a host's domain components should be used to
              determine the Kerberos realm of the host.  The value of this
              variable is an integer: -1 means not to search, 0 means to try
              the host's domain itself, 1 means to also try the domain's
              immediate parent, and so forth.  The library's usual mechanism
              for locating Kerberos realms is used to determine whether a
              domain is a valid realm, which may involve consulting DNS if
              dns_lookup_kdc is set.  The default is not to search domain
              components.

       renew_lifetime
              (duration string.)  Sets the default renewable lifetime for
              initial ticket requests.  The default value is 0.

       spake_preauth_groups
              A whitespace or comma-separated list of words which specifies
              the groups allowed for SPAKE preauthentication.  The possible
              values are:

              ┌─────────────┬──────────────────────────────────┐
              │edwards25519 │ Edwards25519 curve (RFC 7748)    │
              ├─────────────┼──────────────────────────────────┤
              │P-256        │ NIST P-256 curve (RFC 5480)      │
              ├─────────────┼──────────────────────────────────┤
              │P-384        │ NIST P-384 curve (RFC 5480)      │
              ├─────────────┼──────────────────────────────────┤
              │P-521        │ NIST P-521 curve (RFC 5480)      │
              └─────────────┴──────────────────────────────────┘

              The default value for the client is edwards25519.  The default
              value for the KDC is empty.  New in release 1.17.

       ticket_lifetime
              (duration string.)  Sets the default lifetime for initial
              ticket requests.  The default value is 1 day.

       udp_preference_limit
              When sending a message to the KDC, the library will try using
              TCP before UDP if the size of the message is above
              udp_preference_limit.  If the message is smaller than
              udp_preference_limit, then UDP will be tried before TCP.
              Regardless of the size, both protocols will be tried if the
              first attempt fails.

       verify_ap_req_nofail
              If this flag is true, then an attempt to verify initial
              credentials will fail if the client machine does not have a
              keytab.  The default value is false.

       client_aware_channel_bindings
              If this flag is true, then all application protocol
              authentication requests will be flagged to indicate that the
              application supports channel bindings when operating over a
              secure channel.  The default value is false.

   [realms]
       Each tag in the [realms] section of the file is the name of a
       Kerberos realm.  The value of the tag is a subsection with relations
       that define the properties of that particular realm.  For each realm,
       the following tags may be specified in the realm's subsection:

       admin_server
              Identifies the host where the administration server is
              running.  Typically, this is the primary Kerberos server.
              This tag must be given a value in order to communicate with
              the kadmind(8) server for the realm.

       auth_to_local
              This tag allows you to set a general rule for mapping
              principal names to local user names.  It will be used if there
              is not an explicit mapping for the principal name that is
              being translated.  The possible values are:

              RULE:exp
                     The local name will be formulated from exp.

                     The format for exp is
                     [n:string](regexp)s/pattern/replacement/g.  The integer
                     n indicates how many components the target principal
                     should have.  If this matches, then a string will be
                     formed from string, substituting the realm of the
                     principal for $0 and the n'th component of the
                     principal for $n (e.g., if the principal was
                     johndoe/admin then [2:$2$1foo] would result in the
                     string adminjohndoefoo).  If this string matches
                     regexp, then the s//[g] substitution command will be
                     run over the string.  The optional g will cause the
                     substitution to be global over the string, instead of
                     replacing only the first match in the string.

              DEFAULT
                     The principal name will be used as the local user name.
                     If the principal has more than one component or is not
                     in the default realm, this rule is not applicable and
                     the conversion will fail.

              For example:

                 [realms]
                     ATHENA.MIT.EDU = {
                         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                         auth_to_local = DEFAULT
                     }

              would result in any principal without root or admin as the
              second component being translated with the default rule.  A
              principal with a second component of admin will become its
              first component.  root will be used as the local name for any
              principal with a second component of root.  The exception to
              these two rules is any principal johndoe/*, which will always
              get the local name guest.
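
              Running a rule set through an evaluator before deploying it is
              the quickest way to confirm that it grants exactly the local
              names the prose intends.  The following Python example is
              added here and is not code from MIT Kerberos: it implements
              the RULE and DEFAULT forms as this section defines them, using
              Python's re module in place of the POSIX extended regular
              expressions libkrb5 uses (an assumption that holds for the
              patterns shown), with (regexp) and s/// treated as optional
              parts.  Run against the four rules above, it also shows that
              the third rule as printed builds its string from $2 alone, so
              a principal such as bob/root produces the string root, which
              the pattern ^.*;root cannot match; FIXED_RULES in the block is
              the example's own corrected variant, which selects $1;$2 and
              matches as the prose describes.

```python
import re

# The four rules printed in this section, verbatim.
PAGE_RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]

# The third page rule selects only $2, so its ";root" pattern can never
# match.  This corrected variant (the example's own) selects both components.
FIXED_RULES = PAGE_RULES[:2] + ["RULE:[2:$1;$2](^.*;root$)s/^.*$/root/", "DEFAULT"]


def parse_principal(principal):
    """'johndoe/admin@ATHENA.MIT.EDU' -> (['johndoe', 'admin'], 'ATHENA.MIT.EDU').
    Backslash-escaped '/' and '@' are not handled (assumption)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"no realm in {principal!r}")
    return name.split("/"), realm


def _balanced(text, open_ch, close_ch):
    """text starts with open_ch; return (inside, remainder) at the matching close."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == open_ch:
            depth += 1
        elif ch == close_ch:
            depth -= 1
            if depth == 0:
                return text[1:i], text[i + 1:]
    raise ValueError(f"unbalanced {open_ch!r} in {text!r}")


def parse_rule(rule):
    """Split 'RULE:[n:string](regexp)s/pattern/replacement/g' or 'DEFAULT'
    into its parts; (regexp) and s/// may be absent (assumption)."""
    if rule == "DEFAULT":
        return {"kind": "DEFAULT"}
    if not rule.startswith("RULE:["):
        raise ValueError(f"unsupported rule {rule!r}")
    selector, rest = _balanced(rule[len("RULE:"):], "[", "]")
    n, _, fmt = selector.partition(":")
    parsed = {"kind": "RULE", "n": int(n), "fmt": fmt, "regexp": None, "subst": None}
    if rest.startswith("("):
        parsed["regexp"], rest = _balanced(rest, "(", ")")
    if rest:
        m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", rest)
        if not m:
            raise ValueError(f"bad substitution {rest!r}")
        parsed["subst"] = (m.group(1), m.group(2), m.group(3) == "g")
    return parsed


def expand_format(fmt, comps, realm):
    """Replace $0 with the realm and $n with the n'th principal component."""
    def sub(m):
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError(f"${i} requested but principal has {len(comps)} components")
        return realm if i == 0 else comps[i - 1]
    return re.sub(r"\$(\d+)", sub, fmt)


def apply_rule(parsed, principal, default_realm):
    """Local name this one rule yields, or None when the rule does not apply."""
    comps, realm = parse_principal(principal)
    if parsed["kind"] == "DEFAULT":
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    if parsed["n"] != len(comps):
        return None  # component count must match exactly
    s = expand_format(parsed["fmt"], comps, realm)
    if parsed["regexp"] is not None and re.search(parsed["regexp"], s) is None:
        return None
    if parsed["subst"] is not None:
        pattern, repl, every = parsed["subst"]
        s = re.sub(pattern, repl, s, count=0 if every else 1)
    return s


def auth_to_local(principal, rules, default_realm):
    """Rules are tried in order; the first that applies wins.  None means
    the conversion fails, as the DEFAULT description says."""
    for rule in rules:
        name = apply_rule(parse_rule(rule), principal, default_realm)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for p in ("johndoe/admin", "alice/admin", "bob/root", "carol"):
        principal = p + "@ATHENA.MIT.EDU"
        print(principal, auth_to_local(principal, PAGE_RULES, "ATHENA.MIT.EDU"),
              auth_to_local(principal, FIXED_RULES, "ATHENA.MIT.EDU"))
```

              With the page's rules bob/root@ATHENA.MIT.EDU gets no local
              name at all (it has two components, so DEFAULT does not apply
              either), whereas with the corrected third rule it becomes
              root; johndoe/admin is guest under both sets because the first
              rule matches before the others are consulted.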

       auth_to_local_names
              This subsection allows you to set explicit mappings from
              principal names to local user names.  The tag is the mapping
              name, and the value is the corresponding local user name.

       default_domain
              This tag specifies the domain used to expand hostnames when
              translating Kerberos 4 service principals to Kerberos 5
              principals (for example, when converting rcmd.hostname to
              host/hostname.domain).

       disable_encrypted_timestamp
              If this flag is true, the client will not perform encrypted
              timestamp preauthentication if requested by the KDC.  Setting
              this flag can help to prevent dictionary attacks by active
              attackers, if the realm's KDCs support SPAKE preauthentication
              or if initial authentication always uses another mechanism or
              always uses FAST.  This flag persists across client referrals
              during initial authentication.  This flag does not prevent the
              KDC from offering encrypted timestamp.  New in release 1.17.

       http_anchors
              When KDCs and kpasswd servers are accessed through HTTPS
              proxies, this tag can be used to specify the location of the
              CA certificate which should be trusted to issue the
              certificate for a proxy server.  If left unspecified, the
              system-wide default set of CA certificates is used.

              The syntax for values is similar to that of values for the
              pkinit_anchors tag:

              FILE: filename

              filename is assumed to be the name of an OpenSSL-style
              ca-bundle file.

              DIR: dirname

              dirname is assumed to be a directory which contains CA
              certificates.  All files in the directory will be examined; if
              they contain certificates (in PEM format), they will be used.

              ENV: envvar

              envvar specifies the name of an environment variable which has
              been set to a value conforming to one of the previous values.
              For example, ENV:X509_PROXY_CA, where environment variable
              X509_PROXY_CA has been set to FILE:/tmp/my_proxy.pem.

       kdc    The name or address of a host running a KDC for that realm.
              An optional port number, separated from the hostname by a
              colon, may be included.  If the name or address contains
              colons (for example, if it is an IPv6 address), enclose it in
              square brackets to distinguish the colon from a port
              separator.  For your computer to be able to communicate with
              the KDC for each realm, this tag must be given a value in each
              realm subsection in the configuration file, or there must be
              DNS SRV records specifying the KDCs.

       kpasswd_server
              Points to the server where all the password changes are
              performed.  If there is no such entry, DNS will be queried
              (unless forbidden by dns_lookup_kdc).  Finally, port 464 on
              the admin_server host will be tried.

       master_kdc
              The name for primary_kdc prior to release 1.19.  Its value is
              used as a fallback if primary_kdc is not specified.

       primary_kdc
              Identifies the primary KDC(s).  Currently, this tag is used in
              only one case: if an attempt to get credentials fails because
              of an invalid password, the client software will attempt to
              contact the primary KDC, in case the user's password has just
              been changed, and the updated database has not been propagated
              to the replica servers yet.  New in release 1.19.

       v4_instance_convert
              This subsection allows the administrator to configure
              exceptions to the default_domain mapping rule.  It contains V4
              instances (the tag name) which should be translated to some
              specific hostname (the tag value) as the second component in a
              Kerberos V5 principal name.

       v4_realm
              This relation is used by the krb524 library routines when
              converting a V5 principal name to a V4 principal name.  It is
              used when the V4 realm name and the V5 realm name are not the
              same, but still share the same principal names and passwords.
              The tag value is the Kerberos V4 realm name.
563
564   [domain_realm]
565       The [domain_realm] section provides a translation from a domain name or
566       hostname to a Kerberos realm name.  The tag name can be a host name  or
567       domain  name,  where domain names are indicated by a prefix of a period
568       (.).  The value of the relation is the Kerberos  realm  name  for  that
569       particular  host  or  domain.  A host name relation implicitly provides
570       the corresponding domain name relation, unless an explicit domain  name
571       relation  is  provided.  The Kerberos realm may be identified either in
572       the realms section or using DNS SRV records.   Host  names  and  domain
573       names should be in lower case.  For example:
574
575          [domain_realm]
576              crash.mit.edu = TEST.ATHENA.MIT.EDU
577              .dev.mit.edu = TEST.ATHENA.MIT.EDU
578              mit.edu = ATHENA.MIT.EDU
579
580       maps  the host with the name crash.mit.edu into the TEST.ATHENA.MIT.EDU
581       realm.  The second entry maps all hosts under  the  domain  dev.mit.edu
582       into  the  TEST.ATHENA.MIT.EDU  realm,  but  not the host with the name
583       dev.mit.edu.  That host is matched by the third entry, which  maps  the
584       host mit.edu and all hosts under the domain mit.edu that do not match a
585       preceding rule into the realm ATHENA.MIT.EDU.
586
587       If no translation entry applies to a hostname used for a service  prin‐
588       cipal  for  a service ticket request, the library will try to get a re‐
589       ferral to the appropriate realm from the client realm's KDC.   If  that
590       does  not  succeed, the host's realm is considered to be the hostname's
591       domain portion converted to  uppercase,  unless  the  realm_try_domains
592       setting in [libdefaults] causes a different parent domain to be used.
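       The following Python code is added here as an illustration; it is not
       part of this man page or of MIT krb5.  It implements the [domain_realm]
       lookup order described above (exact host name first, then each parent
       domain with an explicit ".domain" relation taking precedence over the
       implicit one a host relation provides) and the last-resort heuristic of
       uppercasing the host's domain portion.  The mapping is the example from
       this section, constructed as a dict; the KDC referral step is omitted
       because it needs a network round trip, and realm_try_domains is not
       modelled.  The second return value tells the caller whether the realm
       came from the authoritative [domain_realm] entries or from the guess.

```python
"""Resolve a hostname to a Kerberos realm using [domain_realm] rules."""

# Constructed [domain_realm] section, mirroring the example in the man page.
DOMAIN_REALM = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}


def lookup_domain_realm(mapping, hostname):
    """Return the realm configured for hostname, or None.

    Order of checks, as the man page describes them:
      1. an exact host name relation;
      2. for each parent domain, longest first: an explicit domain relation
         (".parent") wins over the implicit one a host relation "parent"
         provides.
    """
    host = hostname.rstrip(".").lower()   # tags are expected in lower case
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "." + parent in mapping:       # explicit domain relation
            return mapping["." + parent]
        if parent in mapping:             # host relation implies the domain
            return mapping[parent]
    return None


def host_realm(mapping, hostname):
    """Return (realm, authoritative).

    authoritative is True when the realm came from [domain_realm].  With no
    entry the library would first ask the client realm's KDC for a referral;
    that network step is omitted here and the man page's last-resort
    heuristic is applied instead: the host's domain portion, uppercased.
    A single-label name has no domain portion and yields no realm.
    """
    realm = lookup_domain_realm(mapping, hostname)
    if realm is not None:
        return realm, True
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, False
    return ".".join(labels[1:]).upper(), False


if __name__ == "__main__":
    for h in ("crash.mit.edu", "foo.dev.mit.edu", "dev.mit.edu",
              "mit.edu", "www.example.org"):
        print(h, host_realm(DOMAIN_REALM, h))
```

       A service ticket is requested from whichever realm this lookup names,
       so when the flag is False the realm was guessed rather than
       configured; an explicit [domain_realm] entry (or a dns_lookup_realm
       decision made deliberately) is the fix for hosts that end up there.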
593
594   [capaths]
595       In  order  to perform direct (non-hierarchical) cross-realm authentica‐
596       tion, configuration is needed to determine the authentication paths be‐
597       tween realms.
598
599       A  client will use this section to find the authentication path between
600       its realm and the realm of the server.  The server will use  this  sec‐
601       tion  to verify the authentication path used by the client, by checking
602       the transited field of the received ticket.
603
604       There is a tag for each participating client realm, and  each  tag  has
605       subtags  for each of the server realms.  The value of the subtags is an
606       intermediate realm which may participate in the cross-realm authentica‐
607       tion.  The subtags may be repeated if there is more than one intermedi‐
608       ate realm.  A value of "." means that the two  realms  share  keys  di‐
609       rectly, and no intermediate realms should be allowed to participate.
610
611       Only  those  entries  which  will be needed on the client or the server
612       need to be present.  A client needs a tag for its local realm with sub‐
613       tags  for all the realms of servers it will need to authenticate to.  A
614       server needs a tag for each realm of the clients it will serve, with  a
615       subtag of the server realm.
616
617       For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
618       realm as an intermediate realm.  ANL has a sub  realm  of  TEST.ANL.GOV
619       which  will authenticate with NERSC.GOV but not PNL.GOV.  The [capaths]
620       section for ANL.GOV systems would look like this:
621
622          [capaths]
623              ANL.GOV = {
624                  TEST.ANL.GOV = .
625                  PNL.GOV = ES.NET
626                  NERSC.GOV = ES.NET
627                  ES.NET = .
628              }
629              TEST.ANL.GOV = {
630                  ANL.GOV = .
631              }
632              PNL.GOV = {
633                  ANL.GOV = ES.NET
634              }
635              NERSC.GOV = {
636                  ANL.GOV = ES.NET
637              }
638              ES.NET = {
639                  ANL.GOV = .
640              }
641
642       The [capaths] section of the configuration file used on NERSC.GOV  sys‐
643       tems would look like this:
644
645          [capaths]
646              NERSC.GOV = {
647                  ANL.GOV = ES.NET
648                  TEST.ANL.GOV = ES.NET
649                  TEST.ANL.GOV = ANL.GOV
650                  PNL.GOV = ES.NET
651                  ES.NET = .
652              }
653              ANL.GOV = {
654                  NERSC.GOV = ES.NET
655              }
656              PNL.GOV = {
657                  NERSC.GOV = ES.NET
658              }
659              ES.NET = {
660                  NERSC.GOV = .
661              }
662              TEST.ANL.GOV = {
663                  NERSC.GOV = ANL.GOV
664                  NERSC.GOV = ES.NET
665              }
666
667       When a subtag is used more than once within a tag, clients will use the
668       order of values to determine the path.  The order of values is not  im‐
669       portant to servers.
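       The Python model below is an added illustration of how the two sides
       use this section; it is not code from the man page or from MIT krb5.
       Both [capaths] examples above are constructed as dicts keyed by client
       realm, then server realm, with repeated subtags kept as ordered lists.
       The client side returns the intermediate realms in value order; the
       server side checks a ticket's transited realms against the set of
       permitted intermediates, ignoring order.  Where the library would fall
       back to a hierarchical path for a realm pair with no entry, the model
       raises (client) or rejects (server) instead, since it does not compute
       hierarchical paths.

```python
"""How each side of a cross-realm request uses [capaths] (offline model)."""

# Constructed from the ANL.GOV example in the man page, as
# {client_realm: {server_realm: [values in order]}}; repeated subtags become lists.
ANL_CAPATHS = {
    "ANL.GOV": {"TEST.ANL.GOV": ["."], "PNL.GOV": ["ES.NET"],
                "NERSC.GOV": ["ES.NET"], "ES.NET": ["."]},
    "TEST.ANL.GOV": {"ANL.GOV": ["."]},
    "PNL.GOV": {"ANL.GOV": ["ES.NET"]},
    "NERSC.GOV": {"ANL.GOV": ["ES.NET"]},
    "ES.NET": {"ANL.GOV": ["."]},
}

# Constructed from the NERSC.GOV example in the man page.
NERSC_CAPATHS = {
    "NERSC.GOV": {"ANL.GOV": ["ES.NET"], "TEST.ANL.GOV": ["ES.NET", "ANL.GOV"],
                  "PNL.GOV": ["ES.NET"], "ES.NET": ["."]},
    "ANL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "PNL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_path(capaths, client_realm, server_realm):
    """Intermediate realms a client traverses, in order, to reach server_realm.

    A value of '.' means the realms share keys directly (no intermediates).
    Without an entry the library falls back to a hierarchical path, which
    this model does not compute, so it raises instead.
    """
    if client_realm == server_realm:
        return []
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        raise LookupError(f"no [capaths] entry for {client_realm} -> {server_realm}")
    return [v for v in values if v != "."]


def server_accepts(capaths, client_realm, server_realm, transited):
    """Check a received ticket's transited realms against [capaths].

    The server reads the tag for the client's realm and the subtag for its
    own realm: every transited realm must be listed there, in any order.
    A '.'-only entry permits no intermediate realm at all.  A missing entry
    is treated as a rejection here (the library would apply its hierarchical
    default).  Returns (accepted, reason).
    """
    values = capaths.get(client_realm, {}).get(server_realm)
    if values is None:
        return False, f"no [capaths] entry covering clients from {client_realm}"
    allowed = {v for v in values if v != "."}
    rejected = [r for r in transited if r not in allowed]
    if rejected:
        return False, f"transited realm(s) not permitted by [capaths]: {rejected}"
    return True, "ok"


if __name__ == "__main__":
    print(client_path(NERSC_CAPATHS, "TEST.ANL.GOV", "NERSC.GOV"))  # ['ANL.GOV', 'ES.NET']
    print(server_accepts(NERSC_CAPATHS, "TEST.ANL.GOV", "NERSC.GOV", ["ES.NET", "ANL.GOV"]))
    print(server_accepts(NERSC_CAPATHS, "ES.NET", "NERSC.GOV", ["ANL.GOV"]))
```

       The last call shows the point of a "." entry: ES.NET shares keys with
       NERSC.GOV directly, so a ticket from an ES.NET client that claims to
       have passed through ANL.GOV is refused even though ANL.GOV is a
       legitimate intermediate for other client realms.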
670
671   [appdefaults]
672       Each  tag  in the [appdefaults] section names a Kerberos V5 application
673       or an option that is used by  some  Kerberos  V5  application[s].   The
674       value of the tag defines the default behaviors for that application.
675
676       For example:
677
678          [appdefaults]
679              telnet = {
680                  ATHENA.MIT.EDU = {
681                      option1 = false
682                  }
683              }
684              telnet = {
685                  option1 = true
686                  option2 = true
687              }
688              ATHENA.MIT.EDU = {
689                  option2 = false
690              }
691              option2 = true
692
693       The  above  four ways of specifying the value of an option are shown in
694       order of decreasing precedence. In this example, if telnet  is  running
695       in  the  realm EXAMPLE.COM, it should, by default, have option1 and op‐
696       tion2  set  to  true.   However,  a  telnet  program   in   the   realm
697       ATHENA.MIT.EDU  should  have  option1  set  to false and option2 set to
698       true.  Any other programs in ATHENA.MIT.EDU should have option2 set  to
699       false by default.  Any programs running in other realms should have op‐
700       tion2 set to true.
701
702       The list of specifiable options for each application may  be  found  in
703       that  application's man pages.  The application defaults specified here
704       are overridden by those specified in the realms section.
705
706   [plugins]
713       Tags in the [plugins] section can be used to  register  dynamic  plugin
714       modules  and  to turn modules on and off.  Not every krb5 pluggable in‐
715       terface uses the [plugins] section; the ones  that  do  are  documented
716       here.
717
718       New in release 1.9.
719
720       Each pluggable interface corresponds to a subsection of [plugins].  All
721       subsections support the same tags:
722
723       disable
724              This tag may have multiple values. If there are values for  this
725              tag,  then  the named modules will be disabled for the pluggable
726              interface.
727
728       enable_only
729              This tag may have multiple values. If there are values for  this
730              tag,  then  only the named modules will be enabled for the plug‐
731              gable interface.
732
733       module This tag may have multiple values.  Each value is  a  string  of
734              the form modulename:pathname, which causes the shared object lo‐
735              cated at pathname to be registered as  a  dynamic  module  named
736              modulename  for  the pluggable interface.  If pathname is not an
737              absolute  path,  it  will  be  treated  as   relative   to   the
738              plugin_base_dir value from [libdefaults].
739
740       For pluggable interfaces where module order matters, modules registered
741       with a module tag normally come first, in the  order  they  are  regis‐
742       tered,  followed  by  built-in modules in the order they are documented
743       below.  If enable_only tags are used, then  the  order  of  those  tags
744       overrides the normal module order.
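       As an added illustration (not part of the man page or of MIT krb5),
       the following Python function computes the module order that results
       from the module, enable_only and disable tags of one [plugins]
       subsection.  The built-in lists are the ones documented below for the
       pwqual and ccselect interfaces; the module name "mypw" and its path
       are hypothetical.

```python
"""Compute the effective module order for one [plugins] interface subsection."""

# Built-in module names in the order the man page documents them.
BUILTINS = {
    "pwqual": ["dict", "empty", "hesiod", "princ"],
    "ccselect": ["k5identity", "realm", "hostname"],
}


def effective_modules(interface, subsection):
    """Return (active_modules, warnings) for one subsection of [plugins].

    subsection holds the tag values as lists, e.g.
    {"module": ["mypw:/usr/lib/krb5/plugins/pwqual/mypw.so"],
     "disable": ["hesiod"]}.
    Dynamic modules come first in registration order, then built-ins in
    documented order; enable_only replaces that order with its own, and
    disable removes modules from whatever is left.
    """
    warnings = []
    dynamic = []
    for value in subsection.get("module", []):
        name, sep, path = value.partition(":")
        if not (sep and name and path):
            raise ValueError(f"module value must be modulename:pathname, got {value!r}")
        if not path.startswith("/"):
            warnings.append(f"{name}: {path!r} is resolved relative to plugin_base_dir")
        dynamic.append(name)
    order = dynamic + BUILTINS.get(interface, [])

    enable_only = subsection.get("enable_only", [])
    if enable_only:
        unknown = [m for m in enable_only if m not in order]
        warnings.extend(f"enable_only names unregistered module {m!r}" for m in unknown)
        order = [m for m in enable_only if m in order]   # enable_only order wins

    disabled = set(subsection.get("disable", []))
    return [m for m in order if m not in disabled], warnings


if __name__ == "__main__":
    print(effective_modules("pwqual", {
        "module": ["mypw:/usr/lib/krb5/plugins/pwqual/mypw.so"],
        "disable": ["hesiod"],
    }))
```

       The warnings are the two checks worth making on a real configuration:
       a relative module path silently depends on plugin_base_dir, and a
       misspelled name in enable_only drops the intended module without any
       error from the library.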
745
746       The  following subsections are currently supported within the [plugins]
747       section:
748
749   ccselect interface
750       The ccselect subsection controls modules for credential cache selection
751       within  a cache collection.  In addition to any registered dynamic mod‐
752       ules, the following built-in modules exist (and may  be  disabled  with
753       the disable tag):
754
755       k5identity
756              Uses a .k5identity file in the user's home directory to select a
757              client principal
758
759       realm  Uses the service realm to guess an appropriate  cache  from  the
760              collection
761
762       hostname
763              If  the  service principal is host-based, uses the service host‐
764              name to guess an appropriate cache from the collection
765
766   pwqual interface
767       The pwqual subsection controls modules for the password quality  inter‐
768       face,  which  is  used  to  reject  weak  passwords  when passwords are
769       changed.  The following built-in modules exist for this interface:
770
771       dict   Checks against the realm dictionary file
772
773       empty  Rejects empty passwords
774
775       hesiod Checks against user information stored in Hesiod (only  if  Ker‐
776              beros was built with Hesiod support)
777
778       princ  Checks against components of the principal name
779
780   kadm5_hook interface
781       The kadm5_hook interface provides plugins with information on principal
782       creation, modification, password changes and deletion.  This  interface
783       can  be used to write a plugin to synchronize MIT Kerberos with another
784       database such as Active Directory.  No plugins are built  in  for  this
785       interface.
786
787   kadm5_auth interface
788       The  kadm5_auth  section  (introduced in release 1.16) controls modules
789       for the kadmin authorization  interface,  which  determines  whether  a
790       client principal is allowed to perform a kadmin operation.  The follow‐
791       ing built-in modules exist for this interface:
792
793       acl    This module reads the kadm5.acl(5) file, and  authorizes  opera‐
794              tions which are allowed according to the rules in the file.
795
796       self   This  module  authorizes self-service operations including pass‐
797              word changes, creation of new random keys, fetching the client's
798              principal  record  or string attributes, and fetching the policy
799              record associated with the client principal.
800
801   clpreauth and kdcpreauth interfaces
802       The clpreauth and kdcpreauth interfaces allow plugin modules to provide
803       client  and  KDC  preauthentication mechanisms.  The following built-in
804       modules exist for these interfaces:
805
806       pkinit This module implements the PKINIT preauthentication mechanism.
807
808       encrypted_challenge
809              This module implements the encrypted challenge FAST factor.
810
811       encrypted_timestamp
812              This module implements the encrypted timestamp mechanism.
813
814   hostrealm interface
815       The hostrealm section (introduced in release 1.12) controls modules for
816       the  host-to-realm  interface, which affects the local mapping of host‐
817       names to realm names and the choice of default  realm.   The  following
818       built-in modules exist for this interface:
819
820       profile
821              This  module  consults the [domain_realm] section of the profile
822              for authoritative host-to-realm mappings, and the  default_realm
823              variable for the default realm.
824
825       dns    This  module  looks  for  DNS records for fallback host-to-realm
826              mappings and  the  default  realm.   It  only  operates  if  the
827              dns_lookup_realm variable is set to true.
828
829       domain This  module  applies heuristics for fallback host-to-realm map‐
830              pings.  It implements the realm_try_domains variable,  and  uses
831              the  uppercased  parent  domain of the hostname if that does not
832              produce a result.
833
834   localauth interface
835       The localauth section (introduced in release 1.12) controls modules for
836       the  local  authorization interface, which affects the relationship be‐
837       tween Kerberos principals and local  system  accounts.   The  following
838       built-in modules exist for this interface:
839
840       default
841              This  module  implements the DEFAULT type for auth_to_local val‐
842              ues.
843
844       rule   This module implements the RULE type for auth_to_local values.
845
846       names  This module looks for an  auth_to_local_names  mapping  for  the
847              principal name.
848
849       auth_to_local
850              This  module  processes  auth_to_local  values  in  the  default
851              realm's  section,  and  applies  the  default   method   if   no
852              auth_to_local values exist.
853
854       k5login
855              This  module authorizes a principal to a local account according
856              to the account's .k5login(5) file.
857
858       an2ln  This module authorizes a principal to a  local  account  if  the
859              principal name maps to the local account name.
860
861   certauth interface
862       The  certauth section (introduced in release 1.16) controls modules for
863       the certificate authorization interface,  which  determines  whether  a
864       certificate  is allowed to preauthenticate a user via PKINIT.  The fol‐
865       lowing built-in modules exist for this interface:
866
867       pkinit_san
868              This module authorizes the certificate if it contains  a  PKINIT
869              Subject  Alternative Name for the requested client principal, or
870              a Microsoft UPN SAN matching the principal  if  pkinit_allow_upn
871              is set to true for the realm.
872
873       pkinit_eku
874              This  module  rejects  the certificate if it does not contain an
875              Extended   Key   Usage    attribute    consistent    with    the
876              pkinit_eku_checking value for the realm.
877
878       dbmatch
879              This  module  authorizes or rejects the certificate according to
880              whether it matches the pkinit_cert_match string attribute on the
881              client principal, if that attribute is present.
882

PKINIT OPTIONS

884       NOTE:
885          The  following  are  PKINIT-specific  options.   These values may be
886          specified  in  [libdefaults]  as  global  defaults,  or   within   a
887          realm-specific  subsection  of [libdefaults], or may be specified as
888          realm-specific values in the  [realms]  section.   A  realm-specific
889          value overrides, not adds to, a generic [libdefaults] specification.
890          The search order is:
891
892       1. realm-specific subsection of [libdefaults]:
893
894             [libdefaults]
895                 EXAMPLE.COM = {
896                     pkinit_anchors = FILE:/usr/local/example.com.crt
897                 }
898
899       2. realm-specific value in the [realms] section:
900
901             [realms]
902                 OTHERREALM.ORG = {
903                     pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
904                 }
905
906       3. generic value in the [libdefaults] section:
907
908             [libdefaults]
909                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
910
911   Specifying PKINIT identity information
912       The syntax for specifying Public Key identity,  trust,  and  revocation
913       information for PKINIT is as follows:
914
915       FILE:filename[,keyfilename]
916              This option has context-specific behavior.
917
918              In  pkinit_identity or pkinit_identities, filename specifies the
919              name of a PEM-format file containing the user's certificate.  If
920              keyfilename is not specified, the user's private key is expected
921              to be in filename as well.  Otherwise, keyfilename is  the  name
922              of the file containing the private key.
923
924              In  pkinit_anchors or pkinit_pool, filename is assumed to be the
925              name of an OpenSSL-style ca-bundle file.
926
927       DIR:dirname
928              This option has context-specific behavior.
929
930              In pkinit_identity or pkinit_identities, dirname specifies a di‐
931              rectory with files named *.crt and *.key where the first part of
932              the file name is the same for matching pairs of certificate  and
933              private  key files.  When a file with a name ending with .crt is
934              found, a matching file ending with .key is  assumed  to  contain
935              the private key.  If no such file is found, then the certificate
936              in the .crt is not used.
937
938              In pkinit_anchors or pkinit_pool, dirname is assumed  to  be  an
939              OpenSSL-style  hashed  CA directory where each CA cert is stored
940              in a file named hash-of-ca-cert.#.  This infrastructure  is  en‐
941              couraged, but all files in the directory will be examined and if
942              they contain certificates (in PEM format), they will be used.
943
944              In pkinit_revoke, dirname is  assumed  to  be  an  OpenSSL-style
945              hashed  CA  directory  where each revocation list is stored in a
946              file named hash-of-ca-cert.r#.  This infrastructure  is  encour‐
947              aged,  but  all  files  in the directory will be examined and if
948              they contain a revocation list (in PEM  format),  they  will  be
949              used.
950
951       PKCS12:filename
952              filename  is  the name of a PKCS #12 format file, containing the
953              user's certificate and private key.
954
955       PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
957              All keyword/values are optional.  modname specifies the location
958              of a library implementing PKCS #11.  If a value  is  encountered
959              with  no  keyword,  it  is  assumed  to be the modname.  If no
960              module name is specified, the default  is  opensc-pkcs11.so.
961              slotid= and/or token= may be specified to force the use  of  a
962              particular smart card reader or token if there is more than one
963              available.  certid= and/or certlabel= may be specified to force
964              the selection of a particular certificate on the  device.   See
965              the pkinit_cert_match configuration option for more ways to se‐
966              lect a particular certificate to use for PKINIT.
967
968       ENV:envvar
969              envvar specifies the name of an environment variable  which  has
970              been  set  to  a value conforming to one of the previous values.
971              For  example,   ENV:X509_PROXY,   where   environment   variable
972              X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
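       The parser below is an added example of the location syntax just
       described; it is not part of the man page or of MIT krb5.  It handles
       the context-specific meaning of FILE: and DIR: (identity versus trust
       material versus CRLs), the PKCS11: keyword grammar with its default
       module, and the ENV: indirection, refusing an environment variable
       that itself contains an ENV: value since the man page requires it to
       hold one of the earlier forms.  The file paths and environment
       variable in the test are constructed.

```python
"""Parse PKINIT location strings: FILE:, DIR:, PKCS12:, PKCS11:, ENV:."""
import os

DEFAULT_PKCS11_MODULE = "opensc-pkcs11.so"
_PKCS11_KEYS = ("module_name", "slotid", "token", "certid", "certlabel")
_DIR_LAYOUTS = {"identity": "crt_key_pairs",   # matching *.crt and *.key files
                "trust": "hashed_ca_dir",      # OpenSSL hash-of-ca-cert.# files
                "revoke": "hashed_crl_dir"}    # OpenSSL hash-of-ca-cert.r# files


def parse_pkinit_location(spec, context="identity", env=None):
    """Return a dict describing spec.

    context is 'identity' (pkinit_identity/pkinit_identities), 'trust'
    (pkinit_anchors/pkinit_pool) or 'revoke' (pkinit_revoke); FILE: and
    DIR: mean different things in each.  env is the mapping consulted for
    ENV:, defaulting to the process environment.
    """
    scheme, sep, rest = spec.partition(":")
    if not sep:
        raise ValueError(f"missing ':' in PKINIT location {spec!r}")

    if scheme == "ENV":
        value = (os.environ if env is None else env).get(rest)
        if value is None:
            raise ValueError(f"environment variable {rest} is not set")
        if value.startswith("ENV:"):   # must conform to one of the *previous* forms
            raise ValueError(f"{rest} must not point at another ENV: value")
        return parse_pkinit_location(value, context, env)

    if scheme == "FILE":
        if context == "identity":
            cert, _, key = rest.partition(",")
            return {"type": "FILE", "cert": cert, "key": key or cert}  # key in cert file if omitted
        if context == "trust":
            return {"type": "FILE", "bundle": rest}   # OpenSSL-style ca-bundle
        raise ValueError("the man page documents only DIR: for pkinit_revoke")

    if scheme == "DIR":
        return {"type": "DIR", "path": rest, "layout": _DIR_LAYOUTS[context]}

    if context != "identity":
        raise ValueError(f"{scheme}: holds a user certificate and key, not trust material")

    if scheme == "PKCS12":
        return {"type": "PKCS12", "file": rest}

    if scheme == "PKCS11":
        out = {"type": "PKCS11", "module_name": None}
        for field in filter(None, rest.split(":")):
            key, eq, value = field.partition("=")
            if not eq:                      # bare value: the module name
                key, value = "module_name", field
            if key not in _PKCS11_KEYS:
                raise ValueError(f"unknown PKCS11 keyword {key!r}")
            if key == "module_name" and out["module_name"] is not None:
                raise ValueError("module name given twice")
            out[key] = int(value) if key == "slotid" else value
        if out["module_name"] is None:
            out["module_name"] = DEFAULT_PKCS11_MODULE
        return out

    raise ValueError(f"unknown PKINIT location type {scheme!r}")


if __name__ == "__main__":
    print(parse_pkinit_location("PKCS11:slotid=1:certlabel=login"))
    print(parse_pkinit_location("ENV:X509_PROXY",
                                env={"X509_PROXY": "FILE:/tmp/my_proxy.pem"}))
```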
973
974   PKINIT krb5.conf options
975       pkinit_anchors
976              Specifies  the  location  of  trusted anchor (root) certificates
977              which the client trusts to sign KDC certificates.   This  option
978              may  be  specified multiple times.  These values from the config
979              file are not used if the user specifies X509_anchors on the com‐
980              mand line.
981
982       pkinit_cert_match
983              Specifies  matching rules that the client certificate must match
984              before it is used to attempt PKINIT authentication.  If  a  user
985              has  multiple  certificates  available  (on a smart card, or via
986              other media), there must be exactly one certificate  chosen  be‐
987              fore attempting PKINIT authentication.  This option may be spec‐
988              ified  multiple  times.   All  the  available  certificates  are
989              checked against each rule in order until there is a match of ex‐
990              actly one certificate.
991
992              The Subject and Issuer  comparison  strings  are  the  RFC  2253
993              string  representations  from the certificate Subject DN and Is‐
994              suer DN values.
995
996              The syntax of the matching rules is:
997                 [relation-operator]component-rule ...
998
999              where:
1000
1001              relation-operator
1002                     can be either &&, meaning all component rules must match,
1003                     or  ||,  meaning only one component rule must match.  The
1004                     default is &&.
1005
1006              component-rule
1007                     can be one of the following.  Note that there is no punc‐
1008                     tuation or whitespace between component rules.
1009                        <SUBJECT>regular-expression
1010                        <ISSUER>regular-expression
1011                        <SAN>regular-expression
1012                        <EKU>extended-key-usage-list
1013                        <KU>key-usage-list
1014
1015
1016                     extended-key-usage-list  is a comma-separated list of re‐
1017                     quired Extended Key Usage values.  All values in the list
1018                     must  be  present in the certificate.  Extended Key Usage
1019                     values can be:
1020
1021                     • pkinit
1022
1023                     • msScLogin
1024
1025                     • clientAuth
1026
1027                     • emailProtection
1028
1029                     key-usage-list is a comma-separated list of required  Key
1030                     Usage  values.  All values in the list must be present in
1031                     the certificate.  Key Usage values can be:
1032
1033                     • digitalSignature
1034
1035                     • keyEncipherment
1036
1037              Examples:
1038
1039                 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1040                 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1041                 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
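       The following Python code is an added model of the pkinit_cert_match
       evaluation described above; it is not part of the man page or of MIT
       krb5.  It parses the rule syntax (optional && or || operator, then
       component rules delimited only by their <TAG> markers), matches each
       component against a certificate, and applies the rules in order until
       exactly one certificate matches.  The certificates are constructed
       descriptors standing in for what the library would read from X.509
       data: RFC 2253 subject and issuer strings, a list of SAN values, and
       sets of EKU and KU names.  The three rules are the examples from the
       man page.

```python
"""Select a client certificate with pkinit_cert_match rules (offline model)."""
import re

_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")
# Values the man page lists as valid for <EKU> and <KU>.
_EKU_VALUES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
_KU_VALUES = {"digitalSignature", "keyEncipherment"}


def parse_rule(rule):
    """Split one rule into (operator, [(component, argument), ...]).

    The operator is '&&' (all component rules must match, the default) or
    '||' (one is enough).  Component rules follow each other with no
    separating punctuation, so the <TAG> markers are the only delimiters.
    Unknown <EKU>/<KU> values are rejected as configuration errors.
    """
    op = "&&"
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    parts = _COMPONENT.split(rule)        # ['', 'TAG', 'arg', 'TAG', 'arg', ...]
    if parts[0] != "" or len(parts) < 3:
        raise ValueError(f"malformed pkinit_cert_match rule: {rule!r}")
    comps = [(parts[i], parts[i + 1]) for i in range(1, len(parts), 2)]
    for tag, arg in comps:
        allowed = {"EKU": _EKU_VALUES, "KU": _KU_VALUES}.get(tag)
        if allowed is not None and not set(arg.split(",")) <= allowed:
            raise ValueError(f"unknown <{tag}> value in {arg!r}")
    return op, comps


def component_matches(cert, tag, arg):
    """cert: dict with RFC 2253 'subject'/'issuer' strings, a 'san' list and
    'eku'/'ku' sets (constructed stand-ins for the certificate contents)."""
    if tag == "SUBJECT":
        return re.search(arg, cert["subject"]) is not None
    if tag == "ISSUER":
        return re.search(arg, cert["issuer"]) is not None
    if tag == "SAN":
        return any(re.search(arg, s) for s in cert["san"])
    required = set(arg.split(","))        # every listed value must be present
    return required <= cert["eku" if tag == "EKU" else "ku"]


def rule_matches(cert, rule):
    op, comps = parse_rule(rule)
    results = (component_matches(cert, tag, arg) for tag, arg in comps)
    return all(results) if op == "&&" else any(results)


def select_certificate(certs, rules):
    """Apply rules in order; the first rule matching exactly one certificate
    selects it.  Zero or several matches move on to the next rule; if no
    rule narrows the choice to one, PKINIT is not attempted (None)."""
    for rule in rules:
        matched = [c for c in certs if rule_matches(c, rule)]
        if len(matched) == 1:
            return matched[0]
    return None


# Constructed certificates on a hypothetical smart card.
CERTS = [
    {"name": "logon", "subject": "CN=Alice Smith,OU=Staff,O=DoE,C=US",
     "issuer": "CN=DoE Issuing CA,O=DoE,C=US", "san": ["alice@EXAMPLE.COM"],
     "eku": {"msScLogin", "clientAuth"}, "ku": {"digitalSignature"}},
    {"name": "email", "subject": "CN=Alice Smith,O=DoE,C=US",
     "issuer": "CN=DoE Issuing CA,O=DoE,C=US", "san": ["alice@example.com"],
     "eku": {"emailProtection"}, "ku": {"digitalSignature", "keyEncipherment"}},
    {"name": "vpn", "subject": "CN=Alice Smith,O=Acme,C=US",
     "issuer": "CN=Acme CA,O=Acme,C=US", "san": ["alice@ACME.TEST"],
     "eku": {"clientAuth"}, "ku": {"digitalSignature"}},
]

# The three rules from the man page, in the order they would appear in krb5.conf.
RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]

if __name__ == "__main__":
    chosen = select_certificate(CERTS, RULES)
    print("selected:", chosen["name"] if chosen else None)   # selected: logon
```

       With these certificates the first rule matches both DoE certificates
       and so decides nothing; the second rule is the one that singles out
       the logon certificate.  A rule set that never reaches exactly one
       match leaves the user unable to use PKINIT at all, which is the
       failure mode to test for when a card carries several certificates.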
1042
1043       pkinit_eku_checking
1044              This option specifies what Extended Key Usage value the KDC cer‐
1045              tificate  presented  to  the client must contain.  (Note that if
1046              the KDC certificate has the  pkinit  SubjectAlternativeName  en‐
1047              coded  as  the  Kerberos TGS name, EKU checking is not necessary
1048              since the issuing CA has certified this as a  KDC  certificate.)
1049              The values recognized in the krb5.conf file are:
1050
1051              kpKDC  This is the default value and specifies that the KDC must
1052                     have the id-pkinit-KPKdc EKU as defined in RFC 4556.
1053
1054              kpServerAuth
1055                     If kpServerAuth is specified, a KDC certificate with  the
1056                     id-kp-serverAuth  EKU  will  be accepted.  This key usage
1057                     value is used in most commercially issued server certifi‐
1058                     cates.
1059
1060              none   If  none  is specified, then the KDC certificate will not
1061                     be checked to verify it has an acceptable EKU.   The  use
1062                     of this option is not recommended.
1063
1064       pkinit_dh_min_bits
1065              Specifies the size of the Diffie-Hellman key the client will at‐
1066              tempt to use.  The acceptable values are 1024, 2048,  and  4096.
1067              The default is 2048.
1068
1069       pkinit_identities
1070              Specifies  the  location(s)  to be used to find the user's X.509
1071              identity information.  If  this  option  is  specified  multiple
1072              times,  each  value is attempted in order until certificates are
1073              found.  Note that these values are not used if the  user  speci‐
1074              fies X509_user_identity on the command line.
1075
1076       pkinit_kdc_hostname
1077              The presence of this option indicates that the client is willing
1078              to accept a KDC certificate with a dNSName SAN (Subject Alterna‐
1079              tive Name) rather than requiring the id-pkinit-san as defined in
1080              RFC 4556.  This option may be  specified  multiple  times.   Its
1081              value  should  contain  the  acceptable hostname for the KDC (as
1082              contained in its certificate).
1083
1084       pkinit_pool
1085              Specifies the location of intermediate certificates which may be
1086              used  by  the  client  to complete the trust chain between a KDC
1087              certificate and a trusted anchor.  This option may be  specified
1088              multiple times.
1089
1090       pkinit_require_crl_checking
1091              The  default  certificate verification process will always check
1092              the available revocation information to see if a certificate has
1093              been revoked.  If a match is found for the certificate in a CRL,
1094              verification fails.  If the certificate being  verified  is  not
1095              listed  in a CRL, or there is no CRL present for its issuing CA,
1096              and pkinit_require_crl_checking is false, then verification suc‐
1097              ceeds.
1098
1099              However,  if pkinit_require_crl_checking is true and there is no
1100              CRL information available for the issuing CA, then  verification
1101              fails.
1102
1103              pkinit_require_crl_checking  should be set to true if the policy
1104              is such that up-to-date CRLs must be present for every CA.
1105
1106       pkinit_revoke
1107              Specifies the location of Certificate Revocation List (CRL)  in‐
1108              formation  to  be used by the client when verifying the validity
1109              of the KDC certificate presented.  This option may be  specified
1110              multiple times.
1111

PARAMETER EXPANSION

1113       Starting  with  release  1.11,  several  variables,  such  as
1114       default_keytab_name, allow parameters to be expanded.   Valid
1115       parameters are:
1116
1117                    ┌──────────────────┬────────────────────────────┐
1118                    │%{TEMP}           │ Temporary directory        │
1119                    ├──────────────────┼────────────────────────────┤
1120                    │%{uid}            │ Unix  real  UID or Windows │
1121                    │                  │ SID                        │
1122                    ├──────────────────┼────────────────────────────┤
1123                    │%{euid}           │ Unix effective user ID  or │
1124                    │                  │ Windows SID                │
1125                    ├──────────────────┼────────────────────────────┤
1126                    │%{USERID}         │ Same as %{uid}             │
1127                    ├──────────────────┼────────────────────────────┤
1128                    │%{null}           │ Empty string               │
1129                    ├──────────────────┼────────────────────────────┤
1130                    │%{LIBDIR}         │ Installation  library  di‐ │
1131                    │                  │ rectory                    │
1132                    ├──────────────────┼────────────────────────────┤
1133                    │%{BINDIR}         │ Installation binary direc‐ │
1134                    │                  │ tory                       │
1135                    ├──────────────────┼────────────────────────────┤
1136                    │%{SBINDIR}        │ Installation  admin binary │
1137                    │                  │ directory                  │
1138                    ├──────────────────┼────────────────────────────┤
1139                    │%{username}       │ (Unix) Username of  effec‐ │
1140                    │                  │ tive user ID               │
1141                    ├──────────────────┼────────────────────────────┤
1142                    │%{APPDATA}        │ (Windows) Roaming applica‐ │
1143                    │                  │ tion data for current user │
1144                    ├──────────────────┼────────────────────────────┤
1145                    │%{COMMON_APPDATA} │ (Windows) Application data │
1146                    │                  │ for all users              │
1147                    ├──────────────────┼────────────────────────────┤
1148                    │%{LOCAL_APPDATA}  │ (Windows)  Local  applica‐ │
1149                    │                  │ tion data for current user │
1150                    ├──────────────────┼────────────────────────────┤
1153                    │%{SYSTEM}         │ (Windows)  Windows  system │
1154                    │                  │ folder                     │
1155                    ├──────────────────┼────────────────────────────┤
1156                    │%{WINDOWS}        │ (Windows) Windows folder   │
1157                    ├──────────────────┼────────────────────────────┤
1158                    │%{USERCONFIG}     │ (Windows)   Per-user   MIT │
1159                    │                  │ krb5 config file directory │
1160                    ├──────────────────┼────────────────────────────┤
1161                    │%{COMMONCONFIG}   │ (Windows) Common MIT  krb5 │
1162                    │                  │ config file directory      │
1163                    └──────────────────┴────────────────────────────┘
1164

SAMPLE KRB5.CONF FILE

1166       Here is an example of a generic krb5.conf file:
1167
1168          [libdefaults]
1169              default_realm = ATHENA.MIT.EDU
1170              dns_lookup_kdc = true
1171              dns_lookup_realm = false
1172
1173          [realms]
1174              ATHENA.MIT.EDU = {
1175                  kdc = kerberos.mit.edu
1176                  kdc = kerberos-1.mit.edu
1177                  kdc = kerberos-2.mit.edu
1178                  admin_server = kerberos.mit.edu
1179                  primary_kdc = kerberos.mit.edu
1180              }
1181              EXAMPLE.COM = {
1182                  kdc = kerberos.example.com
1183                  kdc = kerberos-1.example.com
1184                  admin_server = kerberos.example.com
1185              }
1186
1187          [domain_realm]
1188              mit.edu = ATHENA.MIT.EDU
1189
1190          [capaths]
1191              ATHENA.MIT.EDU = {
1192                     EXAMPLE.COM = .
1193              }
1194              EXAMPLE.COM = {
1195                     ATHENA.MIT.EDU = .
1196              }
1197

FILES

1199       /etc/krb5.conf
1200

SEE ALSO

1202       syslog(3)
1203

AUTHOR

1205       MIT
1206

COPYRIGHT

1208       1985-2021, MIT
1209
1210
1211
1212
12131.19.1                                                            KRB5.CONF(5)