1KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)
2
3
4

NAME

6       kdc.conf - Kerberos V5 KDC configuration file
7
8       The kdc.conf file supplements krb5.conf(5) for programs which are typi‐
9       cally only used on a KDC, such as the krb5kdc(8) and kadmind(8) daemons
10       and  the  kdb5_util(8)  program.  Relations documented here may also be
11       specified in krb5.conf; for the KDC programs mentioned,  krb5.conf  and
12       kdc.conf will be merged into a single configuration profile.
13
14       Normally,  the  kdc.conf  file  is  found  in  the KDC state directory,
15       /var/kerberos/krb5kdc.  You can override the default location  by  set‐
16       ting the environment variable KRB5_KDC_PROFILE.
17
18       Please  note that you need to restart the KDC daemon for any configura‐
19       tion changes to take effect.
20

STRUCTURE

22       The kdc.conf file is set up in the  same  format  as  the  krb5.conf(5)
23       file.
24

SECTIONS

26       The kdc.conf file may contain the following sections:
27
28                    ┌──────────────┬────────────────────────────┐
29[kdcdefaults] │ Default values for KDC be‐ │
30                    │              │ havior                     │
31                    ├──────────────┼────────────────────────────┤
32[realms]      │ Realm-specific    database │
33                    │              │ configuration and settings │
34                    ├──────────────┼────────────────────────────┤
35[dbdefaults]  │ Default database settings  │
36                    ├──────────────┼────────────────────────────┤
37[dbmodules]   │ Per-database settings      │
38                    ├──────────────┼────────────────────────────┤
39[logging]     │ Controls how Kerberos dae‐ │
40                    │              │ mons perform logging       │
41                    └──────────────┴────────────────────────────┘
42
43   [kdcdefaults]
44       Some relations in the [kdcdefaults] section specify default values  for
45       realm variables, to be used if the [realms] subsection does not contain
46       a relation for the tag.  See the [realms] section for  the  definitions
47       of these relations.
48
49host_based_services
50
51kdc_listen
52
53kdc_ports
54
55kdc_tcp_listen
56
57kdc_tcp_ports
58
59no_host_referral
60
61restrict_anonymous_to_tgt
62
63       The following [kdcdefaults] variables have no per-realm equivalent:
64
65       kdc_max_dgram_reply_size
66              Specifies  the  maximum  packet  size that can be sent over UDP.
67              The default value is 4096 bytes.
68
69       kdc_tcp_listen_backlog
70              (Integer.)  Set the size of the listen queue length for the  KDC
71              daemon.   The  value may be limited by OS settings.  The default
72              value is 5.
73
74       spake_preauth_kdc_challenge
75              (String.)  Specifies the group for a SPAKE optimistic challenge.
76              See  the spake_preauth_groups variable in libdefaults for possi‐
77              ble values.  The default is not to  issue  an  optimistic  chal‐
78              lenge.  (New in release 1.17.)
79
80   [realms]
81       Each  tag in the [realms] section is the name of a Kerberos realm.  The
82       value of the tag is a subsection where the relations define KDC parame‐
83       ters for that particular realm.  The following example shows how to de‐
84       fine one parameter for the ATHENA.MIT.EDU realm:
85
86          [realms]
87              ATHENA.MIT.EDU = {
88                  max_renewable_life = 7d 0h 0m 0s
89              }
90
91       The following tags may be specified in a [realms] subsection:
92
93       acl_file
94              (String.)  Location of the access control list  file  that  kad‐
95              mind(8)  uses  to  determine  which principals are allowed which
96              permissions on the Kerberos database.  To operate without an ACL
97              file,  set this relation to the empty string with acl_file = "".
98              The default value is /var/kerberos/krb5kdc/kadm5.acl.  For  more
99              information on Kerberos ACL file see kadm5.acl(5).
100
101       database_module
102              (String.)  This relation indicates the name of the configuration
103              section under [dbmodules] for database-specific parameters  used
104              by  the  loadable  database  library.   The default value is the
105              realm name.  If this configuration section does not  exist,  de‐
106              fault values will be used for all database parameters.
107
108       database_name
109              (String,  deprecated.)   This relation specifies the location of
110              the Kerberos database for this realm, if the DB2 module is being
111              used  and the [dbmodules] configuration section does not specify
112              a   database   name.    The   default   value    is    /var/ker‐
113              beros/krb5kdc/principal.
114
115       default_principal_expiration
116              (abstime  string.)   Specifies  the  default  expiration date of
117              principals created in this realm.  The default value is 0, which
118              means no expiration date.
119
120       default_principal_flags
121              (Flag  string.)   Specifies the default attributes of principals
122              created in  this  realm.   The  format  for  this  string  is  a
123              comma-separated  list  of  flags, with '+' before each flag that
124              should be enabled and '-' before each flag that should  be  dis‐
125              abled.   The  postdateable,  forwardable,  tgt-based, renewable,
126              proxiable, dup-skey, allow-tickets, and service flags default to
127              enabled.
128
129              There are a number of possible flags:
130
131              allow-tickets
132                     Enabling  this flag means that the KDC will issue tickets
133                     for this principal.  Disabling this flag essentially  de‐
134                     activates the principal within this realm.
135
136              dup-skey
137                     Enabling  this  flag allows the KDC to issue user-to-user
138                     service tickets for this principal.
139
140              forwardable
141                     Enabling this flag allows the principal  to  obtain  for‐
142                     wardable tickets.
143
144              hwauth If  this  flag is enabled, then the principal is required
145                     to preauthenticate using a hardware device before receiv‐
146                     ing any tickets.
147
148              no-auth-data-required
149                     Enabling  this  flag  prevents  PAC or AD-SIGNEDPATH data
150                     from being added to service tickets for the principal.
151
152              ok-as-delegate
153                     If this flag is enabled, it hints the client that creden‐
154                     tials  can and should be delegated when authenticating to
155                     the service.
156
157              ok-to-auth-as-delegate
158                     Enabling this flag allows the principal  to  use  S4USelf
159                     tickets.
160
161              postdateable
162                     Enabling  this  flag allows the principal to obtain post‐
163                     dateable tickets.
164
165              preauth
166                     If this flag is enabled on a client principal, then  that
167                     principal  is  required to preauthenticate to the KDC be‐
168                     fore receiving any tickets.  On a service principal,  en‐
169                     abling  this  flag  means  that  service tickets for this
170                     principal will only be issued to clients with a TGT  that
171                     has the preauthenticated bit set.
172
173              proxiable
174                     Enabling  this  flag allows the principal to obtain proxy
175                     tickets.
176
177              pwchange
178                     Enabling this flag forces  a  password  change  for  this
179                     principal.
180
181              pwservice
182                     If  this  flag  is  enabled, it marks this principal as a
183                     password change service.  This should  only  be  used  in
184                     special  cases, for example, if a user's password has ex‐
185                     pired, then the user has to get tickets for that  princi‐
186                     pal without going through the normal password authentica‐
187                     tion in order to be able to change the password.
188
189              renewable
190                     Enabling this flag allows the principal to obtain  renew‐
191                     able tickets.
192
193              service
194                     Enabling  this  flag  allows the the KDC to issue service
195                     tickets for this principal.  In release 1.17  and  later,
196                     user-to-user  service  tickets  are  still allowed if the
197                     dup-skey flag is set.
198
199              tgt-based
200                     Enabling this flag allows a principal to  obtain  tickets
201                     based  on a ticket-granting-ticket, rather than repeating
202                     the authentication process that was used  to  obtain  the
203                     TGT.
204
205       dict_file
206              (String.)   Location  of  the dictionary file containing strings
207              that are not allowed as passwords.  The file should contain  one
208              string  per  line,  with  no  additional whitespace.  If none is
209              specified or if there is no policy assigned to the principal, no
210              dictionary checks of passwords will be performed.
211
212       encrypted_challenge_indicator
213              (String.)  Specifies the authentication indicator value that the
214              KDC asserts into tickets obtained using FAST encrypted challenge
215              pre-authentication.  New in 1.16.
216
217       host_based_services
218              (Whitespace-  or  comma-separated  list.)   Lists services which
219              will get host-based referral processing even if the server prin‐
220              cipal is not marked as host-based by the client.
221
222       iprop_enable
223              (Boolean  value.)  Specifies whether incremental database propa‐
224              gation is enabled.  The default value is false.
225
226       iprop_ulogsize
227              (Integer.)  Specifies the maximum number of log  entries  to  be
228              retained  for  incremental  propagation.   The  default value is
229              1000.  Prior to release 1.11, the maximum value was  2500.   New
230              in release 1.19.
231
232       iprop_master_ulogsize
233              The name for iprop_ulogsize prior to release 1.19.  Its value is
234              used as a fallback if iprop_ulogsize is not specified.
235
236       iprop_replica_poll
237              (Delta time string.)  Specifies how often the replica KDC  polls
238              for new updates from the primary.  The default value is 2m (that
239              is, two minutes).  New in release 1.17.
240
241       iprop_slave_poll
242              (Delta time string.)  The name for iprop_replica_poll  prior  to
243              release   1.17.    Its   value   is   used   as  a  fallback  if
244              iprop_replica_poll is not specified.
245
246       iprop_listen
247              (Whitespace- or comma-separated list.)  Specifies the iprop  RPC
248              listening  addresses  and/or  ports  for  the kadmind(8) daemon.
249              Each entry may be an interface address, a port number, or an ad‐
250              dress and port number separated by a colon.  If the address con‐
251              tains colons, enclose it in square brackets.  If no  address  is
252              specified,  the  wildcard  address is used.  If kadmind fails to
253              bind to any of the specified addresses, it will fail  to  start.
254              The  default (when iprop_enable is true) is to bind to the wild‐
255              card address at the port specified in iprop_port.   New  in  re‐
256              lease 1.15.
257
258       iprop_port
259              (Port  number.)  Specifies the port number to be used for incre‐
260              mental propagation.  When iprop_enable is true, this relation is
261              required  in  the replica KDC configuration file, and this rela‐
262              tion or iprop_listen is required in  the  primary  configuration
263              file,  as  there is no default port number.  Port numbers speci‐
264              fied in iprop_listen entries will override this port number  for
265              the kadmind(8) daemon.
266
267       iprop_resync_timeout
268              (Delta time string.)  Specifies the amount of time to wait for a
269              full propagation to complete.  This is optional in configuration
270              files, and is used by replica KDCs only.  The default value is 5
271              minutes (5m).  New in release 1.11.
272
273       iprop_logfile
274              (File name.)  Specifies where the update log file for the  realm
275              database  is  to  be  stored.   The  default is to use the data‐
276              base_name entry from the realms section of the krb5 config file,
277              with .ulog appended.  (NOTE: If database_name isn't specified in
278              the realms section, perhaps because the LDAP database  back  end
279              is  being used, or the file name is specified in the [dbmodules]
280              section, then the hard-coded default for database_name is  used.
281              Determination  of  the  iprop_logfile default value will not use
282              values from the [dbmodules] section.)
283
284       kadmind_listen
285              (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
286              listening  addresses  and/or  ports  for  the kadmind(8) daemon.
287              Each entry may be an interface address, a port number, or an ad‐
288              dress and port number separated by a colon.  If the address con‐
289              tains colons, enclose it in square brackets.  If no  address  is
290              specified,  the  wildcard  address is used.  If kadmind fails to
291              bind to any of the specified addresses, it will fail  to  start.
292              The default is to bind to the wildcard address at the port spec‐
293              ified in kadmind_port, or the standard kadmin port  (749).   New
294              in release 1.15.
295
296       kadmind_port
297              (Port  number.)  Specifies the port on which the kadmind(8) dae‐
298              mon is to listen for this realm.  Port numbers specified in kad‐
299              mind_listen  entries  will  override  this port number.  The as‐
300              signed port for kadmind is 749, which is used by default.
301
302       key_stash_file
303              (String.)  Specifies the location where the master key has  been
304              stored   (via   kdb5_util  stash).   The  default  is  /var/ker‐
305              beros/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
306
307       kdc_listen
308              (Whitespace- or comma-separated list.)  Specifies the  UDP  lis‐
309              tening  addresses  and/or ports for the krb5kdc(8) daemon.  Each
310              entry may be an interface address, a port number, or an  address
311              and  port  number separated by a colon.  If the address contains
312              colons, enclose it in square brackets.  If no address is  speci‐
313              fied,  the  wildcard  address is used.  If no port is specified,
314              the standard port (88) is used.  If the KDC daemon fails to bind
315              to  any  of the specified addresses, it will fail to start.  The
316              default is to bind to the wildcard address on the standard port.
317              New in release 1.15.
318
319       kdc_ports
320              (Whitespace- or comma-separated list, deprecated.)  Prior to re‐
321              lease 1.15, this relation lists the  ports  for  the  krb5kdc(8)
322              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
323              later, it has the same meaning as kdc_listen if that relation is
324              not defined.
325
326       kdc_tcp_listen
327              (Whitespace-  or  comma-separated list.)  Specifies the TCP lis‐
328              tening addresses and/or ports for the krb5kdc(8)  daemon.   Each
329              entry  may be an interface address, a port number, or an address
330              and port number separated by a colon.  If the  address  contains
331              colons,  enclose it in square brackets.  If no address is speci‐
332              fied, the wildcard address is used.  If no  port  is  specified,
333              the  standard  port  (88) is used.  To disable listening on TCP,
334              set this relation to the empty string with kdc_tcp_listen =  "".
335              If  the  KDC  daemon  fails  to bind to any of the specified ad‐
336              dresses, it will fail to start.  The default is to bind  to  the
337              wildcard address on the standard port.  New in release 1.15.
338
339       kdc_tcp_ports
340              (Whitespace- or comma-separated list, deprecated.)  Prior to re‐
341              lease 1.15, this relation lists the  ports  for  the  krb5kdc(8)
342              daemon  to  listen  on  for  UDP  requests.  In release 1.15 and
343              later, it has the same meaning as kdc_tcp_listen if  that  rela‐
344              tion is not defined.
345
346       kpasswd_listen
347              (Comma-separated  list.)   Specifies  the  kpasswd listening ad‐
348              dresses and/or ports for the kadmind(8) daemon.  Each entry  may
349              be  an  interface address, a port number, or an address and port
350              number separated by a colon.  If the  address  contains  colons,
351              enclose  it in square brackets.  If no address is specified, the
352              wildcard address is used.  If kadmind fails to bind  to  any  of
353              the  specified addresses, it will fail to start.  The default is
354              to bind to  the  wildcard  address  at  the  port  specified  in
355              kpasswd_port,  or  the  standard kpasswd port (464).  New in re‐
356              lease 1.15.
357
358       kpasswd_port
359              (Port number.)  Specifies the port on which the kadmind(8)  dae‐
360              mon  is  to  listen for password change requests for this realm.
361              Port numbers specified in kpasswd_listen entries  will  override
362              this  port  number.   The  assigned port for password change re‐
363              quests is 464, which is used by default.
364
365       master_key_name
366              (String.)  Specifies the name of the principal  associated  with
367              the master key.  The default is K/M.
368
369       master_key_type
370              (Key  type  string.)   Specifies the master key's key type.  The
371              default value for this is aes256-cts-hmac-sha1-96.  For  a  list
372              of all possible values, see Encryption types.
373
374       max_life
375              (duration  string.)  Specifies the maximum time period for which
376              a ticket may be valid in this realm.  The default  value  is  24
377              hours.
378
379       max_renewable_life
380              (duration  string.)   Specifies  the  maximum time period during
381              which a valid ticket may be renewed in this realm.  The  default
382              value is 0.
383
384       no_host_referral
385              (Whitespace-  or comma-separated list.)  Lists services to block
386              from getting host-based referral processing, even if the  client
387              marks  the server principal as host-based or the service is also
388              listed in host_based_services.  no_host_referral = *  will  dis‐
389              able referral processing altogether.
390
391       reject_bad_transit
392              (Boolean value.)  If set to true, the KDC will check the list of
393              transited realms for cross-realm  tickets  against  the  transit
394              path  computed  from  the realm names and the capaths section of
395              its krb5.conf(5) file; if the path in the ticket  to  be  issued
396              contains  any  realms  not in the computed path, the ticket will
397              not be issued, and an error will be returned to the  client  in‐
398              stead.   If this value is set to false, such tickets will be is‐
399              sued anyways, and it will be left up to the  application  server
400              to validate the realm transit path.
401
402              If  the  disable-transited-check flag is set in the incoming re‐
403              quest, this check is not  performed  at  all.   Having  the  re‐
404              ject_bad_transit  option  will  cause such ticket requests to be
405              rejected always.
406
407              This transit path checking and config file option currently  ap‐
408              ply only to TGS requests.
409
410              The default value is true.
411
412       restrict_anonymous_to_tgt
413              (Boolean value.)  If set to true, the KDC will reject ticket re‐
414              quests from anonymous principals  to  service  principals  other
415              than  the  realm's  ticket-granting service.  This option allows
416              anonymous PKINIT to be enabled for use  as  FAST  armor  tickets
417              without  allowing anonymous authentication to services.  The de‐
418              fault value is false.  New in release 1.9.
419
420       spake_preauth_indicator
421              (String.)  Specifies an authentication indicator value that  the
422              KDC  asserts  into  tickets obtained using SPAKE pre-authentica‐
423              tion.  The default is not to add any  indicators.   This  option
424              may be specified multiple times.  New in release 1.17.
425
426       supported_enctypes
427              (List of key:salt strings.)  Specifies the default key/salt com‐
428              binations of principals for this realm.  Any principals  created
429              through  kadmin(1)  will  have keys of these types.  The default
430              value   for   this   tag    is    aes256-cts-hmac-sha1-96:normal
431              aes128-cts-hmac-sha1-96:normal.   For  lists of possible values,
432              see Keysalt lists.
433
434   [dbdefaults]
435       The [dbdefaults] section specifies default values for some database pa‐
436       rameters,  to  be used if the [dbmodules] subsection does not contain a
437       relation for the tag.  See the [dbmodules] section for the  definitions
438       of these relations.
439
440ldap_kerberos_container_dn
441
442ldap_kdc_dn
443
444ldap_kdc_sasl_authcid
445
446ldap_kdc_sasl_authzid
447
448ldap_kdc_sasl_mech
449
450ldap_kdc_sasl_realm
451
452ldap_kadmind_dn
453
454ldap_kadmind_sasl_authcid
455
456ldap_kadmind_sasl_authzid
457
458ldap_kadmind_sasl_mech
459
460ldap_kadmind_sasl_realm
461
462ldap_service_password_file
463
464ldap_conns_per_server
465
466   [dbmodules]
467       The  [dbmodules]  section  contains parameters used by the KDC database
468       library and database modules.  Each tag in the [dbmodules]  section  is
469       the  name  of a Kerberos realm or a section name specified by a realm's
470       database_module parameter.  The following example shows how  to  define
471       one database parameter for the ATHENA.MIT.EDU realm:
472
473          [dbmodules]
474              ATHENA.MIT.EDU = {
475                  disable_last_success = true
476              }
477
478       The following tags may be specified in a [dbmodules] subsection:
479
480       database_name
481              This  DB2-specific tag indicates the location of the database in
482              the filesystem.  The default is /var/kerberos/krb5kdc/principal.
483
484       db_library
485              This tag indicates the name of  the  loadable  database  module.
486              The  value  should be db2 for the DB2 module, klmdb for the LMDB
487              module, or kldap for the LDAP module.
488
489       disable_last_success
490              If set to true, suppresses KDC updates to the  "Last  successful
491              authentication"  field of principal entries requiring preauthen‐
492              tication.  Setting this flag may improve performance.   (Princi‐
493              pal  entries which do not require preauthentication never update
494              the "Last successful authentication" field.).  First  introduced
495              in release 1.9.
496
497       disable_lockout
498              If  set  to true, suppresses KDC updates to the "Last failed au‐
499              thentication" and "Failed password attempts" fields of principal
500              entries  requiring preauthentication.  Setting this flag may im‐
501              prove performance, but also disables account lockout.  First in‐
502              troduced in release 1.9.
503
504       ldap_conns_per_server
505              This LDAP-specific tag indicates the number of connections to be
506              maintained per LDAP server.
507
508       ldap_kdc_dn and ldap_kadmind_dn
509              These LDAP-specific tags indicate the default DN for binding  to
510              the  LDAP server.  The krb5kdc(8) daemon uses ldap_kdc_dn, while
511              the kadmind(8) daemon  and  other  administrative  programs  use
512              ldap_kadmind_dn.   The  kadmind  DN must have the rights to read
513              and write the Kerberos data in the LDAP database.   The  KDC  DN
514              must  have  the  same  rights,  unless  disable_lockout and dis‐
515              able_last_success are true, in which case it only needs to  have
516              rights  to  read the Kerberos data.  These tags are ignored if a
517              SASL mechanism  is  set  with  ldap_kdc_sasl_mech  or  ldap_kad‐
518              mind_sasl_mech.
519
520       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
521              These LDAP-specific tags specify the SASL mechanism (such as EX‐
522              TERNAL) to use when binding to the LDAP server.  New in  release
523              1.13.
524
525       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
526              These  LDAP-specific  tags specify the SASL authentication iden‐
527              tity to use when binding to the LDAP server.  Not all SASL mech‐
528              anisms  require  an authentication identity.  If the SASL mecha‐
529              nism requires a secret (such as the  password  for  DIGEST-MD5),
530              these tags also determine the name within the ldap_service_pass‐
531              word_file where the secret is stashed.  New in release 1.13.
532
533       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
534              These LDAP-specific tags specify the SASL authorization identity
535              to  use  when binding to the LDAP server.  In most circumstances
536              they do not need to be specified.  New in release 1.13.
537
538       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
539              These LDAP-specific tags specify the  SASL  realm  to  use  when
540              binding  to  the LDAP server.  In most circumstances they do not
541              need to be set.  New in release 1.13.
542
543       ldap_kerberos_container_dn
544              This LDAP-specific tag indicates the DN of the container  object
545              where the realm objects will be located.
546
547       ldap_servers
548              This  LDAP-specific  tag indicates the list of LDAP servers that
549              the Kerberos servers can connect to.  The list of  LDAP  servers
550              is whitespace-separated.  The LDAP server is specified by a LDAP
551              URI.  It is recommended to use ldapi: or ldaps: URLs to  connect
552              to the LDAP server.
553
554       ldap_service_password_file
555              This LDAP-specific tag indicates the file containing the stashed
556              passwords  (created  by  kdb5_ldap_util  stashsrvpw)   for   the
557              ldap_kdc_dn    and   ldap_kadmind_dn   objects,   or   for   the
558              ldap_kdc_sasl_authcid  or  ldap_kadmind_sasl_authcid  names  for
559              SASL authentication.  This file must be kept secure.
560
561       mapsize
562              This  LMDB-specific  tag  indicates  the maximum size of the two
563              database environments in megabytes.  The default value  is  128.
564              Increase  this  value  to  address  "Environment  mapsize  limit
565              reached" errors.  New in release 1.17.
566
567       max_readers
568              This LMDB-specific tag indicates the maximum number  of  concur‐
569              rent  reading processes for the databases.  The default value is
570              128.  New in release 1.17.
571
572       nosync This LMDB-specific tag can be set to improve the  throughput  of
573              kadmind and other administrative agents, at the expense of dura‐
574              bility (recent database changes may not survive a  power  outage
575              or  other  sudden reboot).  It does not affect the throughput of
576              the KDC.  The default value is false.  New in release 1.17.
577
578       unlockiter
579              If set to true, this DB2-specific tag  causes  iteration  opera‐
580              tions to release the database lock while processing each princi‐
581              pal.  Setting this flag to true can prevent extended blocking of
582              KDC  or  kadmin  operations when dumps of large databases are in
583              progress.  First introduced in release 1.13.
584
585       The following tag may be specified directly in the [dbmodules]  section
586       to control where database modules are loaded from:
587
588       db_module_dir
589              This  tag  controls  where  the plugin system looks for database
590              modules.  The value should be an absolute path.
591
592   [logging]
593       The [logging] section indicates how krb5kdc(8) and  kadmind(8)  perform
594       logging.  It may contain the following relations:
595
596       admin_server
597              Specifies how kadmind(8) performs logging.
598
599       kdc    Specifies how krb5kdc(8) performs logging.
600
601       default
602              Specifies  how  either daemon performs logging in the absence of
603              relations specific to the daemon.
604
605       debug  (Boolean value.)  Specifies whether debugging messages  are  in‐
606              cluded in log outputs other than SYSLOG.  Debugging messages are
607              always included in the system log output because syslog performs
608              its own priority filtering.  The default value is false.  New in
609              release 1.15.
610
611       Logging specifications may have the following forms:
612
613       FILE=filename or FILE:filename
614              This value causes the daemon's logging messages  to  go  to  the
615              filename.   If  the = form is used, the file is overwritten.  If
616              the : form is used, the file is appended to.
617
618       STDERR This value causes the daemon's logging messages  to  go  to  its
619              standard error stream.
620
621       CONSOLE
622              This  value  causes  the  daemon's logging messages to go to the
623              console, if the system supports it.
624
625       DEVICE=<devicename>
626              This causes the daemon's logging messages to go to the specified
627              device.
628
629       SYSLOG[:severity[:facility]]
630              This  causes  the  daemon's logging messages to go to the system
631              log.
632
633              For backward compatibility, a severity argument  may  be  speci‐
634              fied,  and  must  be  specified  in order to specify a facility.
635              This argument will be ignored.
636
637              The facility argument specifies the  facility  under  which  the
638              messages  are  logged.  This may be any of the following facili‐
639              ties supported by the syslog(3)  call  minus  the  LOG_  prefix:
640              KERN,  USER,  MAIL, DAEMON, AUTH, LPR, NEWS, UUCP, CRON, and LO‐
641              CAL0 through LOCAL7.  If no facility is specified,  the  default
642              is AUTH.
643
644       In  the following example, the logging messages from the KDC will go to
645       the console and to the system log under the  facility  LOG_DAEMON,  and
646       the logging messages from the administrative server will be appended to
647       the file /var/adm/kadmin.log and sent to the device /dev/tty04.
648
649          [logging]
650              kdc = CONSOLE
651              kdc = SYSLOG:INFO:DAEMON
652              admin_server = FILE:/var/adm/kadmin.log
653              admin_server = DEVICE=/dev/tty04
654
655       If no logging specification is given, the default is to use syslog.  To
656       disable logging entirely, specify default = DEVICE=/dev/null.
657
658   [otp]
659       Each  subsection  of  [otp] is the name of an OTP token type.  The tags
660       within the subsection define the configuration required  to  forward  a
661       One Time Password request to a RADIUS server.
662
663       For each token type, the following tags may be specified:
664
665       server This  is  the server to send the RADIUS request to.  It can be a
666              hostname with optional port, an ip address with  optional  port,
667              or  a  Unix  domain  socket  address.   The default is /var/ker‐
668              beros/krb5kdc/<name>.socket.
669
670       secret This  tag  indicates  a  filename  (which  may  be  relative  to
671              /var/kerberos/krb5kdc) containing the secret used to encrypt the
672              RADIUS packets.  The secret should appear in the first  line  of
673              the  file by itself; leading and trailing whitespace on the line
674              will be removed.  If the value of server is a Unix domain socket
675              address,  this tag is optional, and an empty secret will be used
676              if it is not specified.  Otherwise, this tag is required.
677
678       timeout
679              An integer which specifies the time in seconds during which  the
680              KDC  should  attempt  to contact the RADIUS server.  This tag is
681              the total time across all retries and should be  less  than  the
682              time  which  an  OTP  value remains valid for.  The default is 5
683              seconds.
684
685       retries
686              This tag specifies the number of retries to make to  the  RADIUS
687              server.  The default is 3 retries (4 tries).
688
689       strip_realm
690              If  this  tag  is  true, the principal without the realm will be
691              passed to the RADIUS server.  Otherwise, the realm will  be  in‐
692              cluded.  The default value is true.
693
694       indicator
695              This tag specifies an authentication indicator to be included in
696              the ticket if this token type is used to authenticate.  This op‐
697              tion may be specified multiple times.  (New in release 1.14.)
698
699       In the following example, requests are sent to a remote server via UDP:
700
701          [otp]
702              MyRemoteTokenType = {
703                  server = radius.mydomain.com:1812
704                  secret = SEmfiajf42$
705                  timeout = 15
706                  retries = 5
707                  strip_realm = true
708              }
709
710       An  implicit  default  token type named DEFAULT is defined for when the
711       per-principal configuration does not specify a token type.  Its config‐
712       uration  is shown below.  You may override this token type to something
713       applicable for your situation:
714
715          [otp]
716              DEFAULT = {
717                  strip_realm = false
718              }
719

PKINIT OPTIONS

721       NOTE:
722          The following are pkinit-specific  options.   These  values  may  be
723          specified   in   [kdcdefaults]  as  global  defaults,  or  within  a
724          realm-specific subsection of [realms].  Also note that a  realm-spe‐
725          cific  value  over-rides,  does  not add to, a generic [kdcdefaults]
726          specification.  The search order is:
727
728       1. realm-specific subsection of [realms]:
729
730             [realms]
731                 EXAMPLE.COM = {
732                     pkinit_anchors = FILE:/usr/local/example.com.crt
733                 }
734
735       2. generic value in the [kdcdefaults] section:
736
737             [kdcdefaults]
738                 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
739
740       For information about the syntax of some of these options, see Specify‐
741       ing PKINIT identity information in krb5.conf(5).
742
743       pkinit_anchors
744              Specifies  the  location  of  trusted anchor (root) certificates
745              which the KDC trusts to sign client certificates.   This  option
746              is  required  if pkinit is to be supported by the KDC.  This op‐
747              tion may be specified multiple times.
748
749       pkinit_dh_min_bits
750              Specifies the minimum number of bits the KDC is willing  to  ac‐
751              cept for a client's Diffie-Hellman key.  The default is 2048.
752
753       pkinit_allow_upn
754              Specifies  that the KDC is willing to accept client certificates
755              with the Microsoft UserPrincipalName (UPN)  Subject  Alternative
756              Name  (SAN).   This means the KDC accepts the binding of the UPN
757              in the certificate to the Kerberos principal name.  The  default
758              value is false.
759
760              Without  this option, the KDC will only accept certificates with
761              the id-pkinit-san as defined in RFC 4556.  There is currently no
762              option to disable SAN checking in the KDC.
763
764       pkinit_eku_checking
765              This  option  specifies what Extended Key Usage (EKU) values the
766              KDC is willing to accept in  client  certificates.   The  values
767              recognized in the kdc.conf file are:
768
769              kpClientAuth
770                     This  is the default value and specifies that client cer‐
771                     tificates must have the id-pkinit-KPClientAuth EKU as de‐
772                     fined in RFC 4556.
773
774              scLogin
775                     If scLogin is specified, client certificates with the Mi‐
776                     crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will  be
777                     accepted.
778
779              none   If  none  is specified, then client certificates will not
780                     be checked to verify they have an  acceptable  EKU.   The
781                     use of this option is not recommended.
782
783       pkinit_identity
784              Specifies  the location of the KDC's X.509 identity information.
785              This option is required if pkinit is to be supported by the KDC.
786
787       pkinit_indicator
788              Specifies an authentication indicator to include in  the  ticket
789              if pkinit is used to authenticate.  This option may be specified
790              multiple times.  (New in release 1.14.)
791
792       pkinit_pool
793              Specifies the location of intermediate certificates which may be
794              used  by  the KDC to complete the trust chain between a client's
795              certificate and a trusted anchor.  This option may be  specified
796              multiple times.
797
798       pkinit_revoke
799              Specifies  the location of Certificate Revocation List (CRL) in‐
800              formation to be used by the KDC when verifying the  validity  of
801              client  certificates.   This  option  may  be specified multiple
802              times.
803
804       pkinit_require_crl_checking
805              The default certificate verification process will  always  check
806              the available revocation information to see if a certificate has
807              been revoked.  If a match is found for the certificate in a CRL,
808              verification  fails.   If  the certificate being verified is not
809              listed in a CRL, or there is no CRL present for its issuing  CA,
810              and pkinit_require_crl_checking is false, then verification suc‐
811              ceeds.
812
813              However, if pkinit_require_crl_checking is true and there is  no
814              CRL  information available for the issuing CA, then verification
815              fails.
816
817              pkinit_require_crl_checking should be set to true if the  policy
818              is such that up-to-date CRLs must be present for every CA.
819
820       pkinit_require_freshness
821              Specifies  whether to require clients to include a freshness to‐
822              ken in PKINIT requests.  The default value is  false.   (New  in
823              release 1.17.)
824

ENCRYPTION TYPES

826       Any  tag in the configuration files which requires a list of encryption
827       types can be set to some combination of the following strings.  Encryp‐
828       tion types marked as "weak" and "deprecated" are available for compati‐
829       bility but not recommended for use.
830
831             ┌───────────────────────────┬─────────────────────────────┐
832             │aes256-cts-hmac-sha1-96    │ AES-256   CTS   mode  with  │
833             │aes256-cts aes256-sha1     │ 96-bit SHA-1 HMAC           │
834             ├───────────────────────────┼─────────────────────────────┤
835             │aes128-cts-hmac-sha1-96    │ AES-128   CTS   mode  with  │
836             │aes128-cts aes128-sha1     │ 96-bit SHA-1 HMAC           │
837             ├───────────────────────────┼─────────────────────────────┤
838             │aes256-cts-hmac-sha384-192 │ AES-256   CTS   mode  with  │
839             │aes256-sha2                │ 192-bit SHA-384 HMAC        │
840             ├───────────────────────────┼─────────────────────────────┤
841             │aes128-cts-hmac-sha256-128 │ AES-128   CTS   mode  with  │
842             │aes128-sha2                │ 128-bit SHA-256 HMAC        │
843             ├───────────────────────────┼─────────────────────────────┤
844             │arcfour-hmac rc4-hmac arc‐ │ RC4  with HMAC/MD5 (depre‐  │
845             │four-hmac-md5              │ cated)                      │
846             ├───────────────────────────┼─────────────────────────────┤
847             │arcfour-hmac-exp           │ Exportable    RC4     with  │
848             │rc4-hmac-exp          arc‐ │ HMAC/MD5 (weak)             │
849             │four-hmac-md5-exp          │                             │
850             ├───────────────────────────┼─────────────────────────────┤
851             │camellia256-cts-cmac       │ Camellia-256 CTS mode with  │
852             │camellia256-cts            │ CMAC                        │
853             ├───────────────────────────┼─────────────────────────────┤
854             │camellia128-cts-cmac       │ Camellia-128 CTS mode with  │
855             │camellia128-cts            │ CMAC                        │
856             ├───────────────────────────┼─────────────────────────────┤
857             │aes                        │ The       AES      family:  │
858             │                           │ aes256-cts-hmac-sha1-96,    │
859             │                           │ aes128-cts-hmac-sha1-96,    │
860             │                           │ aes256-cts-hmac-sha384-192, │
861             │                           │ and                         │
862             │                           │ aes128-cts-hmac-sha256-128  │
863             ├───────────────────────────┼─────────────────────────────┤
864             │rc4                        │ The   RC4   family:    arc‐ │
865             │                           │ four-hmac                   │
866             ├───────────────────────────┼─────────────────────────────┤
867             │camellia                   │ The Camellia family: camel‐ │
868             │                           │ lia256-cts-cmac and  camel‐ │
869             │                           │ lia128-cts-cmac             │
870             └───────────────────────────┴─────────────────────────────┘
871
872       The string DEFAULT can be used to refer to the default set of types for
873       the variable in question.  Types or families can be  removed  from  the
874       current list by prefixing them with a minus sign ("-").  Types or fami‐
875       lies can be prefixed with a plus sign ("+") for symmetry;  it  has  the
876       same meaning as just listing the type or family.  For example, "DEFAULT
877       -rc4" would be the default set of encryption types with RC4  types  re‐
878       moved, and "aes128-sha2 DEFAULT" would be the default set of encryption
879       types with aes128-sha2 moved to the front.
880
881       While aes128-cts and aes256-cts are supported for all  Kerberos  opera‐
882       tions, they are not supported by very old versions of our GSSAPI imple‐
883       mentation (krb5-1.3.1 and earlier).  Services running versions of  krb5
884       without AES support must not be given keys of these encryption types in
885       the KDC database.
886
887       The aes128-sha2 and aes256-sha2 encryption types  are  new  in  release
888       1.15.   Services  running  versions  of  krb5 without support for these
889       newer encryption types must not be given keys of these encryption types
890       in the KDC database.
891

KEYSALT LISTS

893       Kerberos  keys  for users are usually derived from passwords.  Kerberos
894       commands and configuration parameters that affect  generation  of  keys
895       take  lists  of  enctype-salttype  ("keysalt")  pairs, known as keysalt
896       lists.  Each keysalt pair is an enctype name  followed  by  a  salttype
897       name, in the format enc:salt.  Individual keysalt list members are sep‐
898       arated by comma (",") characters or space characters.  For example:
899
900          kadmin -e aes256-cts:normal,aes128-cts:normal
901
902       would start up kadmin so that by default it would generate password-de‐
903       rived  keys for the aes256-cts and aes128-cts encryption types, using a
904       normal salt.
905
906       To ensure that people who happen to pick the same password do not  have
907       the same key, Kerberos 5 incorporates more information into the key us‐
908       ing something called a salt.  The supported salt types are as follows:
909
910                      ┌──────────┬────────────────────────────┐
911                      │normal    │ default for Kerberos  Ver‐ │
912                      │          │ sion 5                     │
913                      ├──────────┼────────────────────────────┤
914                      │norealm   │ same as the default, with‐ │
915                      │          │ out using  realm  informa‐ │
916                      │          │ tion                       │
917                      ├──────────┼────────────────────────────┤
918                      │onlyrealm │ uses  only  realm informa‐ │
919                      │          │ tion as the salt           │
920                      ├──────────┼────────────────────────────┤
921                      │special   │ generate a random salt     │
922                      └──────────┴────────────────────────────┘
923

SAMPLE KDC.CONF FILE

925       Here's an example of a kdc.conf file:
926
927          [kdcdefaults]
928              kdc_listen = 88
929              kdc_tcp_listen = 88
930          [realms]
931              ATHENA.MIT.EDU = {
932                  kadmind_port = 749
933                  max_life = 12h 0m 0s
934                  max_renewable_life = 7d 0h 0m 0s
935                  master_key_type = aes256-cts-hmac-sha1-96
936                  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
937                  database_module = openldap_ldapconf
938              }
939
940          [logging]
941              kdc = FILE:/usr/local/var/krb5kdc/kdc.log
942              admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
943
944          [dbdefaults]
945              ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
946
947          [dbmodules]
948              openldap_ldapconf = {
949                  db_library = kldap
950                  disable_last_success = true
951                  ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
952                      # this object needs to have read rights on
953                      # the realm container and principal subtrees
954                  ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
955                      # this object needs to have read and write rights on
956                      # the realm container and principal subtrees
957                  ldap_service_password_file = /etc/kerberos/service.keyfile
958                  ldap_servers = ldaps://kerberos.mit.edu
959                  ldap_conns_per_server = 5
960              }
961

FILES

963       /var/kerberos/krb5kdc/kdc.conf
964

SEE ALSO

966       krb5.conf(5), krb5kdc(8), kadm5.acl(5)
967

AUTHOR

969       MIT
970
972       1985-2022, MIT
973
974
975
976
9771.19.2                                                             KDC.CONF(5)
Impressum