1KRB5.CONF(5)                BSD File Formats Manual               KRB5.CONF(5)
2

NAME

4     krb5.conf — configuration file for Kerberos 5
5

SYNOPSIS

7     #include <krb5.h>
8

DESCRIPTION

10     The krb5.conf file specifies several configuration parameters for the
11     Kerberos 5 library, as well as for some programs.
12
13     The file consists of one or more sections, containing a number of bind‐
14     ings.  The value of each binding can be either a string or a list of
15     other bindings.  The grammar looks like:
16
17           file:
18                   /* empty */
19                   sections
20
21           sections:
22                   section sections
23                   section
24
25           section:
26                   '[' section_name ']' bindings
27
28           section_name:
29                   STRING
30
31           bindings:
32                   binding bindings
33                   binding
34
35           binding:
36                   name '=' STRING
37                   name '=' '{' bindings '}'
38
39           name:
40                   STRING
41
42     STRINGs consist of one or more non-whitespace characters.
43
44     STRINGs that are specified later in this man-page use the following no‐
45     tation.
46
47           boolean
48                values can be either yes/true or no/false.
49
50           time
51                values can be a list of year, month, day, hour, min, second.
52                Example: 1 month 2 days 30 min.  If no unit is given, seconds
53                is assumed.
54
55           etypes
56                valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
57                md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
58                and aes256-cts-hmac-sha1-96.  The single-DES types count as
                  weak crypto and are not used unless allow_weak_crypto is set
                  (see [libdefaults]).
59
60           address
61                an address can be either an IPv4 or an IPv6 address.
62
63     Currently recognised sections and bindings are:
64
65           [appdefaults]
66                Specifies the default values to be used for Kerberos applica‐
67                tions.  You can specify defaults per application, realm, or a
68                combination of these.  The preference order is:
69                1.   application realm option
70                2.   application option
71                3.   realm option
72                4.   option
73
74                The supported options are:
75
76                      forwardable = boolean
77                           When obtaining initial credentials, make the cre‐
78                           dentials forwardable.
79
80                      proxiable = boolean
81                           When obtaining initial credentials, make the cre‐
82                           dentials proxiable.
83
84                      no-addresses = boolean
85                           When obtaining initial credentials, request them
86                           for an empty set of addresses, making the tickets
87                           valid from any address.
88
89                      ticket_lifetime = time
90                           Default ticket lifetime.
91
92                      renew_lifetime = time
93                           Default renewable ticket lifetime.
94
95                      encrypt = boolean
96                           Use encryption, when available.
97
98                      forward = boolean
99                           Forward credentials to remote host (for rsh(1),
100                           telnet(1), etc).
101
102                      historical_anon_pkinit = boolean
103                           Enable legacy anonymous pkinit command-line syntax.
104                           With this option set to true, the kinit(1)
105                           --anonymous command with no principal argument
106                           specified will request an anonymous pkinit ticket
107                           from the default realm.  If a principal argument is
108                           specified, it is used as an explicit realm name for
109                           anonymous pkinit even without an @ prefix.
110
111           [libdefaults]
112
113                      default_realm = REALM
114                           Default realm to use; this is also known as your
115                           “local realm”.  The default is the result of
116                           krb5_get_host_realm(local hostname).
117
118                      allow_weak_crypto = boolean
119                           Whether weak crypto algorithms are allowed to be
120                           used; among others, DES is considered weak.
121
122                      clockskew = time
123                           Maximum time differential (in seconds) allowed when
124                           comparing times.  Default is 300 seconds (five min‐
125                           utes).
126
127                      kdc_timeout = time
128                           Maximum time to wait for a reply from the kdc, de‐
129                           fault is 3 seconds.
130
131                      capath = {
132
133                                 destination-realm = next-hop-realm
134
135                                 ...
136
137                                 }
138                           This is deprecated, see the capaths section below.
139
140                      default_cc_type = cctype
141                           sets the default credentials type.
142
143                      default_cc_name = ccname
144                           the default credentials cache name.  If you want to
145                           change the type only use default_cc_type.  The
146                           string can contain variables that are expanded on
147                           runtime.  The only variable currently supported is
148                           %{uid} which expands to the current user id.
149
150                      default_etypes = etypes ...
151                           A list of default encryption types to use. (De‐
152                           fault: all enctypes if allow_weak_crypto = TRUE,
153                           else all enctypes except single DES enctypes.)
154
155                      default_as_etypes = etypes ...
156                           A list of default encryption types to use in AS re‐
157                           quests.  (Default: the value of default_etypes.)
158
159                      default_tgs_etypes = etypes ...
160                           A list of default encryption types to use in TGS
161                           requests.  (Default: the value of default_etypes.)
162
163                      default_etypes_des = etypes ...
164                           A list of default encryption types to use when re‐
165                           questing a DES credential.
166
167                      default_keytab_name = keytab
168                           The keytab to use if no other is specified, default
169                           is “FILE:/etc/krb5.keytab”.
170
171                      dns_lookup_kdc = boolean
172                           Use DNS SRV records to lookup KDC services loca‐
173                           tion.
174
175                      dns_lookup_realm = boolean
176                           Use DNS TXT records to lookup domain to realm map‐
177                           pings.
178
179                      kdc_timesync = boolean
180                           Try to keep track of the time differential between
181                           the local machine and the KDC, and then compensate
182                           for that when issuing requests.
183
184                      max_retries = number
185                           The max number of times to try to contact each KDC.
186
187                      large_msg_size = number
188                           The threshold where protocols with tiny maximum
189                           message sizes are not considered usable to send
190                           messages to the KDC.
191
192                      ticket_lifetime = time
193                           Default ticket lifetime.
194
195                      renew_lifetime = time
196                           Default renewable ticket lifetime.
197
198                      forwardable = boolean
199                           When obtaining initial credentials, make the cre‐
200                           dentials forwardable.  This option is also valid in
201                           the [realms] section.
202
203                      proxiable = boolean
204                           When obtaining initial credentials, make the cre‐
205                           dentials proxiable.  This option is also valid in
206                           the [realms] section.
207
208                      verify_ap_req_nofail = boolean
209                           If enabled, failure to verify credentials against a
210                           local key is a fatal error.  The application has to
211                           be able to read the corresponding service key for
212                           this to work.  Some applications, like su(1), en‐
213                           able this option unconditionally.
214
215                      warn_pwexpire = time
216                           How soon to warn for expiring password.  Default is
217                           seven days.
218
219                      http_proxy = proxy-spec
220                           A HTTP-proxy to use when talking to the KDC via
221                           HTTP.
222
223                      dns_proxy = proxy-spec
224                           Enable using DNS via HTTP.
225
226                      extra_addresses = address ...
227                           A list of addresses to get tickets for along with
228                           all local addresses.
229
230                      time_format = string
231                           How to print time strings in logs, this string is
232                           passed to strftime(3).
233
234                      date_format = string
235                           How to print date strings in logs, this string is
236                           passed to strftime(3).
237
238                      log_utc = boolean
239                           Write log-entries using UTC instead of your local
240                           time zone.
241
242                      scan_interfaces = boolean
243                           Scan all network interfaces for addresses, as op‐
244                           posed to simply using the address associated with
245                           the system's host name.
246
247                      fcache_version = int
248                           Use file credential cache format version specified.
249
250                      fcc-mit-ticketflags = boolean
251                           Use MIT compatible format for file credential
252                           cache.  The ticketflags field is stored in reverse
253                           bit order by versions older than Heimdal 0.7.
254                           Setting this flag to TRUE makes it store the MIT
255                           way; this is the default for Heimdal 0.7.
256
257                      check-rd-req-server
258                           If set to "ignore", the framework will ignore any
259                           of the server input to krb5_rd_req(3); this is very
260                           useful when the GSS-API server inputs the wrong
261                           server name into the gss_accept_sec_context call.
262
263                      k5login_directory = directory
264                           Alternative location for user .k5login files. This
265                           option is provided for compatibility with MIT krb5
266                           configuration files.
267
268                      k5login_authoritative = boolean
269                           If true then if a principal is not found in k5login
270                           files then krb5_userok(3) will not fallback on
271                           principal to username mapping. This option is pro‐
272                           vided for compatibility with MIT krb5 configuration
273                           files.
274
275                      kuserok = rule ...
276                           Specifies krb5_userok(3) behavior.  If multiple
277                           values are given, then krb5_userok(3) will evaluate
278                           them in order until one succeeds or all fail.
279                           Rules are implemented by plugins, with three built-
280                           in plugins described below. Default: USER-K5LOGIN
281                           SIMPLE DENY.
282
283                      kuserok = DENY
284                           If set and evaluated then krb5_userok(3) will deny
285                           access to the given username no matter what the
286                           principal name might be.
287
288                      kuserok = SIMPLE
289                           If set and evaluated then krb5_userok(3) will use
290                           principal to username mapping (see auth_to_local
291                           below).  If the principal maps to the requested
292                           username then access is allowed.
293
294                      kuserok = SYSTEM-K5LOGIN[:directory]
295                           If set and evaluated then krb5_userok(3) will use
296                           k5login files named after the luser argument to
297                           krb5_userok(3) in the given directory or in
298                           /etc/k5login.d/.  K5login files are text files,
299                           with each line containing just a principal name;
300                           principals appearing in a user's k5login file are
301                           permitted access to the user's account. Note: this
302                           rule performs no ownership nor permissions checks
303                           on k5login files; proper ownership and permis‐
304                           sions/ACLs are expected due to the k5login location
305                           being a system location.
306
307                      kuserok = USER-K5LOGIN
308                           If set and evaluated then krb5_userok(3) will use
309                           ~luser/.k5login and ~luser/.k5login.d/*.  User
310                           k5login files and directories must be owned by the
311                           user and must not have world nor group write per‐
312                           missions.
313
314                      aname2lname-text-db = filename
315                           The named file must be a sorted (in increasing or‐
316                           der) text file where every line consists of an un‐
317                           parsed principal name optionally followed by white‐
318                           space and a username.  The aname2lname function
319                           will do a binary search on this file, if config‐
320                           ured, looking for lines that match the given prin‐
321                           cipal name, and if found the given username will be
322                           used, or, if the username is missing, an error will
323                           be returned.  If the file doesn't exist, or if no
324                           matching line is found then other plugins will be
325                           allowed to run.
326
327                      fcache_strict_checking
328                           Perform strict checking of FILE credential caches:
329                           that the owner and permissions are correct and that
                              the file is not a symlink.
330
331                      name_canon_rules = rules
332                           One or more service principal name canonicalization
333                           rules.  Each rule consists of one or more tokens
334                           separated by colon (':').  Currently these rules
335                           are used only for hostname canonicalization (usu‐
336                           ally when getting a service ticket, from a ccache
337                           or a TGS, but also when acquiring GSS initiator
338                           credentials from a keytab).  These rules can be
339                           used to implement DNS resolver-like search lists
340                           without having to use DNS.
341
342                           NOTE: Name canonicalization rules are an experimen‐
343                           tal feature.
344
345                           The first token is a rule type, one of: as-is,
346                           qualify, or nss.
347
348                           Any remaining tokens must be options tokens:
349                           use_fast (use FAST to protect TGS exchanges; cur‐
350                           rently not supported), use_dnssec (use DNSSEC to
351                           protect hostname lookups; currently not supported),
352                           ccache_only, use_referrals, no_referrals,
353                           lookup_realm, mindots=N, maxdots=N, order=N,
354                           domain=domain, realm=realm, match_domain=domain,
355                           and match_realm=realm.
356
357                           When trying to obtain a service ticket for a host-
358                           based service principal name, name canonicalization
359                           rules are applied to that name in the order given,
360                           one by one, until one succeeds (a service ticket is
361                           obtained), or all fail.  Similarly when acquiring
362                           GSS initiator credentials from a keytab, and when
363                           comparing a non-canonical GSS name to a canonical
364                           one.
365
366                           For each rule the system checks that the hostname
367                           has at least mindots periods (if given) in it, at
368                           most maxdots periods (if given), that the hostname
369                           ends in the given match_domain (if given), and that
370                           the realm of the principal matches the match_realm
371                           (if given).
372
373                           As-is rules leave the hostname unmodified but may
374                           set a realm.  Qualify rules qualify the hostname
375                           with the given domain and also may set the realm.
376                           The nss rule uses the system resolver to lookup the
377                           host's canonical name and is usually not secure.
378                           Note that using the nss rule type implies having to
379                           have principal aliases in the HDB (though not nec‐
380                           essarily in keytabs).
381
382                           The empty realm denotes "ask the client's realm's
383                           TGS".  The empty realm may be set as well as
384                           matched.
385
386                           The order in which rules are applied is as follows:
387                           first all the rules with explicit order then all
388                           other rules in the order in which they appear.  If
389                           any two rules have the same explicit order, their
390                           order of appearance in krb5.conf breaks the tie.
391                           Explicitly specifying order can be useful where
392                           tools read and write the configuration file without
393                           preserving parameter order.
394
395                           Malformed rules are ignored.
396
397                      allow_hierarchical_capaths = boolean
398                           When validating cross-realm transit paths, absent
399                           any explicit capath from the client realm to the
400                           server realm, allow a hierarchical transit path via
401                           the common ancestor domain of the two realms.  De‐
402                           faults to true.  Note, absent an explicit setting,
403                           hierarchical capaths are always used by the KDC
404                           when generating a referral to a destination with
405                           which there is no direct trust.
406
407           [domain_realm]
408                This is a list of mappings from DNS domain to Kerberos realm.
409                Each binding in this section looks like:
410
411                      domain = realm
412
413                The domain can be either a full name of a host or a trailing
414                component, in the latter case the domain-string should start
415                with a period.  The trailing component only matches hosts that
416                are in the same domain, i.e. “.example.com” matches
417                “foo.example.com”, but not “foo.test.example.com”.
418
419                The realm may be the token `dns_locate', in which case the ac‐
420                tual realm will be determined using DNS (independently of the
421                setting of the `dns_lookup_realm' option).
422
423           [realms]
424
425                      REALM = {
426
427                                 kdc = [service/]host[:port]
428                                      Specifies a list of kdcs for this realm.
429                                      If the optional port is absent, the de‐
430                                      fault value for the “kerberos/udp”,
431                                      “kerberos/tcp”, and “http/tcp” port (de‐
432                                      pending on service) will be used.  The
433                                      kdcs will be used in the order that they
434                                      are specified.
435
436                                      The optional service specifies over what
437                                      medium the kdc should be contacted.
438                                      Possible services are “udp”, “tcp”, and
439                                      “http”.  Http can also be written as
440                                      “http://”.  Default service is “udp” and
441                                      “tcp”.
442
443                                 admin_server = host[:port]
444                                      Specifies the admin server for this
445                                      realm, where all the modifications to
446                                      the database are performed.
447
448                                 kpasswd_server = host[:port]
449                                      Points to the server where all the pass‐
450                                      word changes are performed.  If there is
451                                      no such entry, the kpasswd port on the
452                                      admin_server host will be tried.
453
454                                 tgs_require_subkey
455                                      a boolean variable that defaults to
456                                      false.  Old DCE secd (pre 1.1) might
457                                      need this to be true.
458
459                                 auth_to_local_names = {
460
461                                            principal_name = username
462                                                 The given principal_name will
463                                                 be mapped to the given
464                                                 username if the REALM is a
465                                                 default realm.
466
467                                 }
468
469                                 auth_to_local = HEIMDAL_DEFAULT
470                                      Use the Heimdal default principal to
471                                      username mapping.  Applies to principals
472                                      from the REALM if and only if REALM is a
473                                      default realm.
474
475                                 auth_to_local = DEFAULT
476                                      Use the MIT default principal to user‐
477                                      name mapping.  Applies to principals
478                                      from the REALM if and only if REALM is a
479                                      default realm.
480
481                                 auth_to_local = DB:/path/to/db.txt
482                                      Use a binary search of the given DB.
483                                      The DB must be a flat-text file sorted
484                                      in the "C" locale, with each record be‐
485                                      ing a line (separated by either LF or
486                                      CRLF) consisting of a principal name
487                                      followed by whitespace followed by a
488                                      username.  Applies to principals from
489                                      the REALM if and only if REALM is a de‐
490                                      fault realm.
491
492                                 auth_to_local = DB:/path/to/db
493                                      Use the given DB, if there's a plugin
494                                      for it.  Applies to principals from the
495                                      REALM if and only if REALM is a default
496                                      realm.
497
498                                 auth_to_local = RULE:...
499                                      Use the given rule, if there's a plugin
500                                      for it.  Applies to principals from the
501                                      REALM if and only if REALM is a default
502                                      realm.
503
504                                 auth_to_local = NONE
505                                      No additional principal to username map‐
506                                      ping is done. Note that
507                                      auth_to_local_names and any preceding
508                                      auth_to_local rules have precedence.
509
510                      }
511
512           [capaths]
513
514                      client-realm = {
515
516                                 server-realm = hop-realm ...
517                                      This serves two purposes. First the
518                                      first listed hop-realm tells a client
519                                      which realm it should contact in order
520                                      to ultimately obtain credentials for a
521                                      service in the server-realm.  Secondly,
522                                      it tells the KDC (and other servers)
523                                      which realms are allowed in a multi-hop
524                                      traversal from client-realm to
525                                      server-realm.  Except for the client
526                                      case, the order of the realms are not
527                                      important.
528
529                      }
530
531           [logging]
532
533                      entity = destination
534                           Specifies that entity should use the specified
535                           destination for logging.  See the krb5_openlog(3)
536                           manual page for a list of defined destinations.
537
538           [kdc]
539
540                      database = {
541
542                                 dbname = [DATABASETYPE:]DATABASENAME
543                                      Use this database for this realm.  The
544                                      DATABASETYPE should be one of 'lmdb',
545                                      'db3', 'db1', 'db', 'sqlite', or 'ldap'.
546                                      See the info documentation on how to
547                                      configure different database backends.
548
549                                 realm = REALM
550                                      Specifies the realm that will be stored
551                                      in this database.  If realm isn't set,
552                                      it will be used as the default database;
553                                      there can only be one entry that doesn't
554                                      have a realm stanza.
555
556                                 mkey_file = FILENAME
557                                      Use this keytab file for the master key
558                                      of this database.  If not specified
559                                      DATABASENAME.mkey will be used.
560
561                                 acl_file = FILENAME
562                                      Use this file for the ACL list of this
563                                      database.
564
565                                 log_file = FILENAME
566                                      Use this file as the log of changes per‐
567                                      formed to the database.  This file is
568                                      used by ipropd-master for propagating
569                                      changes to slaves.  It is also used by
570                                      kadmind and kadmin (when used with the
571                                      -l option), and by all applications us‐
572                                      ing libkadm5 with the local backend, for
573                                      two-phase commit functionality.  Slaves
574                                      also use this.  Setting this to
575                                      /dev/null disables two-phase commit and
576                                      incremental propagation.  Use iprop-log
577                                      to show the contents of this log file.
578
579                                 log-max-size = number
580                                      When the log reaches this size (in
581                                      bytes), the log will be truncated, sav‐
582                                      ing some entries, and keeping the latest
583                                      version number so as to not disrupt in‐
584                                      cremental propagation.  If set to a neg‐
585                                      ative value then automatic log trunca‐
586                                      tion will be disabled.  Defaults to
587                                      52428800 (50MB).
588
589                      }
590
591                      max-request = SIZE
592                           Maximum size of a kdc request.
593
594                      require-preauth = BOOL
595                           If set pre-authentication is required.
596
597                      ports = list of ports
598                           List of ports the kdc should listen to.
599
600                      addresses = list of interfaces
601                           List of addresses the kdc should bind to.
602
603                      enable-http = BOOL
604                           Whether the kdc should answer kdc-requests over http.
605
606                      tgt-use-strongest-session-key = BOOL
607                           If this is TRUE then the KDC will prefer the
608                           strongest key from the client's AS-REQ or TGS-REQ
609                           enctype list for the ticket session key that is
610                           supported by the KDC and the target principal when
611                           the target principal is a krbtgt principal.  Else
612                           it will prefer the first key from the client's AS-
613                           REQ enctype list that is also supported by the KDC
614                           and the target principal.  Defaults to FALSE.
615
616                      svc-use-strongest-session-key = BOOL
617                           Like tgt-use-strongest-session-key, but applies to
618                           the session key enctype of tickets for services
619                           other than krbtgt principals. Defaults to FALSE.
620
621                      preauth-use-strongest-session-key = BOOL
622                           If TRUE then select the strongest possible enctype
623                           from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
624                           for password-based pre-authentication).  Else pick
625                           the first supported enctype from the client's AS-
626                           REQ.  Defaults to FALSE.
627
628                      use-strongest-server-key = BOOL
629                           If TRUE then the KDC picks, for the ticket en‐
630                           crypted part's key, the strongest supported enctype
631                           from the target service principal's hdb entry's
632                           current keyset.  Else the KDC picks the first sup‐
633                           ported enctype from the target service principal's
634                           hdb entry's current keyset.  Defaults to TRUE.
635
636                      check-ticket-addresses = BOOL
637                           Verify the addresses in the tickets used in tgs re‐
638                           quests.
639
640                      allow-null-ticket-addresses = BOOL
641                           Allow address-less tickets.
642
643                      allow-anonymous = BOOL
644                           If the kdc is allowed to hand out anonymous tick‐
645                           ets.
646
647                      historical_anon_realm = boolean
648                           Enables pre-7.0 non-RFC-conformant KDC behavior.
649                           With this option set to true the client realm in
650                           anonymous pkinit AS replies will be the requested
651                           realm, rather than the RFC-conformant
652                           WELLKNOWN:ANONYMOUS realm.  This can have a secu‐
653                           rity impact on servers that expect to grant access
654                           only to anonymous-but-KDC-authenticated users of
655                           the realm in question: they would also grant access
656                           to unauthenticated anonymous users.  As such, it is
657                           not recommended to set this option to true.
658
659                      encode_as_rep_as_tgs_rep = BOOL
660                           Encode as-rep as tgs-rep, for compatibility with a
661                           mistake made by older versions of DCE secd.
662
663                      kdc_warn_pwexpire = TIME
664                           The time before expiration that the user should be
665                           warned that her password is about to expire.
666
667                      logging = Logging
668                           What type of logging the kdc should use, see also
669                           [logging]/kdc.
670
671                      hdb-ldap-structural-object = structural object
672                           If the LDAP backend is used for storing principals,
673                           this is the structural object that will be used
674                           when creating and when reading objects.  The de‐
675                           fault value is account.
676
677                      hdb-ldap-create-base = creation dn
678                           The dn that will be appended to the principal
679                           when creating entries.  Default value is the search
680                           dn.
681
682                      enable-digest = BOOL
683                           Should the kdc answer digest requests. The default
684                           is FALSE.
685
686                      digests_allowed = list of digests
687                           Specifies the digests the kdc will reply to. The
688                           default is ntlm-v2.
689
690                      kx509_ca = file
691                           Specifies the PEM credentials for the kx509 certi‐
692                           fication authority.
693
694                      require_initial_kca_tickets = boolean
695                           Specifies whether to require that tickets for the
696                           kca_service service principal be INITIAL.  This may
697                           be set on a per-realm basis as well as globally.
698                           Defaults to true for the global setting.
699
700                      kx509_include_pkinit_san = boolean
701                           If true then the kx509 client principal's name and
702                           realm will be included in an id-pkinit-san certifi‐
703                           cate extension.  This can be set on a per-realm ba‐
704                           sis as well as globally.  Defaults to true for the
705                           global setting.
706
707                      kx509_template = file
708                           Specifies the PEM file with a template for the cer‐
709                           tificates to be issued.  The following variables
710                           can be interpolated in the subject name using
711                           ${variable} syntax:
712
713                                 principal-name
714                                      The full name of the kx509 client prin‐
715                                      cipal.
716
717                                 principal-name-without-realm
718                                      The full name of the kx509 client prin‐
719                                      cipal, excluding the realm name.
720
721                                 principal-name-realm
722                                      The name of the client principal's
723                                      realm.
724                The kx509, kx509_template, kx509_include_pkinit_san, and
725                require_initial_kca_tickets parameters may be set on a per-
726                realm basis as well.
727
728           [kadmin]
729
730                      password_lifetime = time
731                           If a principal already has its password set for
732                           expiration, this is the time it will be valid for
733                           after a change.
734
735                      default_keys = keytypes...
736                           Each entry in default_keys is parsed as an
737                           etype:salttype:salt specification with the follow‐
738                           ing syntax:
739
740                           [(des|des3|etype):](pw-salt|afs3-salt)[:string]
741
742                           If etype is omitted it means everything, and if
743                           string is omitted it means the default salt string
744                           (for that principal and encryption type).  Addi‐
745                           tional special values of keytypes are:
746
747                                 v5   The Kerberos 5 salt pw-salt
748
749                      default_key_rules = {
750
751                                 globbing-rule = keytypes...
752                                      A globbing rule matched against the
753                                      principal name; when it matches, use the
754                                      keytypes as specified, in the same format
755                                      as [kadmin]default_keys.
756
757                      }
758
759                      prune-key-history = BOOL
760                           When adding keys to the key history, drop keys that
761                           are too old to match unexpired tickets (based on
762                           the principal's maximum ticket lifetime).  If the
763                           KDC keystore is later compromised, traffic protected
764                           with the discarded older keys may remain protected.
765                           This also keeps the HDB records for principals with
766                           key history from growing without bound.  The de‐
767                           fault (backwards compatible) value is "false".
768
769                      use_v4_salt = BOOL
770                           When true, this is the same as
771
772                           default_keys = des3:pw-salt v4
773
774                           and is only left for backwards compatibility.
775
776                      [password_quality]
777                           Check the Password quality assurance in the info
778                           documentation for more information.
779
780                                 check_library = library-name
781                                      Library name that contains the password
782                                      check_function
783
784                                 check_function = function-name
785                                      Function name for checking passwords in
786                                      check_library
787
788                                 policy_libraries = library1 ... libraryN
789                                      List of libraries that can do password
790                                      policy checks
791
792                                 policies = policy1 ... policyN
793                                      List of policy names to apply to the
794                                      password.  Built-in policies include
795                                      minimum-length, character-class and
796                                      external-check.
797

ENVIRONMENT

799     KRB5_CONFIG points to the configuration file to read.
800

FILES

802     /etc/krb5.conf  configuration file for Kerberos 5.
803

EXAMPLES

# Example krb5.conf from the EXAMPLES section.  Bindings that are
# repeated (name_canon_rules, kdc) accumulate into a list; every other
# value is a single string.
805           [libdefaults]
806                   default_realm = FOO.SE
# name canonicalisation rules, one binding per rule
807                   name_canon_rules = as-is:realm=FOO.SE
808                   name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
809                   name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
810                   name_canon_rules = nss
# DNS domain (leading dot: the domain and its subdomains) -> realm
811           [domain_realm]
812                   .foo.se = FOO.SE
813                   .bar.se = FOO.SE
# per-realm settings; the KDC host is named here
814           [realms]
815                   FOO.SE = {
816                           kdc = kerberos.foo.se
817                           default_domain = foo.se
818                   }
# the kdc logs to both a file and syslog; everything else to syslog
819           [logging]
820                   kdc = FILE:/var/heimdal/kdc.log
821                   kdc = SYSLOG:INFO
822                   default = SYSLOG:INFO:USER
# default_key_rules: glob on the principal name -> keytypes, in the
# [kadmin]default_keys format (see the [kadmin] section above)
823           [kadmin]
824                   default_key_rules = {
825                           */ppp@* = arcfour-hmac-md5:pw-salt
826                   }
827

DIAGNOSTICS

829     Since krb5.conf is read and parsed by the krb5 library, there is not a
830     lot of opportunities for programs to report parsing errors in any useful
831     format.  To help overcome this problem, there is a program
832     verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos‐
833     tics from parsing errors.  Note that this program does not have any way
834     of knowing what options are actually used and thus cannot warn about un‐
835     known or misspelled ones.
836

SEE ALSO

838     kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
839
840HEIMDAL                           May 4, 2005                          HEIMDAL