1KRB5.CONF(5) BSD File Formats Manual KRB5.CONF(5)
2
4 krb5.conf — configuration file for Kerberos 5
5
7 #include <krb5.h>
8
10 The krb5.conf file specifies several configuration parameters for the
11 Kerberos 5 library, as well as for some programs.
12
13 The file consists of one or more sections, containing a number of bind‐
14 ings. The value of each binding can be either a string or a list of
15 other bindings. The grammar looks like:
16
17 file:
18 /* empty */
19 sections
20
21 sections:
22 section sections
23 section
24
25 section:
26 '[' section_name ']' bindings
27
28 section_name:
29 STRING
30
31 bindings:
32 binding bindings
33 binding
34
35 binding:
36 name '=' STRING
37 name '=' '{' bindings '}'
38
39 name:
40 STRING
41
42 STRINGs consist of one or more non-whitespace characters.
43
44 STRINGs that are specified later in this man-page use the following no‐
45 tation.
46
47 boolean
48 values can be either yes/true or no/false.
49
50 time
51 values can be a list of year, month, day, hour, min, second.
52 Example: 1 month 2 days 30 min. If no unit is given, seconds
53 is assumed.
54
55 etypes
56 valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
57 md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
58 and aes256-cts-hmac-sha1-96 .
59
60 address
61 an address can be either an IPv4 or an IPv6 address.
62
63 Currently recognised sections and bindings are:
64
65 [appdefaults]
66 Specifies the default values to be used for Kerberos applica‐
67 tions. You can specify defaults per application, realm, or a
68 combination of these. The preference order is:
69 1. application realm option
70 2. application option
71 3. realm option
72 4. option
73
74 The supported options are:
75
76 forwardable = boolean
77 When obtaining initial credentials, make the cre‐
78 dentials forwardable.
79
80 proxiable = boolean
81 When obtaining initial credentials, make the cre‐
82 dentials proxiable.
83
84 no-addresses = boolean
85 When obtaining initial credentials, request them
86 for an empty set of addresses, making the tickets
87 valid from any address.
88
89 ticket_lifetime = time
90 Default ticket lifetime.
91
92 renew_lifetime = time
93 Default renewable ticket lifetime.
94
95 encrypt = boolean
96 Use encryption, when available.
97
98 forward = boolean
99 Forward credentials to remote host (for rsh(1),
100 telnet(1), etc).
101
102 historical_anon_pkinit = boolean
103 Enable legacy anonymous pkinit command-line syntax.
104 With this option set to true, the kinit(1)
105 --anonymous command with no principal argument
106 specified will request an anonymous pkinit ticket
107 from the default realm. If a principal argument is
108 specified, it is used as an explicit realm name for
109 anonymous pkinit even without an @ prefix.
110
111 [libdefaults]
112
113 default_realm = REALM
114 Default realm to use, this is also known as your
115 “local realm”. The default is the result of
116 krb5_get_host_realm(local hostname).
117
118 allow_weak_crypto = boolean
119 whether weak crypto algorithms are allowed to be used;
120 among others, DES is considered weak.
121
122 clockskew = time
123 Maximum time differential (in seconds) allowed when
124 comparing times. Default is 300 seconds (five min‐
125 utes).
126
127 kdc_timeout = time
128 Maximum time to wait for a reply from the kdc, de‐
129 fault is 3 seconds.
130
131 capath = {
132
133 destination-realm = next-hop-realm
134
135 ...
136
137 }
138 This is deprecated, see the capaths section below.
139
140 default_cc_type = cctype
141 sets the default credentials type.
142
143 default_cc_name = ccname
144 the default credentials cache name. If you want to
145 change the type only use default_cc_type. The
146 string can contain variables that are expanded on
147 runtime. The only supported variable currently is
148 %{uid} which expands to the current user id.
149
150 default_etypes = etypes ...
151 A list of default encryption types to use. (De‐
152 fault: all enctypes if allow_weak_crypto = TRUE,
153 else all enctypes except single DES enctypes.)
154
155 default_as_etypes = etypes ...
156 A list of default encryption types to use in AS re‐
157 quests. (Default: the value of default_etypes.)
158
159 default_tgs_etypes = etypes ...
160 A list of default encryption types to use in TGS
161 requests. (Default: the value of default_etypes.)
162
163 default_etypes_des = etypes ...
164 A list of default encryption types to use when re‐
165 questing a DES credential.
166
167 default_keytab_name = keytab
168 The keytab to use if no other is specified, default
169 is “FILE:/etc/krb5.keytab”.
170
171 dns_lookup_kdc = boolean
172 Use DNS SRV records to lookup KDC services loca‐
173 tion.
174
175 dns_lookup_realm = boolean
176 Use DNS TXT records to lookup domain to realm map‐
177 pings.
178
179 kdc_timesync = boolean
180 Try to keep track of the time differential between
181 the local machine and the KDC, and then compensate
182 for that when issuing requests.
183
184 max_retries = number
185 The max number of times to try to contact each KDC.
186
187 large_msg_size = number
188 The threshold where protocols with tiny maximum
189 message sizes are not considered usable to send
190 messages to the KDC.
191
192 ticket_lifetime = time
193 Default ticket lifetime.
194
195 renew_lifetime = time
196 Default renewable ticket lifetime.
197
198 forwardable = boolean
199 When obtaining initial credentials, make the cre‐
200 dentials forwardable. This option is also valid in
201 the [realms] section.
202
203 proxiable = boolean
204 When obtaining initial credentials, make the cre‐
205 dentials proxiable. This option is also valid in
206 the [realms] section.
207
208 verify_ap_req_nofail = boolean
209 If enabled, failure to verify credentials against a
210 local key is a fatal error. The application has to
211 be able to read the corresponding service key for
212 this to work. Some applications, like su(1), en‐
213 able this option unconditionally.
214
215 warn_pwexpire = time
216 How soon to warn for expiring password. Default is
217 seven days.
218
219 http_proxy = proxy-spec
220 A HTTP-proxy to use when talking to the KDC via
221 HTTP.
222
223 dns_proxy = proxy-spec
224 Enable using DNS via HTTP.
225
226 extra_addresses = address ...
227 A list of addresses to get tickets for along with
228 all local addresses.
229
230 time_format = string
231 How to print time strings in logs, this string is
232 passed to strftime(3).
233
234 date_format = string
235 How to print date strings in logs, this string is
236 passed to strftime(3).
237
238 log_utc = boolean
239 Write log-entries using UTC instead of your local
240 time zone.
241
242 scan_interfaces = boolean
243 Scan all network interfaces for addresses, as op‐
244 posed to simply using the address associated with
245 the system's host name.
246
247 fcache_version = int
248 Use file credential cache format version specified.
249
250 fcc-mit-ticketflags = boolean
251 Use MIT compatible format for file credential
252 cache. The ticketflags field is stored in reverse
253 bit order by Heimdal versions older than 0.7.
254 Setting this flag to TRUE makes it store the MIT
255 way, which is the default as of Heimdal 0.7.
256
257 check-rd-req-server
258 If set to "ignore", the framework will ignore any
259 server input to krb5_rd_req(3); this is very
260 useful when the GSS-API server passes the wrong
261 server name to the gss_accept_sec_context call.
262
263 k5login_directory = directory
264 Alternative location for user .k5login files. This
265 option is provided for compatibility with MIT krb5
266 configuration files.
267
268 k5login_authoritative = boolean
269 If true then if a principal is not found in k5login
270 files then krb5_userok(3) will not fallback on
271 principal to username mapping. This option is pro‐
272 vided for compatibility with MIT krb5 configuration
273 files.
274
275 kuserok = rule ...
276 Specifies krb5_userok(3) behavior. If multiple
277 values are given, then krb5_userok(3) will evaluate
278 them in order until one succeeds or all fail.
279 Rules are implemented by plugins, with three built-
280 in plugins described below. Default: USER-K5LOGIN
281 SIMPLE DENY.
282
283 kuserok = DENY
284 If set and evaluated then krb5_userok(3) will deny
285 access to the given username no matter what the
286 principal name might be.
287
288 kuserok = SIMPLE
289 If set and evaluated then krb5_userok(3) will use
290 principal to username mapping (see auth_to_local
291 below). If the principal maps to the requested
292 username then access is allowed.
293
294 kuserok = SYSTEM-K5LOGIN[:directory]
295 If set and evaluated then krb5_userok(3) will use
296 k5login files named after the luser argument to
297 krb5_userok(3) in the given directory or in
298 /etc/k5login.d/. K5login files are text files,
299 with each line containing just a principal name;
300 principals appearing in a user's k5login file are
301 permitted access to the user's account. Note: this
302 rule performs no ownership nor permissions checks
303 on k5login files; proper ownership and permis‐
304 sions/ACLs are expected due to the k5login location
305 being a system location.
306
307 kuserok = USER-K5LOGIN
308 If set and evaluated then krb5_userok(3) will use
309 ~luser/.k5login and ~luser/.k5login.d/*. User
310 k5login files and directories must be owned by the
311 user and must not have world nor group write per‐
312 missions.
313
314 aname2lname-text-db = filename
315 The named file must be a sorted (in increasing or‐
316 der) text file where every line consists of an un‐
317 parsed principal name optionally followed by white‐
318 space and a username. The aname2lname function
319 will do a binary search on this file, if config‐
320 ured, looking for lines that match the given prin‐
321 cipal name, and if found the given username will be
322 used, or, if the username is missing, an error will
323 be returned. If the file doesn't exist, or if no
324 matching line is found then other plugins will be
325 allowed to run.
326
327 fcache_strict_checking
328 strict checking of FILE credential caches: that the
329 owner and permissions are correct and the file is not a symlink.
330
331 name_canon_rules = rules
332 One or more service principal name canonicalization
333 rules. Each rule consists of one or more tokens
334 separated by colon (':'). Currently these rules
335 are used only for hostname canonicalization (usu‐
336 ally when getting a service ticket, from a ccache
337 or a TGS, but also when acquiring GSS initiator
338 credentials from a keytab). These rules can be
339 used to implement DNS resolver-like search lists
340 without having to use DNS.
341
342 NOTE: Name canonicalization rules are an experimen‐
343 tal feature.
344
345 The first token is a rule type, one of: as-is,
346 qualify, or nss.
347
348 Any remaining tokens must be options tokens:
349 use_fast (use FAST to protect TGS exchanges; cur‐
350 rently not supported), use_dnssec (use DNSSEC to
351 protect hostname lookups; currently not supported),
352 ccache_only, use_referrals, no_referrals,
353 lookup_realm, mindots=N, maxdots=N, order=N,
354 domain=domain, realm=realm, match_domain=domain,
355 and match_realm=realm.
356
357 When trying to obtain a service ticket for a host-
358 based service principal name, name canonicalization
359 rules are applied to that name in the order given,
360 one by one, until one succeeds (a service ticket is
361 obtained), or all fail. Similarly when acquiring
362 GSS initiator credentials from a keytab, and when
363 comparing a non-canonical GSS name to a canonical
364 one.
365
366 For each rule the system checks that the hostname
367 has at least mindots periods (if given) in it, at
368 most maxdots periods (if given), that the hostname
369 ends in the given match_domain (if given), and that
370 the realm of the principal matches the match_realm
371 (if given).
372
373 As-is rules leave the hostname unmodified but may
374 set a realm. Qualify rules qualify the hostname
375 with the given domain and also may set the realm.
376 The nss rule uses the system resolver to lookup the host's canonical
377 name and is usually not secure, since the resolver's answer is typically not authenticated.
378 Note that using the nss rule type implies having to
379 have principal aliases in the HDB (though not nec‐
380 essarily in keytabs).
381
382 The empty realm denotes "ask the client's realm's
383 TGS". The empty realm may be set as well as
384 matched.
385
386 The order in which rules are applied is as follows:
387 first all the rules with explicit order then all
388 other rules in the order in which they appear. If
389 any two rules have the same explicit order, their
390 order of appearance in krb5.conf breaks the tie.
391 Explicitly specifying order can be useful where
392 tools read and write the configuration file without
393 preserving parameter order.
394
395 Malformed rules are ignored.
396
397 allow_hierarchical_capaths = boolean
398 When validating cross-realm transit paths, absent
399 any explicit capath from the client realm to the
400 server realm, allow a hierarchical transit path via
401 the common ancestor domain of the two realms. De‐
402 faults to true. Note, absent an explicit setting,
403 hierarchical capaths are always used by the KDC
404 when generating a referral to a destination with
405 which there is no direct trust.
406
407 [domain_realm]
408 This is a list of mappings from DNS domain to Kerberos realm.
409 Each binding in this section looks like:
410
411 domain = realm
412
413 The domain can be either a full name of a host or a trailing
414 component, in the latter case the domain-string should start
415 with a period. The trailing component only matches hosts that
416 are in the same domain, i.e. “.example.com” matches
417 “foo.example.com”, but not “foo.test.example.com”.
418
419 The realm may be the token `dns_locate', in which case the ac‐
420 tual realm will be determined using DNS (independently of the
421 setting of the `dns_lookup_realm' option).
422
423 [realms]
424
425 REALM = {
426
427 kdc = [service/]host[:port]
428 Specifies a list of kdcs for this realm.
429 If the optional port is absent, the de‐
430 fault value for the “kerberos/udp”
431 “kerberos/tcp”, and “http/tcp” port (de‐
432 pending on service) will be used. The
433 kdcs will be used in the order that they
434 are specified.
435
436 The optional service specifies over what
437 medium the kdc should be contacted.
438 Possible services are “udp”, “tcp”, and
439 “http”. Http can also be written as
440 “http://”. Default service is “udp” and
441 “tcp”.
442
443 admin_server = host[:port]
444 Specifies the admin server for this
445 realm, where all the modifications to
446 the database are performed.
447
448 kpasswd_server = host[:port]
449 Points to the server where all the pass‐
450 word changes are performed. If there is
451 no such entry, the kpasswd port on the
452 admin_server host will be tried.
453
454 tgs_require_subkey
455 a boolean variable that defaults to
456 false. Old DCE secd (pre 1.1) might
457 need this to be true.
458
459 auth_to_local_names = {
460
461 principal_name = username
462 The given principal_name will
463 be mapped to the given
464 username if the REALM is a
465 default realm.
466
467 }
468
469 auth_to_local = HEIMDAL_DEFAULT
470 Use the Heimdal default principal to
471 username mapping. Applies to principals
472 from the REALM if and only if REALM is a
473 default realm.
474
475 auth_to_local = DEFAULT
476 Use the MIT default principal to user‐
477 name mapping. Applies to principals
478 from the REALM if and only if REALM is a
479 default realm.
480
481 auth_to_local = DB:/path/to/db.txt
482 Use a binary search of the given DB.
483 The DB must be a flat-text file sorted
484 in the "C" locale, with each record be‐
485 ing a line (separated by either LF or
486 CRLF) consisting of a principal name
487 followed by whitespace followed by a
488 username. Applies to principals from
489 the REALM if and only if REALM is a de‐
490 fault realm.
491
492 auth_to_local = DB:/path/to/db
493 Use the given DB, if there's a plugin
494 for it. Applies to principals from the
495 REALM if and only if REALM is a default
496 realm.
497
498 auth_to_local = RULE:...
499 Use the given rule, if there's a plugin
500 for it. Applies to principals from the
501 REALM if and only if REALM is a default
502 realm.
503
504 auth_to_local = NONE
505 No additional principal to username map‐
506 ping is done. Note that
507 auth_to_local_names and any preceding
508 auth_to_local rules have precedence.
509
510 }
511
512 [capaths]
513
514 client-realm = {
515
516 server-realm = hop-realm ...
517 This serves two purposes. First the
518 first listed hop-realm tells a client
519 which realm it should contact in order
520 to ultimately obtain credentials for a
521 service in the server-realm. Secondly,
522 it tells the KDC (and other servers)
523 which realms are allowed in a multi-hop
524 traversal from client-realm to
525 server-realm. Except for the client
526 case, the order of the realms are not
527 important.
528
529 }
530
531 [logging]
532
533 entity = destination
534 Specifies that entity should use the specified
535 destination for logging. See the krb5_openlog(3)
536 manual page for a list of defined destinations.
537
538 [kdc]
539
540 database = {
541
542 dbname = [DATABASETYPE:]DATABASENAME
543 Use this database for this realm. The
544 DATABASETYPE should be one of 'lmdb',
545 'db3', 'db1', 'db', 'sqlite', or 'ldap'.
546 See the info documentation on how to con‐
547 figure different database backends.
548
549 realm = REALM
550 Specifies the realm that will be stored
551 in this database. If realm isn't set,
552 this will be used as the default database;
553 there can only be one entry that doesn't
554 have a realm stanza.
555
556 mkey_file = FILENAME
557 Use this keytab file for the master key
558 of this database. If not specified
559 DATABASENAME.mkey will be used.
560
561 acl_file = PA FILENAME
562 Use this file for the ACL list of this
563 database.
564
565 log_file = FILENAME
566 Use this file as the log of changes per‐
567 formed to the database. This file is
568 used by ipropd-master for propagating
569 changes to slaves. It is also used by
570 kadmind and kadmin (when used with the
571 -l option), and by all applications us‐
572 ing libkadm5 with the local backend, for
573 two-phase commit functionality. Slaves
574 also use this. Setting this to
575 /dev/null disables two-phase commit and
576 incremental propagation. Use iprop-log
577 to show the contents of this log file.
578
579 log-max-size = number
580 When the log reaches this size (in
581 bytes), the log will be truncated, sav‐
582 ing some entries, and keeping the latest
583 version number so as to not disrupt in‐
584 cremental propagation. If set to a neg‐
585 ative value then automatic log trunca‐
586 tion will be disabled. Defaults to
587 52428800 (50MB).
588
589 }
590
591 max-request = SIZE
592 Maximum size of a kdc request.
593
594 require-preauth = BOOL
595 If set pre-authentication is required.
596
597 ports = list of ports
598 List of ports the kdc should listen to.
599
600 addresses = list of interfaces
601 List of addresses the kdc should bind to.
602
603 enable-http = BOOL
604 Should the kdc answer kdc-requests over http.
605
606 tgt-use-strongest-session-key = BOOL
607 If this is TRUE then the KDC will prefer the
608 strongest key from the client's AS-REQ or TGS-REQ
609 enctype list for the ticket session key that is
610 supported by the KDC and the target principal when
611 the target principal is a krbtgt principal. Else
612 it will prefer the first key from the client's AS-
613 REQ enctype list that is also supported by the KDC
614 and the target principal. Defaults to FALSE.
615
616 svc-use-strongest-session-key = BOOL
617 Like tgt-use-strongest-session-key, but applies to
618 the session key enctype of tickets for services
619 other than krbtgt principals. Defaults to FALSE.
620
621 preauth-use-strongest-session-key = BOOL
622 If TRUE then select the strongest possible enctype
623 from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
624 for password-based pre-authentication). Else pick
625 the first supported enctype from the client's AS-
626 REQ. Defaults to FALSE.
627
628 use-strongest-server-key = BOOL
629 If TRUE then the KDC picks, for the ticket en‐
630 crypted part's key, the strongest supported enctype
631 from the target service principal's hdb entry's
632 current keyset. Else the KDC picks the first sup‐
633 ported enctype from the target service principal's
634 hdb entry's current keyset. Defaults to TRUE.
635
636 check-ticket-addresses = BOOL
637 Verify the addresses in the tickets used in tgs re‐
638 quests.
639
640 allow-null-ticket-addresses = BOOL
641 Allow address-less tickets.
642
643 allow-anonymous = BOOL
644 If the kdc is allowed to hand out anonymous tick‐
645 ets.
646
647 historical_anon_realm = boolean
648 Enables pre-7.0 non-RFC-conformant KDC behavior.
649 With this option set to true the client realm in
650 anonymous pkinit AS replies will be the requested
651 realm, rather than the RFC-conformant
652 WELLKNOWN:ANONYMOUS realm. This can have a secu‐
653 rity impact on servers that expect to grant access
654 to anonymous-but-authenticated to the KDC users of
655 the realm in question: they would also grant access
656 to unauthenticated anonymous users. As such, it is
657 not recommended to set this option to true.
658
659 encode_as_rep_as_tgs_rep = BOOL
660 Encode as-rep as tgs-rep to be compatible with mis‐
661 takes older DCE secd did.
662
663 kdc_warn_pwexpire = TIME
664 The time before expiration that the user should be
665 warned that her password is about to expire.
666
667 logging = Logging
668 What type of logging the kdc should use, see also
669 [logging]/kdc.
670
671 hdb-ldap-structural-object structural object
672 If the LDAP backend is used for storing principals,
673 this is the structural object that will be used
674 when creating and when reading objects. The de‐
675 fault value is account.
676
677 hdb-ldap-create-base creation dn
678 is the dn that will be appended to the principal
679 when creating entries. Default value is the search
680 dn.
681
682 enable-digest = BOOL
683 Should the kdc answer digest requests. The default
684 is FALSE.
685
686 digests_allowed = list of digests
687 Specifies the digests the kdc will reply to. The
688 default is ntlm-v2.
689
690 kx509_ca = file
691 Specifies the PEM credentials for the kx509 certi‐
692 fication authority.
693
694 require_initial_kca_tickets = boolean
695 Specifies whether to require that tickets for the
696 kca_service service principal be INITIAL. This may
697 be set on a per-realm basis as well as globally.
698 Defaults to true for the global setting.
699
700 kx509_include_pkinit_san = boolean
701 If true then the kx509 client principal's name and
702 realm will be included in an id-pkinit-san certifi‐
703 cate extension. This can be set on a per-realm ba‐
704 sis as well as globally. Defaults to true for the
705 global setting.
706
707 kx509_template = file
708 Specifies the PEM file with a template for the cer‐
709 tificates to be issued. The following variables
710 can be interpolated in the subject name using
711 ${variable} syntax:
712
713 principal-name
714 The full name of the kx509 client prin‐
715 cipal.
716
717 principal-name-without-realm
718 The full name of the kx509 client prin‐
719 cipal, excluding the realm name.
720
721 principal-name-realm
722 The name of the client principal's
723 realm.
724 The kx509, kx509_template, kx509_include_pkinit_san, and
725 require_initial_kca_tickets parameters may be set on a per-
726 realm basis as well.
727
728 [kadmin]
729
730 password_lifetime = time
731 If a principal already has its password set for
732 expiration, this is the time it will be valid for
733 after a change.
734
735 default_keys = keytypes...
736 For each entry in default_keys try to parse it as a
737 sequence of etype:salttype:salt; the syntax of this
738 is something like:
739
740 [(des|des3|etype):](pw-salt|afs3-salt)[:string]
741
742 If etype is omitted it means everything, and if
743 string is omitted it means the default salt string
744 (for that principal and encryption type). Addi‐
745 tional special values of keytypes are:
746
747 v5 The Kerberos 5 salt pw-salt
748
749 default_key_rules = {
750
751 globbing-rule = keytypes...
752 a globbing rule matching a principal;
753 when it matches, use the keytypes as spec‐
754 ified, in the same format as [kadmin]de‐
755 fault_keys.
756
757 }
758
759 prune-key-history = BOOL
760 When adding keys to the key history, drop keys that
761 are too old to match unexpired tickets (based on
762 the principal's maximum ticket lifetime). If the
763 KDC keystore is later compromised traffic protected
764 with the discarded older keys may remain protected.
765 This also keeps the HDB records for principals with
766 key history from growing without bound. The de‐
767 fault (backwards compatible) value is "false".
768
769 use_v4_salt = BOOL
770 When true, this is the same as
771
772 default_keys = des3:pw-salt v4
773
774 and is only left for backwards compatibility.
775
776 [password_quality]
777 Check the Password quality assurance in the info
778 documentation for more information.
779
780 check_library = library-name
781 Library name that contains the password
782 check_function
783
784 check_function = function-name
785 Function name for checking passwords in
786 check_library
787
788 policy_libraries = library1 ... libraryN
789 List of libraries that can do password
790 policy checks
791
792 policies = policy1 ... policyN
793 List of policy names to apply to the
794 password. Builtin policies are among
795 other minimum-length, character-class,
796 external-check.
797
799 KRB5_CONFIG points to the configuration file to read.
800
802 /etc/krb5.conf configuration file for Kerberos 5.
803
805 [libdefaults]
806 default_realm = FOO.SE
807 name_canon_rules = as-is:realm=FOO.SE
808 name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
809 name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
810 name_canon_rules = nss
811 [domain_realm]
812 .foo.se = FOO.SE
813 .bar.se = FOO.SE
814 [realms]
815 FOO.SE = {
816 kdc = kerberos.foo.se
817 default_domain = foo.se
818 }
819 [logging]
820 kdc = FILE:/var/heimdal/kdc.log
821 kdc = SYSLOG:INFO
822 default = SYSLOG:INFO:USER
823 [kadmin]
824 default_key_rules = {
825 */ppp@* = arcfour-hmac-md5:pw-salt
826 }
827
829 Since krb5.conf is read and parsed by the krb5 library, there are not
830 many opportunities for programs to report parsing errors in any useful
831 format. To help overcome this problem, there is a program
832 verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos‐
833 tics from parsing errors. Note that this program does not have any way
834 of knowing what options are actually used and thus cannot warn about un‐
835 known or misspelled ones.
836
838 kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
839
840HEIMDAL May 4, 2005 HEIMDAL