KDC.CONF(5)                      MIT Kerberos                      KDC.CONF(5)

NAME
       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION
       The kdc.conf file supplements krb5.conf for programs which are
       typically only used on a KDC, such as the krb5kdc and kadmind daemons
       and the kdb5_util program.  Relations documented here may also be
       specified in krb5.conf; for the KDC programs mentioned, krb5.conf and
       kdc.conf will be merged into a single configuration profile.

       Normally, the kdc.conf file is found in the KDC state directory,
       /var/kerberos/krb5kdc.  You can override the default location by
       setting the environment variable KRB5_KDC_PROFILE.

       Please note that you need to restart the KDC daemon for any
       configuration changes to take effect.

STRUCTURE
       The kdc.conf file is set up in the same format as the krb5.conf file.

SECTIONS
       The kdc.conf file may contain the following sections:

       ┌──────────────┬────────────────────────────┐
       │[kdcdefaults] │ Default values for KDC     │
       │              │ behavior                   │
       ├──────────────┼────────────────────────────┤
       │[realms]      │ Realm-specific database    │
       │              │ configuration and settings │
       ├──────────────┼────────────────────────────┤
       │[dbdefaults]  │ Default database settings  │
       ├──────────────┼────────────────────────────┤
       │[dbmodules]   │ Per-database settings      │
       ├──────────────┼────────────────────────────┤
       │[logging]     │ Controls how Kerberos      │
       │              │ daemons perform logging    │
       └──────────────┴────────────────────────────┘

   [kdcdefaults]
       Some relations in the [kdcdefaults] section specify default values
       for realm variables, to be used if the [realms] subsection does not
       contain a relation for the tag.  See the [realms] section for the
       definitions of these relations.

       • host_based_services

       • kdc_listen

       • kdc_ports

       • kdc_tcp_listen

       • kdc_tcp_ports

       • no_host_referral

       • restrict_anonymous_to_tgt

       The following [kdcdefaults] variables have no per-realm equivalent:

       kdc_max_dgram_reply_size
              Specifies the maximum packet size that can be sent over UDP.
              The default value is 4096 bytes.

       kdc_tcp_listen_backlog
              (Integer.)  Set the size of the listen queue length for the
              KDC daemon.  The value may be limited by OS settings.  The
              default value is 5.

       spake_preauth_kdc_challenge
              (String.)  Specifies the group for a SPAKE optimistic
              challenge.  See the spake_preauth_groups variable in
              [libdefaults] for possible values.  The default is not to
              issue an optimistic challenge.  (New in release 1.17.)

   [realms]
       Each tag in the [realms] section is the name of a Kerberos realm.
       The value of the tag is a subsection where the relations define KDC
       parameters for that particular realm.  The following example shows
       how to define one parameter for the ATHENA.MIT.EDU realm:

          [realms]
              ATHENA.MIT.EDU = {
                  max_renewable_life = 7d 0h 0m 0s
              }

       The following tags may be specified in a [realms] subsection:

       acl_file
              (String.)  Location of the access control list file that
              kadmind uses to determine which principals are allowed which
              permissions on the Kerberos database.  To operate without an
              ACL file, set this relation to the empty string with
              acl_file = "".  The default value is
              /var/kerberos/krb5kdc/kadm5.acl.  For more information on the
              Kerberos ACL file see kadm5.acl.

       database_module
              (String.)  This relation indicates the name of the
              configuration section under [dbmodules] for database-specific
              parameters used by the loadable database library.  The
              default value is the realm name.  If this configuration
              section does not exist, default values will be used for all
              database parameters.

       database_name
              (String, deprecated.)  This relation specifies the location
              of the Kerberos database for this realm, if the DB2 module is
              being used and the [dbmodules] configuration section does not
              specify a database name.  The default value is
              /var/kerberos/krb5kdc/principal.

       default_principal_expiration
              (Absolute time string.)  Specifies the default expiration
              date of principals created in this realm.  The default value
              is 0, which means no expiration date.

       default_principal_flags
              (Flag string.)  Specifies the default attributes of
              principals created in this realm.  The format for this string
              is a comma-separated list of flags, with '+' before each flag
              that should be enabled and '-' before each flag that should
              be disabled.  The postdateable, forwardable, tgt-based,
              renewable, proxiable, dup-skey, allow-tickets, and service
              flags default to enabled.

              There are a number of possible flags:

              allow-tickets
                     Enabling this flag means that the KDC will issue
                     tickets for this principal.  Disabling this flag
                     essentially deactivates the principal within this
                     realm.

              dup-skey
                     Enabling this flag allows the KDC to issue
                     user-to-user service tickets for this principal.

              forwardable
                     Enabling this flag allows the principal to obtain
                     forwardable tickets.

              hwauth If this flag is enabled, then the principal is
                     required to preauthenticate using a hardware device
                     before receiving any tickets.

              no-auth-data-required
                     Enabling this flag prevents PAC or AD-SIGNEDPATH data
                     from being added to service tickets for the principal.

              ok-as-delegate
                     If this flag is enabled, it hints the client that
                     credentials can and should be delegated when
                     authenticating to the service.

              ok-to-auth-as-delegate
                     Enabling this flag allows the principal to use
                     S4U2Self tickets.

              postdateable
                     Enabling this flag allows the principal to obtain
                     postdateable tickets.

              preauth
                     If this flag is enabled on a client principal, then
                     that principal is required to preauthenticate to the
                     KDC before receiving any tickets.  On a service
                     principal, enabling this flag means that service
                     tickets for this principal will only be issued to
                     clients with a TGT that has the preauthenticated bit
                     set.

              proxiable
                     Enabling this flag allows the principal to obtain
                     proxy tickets.

              pwchange
                     Enabling this flag forces a password change for this
                     principal.

              pwservice
                     If this flag is enabled, it marks this principal as a
                     password change service.  This should only be used in
                     special cases, for example, if a user's password has
                     expired, then the user has to get tickets for that
                     principal without going through the normal password
                     authentication in order to be able to change the
                     password.

              renewable
                     Enabling this flag allows the principal to obtain
                     renewable tickets.

              service
                     Enabling this flag allows the KDC to issue service
                     tickets for this principal.  In release 1.17 and
                     later, user-to-user service tickets are still allowed
                     if the dup-skey flag is set.

              tgt-based
                     Enabling this flag allows a principal to obtain
                     tickets based on a ticket-granting-ticket, rather than
                     repeating the authentication process that was used to
                     obtain the TGT.

       dict_file
              (String.)  Location of the dictionary file containing
              strings that are not allowed as passwords.  The file should
              contain one string per line, with no additional whitespace.
              If none is specified or if there is no policy assigned to the
              principal, no dictionary checks of passwords will be
              performed.

       disable_pac
              (Boolean value.)  If true, the KDC will not issue PACs for
              this realm, and S4U2Self and S4U2Proxy operations will be
              disabled.  The default is false, which will permit the KDC to
              issue PACs.  New in release 1.20.

       encrypted_challenge_indicator
              (String.)  Specifies the authentication indicator value that
              the KDC asserts into tickets obtained using FAST encrypted
              challenge pre-authentication.  New in 1.16.

       host_based_services
              (Whitespace- or comma-separated list.)  Lists services which
              will get host-based referral processing even if the server
              principal is not marked as host-based by the client.

       iprop_enable
              (Boolean value.)  Specifies whether incremental database
              propagation is enabled.  The default value is false.

       iprop_ulogsize
              (Integer.)  Specifies the maximum number of log entries to
              be retained for incremental propagation.  The default value
              is 1000.  Prior to release 1.11, the maximum value was 2500.
              New in release 1.19.

       iprop_master_ulogsize
              The name for iprop_ulogsize prior to release 1.19.  Its value
              is used as a fallback if iprop_ulogsize is not specified.

       iprop_replica_poll
              (Delta time string.)  Specifies how often the replica KDC
              polls for new updates from the primary.  The default value is
              2m (that is, two minutes).  New in release 1.17.

       iprop_slave_poll
              (Delta time string.)  The name for iprop_replica_poll prior
              to release 1.17.  Its value is used as a fallback if
              iprop_replica_poll is not specified.

       iprop_listen
              (Whitespace- or comma-separated list.)  Specifies the iprop
              RPC listening addresses and/or ports for the kadmind daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the
              address contains colons, enclose it in square brackets.  If
              no address is specified, the wildcard address is used.  If
              kadmind fails to bind to any of the specified addresses, it
              will fail to start.  The default (when iprop_enable is true)
              is to bind to the wildcard address at the port specified in
              iprop_port.  New in release 1.15.

       iprop_port
              (Port number.)  Specifies the port number to be used for
              incremental propagation.  When iprop_enable is true, this
              relation is required in the replica KDC configuration file,
              and this relation or iprop_listen is required in the primary
              configuration file, as there is no default port number.
              Port numbers specified in iprop_listen entries will override
              this port number for the kadmind daemon.

       iprop_resync_timeout
              (Delta time string.)  Specifies the amount of time to wait
              for a full propagation to complete.  This is optional in
              configuration files, and is used by replica KDCs only.  The
              default value is 5 minutes (5m).  New in release 1.11.

       iprop_logfile
              (File name.)  Specifies where the update log file for the
              realm database is to be stored.  The default is to use the
              database_name entry from the realms section of the krb5
              config file, with .ulog appended.  (NOTE: If database_name
              isn't specified in the realms section, perhaps because the
              LDAP database back end is being used, or the file name is
              specified in the [dbmodules] section, then the hard-coded
              default for database_name is used.  Determination of the
              iprop_logfile default value will not use values from the
              [dbmodules] section.)

       kadmind_listen
              (Whitespace- or comma-separated list.)  Specifies the kadmin
              RPC listening addresses and/or ports for the kadmind daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the
              address contains colons, enclose it in square brackets.  If
              no address is specified, the wildcard address is used.  If
              kadmind fails to bind to any of the specified addresses, it
              will fail to start.  The default is to bind to the wildcard
              address at the port specified in kadmind_port, or the
              standard kadmin port (749).  New in release 1.15.

       kadmind_port
              (Port number.)  Specifies the port on which the kadmind
              daemon is to listen for this realm.  Port numbers specified
              in kadmind_listen entries will override this port number.
              The assigned port for kadmind is 749, which is used by
              default.

       key_stash_file
              (String.)  Specifies the location where the master key has
              been stored (via kdb5_util stash).  The default is
              /var/kerberos/krb5kdc/.k5.REALM, where REALM is the Kerberos
              realm.

       kdc_listen
              (Whitespace- or comma-separated list.)  Specifies the UDP
              listening addresses and/or ports for the krb5kdc daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the
              address contains colons, enclose it in square brackets.  If
              no address is specified, the wildcard address is used.  If
              no port is specified, the standard port (88) is used.  If the
              KDC daemon fails to bind to any of the specified addresses,
              it will fail to start.  The default is to bind to the
              wildcard address on the standard port.  New in release 1.15.

       kdc_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc
              daemon to listen on for UDP requests.  In release 1.15 and
              later, it has the same meaning as kdc_listen if that relation
              is not defined.

       kdc_tcp_listen
              (Whitespace- or comma-separated list.)  Specifies the TCP
              listening addresses and/or ports for the krb5kdc daemon.
              Each entry may be an interface address, a port number, or an
              address and port number separated by a colon.  If the
              address contains colons, enclose it in square brackets.  If
              no address is specified, the wildcard address is used.  If
              no port is specified, the standard port (88) is used.  To
              disable listening on TCP, set this relation to the empty
              string with kdc_tcp_listen = "".  If the KDC daemon fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address on the
              standard port.  New in release 1.15.

       kdc_tcp_ports
              (Whitespace- or comma-separated list, deprecated.)  Prior to
              release 1.15, this relation lists the ports for the krb5kdc
              daemon to listen on for TCP requests.  In release 1.15 and
              later, it has the same meaning as kdc_tcp_listen if that
              relation is not defined.

       kpasswd_listen
              (Comma-separated list.)  Specifies the kpasswd listening
              addresses and/or ports for the kadmind daemon.  Each entry
              may be an interface address, a port number, or an address and
              port number separated by a colon.  If the address contains
              colons, enclose it in square brackets.  If no address is
              specified, the wildcard address is used.  If kadmind fails to
              bind to any of the specified addresses, it will fail to
              start.  The default is to bind to the wildcard address at the
              port specified in kpasswd_port, or the standard kpasswd port
              (464).  New in release 1.15.

       kpasswd_port
              (Port number.)  Specifies the port on which the kadmind
              daemon is to listen for password change requests for this
              realm.  Port numbers specified in kpasswd_listen entries will
              override this port number.  The assigned port for password
              change requests is 464, which is used by default.

       master_key_name
              (String.)  Specifies the name of the principal associated
              with the master key.  The default is K/M.

       master_key_type
              (Key type string.)  Specifies the master key's key type.
              The default value for this is aes256-cts-hmac-sha1-96.  For a
              list of all possible values, see Encryption types.

       max_life
              (Time duration string.)  Specifies the maximum time period
              for which a ticket may be valid in this realm.  The default
              value is 24 hours.

       max_renewable_life
              (Time duration string.)  Specifies the maximum time period
              during which a valid ticket may be renewed in this realm.
              The default value is 0.

       no_host_referral
              (Whitespace- or comma-separated list.)  Lists services to
              block from getting host-based referral processing, even if
              the client marks the server principal as host-based or the
              service is also listed in host_based_services.
              no_host_referral = * will disable referral processing
              altogether.

       reject_bad_transit
              (Boolean value.)  If set to true, the KDC will check the list
              of transited realms for cross-realm tickets against the
              transit path computed from the realm names and the capaths
              section of its krb5.conf file; if the path in the ticket to
              be issued contains any realms not in the computed path, the
              ticket will not be issued, and an error will be returned to
              the client instead.  If this value is set to false, such
              tickets will be issued anyway, and it will be left up to the
              application server to validate the realm transit path.

              If the disable-transited-check flag is set in the incoming
              request, this check is not performed at all.  Having the
              reject_bad_transit option will cause such ticket requests to
              be rejected always.

              This transit path checking and config file option currently
              apply only to TGS requests.

              The default value is true.

       restrict_anonymous_to_tgt
              (Boolean value.)  If set to true, the KDC will reject ticket
              requests from anonymous principals to service principals
              other than the realm's ticket-granting service.  This option
              allows anonymous PKINIT to be enabled for use as FAST armor
              tickets without allowing anonymous authentication to
              services.  The default value is false.  New in release 1.9.

       spake_preauth_indicator
              (String.)  Specifies an authentication indicator value that
              the KDC asserts into tickets obtained using SPAKE
              pre-authentication.  The default is not to add any
              indicators.  This option may be specified multiple times.
              New in release 1.17.

       supported_enctypes
              (List of key:salt strings.)  Specifies the default key/salt
              combinations of principals for this realm.  Any principals
              created through kadmin will have keys of these types.  The
              default value for this tag is aes256-cts-hmac-sha1-96:normal
              aes128-cts-hmac-sha1-96:normal.  For lists of possible
              values, see Keysalt lists.

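       As an added example (not from this man page or the MIT Kerberos
       distribution), the following kdc.conf combines the listening,
       default-flag, propagation and transit-check relations described
       above into one hardened primary KDC configuration.  The realm
       EXAMPLE.COM, the addresses 192.0.2.10 and 2001:db8::10 and the
       iprop port 754 are placeholders chosen for the example, not values
       documented on this page.

```ini
# Added example: kdc.conf for a primary KDC serving EXAMPLE.COM.
# The realm name, addresses and the iprop port are hypothetical placeholders.
[kdcdefaults]
    # Bind krb5kdc only to the KDC's own addresses instead of the wildcard
    # address; an IPv6 address must be enclosed in square brackets.
    kdc_listen = 192.0.2.10:88 [2001:db8::10]:88
    kdc_tcp_listen = 192.0.2.10:88 [2001:db8::10]:88
    # A larger TCP listen queue than the default of 5 (may be capped by the OS).
    kdc_tcp_listen_backlog = 32
    # Anonymous PKINIT may only obtain TGTs (FAST armor), never service tickets.
    restrict_anonymous_to_tgt = true

[realms]
    EXAMPLE.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal

        # Require pre-authentication for every newly created principal and
        # do not let it request postdated tickets; all other flags keep the
        # defaults listed under default_principal_flags.
        default_principal_flags = +preauth,-postdateable

        # Delta time strings: 10-hour tickets, renewable for up to 7 days.
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s

        # Keep the kadmin and kpasswd listeners off the wildcard address too.
        kadmind_listen = 192.0.2.10:749
        kpasswd_listen = 192.0.2.10:464

        # Incremental propagation.  The primary needs iprop_port or
        # iprop_listen; each replica's kdc.conf needs iprop_enable and
        # iprop_port (and may lower iprop_replica_poll from its 2m default).
        iprop_enable = true
        iprop_listen = 192.0.2.10:754
        iprop_ulogsize = 2500

        # Refuse cross-realm tickets whose transited-realms list leaves the
        # path computed from [capaths]; true is the default, stated here so
        # the policy is explicit.
        reject_bad_transit = true
    }
```

       Because kdc_listen, kdc_tcp_listen and restrict_anonymous_to_tgt
       appear in [kdcdefaults], they apply to every realm that does not
       override them in its own [realms] subsection.
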
   [dbdefaults]
       The [dbdefaults] section specifies default values for some database
       parameters, to be used if the [dbmodules] subsection does not
       contain a relation for the tag.  See the [dbmodules] section for the
       definitions of these relations.

       • ldap_kerberos_container_dn

       • ldap_kdc_dn

       • ldap_kdc_sasl_authcid

       • ldap_kdc_sasl_authzid

       • ldap_kdc_sasl_mech

       • ldap_kdc_sasl_realm

       • ldap_kadmind_dn

       • ldap_kadmind_sasl_authcid

       • ldap_kadmind_sasl_authzid

       • ldap_kadmind_sasl_mech

       • ldap_kadmind_sasl_realm

       • ldap_service_password_file

       • ldap_conns_per_server

   [dbmodules]
       The [dbmodules] section contains parameters used by the KDC database
       library and database modules.  Each tag in the [dbmodules] section
       is the name of a Kerberos realm or a section name specified by a
       realm's database_module parameter.  The following example shows how
       to define one database parameter for the ATHENA.MIT.EDU realm:

          [dbmodules]
              ATHENA.MIT.EDU = {
                  disable_last_success = true
              }

       The following tags may be specified in a [dbmodules] subsection:

       database_name
              This DB2-specific tag indicates the location of the database
              in the filesystem.  The default is
              /var/kerberos/krb5kdc/principal.

       db_library
              This tag indicates the name of the loadable database module.
              The value should be db2 for the DB2 module, klmdb for the
              LMDB module, or kldap for the LDAP module.

       disable_last_success
              If set to true, suppresses KDC updates to the "Last
              successful authentication" field of principal entries
              requiring preauthentication.  Setting this flag may improve
              performance.  (Principal entries which do not require
              preauthentication never update the "Last successful
              authentication" field.)  First introduced in release 1.9.

       disable_lockout
              If set to true, suppresses KDC updates to the "Last failed
              authentication" and "Failed password attempts" fields of
              principal entries requiring preauthentication.  Setting this
              flag may improve performance, but also disables account
              lockout.  First introduced in release 1.9.

       ldap_conns_per_server
              This LDAP-specific tag indicates the number of connections to
              be maintained per LDAP server.

       ldap_kdc_dn and ldap_kadmind_dn
              These LDAP-specific tags indicate the default DN for binding
              to the LDAP server.  The krb5kdc daemon uses ldap_kdc_dn,
              while the kadmind daemon and other administrative programs
              use ldap_kadmind_dn.  The kadmind DN must have the rights to
              read and write the Kerberos data in the LDAP database.  The
              KDC DN must have the same rights, unless disable_lockout and
              disable_last_success are true, in which case it only needs to
              have rights to read the Kerberos data.  These tags are
              ignored if a SASL mechanism is set with ldap_kdc_sasl_mech or
              ldap_kadmind_sasl_mech.

       ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
              These LDAP-specific tags specify the SASL mechanism (such as
              EXTERNAL) to use when binding to the LDAP server.  New in
              release 1.13.

       ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
              These LDAP-specific tags specify the SASL authentication
              identity to use when binding to the LDAP server.  Not all
              SASL mechanisms require an authentication identity.  If the
              SASL mechanism requires a secret (such as the password for
              DIGEST-MD5), these tags also determine the name within the
              ldap_service_password_file where the secret is stashed.  New
              in release 1.13.

       ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
              These LDAP-specific tags specify the SASL authorization
              identity to use when binding to the LDAP server.  In most
              circumstances they do not need to be specified.  New in
              release 1.13.

       ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
              These LDAP-specific tags specify the SASL realm to use when
              binding to the LDAP server.  In most circumstances they do
              not need to be set.  New in release 1.13.

       ldap_kerberos_container_dn
              This LDAP-specific tag indicates the DN of the container
              object where the realm objects will be located.

       ldap_servers
              This LDAP-specific tag indicates the list of LDAP servers
              that the Kerberos servers can connect to.  The list of LDAP
              servers is whitespace-separated.  Each LDAP server is
              specified by an LDAP URI.  It is recommended to use ldapi:
              or ldaps: URLs to connect to the LDAP server.

       ldap_service_password_file
              This LDAP-specific tag indicates the file containing the
              stashed passwords (created by kdb5_ldap_util stashsrvpw) for
              the ldap_kdc_dn and ldap_kadmind_dn objects, or for the
              ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names for
              SASL authentication.  This file must be kept secure.

       mapsize
              This LMDB-specific tag indicates the maximum size of the two
              database environments in megabytes.  The default value is
              128.  Increase this value to address "Environment mapsize
              limit reached" errors.  New in release 1.17.

       max_readers
              This LMDB-specific tag indicates the maximum number of
              concurrent reading processes for the databases.  The default
              value is 128.  New in release 1.17.

       nosync This LMDB-specific tag can be set to improve the throughput
              of kadmind and other administrative agents, at the expense of
              durability (recent database changes may not survive a power
              outage or other sudden reboot).  It does not affect the
              throughput of the KDC.  The default value is false.  New in
              release 1.17.

       unlockiter
              If set to true, this DB2-specific tag causes iteration
              operations to release the database lock while processing
              each principal.  Setting this flag to true can prevent
              extended blocking of KDC or kadmin operations when dumps of
              large databases are in progress.  First introduced in release
              1.13.

       The following tag may be specified directly in the [dbmodules]
       section to control where database modules are loaded from:

       db_module_dir
              This tag controls where the plugin system looks for database
              modules.  The value should be an absolute path.

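       An added example (not the man page's own) of a realm backed by the
       kldap module that binds with the SASL relations above over a local
       ldapi: socket, so no directory password has to be stashed on the KDC.
       The realm EXAMPLE.COM, the module name example_ldap and the
       container DN are hypothetical; how the directory maps the daemons'
       Unix identities to LDAP identities is directory-side configuration
       assumed here, not something this page describes.

```ini
# Added example: LDAP-backed realm using SASL EXTERNAL binds.
# EXAMPLE.COM, example_ldap and the container DN are placeholders.
[realms]
    EXAMPLE.COM = {
        # Database parameters come from the [dbmodules] stanza named here
        # rather than from a stanza named after the realm.
        database_module = example_ldap
    }

[dbmodules]
    example_ldap = {
        db_library = kldap
        # Local directory over its Unix-domain socket (ldapi:), one of the
        # two transports this page recommends; traffic never leaves the host.
        ldap_servers = ldapi:///
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

        # SASL EXTERNAL over ldapi: lets the directory identify krb5kdc and
        # kadmind by their Unix credentials.  Once a SASL mechanism is set,
        # ldap_kdc_dn, ldap_kadmind_dn and ldap_service_password_file are
        # ignored, so there is no stashed password file to protect.
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
        ldap_conns_per_server = 5

        # Avoid a directory write for every preauthenticated AS request.
        # disable_lockout is deliberately left at its default (false): it
        # would also switch off account lockout, and it means the KDC
        # identity still needs write access to the Kerberos data.
        disable_last_success = true
    }
```
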
   [logging]
       The [logging] section indicates how krb5kdc and kadmind perform
       logging.  It may contain the following relations:

       admin_server
              Specifies how kadmind performs logging.

       kdc    Specifies how krb5kdc performs logging.

       default
              Specifies how either daemon performs logging in the absence
              of relations specific to the daemon.

       debug  (Boolean value.)  Specifies whether debugging messages are
              included in log outputs other than SYSLOG.  Debugging
              messages are always included in the system log output
              because syslog performs its own priority filtering.  The
              default value is false.  New in release 1.15.

       Logging specifications may have the following forms:

       FILE=filename or FILE:filename
              This value causes the daemon's logging messages to go to the
              filename.  If the = form is used, the file is overwritten.
              If the : form is used, the file is appended to.

       STDERR This value causes the daemon's logging messages to go to its
              standard error stream.

       CONSOLE
              This value causes the daemon's logging messages to go to the
              console, if the system supports it.

       DEVICE=<devicename>
              This causes the daemon's logging messages to go to the
              specified device.

       SYSLOG[:severity[:facility]]
              This causes the daemon's logging messages to go to the
              system log.

              For backward compatibility, a severity argument may be
              specified, and must be specified in order to specify a
              facility.  This argument will be ignored.

              The facility argument specifies the facility under which the
              messages are logged.  This may be any of the following
              facilities supported by the syslog(3) call minus the LOG_
              prefix: KERN, USER, MAIL, DAEMON, AUTH, LPR, NEWS, UUCP,
              CRON, and LOCAL0 through LOCAL7.  If no facility is
              specified, the default is AUTH.

       In the following example, the logging messages from the KDC will go
       to the console and to the system log under the facility LOG_DAEMON,
       and the logging messages from the administrative server will be
       appended to the file /var/adm/kadmin.log and sent to the device
       /dev/tty04.

          [logging]
              kdc = CONSOLE
              kdc = SYSLOG:INFO:DAEMON
              admin_server = FILE:/var/adm/kadmin.log
              admin_server = DEVICE=/dev/tty04

       If no logging specification is given, the default is to use syslog.
       To disable logging entirely, specify default = DEVICE=/dev/null.

   [otp]
       Each subsection of [otp] is the name of an OTP token type.  The tags
       within the subsection define the configuration required to forward a
       One Time Password request to a RADIUS server.

       For each token type, the following tags may be specified:

       server This is the server to send the RADIUS request to.  It can be
              a hostname with optional port, an IP address with optional
              port, or a Unix domain socket address.  The default is
              /var/kerberos/krb5kdc/<name>.socket.

       secret This tag indicates a filename (which may be relative to
              /var/kerberos/krb5kdc) containing the secret used to encrypt
              the RADIUS packets.  The secret should appear in the first
              line of the file by itself; leading and trailing whitespace
              on the line will be removed.  If the value of server is a
              Unix domain socket address, this tag is optional, and an
              empty secret will be used if it is not specified.  Otherwise,
              this tag is required.

       timeout
              An integer which specifies the time in seconds during which
              the KDC should attempt to contact the RADIUS server.  This
              tag is the total time across all retries and should be less
              than the time for which an OTP value remains valid.  The
              default is 5 seconds.

       retries
              This tag specifies the number of retries to make to the
              RADIUS server.  The default is 3 retries (4 tries).

       strip_realm
              If this tag is true, the principal without the realm will be
              passed to the RADIUS server.  Otherwise, the realm will be
              included.  The default value is true.

       indicator
              This tag specifies an authentication indicator to be included
              in the ticket if this token type is used to authenticate.
              This option may be specified multiple times.  (New in release
              1.14.)

       In the following example, requests are sent to a remote server via
       UDP:

          [otp]
              MyRemoteTokenType = {
                  server = radius.mydomain.com:1812
                  secret = SEmfiajf42$
                  timeout = 15
                  retries = 5
                  strip_realm = true
              }

       An implicit default token type named DEFAULT is defined for when the
       per-principal configuration does not specify a token type.  Its
       configuration is shown below.  You may override this token type to
       something applicable for your situation:

          [otp]
              DEFAULT = {
                  strip_realm = false
              }

724 NOTE:
725 The following are pkinit-specific options. These values may be
726 specified in [kdcdefaults] as global defaults, or within a
727 realm-specific subsection of [realms]. Also note that a realm-spe‐
728 cific value over-rides, does not add to, a generic [kdcdefaults]
729 specification. The search order is:
730
731 1. realm-specific subsection of [realms]:
732
733 [realms]
734 EXAMPLE.COM = {
735 pkinit_anchors = FILE:/usr/local/example.com.crt
736 }
737
738 2. generic value in the [kdcdefaults] section:
739
740 [kdcdefaults]
741 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
742
743 For information about the syntax of some of these options, see
744 Specifying PKINIT identity information in krb5.conf.
745
746 pkinit_anchors
747 Specifies the location of trusted anchor (root) certificates
748 which the KDC trusts to sign client certificates. This option
749 is required if pkinit is to be supported by the KDC. This op‐
750 tion may be specified multiple times.
751
752 pkinit_dh_min_bits
753 Specifies the minimum number of bits the KDC is willing to ac‐
754 cept for a client's Diffie-Hellman key. The default is 2048.
755
756 pkinit_allow_upn
757 Specifies that the KDC is willing to accept client certificates
758 with the Microsoft UserPrincipalName (UPN) Subject Alternative
759 Name (SAN). This means the KDC accepts the binding of the UPN
760 in the certificate to the Kerberos principal name. The default
761 value is false.
762
763 Without this option, the KDC will only accept certificates with
764 the id-pkinit-san as defined in RFC 4556. There is currently no
765 option to disable SAN checking in the KDC.
766
767 pkinit_eku_checking
768 This option specifies what Extended Key Usage (EKU) values the
769 KDC is willing to accept in client certificates. The values
770 recognized in the kdc.conf file are:
771
772 kpClientAuth
773 This is the default value and specifies that client cer‐
774 tificates must have the id-pkinit-KPClientAuth EKU as de‐
775 fined in RFC 4556.
776
777 scLogin
778 If scLogin is specified, client certificates with the Mi‐
779 crosoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
780 accepted.
781
782 none If none is specified, then client certificates will not
783 be checked to verify they have an acceptable EKU. The
784 use of this option is not recommended.
785
786 pkinit_identity
787 Specifies the location of the KDC's X.509 identity information.
788 This option is required if pkinit is to be supported by the KDC.
789
790 pkinit_indicator
791 Specifies an authentication indicator to include in the ticket
792 if pkinit is used to authenticate. This option may be specified
793 multiple times. (New in release 1.14.)
794
795 pkinit_pool
796 Specifies the location of intermediate certificates which may be
797 used by the KDC to complete the trust chain between a client's
798 certificate and a trusted anchor. This option may be specified
799 multiple times.
800
801 pkinit_revoke
802 Specifies the location of Certificate Revocation List (CRL) in‐
803 formation to be used by the KDC when verifying the validity of
804 client certificates. This option may be specified multiple
805 times.
806
807 pkinit_require_crl_checking
808 The default certificate verification process will always check
809 the available revocation information to see if a certificate has
810 been revoked. If a match is found for the certificate in a CRL,
811 verification fails. If the certificate being verified is not
812 listed in a CRL, or there is no CRL present for its issuing CA,
813 and pkinit_require_crl_checking is false, then verification suc‐
814 ceeds.
815
816 However, if pkinit_require_crl_checking is true and there is no
817 CRL information available for the issuing CA, then verification
818 fails.
819
820 pkinit_require_crl_checking should be set to true if the policy
821 is such that up-to-date CRLs must be present for every CA.
822
823 pkinit_require_freshness
824 Specifies whether to require clients to include a freshness to‐
825 ken in PKINIT requests. The default value is false. (New in
826 release 1.17.)
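The relations above decide which client certificates a KDC will turn into tickets, so they deserve an automated check. The following is an added example, not code from MIT krb5: a minimal reader for the profile format shared by krb5.conf and kdc.conf, followed by a lint that applies the page's guidance (anchors and identity required, EKU checking not set to none, CRL information present and required, a Diffie-Hellman minimum no lower than the 2048-bit default) to each realm. It assumes the relations are read only from the realm's own [realms] subsection (no fallback to [kdcdefaults] is modelled); the realm names and file paths in the embedded sample are constructed for the example.

```python
import sys

# Added example, not MIT krb5 code.  Constructed sample kdc.conf: one realm
# with weak PKINIT settings and one hardened; realm names and paths are
# hypothetical.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_listen = 88

[realms]
    WEAK.EXAMPLE = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        pkinit_eku_checking = none
        pkinit_dh_min_bits = 1024
        pkinit_allow_upn = true
    }
    HARDENED.EXAMPLE = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        pkinit_anchors = DIR:/var/kerberos/krb5kdc/anchors/
        pkinit_pool = DIR:/var/kerberos/krb5kdc/intermediates/
        pkinit_revoke = DIR:/var/kerberos/krb5kdc/crls/
        pkinit_require_crl_checking = true
        pkinit_require_freshness = true
        pkinit_dh_min_bits = 2048
        pkinit_indicator = pkinit
    }
"""

# Relations the page says may be specified multiple times.
MULTI_VALUED = {"pkinit_anchors", "pkinit_pool", "pkinit_revoke", "pkinit_indicator"}


def parse_profile(text):
    """Return {section: {tag: [value, ...]}}; a subsection's value is a dict.

    '[name]' starts a section, 'tag = value' is a relation and 'tag = {' opens
    a subsection closed by a lone '}'.  Tags may repeat, so each tag maps to a
    list in file order.  Lines starting with '#' or ';' are comments.
    """
    profile, stack = {}, []  # stack holds the open dicts: [section, sub, ...]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [profile.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        else:
            tag, sep, value = line.partition("=")
            if not sep or not stack:
                raise ValueError(f"line {lineno}: expected 'tag = value' in a section")
            tag, value = tag.strip(), value.strip()
            if value == "{":
                stack[-1].setdefault(tag, []).append({})
                stack.append(stack[-1][tag][-1])
            else:
                stack[-1].setdefault(tag, []).append(value.strip('"'))
    if len(stack) > 1:
        raise ValueError("unterminated subsection")
    return profile


def realm_config(profile, realm):
    """Relations of one realm's subsection under [realms] ({} if absent)."""
    return profile.get("realms", {}).get(realm, [{}])[0]


def lint_pkinit(realm):
    """Return (code, severity, message) findings for a realm's PKINIT relations."""
    findings = []

    def first(tag, default):
        values = realm.get(tag)
        if not values:
            return default
        if len(values) > 1 and tag not in MULTI_VALUED:
            findings.append((f"duplicate_{tag}", "warn", f"{tag} set {len(values)} times"))
        return values[0]

    def true(value):  # boolean spellings the krb5 profile library accepts
        return str(value).lower() in ("true", "t", "yes", "y", "on", "1")

    if "pkinit_identity" not in realm:
        findings.append(("missing_identity", "high", "pkinit_identity is required for PKINIT"))
    if "pkinit_anchors" not in realm:
        findings.append(("missing_anchors", "high", "pkinit_anchors is required: no CA is trusted"))
    eku = first("pkinit_eku_checking", "kpClientAuth")
    if eku == "none":
        findings.append(("eku_none", "high", "EKU checking disabled: any cert under an anchor authenticates"))
    elif eku not in ("kpClientAuth", "scLogin"):
        findings.append(("eku_unknown", "warn", f"unrecognised pkinit_eku_checking value {eku!r}"))
    if "pkinit_revoke" not in realm:
        findings.append(("no_revoke", "warn", "no pkinit_revoke location: no CRL information configured"))
    if not true(first("pkinit_require_crl_checking", "false")):
        findings.append(("crl_not_required", "warn", "a CA with no CRL available still verifies"))
    bits = first("pkinit_dh_min_bits", "2048")
    if not bits.isdigit() or int(bits) < 2048:
        findings.append(("weak_dh", "high", f"pkinit_dh_min_bits = {bits} is below the 2048-bit default"))
    if true(first("pkinit_allow_upn", "false")):
        findings.append(("allow_upn", "note", "Microsoft UPN SANs accepted as the principal binding"))
    if not true(first("pkinit_require_freshness", "false")):
        findings.append(("no_freshness", "note", "freshness token not required (needs release 1.17+)"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KDC_CONF
    profile = parse_profile(text)
    for name in profile.get("realms", {}):
        print(name)
        for code, severity, message in lint_pkinit(realm_config(profile, name)):
            print(f"  [{severity}] {code}: {message}")
```

Run it with a path to a real kdc.conf to lint that file, or without arguments to lint the embedded sample; the weak realm produces six findings and the hardened realm none. The lint reports a single-valued tag that appears more than once rather than guessing which copy the KDC will use.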
827
828 ENCRYPTION TYPES
829 Any tag in the configuration files which requires a list of encryption
830 types can be set to some combination of the following strings. Encryp‐
831 tion types marked as "weak" and "deprecated" are available for compati‐
832 bility but not recommended for use.
833
834 ┌───────────────────────────┬─────────────────────────────┐
835 │aes256-cts-hmac-sha1-96 │ AES-256 CTS mode with │
836 │aes256-cts aes256-sha1 │ 96-bit SHA-1 HMAC │
837 ├───────────────────────────┼─────────────────────────────┤
838 │aes128-cts-hmac-sha1-96 │ AES-128 CTS mode with │
839 │aes128-cts aes128-sha1 │ 96-bit SHA-1 HMAC │
840 ├───────────────────────────┼─────────────────────────────┤
841 │aes256-cts-hmac-sha384-192 │ AES-256 CTS mode with │
842 │aes256-sha2 │ 192-bit SHA-384 HMAC │
843 ├───────────────────────────┼─────────────────────────────┤
844 │aes128-cts-hmac-sha256-128 │ AES-128 CTS mode with │
845 │aes128-sha2 │ 128-bit SHA-256 HMAC │
846 ├───────────────────────────┼─────────────────────────────┤
847 │arcfour-hmac rc4-hmac arc‐ │ RC4 with HMAC/MD5 (depre‐ │
848 │four-hmac-md5 │ cated) │
849 ├───────────────────────────┼─────────────────────────────┤
850 │arcfour-hmac-exp │ Exportable RC4 with │
851 │rc4-hmac-exp arc‐ │ HMAC/MD5 (weak) │
852 │four-hmac-md5-exp │ │
853 ├───────────────────────────┼─────────────────────────────┤
854 │camellia256-cts-cmac │ Camellia-256 CTS mode with │
855 │camellia256-cts │ CMAC │
856 ├───────────────────────────┼─────────────────────────────┤
857 │camellia128-cts-cmac │ Camellia-128 CTS mode with │
858 │camellia128-cts │ CMAC │
859 ├───────────────────────────┼─────────────────────────────┤
860 │aes │ The AES family: │
861 │ │ aes256-cts-hmac-sha1-96, │
862 │ │ aes128-cts-hmac-sha1-96, │
863 │ │ aes256-cts-hmac-sha384-192, │
864 │ │ and │
865 │ │ aes128-cts-hmac-sha256-128 │
866 ├───────────────────────────┼─────────────────────────────┤
867 │rc4 │ The RC4 family: arc‐ │
868 │ │ four-hmac │
869 ├───────────────────────────┼─────────────────────────────┤
870 │camellia │ The Camellia family: camel‐ │
871 │ │ lia256-cts-cmac and camel‐ │
872 │ │ lia128-cts-cmac │
873 └───────────────────────────┴─────────────────────────────┘
874
875 The string DEFAULT can be used to refer to the default set of types for
876 the variable in question. Types or families can be removed from the
877 current list by prefixing them with a minus sign ("-"). Types or fami‐
878 lies can be prefixed with a plus sign ("+") for symmetry; it has the
879 same meaning as just listing the type or family. For example, "DEFAULT
880 -rc4" would be the default set of encryption types with RC4 types re‐
881 moved, and "aes128-sha2 DEFAULT" would be the default set of encryption
882 types with aes128-sha2 moved to the front.
883
884 While aes128-cts and aes256-cts are supported for all Kerberos opera‐
885 tions, they are not supported by very old versions of our GSSAPI imple‐
886 mentation (krb5-1.3.1 and earlier). Services running versions of krb5
887 without AES support must not be given keys of these encryption types in
888 the KDC database.
889
890 The aes128-sha2 and aes256-sha2 encryption types are new in release
891 1.15. Services running versions of krb5 without support for these
892 newer encryption types must not be given keys of these encryption types
893 in the KDC database.
894
895 KEYSALT LISTS
896 Kerberos keys for users are usually derived from passwords. Kerberos
897 commands and configuration parameters that affect generation of keys
898 take lists of enctype-salttype ("keysalt") pairs, known as keysalt
899 lists. Each keysalt pair is an enctype name followed by a salttype
900 name, in the format enc:salt. Individual keysalt list members are sep‐
901 arated by comma (",") characters or space characters. For example:
902
903 kadmin -e aes256-cts:normal,aes128-cts:normal
904
905 would start up kadmin so that by default it would generate password-de‐
906 rived keys for the aes256-cts and aes128-cts encryption types, using a
907 normal salt.
908
909 To ensure that people who happen to pick the same password do not have
910 the same key, Kerberos 5 incorporates more information into the key us‐
911 ing something called a salt. The supported salt types are as follows:
912
913 ┌──────────┬────────────────────────────┐
914 │normal │ default for Kerberos Ver‐ │
915 │ │ sion 5 │
916 ├──────────┼────────────────────────────┤
917 │norealm │ same as the default, with‐ │
918 │ │ out using realm informa‐ │
919 │ │ tion │
920 ├──────────┼────────────────────────────┤
921 │onlyrealm │ uses only realm informa‐ │
922 │ │ tion as the salt │
923 ├──────────┼────────────────────────────┤
924 │special │ generate a random salt │
925 └──────────┴────────────────────────────┘
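Both the enctype-list syntax (DEFAULT, "+" and "-" prefixes, family names) and the enc:salt keysalt syntax above are small grammars that are easy to get wrong in a config file. The following is an added example, not MIT krb5 code, that resolves an enctype list to canonical names the way the text describes (each type kept once at the position where it was first added, so "aes128-sha2 DEFAULT" moves aes128-sha2 to the front), parses a keysalt list, and reports any members the page marks weak or deprecated. The names, aliases, families and salt types come from the tables on this page; ASSUMED_DEFAULT is a stand-in for the real DEFAULT set, which depends on the variable and the krb5 release, and treating a missing salt type as normal is also an assumption of the example.

```python
import re

# Added example, not MIT krb5 code.  Canonical enctype names and their aliases,
# families and salt types are taken from the tables on this page.
ENCTYPES = {
    "aes256-cts-hmac-sha1-96": ("aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha384-192": ("aes256-sha2",),
    "aes128-cts-hmac-sha256-128": ("aes128-sha2",),
    "arcfour-hmac": ("rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp": ("rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "camellia256-cts-cmac": ("camellia256-cts",),
    "camellia128-cts-cmac": ("camellia128-cts",),
}
FAMILIES = {
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
NOT_RECOMMENDED = {"arcfour-hmac": "deprecated", "arcfour-hmac-exp": "weak"}
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}
NAME_TO_CANONICAL = {canon: canon for canon in ENCTYPES}
for canon, aliases in ENCTYPES.items():
    NAME_TO_CANONICAL.update({alias: canon for alias in aliases})

# Assumed stand-in for DEFAULT (the real set depends on the variable and the
# krb5 release): the page's families in table order.
ASSUMED_DEFAULT = FAMILIES["aes"] + FAMILIES["rc4"] + FAMILIES["camellia"]


def canonical(name):
    """Map an enctype name or alias to its canonical name."""
    try:
        return NAME_TO_CANONICAL[name.lower()]
    except KeyError:
        raise ValueError(f"unknown encryption type {name!r}") from None


def expand_enctype_list(spec, default=ASSUMED_DEFAULT):
    """Resolve an enctype list such as 'DEFAULT -rc4' to canonical names.

    Tokens are separated by spaces or commas.  DEFAULT expands to `default`,
    a family name to its members, '-x' removes x and '+x' means x.  Each type
    is kept once, at the position where it was first added.
    """
    result = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if token[0] in "+-" else token
        if name.upper() == "DEFAULT":
            members = list(default)
        elif name.lower() in FAMILIES:
            members = FAMILIES[name.lower()]
        else:
            members = [canonical(name)]
        for member in members:
            if remove:
                if member in result:
                    result.remove(member)
            elif member not in result:
                result.append(member)
    return result


def parse_keysalt_list(spec):
    """Parse 'enc:salt' pairs (comma or space separated) into (canonical, salt).

    A missing salt type is treated as 'normal' here; that is an assumption of
    this example, not something the page states.
    """
    pairs = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        enc, _, salt = token.partition(":")
        salt = salt or "normal"
        if salt not in SALTTYPES:
            raise ValueError(f"unknown salt type {salt!r} in {token!r}")
        pairs.append((canonical(enc), salt))
    return pairs


def not_recommended(enctypes):
    """Members of an expanded list that the page marks weak or deprecated."""
    return [(e, NOT_RECOMMENDED[e]) for e in enctypes if e in NOT_RECOMMENDED]
```

Feeding the page's own examples through it, "DEFAULT -rc4" yields the AES and Camellia types of the assumed default, "aes128-sha2 DEFAULT" yields the same set with aes128-cts-hmac-sha256-128 first, and not_recommended() over the assumed default flags only arcfour-hmac. Running the expansion over each enctype-valued tag of a kdc.conf is a quick way to confirm that RC4 really is gone after a "-rc4" edit.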
926
927 SAMPLE KDC.CONF FILE
928 Here's an example of a kdc.conf file:
929
930 [kdcdefaults]
931 kdc_listen = 88
932 kdc_tcp_listen = 88
933 [realms]
934 ATHENA.MIT.EDU = {
935 kadmind_port = 749
936 max_life = 12h 0m 0s
937 max_renewable_life = 7d 0h 0m 0s
938 master_key_type = aes256-cts-hmac-sha1-96
939 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
940 database_module = openldap_ldapconf
941 }
942
943 [logging]
944 kdc = FILE:/usr/local/var/krb5kdc/kdc.log
945 admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
946
947 [dbdefaults]
948 ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
949
950 [dbmodules]
951 openldap_ldapconf = {
952 db_library = kldap
953 disable_last_success = true
954 ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
955 # this object needs to have read rights on
956 # the realm container and principal subtrees
957 ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
958 # this object needs to have read and write rights on
959 # the realm container and principal subtrees
960 ldap_service_password_file = /etc/kerberos/service.keyfile
961 ldap_servers = ldaps://kerberos.mit.edu
962 ldap_conns_per_server = 5
963 }
964
965 FILES
966 /var/kerberos/krb5kdc/kdc.conf
967
968 SEE ALSO
969 krb5.conf, krb5kdc, kadm5.acl
970
971 AUTHOR
972 MIT
973
974 COPYRIGHT
975 1985-2023, MIT
976
977
978
979
980 1.21.2 KDC.CONF(5)