kdc.conf(4)                      File Formats                      kdc.conf(4)

NAME
       kdc.conf - Key Distribution Center (KDC) configuration file

SYNOPSIS
       /etc/krb5/kdc.conf

DESCRIPTION
       The kdc.conf file contains KDC configuration information, including
       defaults used when issuing Kerberos tickets. This file must reside on
       all KDC servers. After you make any changes to the kdc.conf file, stop
       and restart the krb5kdc daemon on the KDC for the changes to take
       effect.

       The format of the kdc.conf consists of section headings in square
       brackets ([]). Each section contains zero or more configuration
       variables (called relations), of the form:

         relation = relation-value

       or

         relation-subsection = {
              relation = relation-value
              relation = relation-value
              }
       The kdc.conf file contains one or more of the following three sections:

       kdcdefaults

           Contains default values for overall behavior of the KDC.

       realms

           Contains subsections for Kerberos realms, where relation-subsection
           is the name of a realm. Each subsection contains relations that
           define KDC properties for that particular realm, including where to
           find the Kerberos servers for that realm.

       logging

           Contains relations that determine how Kerberos programs perform
           logging.

   The kdcdefaults Section
       The following relations can be defined in the [kdcdefaults] section:

       kdc_ports

           This relation lists the UDP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any UDP port. If this relation is not specified, the
           Kerberos server listens on port 750 and port 88.

       kdc_tcp_ports

           This relation lists the TCP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any TCP port. If this relation is not specified, the
           Kerberos server listens on the kdc TCP port specified in
           /etc/services. If this port is not found in /etc/services the
           Kerberos server defaults to listen on TCP port 88.

       kdc_max_tcp_connections

           This relation controls the maximum number of TCP connections the
           KDC allows. The minimum value is 10. If this relation is not
           specified, the Kerberos server allows a maximum of 30 TCP
           connections.

   The realms Section
       This section contains subsections for Kerberos realms, where
       relation-subsection is the name of a realm. Each subsection contains
       relations that define KDC properties for that particular realm.

       The following relations can be specified in each subsection:

       acl_file

           (string) Location of the Kerberos V5 access control list (ACL) file
           that kadmin uses to determine the privileges allowed to each
           principal on the database. The default location is
           /etc/krb5/kadm5.acl.

       admin_keytab

           (string) Location of the keytab file that kadmin uses to
           authenticate to the database. The default location is
           /etc/krb5/kadm5.keytab.

       database_name

           (string) Location of the Kerberos database for this realm. The
           default location is /var/krb5/principal.

       default_principal_expiration

           (absolute time string) The default expiration date of principals
           created in this realm. See the Time Format section in kinit(1) for
           the valid absolute time formats you can use for
           default_principal_expiration.

       default_principal_flags

           (flag string) The default attributes of principals created in this
           realm. Some of these flags are better to set on an individual
           principal basis through the use of the attribute modifiers when
           using the kadmin command to create and modify principals. However,
           some of these options can be applied to all principals in the realm
           by adding them to the list of flags associated with this relation.

           A "flag string" is a list of one or more of the flags listed below,
           each preceded by a plus (+) or a minus (-) character, indicating
           that the option that follows should be enabled or disabled,
           respectively.

           Flags below marked with an asterisk (*) are flags that are best
           applied on an individual principal basis through the kadmin or
           gkadmin interface rather than as a blanket attribute to be applied
           to all principals.

           postdateable

               Create postdatable tickets.

           forwardable

               Create forwardable tickets.

           tgt-based

               Allow TGT-based requests.

           renewable

               Create renewable tickets.

           proxiable

               Create proxiable tickets.

           dup-skey

               Allow DUP_SKEY requests; this enables user-to-user
               authentication.

           preauth

               Require the use of pre-authentication data whenever principals
               request TGTs.

           hwauth

               Require the use of hardware-based pre-authentication data
               whenever principals request TGTs.

           * allow-tickets

               Allow tickets to be issued for all principals.

           * pwdchange

               Require principals to change their password.

           * service

               Enable or disable a service.

           * pwservice

               Mark principals as password changing principals.

           An example of default_principal_flags is shown in EXAMPLES, below.
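       The following added example (not code from this page or from the
       Kerberos distribution) parses a default_principal_flags value into the
       flags it enables and disables, rejects unknown names and contradictory
       entries, and reports the flags the page marks with an asterisk, since
       those are the ones the page says are better set per principal. It
       treats commas and whitespace as separators, following the EXAMPLES
       section; the flag names are exactly the ones listed above.

```python
"""Parse and check a default_principal_flags "flag string".

Added example, not from kdc.conf(4) or the Kerberos code.
"""
import re

# Flags listed on the page; True marks those the page flags with '*'
# as best applied per principal rather than realm-wide.
FLAGS = {
    "postdateable": False, "forwardable": False, "tgt-based": False,
    "renewable": False, "proxiable": False, "dup-skey": False,
    "preauth": False, "hwauth": False,
    "allow-tickets": True, "pwdchange": True, "service": True, "pwservice": True,
}


def parse_flag_string(flag_string):
    """Return (enabled, disabled, warnings) for e.g. '+preauth,+forwardable,-postdateable'.

    enabled/disabled are lists of flag names in the order given; warnings is a
    list of strings about realm-wide settings worth a second look.
    """
    enabled, disabled, warnings = [], [], []
    for tok in re.split(r"[,\s]+", flag_string.strip()):
        if not tok:
            continue
        sign, name = tok[0], tok[1:]
        if sign not in "+-" or name not in FLAGS:
            raise ValueError(f"bad flag token {tok!r}")
        (enabled if sign == "+" else disabled).append(name)
        if FLAGS[name]:
            warnings.append(f"{name}: marked '*' on the page; better set per principal via kadmin")
    # The page says preauth "requires the use of pre-authentication data";
    # disabling it here applies to every principal created in the realm.
    if "preauth" in disabled:
        warnings.append("preauth: new principals in this realm will not require pre-authentication")
    both = sorted(set(enabled) & set(disabled))
    if both:
        raise ValueError(f"flag both enabled and disabled: {both}")
    return enabled, disabled, warnings


if __name__ == "__main__":
    print(parse_flag_string("+preauth,+forwardable,-postdateable"))
```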

       dict_file

           (string) Location of the dictionary file containing strings that
           are not allowed as passwords. A principal with any password policy
           is not allowed to select a password in the dictionary. The default
           location is /var/krb5/kadm5.dict.

       kadmind_port

           (port number) The port that the kadmind daemon is to listen on for
           this realm. The assigned port for kadmind is 749.

       key_stash_file

           (string) Location where the master key has been stored (by
           kdb5_util stash). The default location is /var/krb5/.k5.realm,
           where realm is the Kerberos realm.

       kdc_ports

           (string) The list of UDP ports that the KDC listens on for this
           realm. By default, the value of kdc_ports as specified in the
           [kdcdefaults] section is used.

       kdc_tcp_ports

           (string) The list of TCP ports that the KDC listens on (in addition
           to the UDP ports specified by kdc_ports) for this realm. By
           default, the value of kdc_tcp_ports as specified in the
           [kdcdefaults] section is used.
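       The following added example (not code from this page or from
       krb5kdc) resolves the ports a KDC will listen on for a realm from
       kdc_ports and kdc_tcp_ports, applying the rules stated in the
       kdcdefaults and realms sections: a realm's relation overrides the same
       relation in [kdcdefaults] (the same override rule the PKINIT-specific
       Options section describes for its options), the value is a
       comma-separated list of integers, a value of 0 means no port of that
       kind, an unspecified kdc_ports means UDP 750 and 88, and an
       unspecified kdc_tcp_ports means the kdc TCP port from /etc/services
       with TCP 88 as the fallback. kdc_max_tcp_connections is handled with
       the page's minimum of 10 and default of 30; clamping a lower value to
       10 rather than rejecting it is this example's assumption. The input is
       the nested dict shape {section: {relation: [value] | {subsection:
       ...}}}; the sample configuration is constructed.

```python
"""Resolve effective KDC listen ports from kdc_ports / kdc_tcp_ports.

Added example, not from kdc.conf(4) or the krb5kdc source.
"""
import socket

UDP_DEFAULT = (750, 88)       # page: used when kdc_ports is not specified
TCP_FALLBACK = 88             # page: used when 'kdc' is not in /etc/services
MIN_TCP_CONNECTIONS = 10
DEFAULT_TCP_CONNECTIONS = 30

# Constructed sample in the parsed shape {section: {relation: [value] | {subsection: ...}}}.
SAMPLE_CONF = {
    "kdcdefaults": {"kdc_ports": ["88"], "kdc_max_tcp_connections": ["5"]},
    "realms": {
        "EXAMPLE.COM": {"kdc_tcp_ports": ["0"]},          # no TCP listener for this realm
        "OTHER.EXAMPLE": {"kdc_ports": ["750,88"]},        # realm value replaces kdcdefaults
    },
}


def effective(conf, realm, relation):
    """Realm-specific value wins over [kdcdefaults]; None if neither is set."""
    realm_conf = conf.get("realms", {}).get(realm, {})
    for scope in (realm_conf, conf.get("kdcdefaults", {})):
        values = scope.get(relation)
        if values:
            return values[-1]      # assumption: last occurrence wins if repeated
    return None


def parse_port_list(value):
    """'750,88' -> (750, 88); '0' -> () meaning listen on no port of that kind."""
    if value.strip() == "0":
        return ()
    ports = []
    for item in value.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"port list {value!r}: {item!r} is not a valid port")
        ports.append(int(item))
    return tuple(ports)


def tcp_port_from_services():
    """The 'kdc' TCP port from /etc/services, or the page's fallback of 88."""
    try:
        return socket.getservbyname("kdc", "tcp")
    except OSError:
        return TCP_FALLBACK


def listen_ports(conf, realm):
    """Return {'udp': (...), 'tcp': (...)} for the realm."""
    udp_value = effective(conf, realm, "kdc_ports")
    tcp_value = effective(conf, realm, "kdc_tcp_ports")
    udp = UDP_DEFAULT if udp_value is None else parse_port_list(udp_value)
    tcp = (tcp_port_from_services(),) if tcp_value is None else parse_port_list(tcp_value)
    return {"udp": udp, "tcp": tcp}


def max_tcp_connections(conf):
    """kdc_max_tcp_connections from [kdcdefaults]; default 30, never below 10."""
    values = conf.get("kdcdefaults", {}).get("kdc_max_tcp_connections")
    if not values:
        return DEFAULT_TCP_CONNECTIONS
    return max(MIN_TCP_CONNECTIONS, int(values[-1]))   # clamping is this example's choice


if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "OTHER.EXAMPLE", "NOSUCH.REALM"):
        print(realm, listen_ports(SAMPLE_CONF, realm))
    print("max TCP connections:", max_tcp_connections(SAMPLE_CONF))
```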

       master_key_name

           (string) The name of the master key.

       master_key_type

           (key type string) The master key's key type. This is used to
           determine the type of encryption that encrypts the entries in the
           principal db. des-cbc-crc, des3-cbc-md5, des3-cbc-sha1-kd,
           arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96,
           and aes256-cts-hmac-sha1-96 are supported at this time (des-cbc-crc
           is the default). If you set this to des3-cbc-sha1-kd all systems
           that receive copies of the principal db, such as those running
           slave KDCs, must support des3-cbc-sha1-kd.

       max_life

           (delta time string) The maximum time period for which a ticket is
           valid in this realm. See the Time Format section in kinit(1) for
           the valid time duration formats you can use for max_life.

       max_renewable_life

           (delta time string) The maximum time period during which a valid
           ticket can be renewed in this realm. See the Time Format section in
           kinit(1) for the valid time duration formats you can use for
           max_renewable_life.

       sunw_dbprop_enable = [true | false]

           Enable or disable incremental database propagation. Default is
           false.

       sunw_dbprop_master_ulogsize = N

           Specifies the maximum number of log entries available for
           incremental propagation to the slave KDC servers. The maximum value
           that this can be is 2500 entries. Default value is 1000 entries.

       sunw_dbprop_slave_poll = N[s, m, h]

           Specifies how often the slave KDC polls for new updates that the
           master might have. Default is 2m (two minutes).

       supported_enctypes

           List of key/salt strings. The default key/salt combinations of
           principals for this realm. The key is separated from the salt by a
           colon (:) or period (.). Multiple key/salt strings can be used by
           separating each string with a space. The salt is additional
           information encoded within the key that tells what kind of key it
           is. Only the normal salt is supported at this time, for example,
           des-cbc-crc:normal. If this relation is not specified, the default
           setting is:

             aes256-cts-hmac-sha1-96:normal \ (see note below)
             aes128-cts-hmac-sha1-96:normal \
             des3-cbc-sha1-kd:normal \
             arcfour-hmac-md5:normal \
             des-cbc-md5:normal

           Note -

             The unbundled Strong Cryptographic packages must be installed for
             the aes256-cts-hmac-sha1-96:normal enctype to be available for
             Kerberos.
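       The following added example (not code from this page or from the
       Kerberos distribution) parses a supported_enctypes value into
       enctype/salt pairs and reviews it together with master_key_type against
       what the page states: entries are space-separated, key and salt are
       separated by ':' or '.', only the normal salt is supported, and the
       enctype names are those listed under master_key_type plus des-cbc-md5
       from the supported_enctypes default. Classifying single-DES and the
       export-grade RC4 variant as weak (56-bit DES keys; a deliberately
       shortened RC4 key) is this example's own assessment, not a statement
       the page makes; the Strong Cryptographic package requirement for
       aes256-cts-hmac-sha1-96 is from the note above.

```python
"""Parse supported_enctypes key/salt strings and review the realm's enctype choices.

Added example, not from kdc.conf(4) or the Kerberos code.
"""
import re

# Enctype names the page lists under master_key_type, plus des-cbc-md5 from
# the supported_enctypes default.
ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-md5", "des3-cbc-sha1-kd",
    "arcfour-hmac-md5", "arcfour-hmac-md5-exp",
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
}
# This example's classification (not the page's): single DES and export RC4.
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5-exp"}
# Page note: needs the unbundled Strong Cryptographic packages.
NEEDS_STRONG_CRYPTO_PACKAGES = {"aes256-cts-hmac-sha1-96"}

# The default supported_enctypes setting as the page gives it.
DEFAULT_SUPPORTED_ENCTYPES = (
    "aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal "
    "des3-cbc-sha1-kd:normal arcfour-hmac-md5:normal des-cbc-md5:normal"
)


def parse_key_salt_list(value):
    """'des-cbc-crc.normal aes128-cts-hmac-sha1-96:normal' -> [(enctype, salt), ...]"""
    pairs = []
    for item in value.split():
        m = re.fullmatch(r"([^:.]+)[:.](.+)", item)
        if not m:
            raise ValueError(f"{item!r}: expected enctype:salt or enctype.salt")
        enctype, salt = m.groups()
        if enctype not in ENCTYPES:
            raise ValueError(f"{item!r}: unknown enctype {enctype!r}")
        if salt != "normal":
            raise ValueError(f"{item!r}: only the 'normal' salt is supported")
        pairs.append((enctype, salt))
    return pairs


def review_enctypes(supported_enctypes=None, master_key_type="des-cbc-crc"):
    """Return a list of findings (strings); an empty list means nothing to flag.

    Defaults mirror the page: supported_enctypes unset means the default list
    above, and master_key_type defaults to des-cbc-crc.
    """
    value = DEFAULT_SUPPORTED_ENCTYPES if supported_enctypes is None else supported_enctypes
    findings = []
    for enctype, _salt in parse_key_salt_list(value):
        if enctype in WEAK:
            findings.append(f"supported_enctypes: {enctype} is a weak enctype")
        if enctype in NEEDS_STRONG_CRYPTO_PACKAGES:
            findings.append(f"supported_enctypes: {enctype} requires the Strong Cryptographic packages")
    if master_key_type not in ENCTYPES:
        raise ValueError(f"unknown master_key_type {master_key_type!r}")
    if master_key_type in WEAK:
        findings.append(f"master_key_type: {master_key_type} is a weak enctype")
    if master_key_type == "des3-cbc-sha1-kd":
        # Page: every system receiving the principal db (e.g. slave KDCs) must support it.
        findings.append("master_key_type: every slave KDC must support des3-cbc-sha1-kd")
    return findings


if __name__ == "__main__":
    for finding in review_enctypes():
        print(finding)
```

       Run with no arguments, review_enctypes() reviews the page's own
       defaults, which is the quickest way to see which of them this check
       flags.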

       reject_bad_transit

           This boolean specifies whether the list of transited realms for
           cross-realm tickets should be checked against the transit path
           computed from the realm names and the [capaths] section of its
           krb5.conf(4) file.

           The default for reject_bad_transit is true.

   The logging Section
       This section indicates how Kerberos programs perform logging. The same
       relation can be repeated if you want to assign it multiple logging
       methods. The following relations can be defined in the [logging]
       section:

       kdc

           Specifies how the KDC is to perform its logging. The default is
           FILE:/var/krb5/kdc.log.

       admin_server

           Specifies how the administration server is to perform its logging.
           The default is FILE:/var/krb5/kadmin.log.

       default

           Specifies how to perform logging in the absence of explicit
           specifications.

       The [logging] relations can have the following values:

       FILE:filename

       or

       FILE=filename

           This value causes the entity's logging messages to go to the
           specified file. If the `=' form is used, the file is overwritten.
           If the `:' form is used, the file is appended to.

       STDERR

           This value sends the entity's logging messages to its standard
           error stream.

       CONSOLE

           This value sends the entity's logging messages to the console, if
           the system supports it.

       DEVICE=devicename

           This sends the entity's logging messages to the specified device.

       SYSLOG[:severity[:facility]]

           This sends the entity's logging messages to the system log.

           The severity argument specifies the default severity of system log
           messages. This default can be any of the following severities
           supported by the syslog(3C) call, minus the LOG_ prefix: LOG_EMERG,
           LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO,
           and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT
           severity.

           The facility argument specifies the facility under which the
           messages are logged. This can be any of the following facilities
           supported by the syslog(3C) call minus the LOG_ prefix: LOG_KERN,
           LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS,
           LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

           If no severity is specified, the default is ERR. If no facility is
           specified, the default is AUTH.

           In the following example, the logging messages from the KDC go to
           the console and to the system log under the facility LOG_DAEMON
           with default severity of LOG_INFO; the logging messages from the
           administration server are appended to the /var/krb5/kadmin.log file
           and sent to the /dev/tty04 device.

             [logging]
             kdc = CONSOLE
             kdc = SYSLOG:INFO:DAEMON
             admin_server = FILE:/export/logging/kadmin.log
             admin_server = DEVICE=/dev/tty04
420
421
422
423   PKINIT-specific Options
424       The  following  are pkinit-specific options. These values can be speci‐
425       fied in [kdcdefaults] as global defaults, or  within  a  realm-specific
426       subsection  of [realms]. A realm-specific value overrides, does not add
427       to, a generic [kdcdefaults] specification. The search order is
428
429           1.     realm-specific subsection of [realms]
430
431                  [realms]
432                         [realms]
433                             EXAMPLE.COM = {
434                                  pkinit_anchors = FILE:/usr/local/example.com.crt
435                             }
436
437
438
439           2.     generic value in the [kdcdefaults] section
440
441                    [kdcdefaults]
442                        pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
443
444
445       pkinit_identity = URI    Specifies the  location  of  the  KDC's  X.509
446                                identity  information. This option is required
447                                if pkinit is supported by the KDC.  Valid  URI
448                                types  are FILE, DIR, PKCS11, PKCS12, and ENV.
449                                See the PKINIT  URI  Types  section  for  more
450                                details.
451
452
453       pkinit_anchors = URI     Specifies   the  location  of  trusted  anchor
454                                (root) certificates which the  KDC  trusts  to
455                                sign   client  certificates.  This  option  is
456                                required if pkinit is supported  by  the  KDC.
457                                This  option  can be specified multiple times.
458                                Valid URI types are  FILE  and  DIR.  See  the
459                                PKINIT URI Types section for details.
460
461
462       pkinit_pool              Specifies  the  location  of intermediate cer‐
463                                tificates which can be used by the KDC to com‐
464                                plete  the trust chain between a client's cer‐
465                                tificate and a trusted anchor. This option can
466                                be  specified  multiple times. Valid URI types
467                                are FILE and DIR. See  the  PKINIT  URI  Types
468                                section for more details.
469
470
471       pkinit_revoke            Specifies  the location of Certificate Revoca‐
472                                tion List (CRL) information to be used by  the
473                                KDC when verifying the validity of client cer‐
474                                tificates. This option can be specified multi‐
475                                ple  times.  The default certificate verifica‐
476                                tion process always checks the available revo‐
477                                cation information to see if a certificate has
478                                been revoked. If a match is found for the cer‐
479                                tificate  in a CRL, verification fails. If the
480                                certificate being verified is not listed in  a
481                                CRL,  or there is no CRL present for its issu‐
482                                ing  CA,  and  pkinit_require_crl_checking  is
483                                false,  then  verification  succeeds. The only
484                                valid URI types is DIR.  See  the  PKINIT  URI
485                                Types    section    for   more   details.   If
486                                pkinit_require_crl_checking is true and  there
487                                is  no CRL information available for the issu‐
488                                ing       CA,       verification        fails.
489                                pkinit_require_crl_checking  should  be set to
490                                true if the policy  is  such  that  up-to-date
491                                CRLs must be present for every CA.
492
493
494       pkinit_dh_min_bits       Specifies  the  minimum number of bits the KDC
495                                is willing to accept for  a  client's  Diffie-
496                                Hellman key.
497
498
499       pkinit_allow_upn         Specifies  that  the  KDC is willing to accept
500                                client certificates with the  Microsoft  User‐
501                                PrincipalName  (UPN)  Subject Alternative Name
502                                (SAN). This means the KDC accepts the  binding
503                                of  the UPN in the certificate to the Kerberos
504                                principal name.
505
506                                The default is false.
507
508                                Without this option, the KDC only accepts cer‐
509                                tificates with the id-pkinit-san as defined in
510                                RFC4556. There is currently no option to  dis‐
511                                able SAN checking in the KDC.
512
513
514       pkinit_eku_checking      This  option specifies what Extended Key Usage
515                                (EKU) values the KDC is willing to  accept  in
516                                client  certificates. The values recognized in
517                                the kdc.conf file are:
518
519                                kpClientAuth    This is the default value  and
520                                                specifies that client certifi‐
521                                                cates must have the id-pkinit-
522                                                KPClientAuth EKU as defined in
523                                                RFC4556.
524
525
526                                scLogin         If   scLogin   is   specified,
527                                                client  certificates  with the
528                                                Microsoft Smart Card Login EKU
529                                                (id-ms-kp-sc-logon)         is
530                                                accepted.
531
532
533
534   PKINIT URI Types
535       FILE:file-name[,key-file-name]
536
537           This option has context-specific behavior.
538
539           pkinit_identity    file-name specifies the  name  of  a  PEM-format
540                              file  containing the user's certificate. If key-
541                              file-name is not specified, the  user's  private
542                              key is expected to be in file-name as well. Oth‐
543                              erwise, key-file-name is the name  of  the  file
544                              containing the private key.
545
546
547           pkinit_anchors     file-name  is  assumed  to  be  the  name  of an
548           pkinit_pool        OpenSSL-style ca-bundle file. The ca-bundle file
549                              should be base-64 encoded.
550
551
552
553       DIR:directory-name
554
555           This option has context-specific behavior.
556
557           pkinit_identity    directory-name  specifies a directory with files
558                              named *.crt and *.key, where the first  part  of
559                              the  file name is the same for matching pairs of
560                              certificate and private key files. When  a  file
561                              with  a name ending with .crt is found, a match‐
562                              ing file ending with .key is assumed to  contain
563                              the  private key. If no such file is found, then
564                              the certificate in the .crt is not used.
565
566
567           pkinit_anchors     directory-name is assumed to be an OpenSSL-style
568           pkinit_pool        hashed CA directory where each CA cert is stored
569                              in a file named hash-of-ca-cert.#.  This  infra‐
570                              structure  is  encouraged,  but all files in the
571                              directory is examined and if they  contain  cer‐
572                              tificates (in PEM format), they are used.
573
574
575           pkinit_revoke      directory-name is assumed to be an OpenSSL-style
576                              hashed CA directory where each  revocation  list
577                              is  stored  in  a file named hash-of-ca-cert.r#.
578                              This infrastructure is encouraged, but all files
579                              in the directory is examined and if they contain
580                              a revocation list  (in  PEM  format),  they  are
581                              used.
582
583
584
585       PKCS12:pkcs12-file-name
586
587           pkcs12-file-name  is the name of a PKCS #12 format file, containing
588           the user's certificate and private key.
589
590
591       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certla‐
592       bel=cert-label]
593
594           All  keyword/values  are  optional.  PKCS11  modules  (for example,
595           opensc-pkcs11.so) must be installed  as  a  crypto  provider  under
596           libpkcs11(3LIB).  slotid=  and/or  token= can be specified to force
597           the use of a particular smard card reader or token if there is more
598           than  one  available. certid= and/or certlabel= can be specified to
599           force the selection of a particular certificate on the device.  See
600           the  pkinit_cert_match configuration option for more ways to select
601           a particular certificate to use for pkinit.
602
603
604       ENV:environment-variable-name
605
606           environment-variable-name specifies  the  name  of  an  environment
607           variable  which  has  been  set to a value conforming to one of the
608           previous values. For  example,  ENV:X509_PROXY,  where  environment
609           variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
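       The following added example (not code from this page or from the
       Kerberos distribution) parses the PKINIT URI forms described above
       and checks each one against the URI types the option descriptions
       allow: pkinit_identity takes FILE, DIR, PKCS11, PKCS12 and ENV;
       pkinit_anchors and pkinit_pool take FILE and DIR; pkinit_revoke takes
       DIR only. ENV is resolved through an environment mapping passed in
       rather than the real process environment, so the sample below uses a
       constructed dict; refusing an ENV value that points at another ENV
       value, and rejecting a PKCS11 label that itself contains ':', are
       this example's assumptions.

```python
"""Parse and validate kdc.conf PKINIT URIs.

Added example, not from kdc.conf(4) or the Kerberos code.
"""

# URI types each option accepts, as given in the option descriptions above.
ALLOWED = {
    "pkinit_identity": {"FILE", "DIR", "PKCS11", "PKCS12", "ENV"},
    "pkinit_anchors": {"FILE", "DIR"},
    "pkinit_pool": {"FILE", "DIR"},
    "pkinit_revoke": {"DIR"},
}
PKCS11_KEYS = {"slotid", "token", "certid", "certlabel"}

# Constructed environment for the example (not the process environment).
ENV_SAMPLE = {"X509_PROXY": "FILE:/tmp/my_proxy.pem"}


def parse_pkinit_uri(uri, env=None, _depth=0):
    """Return a dict describing the URI; ENV: is resolved once through env."""
    if ":" not in uri:
        raise ValueError(f"{uri!r}: missing URI type")
    utype, rest = uri.split(":", 1)
    if utype == "FILE":
        cert, _, key = rest.partition(",")
        if not cert:
            raise ValueError(f"{uri!r}: empty file name")
        # Page: without key-file-name the private key is expected in file-name too.
        return {"type": "FILE", "cert": cert, "key": key or cert}
    if utype in ("DIR", "PKCS12"):
        if not rest:
            raise ValueError(f"{uri!r}: empty name")
        return {"type": utype, "path": rest}
    if utype == "PKCS11":
        opts = {}
        for kv in filter(None, rest.split(":")):   # all keyword/values are optional
            k, sep, v = kv.partition("=")
            if not sep or k not in PKCS11_KEYS:
                raise ValueError(f"{uri!r}: bad PKCS11 keyword {kv!r}")
            opts[k] = v
        return {"type": "PKCS11", **opts}
    if utype == "ENV":
        if _depth:
            raise ValueError(f"{uri!r}: an ENV value may not point at another ENV value")
        value = (env or {}).get(rest)
        if value is None:
            raise ValueError(f"{uri!r}: environment variable {rest!r} is not set")
        parsed = parse_pkinit_uri(value, env, _depth + 1)
        parsed["via_env"] = rest
        return parsed
    raise ValueError(f"{uri!r}: unknown URI type {utype!r}")


def check_pkinit_option(option, uris, env=None):
    """Parse every URI given for an option and enforce the page's allowed types."""
    if option not in ALLOWED:
        raise ValueError(f"unknown option {option!r}")
    parsed_uris = []
    for uri in uris:
        parsed = parse_pkinit_uri(uri, env)
        outer = "ENV" if "via_env" in parsed else parsed["type"]
        for utype in {outer, parsed["type"]}:       # both the ENV wrapper and what it resolves to
            if utype not in ALLOWED[option]:
                raise ValueError(f"{option}: URI type {utype} is not allowed")
        parsed_uris.append(parsed)
    return parsed_uris


def is_allowed(option, uri, env=None):
    """True if the URI is accepted for the option, False if it is rejected."""
    try:
        check_pkinit_option(option, [uri], env)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_pkinit_option("pkinit_identity", ["ENV:X509_PROXY"], ENV_SAMPLE))
    print(check_pkinit_option("pkinit_anchors", ["FILE:/usr/local/example.com.crt"]))
```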

EXAMPLES
       Example 1 Sample kdc.conf File

       The following is an example of a kdc.conf file:

         [kdcdefaults]
            kdc_ports = 88

         [realms]
            ATHENA.MIT.EDU = {
               kadmind_port = 749
               max_life = 10h 0m 0s
               max_renewable_life = 7d 0h 0m 0s
               default_principal_flags = +preauth,+forwardable,-postdateable
               master_key_type = des-cbc-crc
               supported_enctypes = des-cbc-crc:normal
            }

         [logging]
            kdc = FILE:/export/logging/kdc.log
            admin_server = FILE:/export/logging/kadmin.log

FILES
       /etc/krb5/kadm5.acl

           List of principals and their kadmin administrative privileges.

       /etc/krb5/kadm5.keytab

           Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and
           kadmin/changepw.

       /var/krb5/principal

           Kerberos principal database.

       /var/krb5/principal.ulog

           The update log file for incremental propagation.

       /var/krb5/kadm5.dict

           Dictionary of strings explicitly disallowed as passwords.

       /var/krb5/kdc.log

           KDC logging file.

       /var/krb5/kadmin.log

           Kerberos administration server logging file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       All of the keywords, except for the PKINIT keywords, are Committed. The
       PKINIT keywords are Volatile.

SEE ALSO
       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kpropd(1M), libpkcs11(3LIB), syslog(3C), kadm5.acl(4), krb5.conf(4),
       attributes(5), kerberos(5)

SunOS 5.11                        12 Nov 2008                      kdc.conf(4)