warn.conf(4)                     File Formats                     warn.conf(4)

NAME
       warn.conf - Kerberos warning configuration file

SYNOPSIS
       /etc/krb5/warn.conf

DESCRIPTION
       The warn.conf file contains configuration information specifying how
       users will be warned by the ktkt_warnd daemon about ticket expiration.
       In addition, this file can be used to auto-renew the user's
       Ticket-Granting Ticket (TGT) instead of warning the user. Credential
       expiration warnings and auto-renew results are sent, by means of
       syslog, to auth.notice.

       Each Kerberos client host must have a warn.conf file in order for users
       on that host to get Kerberos warnings from the client. Entries in the
       warn.conf file must have the following format:

           principal [renew[:opt1,...optN]] syslog|terminal time

       or:

           principal [renew[:opt1,...optN]] mail time [email_address]

       principal        Specifies the principal name to be warned. The
                        asterisk (*) wildcard can be used to specify groups
                        of principals.

       renew            Automatically renew the credentials (TGT) until the
                        renewable lifetime expires. This is equivalent to the
                        user running kinit -R.

                        The renew options include:

                        log-success    Log the result of the renew attempt on
                                       success using the specified method
                                       (syslog|terminal|mail).

                        log-failure    Log the result of the renew attempt on
                                       failure using the specified method
                                       (syslog|terminal|mail). Some renew
                                       failure conditions are: TGT renewable
                                       lifetime has expired, the KDCs are
                                       unavailable, or the cred cache file has
                                       been removed.

                        log            Same as specifying both log-success and
                                       log-failure.

                        Note -

                          If no log options are given, no logging is done.

       syslog           Sends the warnings to the system's syslog. Depending
                        on the /etc/syslog.conf file, syslog entries are
                        written to the /var/adm/messages file and/or displayed
                        on the terminal.

       terminal         Sends the warnings to display on the terminal.

       mail             Sends the warnings as email to the address specified
                        by email_address.

       time             Specifies how much time before the TGT expires when a
                        warning should be sent. The default time value is
                        seconds, but you can specify h (hours) and m (minutes)
                        after the number to specify other time values.

       email_address    Specifies the email address at which to send the
                        warnings. This field must be specified only with the
                        mail field.

EXAMPLES
       Example 1 Specifying Warnings

       The following warn.conf entry:

           * syslog 5m

       specifies that warnings will be sent to the syslog five minutes before
       the expiration of the TGT for all principals. The form of the message
       is:

           jdb@ACME.COM: your kerberos credentials expire in 5 minutes

       Example 2 Specifying Renewal

       The following warn.conf entry:

           * renew:log terminal 30m

       specifies that renew results will be sent to the user's terminal 30
       minutes before the expiration of the TGT for all principals. The form
       of the message (on renew success) is:

           myname@ACME.COM: your kerberos credentials have been renewed

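       The entry format and the Note under renew can be checked mechanically.
       The following Python linter is an added example, not part of the
       original manual page or of ktkt_warnd; it flags malformed entries and
       renew entries whose failures would go unlogged. The function names, the
       treatment of lines beginning with # as comments, and the sample entries
       are assumptions made for illustration.

```python
import re

LOG_OPTS = {"log", "log-success", "log-failure"}  # renew options listed on this page
METHODS = {"syslog", "terminal", "mail"}
UNITS = {"": 1, "m": 60, "h": 3600}               # a bare number means seconds

def parse_entry(line):
    """Parse one warn.conf entry into a dict; raise ValueError if malformed."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: principal [renew[:opts]] method time")
    entry = {"principal": fields.pop(0), "renew": False, "opts": set()}
    if fields[0] == "renew" or fields[0].startswith("renew:"):
        entry["renew"] = True
        entry["opts"] = set(filter(None, fields.pop(0)[6:].split(",")))
        if entry["opts"] - LOG_OPTS:
            raise ValueError(f"unknown renew option(s): {sorted(entry['opts'] - LOG_OPTS)}")
    m = re.fullmatch(r"(\d+)([hm]?)", fields[1]) if len(fields) > 1 else None
    if fields[0] not in METHODS or not m:
        raise ValueError("expected syslog|terminal|mail followed by a time")
    entry["method"] = fields[0]
    entry["seconds"] = int(m.group(1)) * UNITS[m.group(2)]
    extra = fields[2:]
    if extra and (entry["method"] != "mail" or len(extra) > 1):
        raise ValueError(f"unexpected trailing field(s): {extra}")
    entry["email"] = extra[0] if extra else None
    return entry

def audit(text):
    """Return (line_number, message) findings for the body of a warn.conf file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        try:
            e = parse_entry(line)
        except ValueError as err:
            findings.append((n, f"malformed: {err}"))
            continue
        if e["renew"] and not e["opts"]:
            findings.append((n, "renew with no log options: renew results are never logged"))
        elif e["renew"] and not e["opts"] & {"log", "log-failure"}:
            findings.append((n, "renew failures are not logged"))
    return findings

# Constructed sample: the page's two example entries plus three problem entries.
SAMPLE = ("* syslog 5m\n* renew:log terminal 30m\n* renew mail 1h ops@example.com\n"
          "admin/* renew:log-success syslog 600\n* pager 5m\n")
```

       Running audit(SAMPLE) reports lines 3, 4 and 5 of the sample and
       accepts both entries from Examples 1 and 2.
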
FILES
       /usr/lib/krb5/ktkt_warnd    Kerberos warning daemon

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       kinit(1), kdestroy(1), ktkt_warnd(1M), syslog.conf(4), utmpx(4),
       attributes(5), kerberos(5), pam_krb5(5)

NOTES
       The auto-renew of the TGT is attempted only if the user is logged in,
       as determined by examining utmpx(4).

SunOS 5.11                        30 Mar 2005                     warn.conf(4)