1 '\" te 2 .\" Copyright 1987, 1989 by the Student Information Processing Board of the Massachusetts Institute of Technology. For copying and distribution information, please see the file kerberosv5/mit-sipb-copyright.h. 3 .\" Portions Copyright (c) 2004, Sun Microsystems, Inc. All Rights Reserved 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 7 .TH WARN.CONF 4 "Mar 30, 2005" 8 .SH NAME 9 warn.conf \- Kerberos warning configuration file 10 .SH SYNOPSIS 11 .LP 12 .nf 13 /etc/krb5/warn.conf 14 .fi 15 16 .SH DESCRIPTION 17 .LP 18 The \fBwarn.conf\fR file contains configuration information specifying how 19 users will be warned by the \fBktkt_warnd\fR daemon about ticket expiration. In 20 addition, this file can be used to auto-renew the user's Ticket-Granting Ticket 21 (TGT) instead of warning the user. Credential expiration warnings and 22 auto-renew results are sent, by means of syslog, to \fBauth.notice\fR. 23 .sp 24 .LP 25 Each Kerberos client host must have a \fBwarn.conf\fR file in order for users 26 on that host to get Kerberos warnings from the client. Entries in the 27 \fBwarn.conf\fR file must have the following format: 28 .sp 29 .in +2 30 .nf 31 \fIprincipal\fR [renew[:\fIopt1\fR,...\fIoptN\fR]] syslog|terminal \fItime\fR 32 .fi 33 .in -2 34 35 .sp 36 .LP 37 or: 38 .sp 39 .in +2 40 .nf 41 \fIprincipal\fR [renew[:\fIopt1\fR,...\fIoptN\fR]] mail \fItime\fR [\fIemail address\fR] 42 .fi 43 .in -2 44 45 .sp 46 .ne 2 47 .na 48 \fB\fIprincipal\fR\fR 49 .ad 50 .RS 17n 51 Specifies the principal name to be warned. The asterisk (\fB*\fR) wildcard can 52 be used to specify groups of principals. 53 .RE 54 55 .sp 56 .ne 2 57 .na 58 \fB\fBrenew\fR\fR 59 .ad 60 .RS 17n 61 Automatically renew the credentials (TGT) until renewable lifetime expires. 62 This is equivalent to the user running \fBkinit\fR \fB-R\fR. 63 .sp 64 The renew options include: 65 .sp 66 .ne 2 67 .na 68 \fB\fBlog-success\fR\fR 69 .ad 70 .RS 15n 71 Log the result of the renew attempt on success using the specified method 72 (\fBsyslog\fR|\fBterminal\fR|\fBmail\fR). 73 .RE 74 75 .sp 76 .ne 2 77 .na 78 \fB\fBlog-failure\fR\fR 79 .ad 80 .RS 15n 81 Log the result of the renew attempt on failure using the specified method 82 (\fBsyslog\fR|\fBterminal\fR|\fBmail\fR). Some renew failure conditions are: 83 TGT renewable lifetime has expired, the KDCs are unavailable, or the cred cache 84 file has been removed. 85 .RE 86 87 .sp 88 .ne 2 89 .na 90 \fB\fBlog\fR\fR 91 .ad 92 .RS 15n 93 Same as specifying both \fBlog-success\fR and \fBlog-failure\fR. 94 .RE 95 96 .LP 97 Note - 98 .sp 99 .RS 2 100 If no log options are given, no logging is done. 101 .RE 102 .RE 103 104 .sp 105 .ne 2 106 .na 107 \fB\fBsyslog\fR\fR 108 .ad 109 .RS 17n 110 Sends the warnings to the system's syslog. Depending on the 111 \fB/etc/syslog.conf\fR file, syslog entries are written to the 112 \fB/var/adm/messages\fR file and/or displayed on the terminal. 113 .RE 114 115 .sp 116 .ne 2 117 .na 118 \fB\fBterminal\fR\fR 119 .ad 120 .RS 17n 121 Sends the warnings to display on the terminal. 122 .RE 123 124 .sp 125 .ne 2 126 .na 127 \fB\fBmail\fR\fR 128 .ad 129 .RS 17n 130 Sends the warnings as email to the address specified by \fIemail_address\fR. 131 .RE 132 133 .sp 134 .ne 2 135 .na 136 \fB\fItime\fR\fR 137 .ad 138 .RS 17n 139 Specifies how much time before the \fBTGT\fR expires when a warning should be 140 sent. The default time value is seconds, but you can specify \fBh\fR (hours) 141 and \fBm\fR (minutes) after the number to specify other time values. 142 .RE 143 144 .sp 145 .ne 2 146 .na 147 \fB\fIemail_address\fR\fR 148 .ad 149 .RS 17n 150 Specifies the email address at which to send the warnings. This field must be 151 specified only with the \fBmail\fR field. 152 .RE 153 154 .SH EXAMPLES 155 .LP 156 \fBExample 1 \fRSpecifying Warnings 157 .sp 158 .LP 159 The following \fBwarn.conf\fR entry 160 161 .sp 162 .in +2 163 .nf 164 \fB* syslog 5m\fR 165 .fi 166 .in -2 167 .sp 168 169 .sp 170 .LP 171 specifies that warnings will be sent to the syslog five minutes before the 172 expiration of the \fBTGT\fR for all principals. The form of the message is: 173 174 .sp 175 .in +2 176 .nf 177 jdb@ACME.COM: your kerberos credentials expire in 5 minutes 178 .fi 179 .in -2 180 .sp 181 182 .LP 183 \fBExample 2 \fRSpecifying Renewal 184 .sp 185 .LP 186 The following \fBwarn.conf\fR entry: 187 188 .sp 189 .in +2 190 .nf 191 * renew:log terminal 30m 192 .fi 193 .in -2 194 195 .sp 196 .LP 197 \&...specifies that renew results will be sent to the user's terminal 30 198 minutes before the expiration of the TGT for all principals. The form of the 199 message (on renew success) is: 200 201 .sp 202 .in +2 203 .nf 204 myname@ACME.COM: your kerberos credentials have been renewed 205 .fi 206 .in -2 207 208 .SH FILES 209 .ne 2 210 .na 211 \fB\fB/usr/lib/krb5/ktkt_warnd\fR\fR 212 .ad 213 .RS 28n 214 Kerberos warning daemon 215 .RE 216 217 .SH ATTRIBUTES 218 .LP 219 See \fBattributes\fR(5) for descriptions of the following attributes: 220 .sp 221 222 .sp 223 .TS 224 box; 225 c | c 226 l | l . 227 ATTRIBUTE TYPE ATTRIBUTE VALUE 228 _ 229 Interface Stability Evolving 230 .TE 231 232 .SH SEE ALSO 233 .LP 234 \fBkinit\fR(1), \fBkdestroy\fR(1), \fBktkt_warnd\fR(1M), \fBsyslog.conf\fR(4), 235 \fButmpx\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5), \fBpam_krb5\fR(5) 236 .SH NOTES 237 .LP 238 The auto-renew of the TGT is attempted only if the user is logged-in, as 239 determined by examining \fButmpx\fR(4).