12743 man page spelling mistakes
--- old/usr/src/man/man4/krb5.conf.4
+++ new/usr/src/man/man4/krb5.conf.4
1 1 '\" te
2 2 .\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH KRB5.CONF 4 "Nov 26, 2017"
6 +.TH KRB5.CONF 4 "May 16, 2020"
7 7 .SH NAME
8 8 krb5.conf \- Kerberos configuration file
9 9 .SH SYNOPSIS
10 -.LP
11 10 .nf
12 11 /etc/krb5/krb5.conf
13 12 .fi
14 13
15 14 .SH DESCRIPTION
16 -.LP
17 15 The \fBkrb5.conf\fR file contains Kerberos configuration information, including
18 16 the locations of \fBKDC\fRs and administration daemons for the Kerberos realms
19 17 of interest, defaults for the current realm and for Kerberos applications, and
20 18 mappings of host names onto Kerberos realms. This file must reside on all
21 19 Kerberos clients.
22 20 .sp
23 21 .LP
24 22 The format of the \fBkrb5.conf\fR consists of sections headings in square
25 23 brackets. Each section can contain zero or more configuration variables (called
26 24 \fIrelations\fR), of the form:
27 25 .sp
28 26 .LP
29 27 \fIrelation\fR= \fIrelation-value\fR
30 28 .sp
31 29 .LP
32 30 or
33 31 .sp
34 32 .LP
35 33 \fIrelation-subsection\fR = {
36 34 .br
37 35 .in +2
38 36 \fIrelation\fR= \fIrelation-value\fR
39 37 .in -2
40 38 .br
41 39 .in +2
42 40 \fIrelation\fR= \fIrelation-value\fR
43 41 .in -2
44 42 .sp
45 43 .LP
46 44 }
47 45 .sp
48 46 .LP
49 47 The \fBkrb5.conf\fR file can contain any or all of the following sections:
50 48 .sp
51 49 .ne 2
52 50 .na
53 51 \fB\fBlibdefaults\fR\fR
54 52 .ad
55 53 .sp .6
56 54 .RS 4n
57 55 Contains default values used by the Kerberos V5 library.
58 56 .RE
59 57
60 58 .sp
61 59 .ne 2
62 60 .na
63 61 \fB\fBappdefaults\fR\fR
64 62 .ad
65 63 .sp .6
66 64 .RS 4n
67 65 Contains subsections for Kerberos V5 applications, where
68 66 \fIrelation-subsection\fR is the name of an application. Each subsection
69 67 describes application-specific defaults.
70 68 .RE
71 69
72 70 .sp
73 71 .ne 2
74 72 .na
75 73 \fB\fBrealms\fR\fR
76 74 .ad
77 75 .sp .6
78 76 .RS 4n
79 77 Contains subsections for Kerberos realms, where \fIrelation-subsection\fR is
80 78 the name of a realm. Each subsection contains relations that define the
81 79 properties for that particular realm.
82 80 .RE
83 81
84 82 .sp
85 83 .ne 2
86 84 .na
87 85 \fB\fBdomain_realm\fR\fR
88 86 .ad
89 87 .sp .6
90 88 .RS 4n
91 89 Contains relations which map domain names and subdomains onto Kerberos realm
92 90 names. This is used by programs to determine what realm a host should be in,
93 91 given its fully qualified domain name.
94 92 .RE
95 93
96 94 .sp
97 95 .ne 2
98 96 .na
99 97 \fB\fBlogging\fR\fR
100 98 .ad
101 99 .sp .6
102 100 .RS 4n
103 101 Contains relations which determine how Kerberos programs are to perform
104 102 logging.
105 103 .RE
106 104
107 105 .sp
108 106 .ne 2
109 107 .na
110 108 \fB\fBcapaths\fR\fR
111 109 .ad
112 110 .sp .6
113 111 .RS 4n
114 112 Contains the authentication paths used with direct (nonhierarchical)
115 113 cross-realm authentication. Entries in this section are used by the client to
116 114 determine the intermediate realms which can be used in cross-realm
117 115 authentication. It is also used by the end-service when checking the transited
118 116 field for trusted intermediate realms.
119 117 .RE
120 118
121 119 .sp
122 120 .ne 2
123 121 .na
124 122 \fB\fBdbmodules\fR\fR
125 123 .ad
126 124 .sp .6
127 125 .RS 4n
128 126 Contains relations for Kerberos database plug-in-specific configuration
129 127 information.
130 128 .RE
131 129
132 130 .sp
133 131 .ne 2
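Review bot: since this change is a spelling pass, the DESCRIPTION paragraph in this hunk still reads "consists of sections headings in square brackets"; that should be "section headings" and belongs in the same change. The `.LP` removals after `.SH SYNOPSIS` and `.SH DESCRIPTION` are fine, as `.nf` and the following text already open a paragraph, so nothing is lost in rendering.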
107 lines elided
134 132 .na
135 133 \fB\fBkdc\fR\fR
136 134 .ad
137 135 .sp .6
138 136 .RS 4n
139 137 For a Key Distribution Center (\fBKDC\fR), can contain the location of the
140 138 \fBkdc.conf\fR file.
141 139 .RE
142 140
143 141 .SS "The \fB[libdefaults]\fR Section"
144 -.LP
145 142 The \fB[libdefaults]\fR section can contain any of the following relations:
146 143 .sp
147 144 .ne 2
148 145 .na
149 146 \fB\fBdatabase_module\fR\fR
150 147 .ad
151 148 .sp .6
152 149 .RS 4n
153 150 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
154 151 database. If this parameter is not present the code uses the standard
155 152 \fBdb2\fR-based Kerberos database.
156 153 .RE
157 154
158 155 .sp
159 156 .ne 2
160 157 .na
161 158 \fB\fBdefault_keytab_name\fR\fR
162 159 .ad
163 160 .sp .6
164 161 .RS 4n
165 162 Specifies the default keytab name to be used by application servers such as
166 163 \fBtelnetd\fR and \fBrlogind\fR. The default is \fB/etc/krb5/krb5.keytab\fR.
167 164 .RE
168 165
169 166 .sp
170 167 .ne 2
171 168 .na
172 169 \fB\fBdefault_realm\fR\fR
173 170 .ad
174 171 .sp .6
175 172 .RS 4n
176 173 Identifies the default Kerberos realm for the client. Set its value to your
177 174 Kerberos realm.
178 175 .RE
179 176
180 177 .sp
181 178 .ne 2
182 179 .na
183 180 \fB\fBdefault_tgs_enctypes\fR\fR
184 181 .ad
185 182 .sp .6
186 183 .RS 4n
187 184 Identifies the supported list of session key encryption types that should be
188 185 returned by the \fBKDC\fR. The list can be delimited with commas or whitespace.
189 186 The supported encryption types are \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR,
190 187 \fBdes-cbc-md5\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
191 188 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
192 189 .RE
193 190
194 191 .sp
195 192 .ne 2
196 193 .na
197 194 \fB\fBdefault_tkt_enctypes\fR\fR
198 195 .ad
199 196 .sp .6
200 197 .RS 4n
201 198 Identifies the supported list of session key encryption types that should be
202 199 requested by the client. The format is the same as for
203 200 \fBdefault_tgs_enctypes\fR. The supported encryption types are
204 201 \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR, \fBdes-cbc-md5\fR,
205 202 \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
206 203 \fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
207 204 .RE
208 205
209 206 .sp
210 207 .ne 2
211 208 .na
212 209 \fB\fBclockskew\fR\fR
213 210 .ad
214 211 .sp .6
215 212 .RS 4n
216 213 Sets the maximum allowable amount of clock skew in seconds that the library
217 214 tolerates before assuming that a Kerberos message is invalid. The default value
218 215 is 300 seconds, or five minutes.
219 216 .RE
220 217
221 218 .sp
222 219 .ne 2
223 220 .na
224 221 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
225 222 .ad
226 223 .sp .6
227 224 .RS 4n
228 225 Sets the "\fBforwardable\fR" flag in all tickets. This allows users to transfer
229 226 their credentials from one host to another without reauthenticating. This
230 227 option can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section
231 228 (see below) to limit its use in particular applications or just to a specific
232 229 realm.
233 230 .RE
234 231
235 232 .sp
236 233 .ne 2
237 234 .na
238 235 \fB\fBpermitted_enctypes\fR\fR
239 236 .ad
240 237 .sp .6
241 238 .RS 4n
242 239 This relation controls the encryption types for session keys permitted by
243 240 server applications that use Kerberos for authentication. In addition, it
244 241 controls the encryption types of keys added to a \fBkeytab\fR by means of the
245 242 \fBkadmin\fR(1M) \fBktadd\fR command. The default is:
246 243 \fBaes256-cts-hmac-sha1-96\fR, \fBaes128-cts-hmac-sha1-96\fR,
247 244 \fBdes3-hmac-sha1-kd\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
248 245 \fBdes-cbc-md5\fR, \fBdes-cbc-crc\fR.
249 246 .RE
250 247
251 248 .sp
252 249 .ne 2
253 250 .na
254 251 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
255 252 .ad
256 253 .sp .6
257 254 .RS 4n
258 255 Sets the \fBproxiable\fR flag in all tickets. This allows users to create a
259 256 proxy ticket that can be transferred to a kerberized service to allow that
260 257 service to perform some function on behalf of the original user. This option
261 258 can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section (see
262 259 below) to limit its use in particular applications or just to a specific realm.
263 260 .RE
264 261
265 262 .sp
266 263 .ne 2
267 264 .na
268 265 \fB\fBrenew_lifetime =\fR\fIlifetime\fR\fR
269 266 .ad
270 267 .sp .6
271 268 .RS 4n
272 269 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The value
273 270 for \fIlifetime\fR must be followed immediately by one of the following
274 271 delimiters:
275 272 .sp
276 273 .ne 2
277 274 .na
278 275 \fB\fBs\fR\fR
279 276 .ad
280 277 .sp .6
281 278 .RS 4n
282 279 seconds
283 280 .RE
284 281
285 282 .sp
286 283 .ne 2
287 284 .na
288 285 \fB\fBm\fR\fR
289 286 .ad
290 287 .sp .6
291 288 .RS 4n
292 289 minutes
293 290 .RE
294 291
295 292 .sp
296 293 .ne 2
297 294 .na
298 295 \fB\fBh\fR\fR
299 296 .ad
300 297 .sp .6
301 298 .RS 4n
302 299 hours
303 300 .RE
304 301
305 302 .sp
306 303 .ne 2
307 304 .na
308 305 \fB\fBd\fR\fR
309 306 .ad
310 307 .sp .6
311 308 .RS 4n
312 309 days
313 310 .RE
314 311
315 312 Example:
316 313 .sp
317 314 .in +2
318 315 .nf
319 316 \fBrenew_lifetime = 90m\fR
320 317 .fi
321 318 .in -2
322 319 .sp
323 320
324 321 Do not mix units. A value of "\fB3h30m\fR" results in an error.
325 322 .RE
326 323
327 324 .sp
328 325 .ne 2
329 326 .na
330 327 \fB\fBmax_lifetime =\fR\fIlifetime\fR\fR
331 328 .ad
332 329 .sp .6
333 330 .RS 4n
334 331 Sets the requested maximum lifetime of the ticket. The values for
335 332 \fIlifetime\fR follow the format described for the \fBrenew_lifetime\fR option,
336 333 above.
337 334 .RE
338 335
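Review bot: the `database_module` entry in this hunk says it "Selects the dbmodule section entry", but the section is introduced earlier as `[dbmodules]` (plural, bracketed); the same wording recurs under `[realms]` later in the file. Suggest `[dbmodules]` in both places so the cross-reference matches the section name. Separately, the `permitted_enctypes` default lists `des3-hmac-sha1-kd` while the `default_tgs_enctypes` and `default_tkt_enctypes` lists spell it `des3-cbc-sha1-kd`; worth checking which name the library accepts before a spelling pass rewrites either one.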
184 lines elided
339 336 .sp
340 337 .ne 2
341 338 .na
342 339 \fB\fBdns_lookup_kdc\fR\fR
343 340 .ad
344 341 .sp .6
345 342 .RS 4n
346 343 Indicates whether DNS SRV records need to be used to locate the KDCs and the
347 344 other servers for a realm, if they have not already been listed in the
348 345 \fB[realms]\fR section. This option makes the machine vulnerable to a certain
349 -type of DoS attack if somone spoofs the DNS records and does a redirect to
346 +type of DoS attack if someone spoofs the DNS records and does a redirect to
350 347 another server. This is, however, no worse than a DoS, since the bogus KDC is
351 348 unable to decode anything sent (excepting the initial ticket request, which has
352 349 no encrypted data). Also, anything the fake KDC sends out isl not trusted
353 350 without verification (the local machine is unaware of the secret key to be
354 351 used). If \fBdns_lookup_kdc\fR is not specified but \fBdns_fallback\fR is, then
355 352 that value is used instead. In either case, values (if present) in the
356 353 \fB[realms]\fR section override DNS. \fBdns_lookup_kdc\fR is enabled by
357 354 default.
358 355 .RE
359 356
360 357 .sp
361 358 .ne 2
362 359 .na
363 360 \fB\fBdns_lookup_realm\fR\fR
364 361 .ad
365 362 .sp .6
366 363 .RS 4n
367 364 Indicates whether DNS TXT records need to be used to determine the Kerberos
368 365 realm information and/or the host/domain name-to-realm mapping of a host, if
369 366 this information is not already present in the \fBkrb5.conf\fR file. Enabling
370 367 this option might make the host vulnerable to a redirection attack, wherein
371 368 spoofed DNS replies persuade a client to authenticate to the wrong realm. In a
372 369 realm with no cross-realm trusts, this a DoS attack. If \fBdns_lookup_realm\fR
373 370 is not specified but \fBdns_fallback\fR is, then that value is used instead. In
374 371 either case, values (if present) in the \fB[libdefaults]\fR and
375 372 \fB[domain_realm]\fR sections override DNS.
376 373 .RE
377 374
378 375 .sp
379 376 .ne 2
380 377 .na
381 378 \fB\fBdns_fallback\fR\fR
382 379 .ad
383 380 .sp .6
384 381 .RS 4n
385 382 Generic flag controlling the use of DNS for retrieval of information about
386 383 Kerberos servers and host/domain name-to-realm mapping. If both
387 384 \fBdns_lookup_kdc\fR and \fBdns_lookup_realm\fR have been specified, this
388 385 option has no effect.
389 386 .RE
390 387
391 388 .sp
392 389 .ne 2
393 390 .na
394 391 \fB\fBverify_ap_req_nofail [true | false]\fR\fR
395 392 .ad
396 393 .sp .6
397 394 .RS 4n
398 395 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
399 396 an entry for the local \fBhost\fR principal, for example,
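Review bot: the `somone` to `someone` fix is correct, but two lines further down the same `dns_lookup_kdc` paragraph still has "anything the fake KDC sends out isl not trusted" (`isl` should be `is`), and the `dns_lookup_realm` paragraph reads "In a realm with no cross-realm trusts, this a DoS attack" (missing "is"). Both are unchanged context in this hunk and should go in the same spelling change rather than a follow-up.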
40 lines elided
400 397 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
401 398 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
402 399 the host principal. If undefined, the behavior is as if this option were set to
403 400 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
404 401 \fBDNS\fR spoofing attacks. This parameter can be in the \fB[realms]\fR section
405 402 to set it on a per-realm basis, or it can be in the \fB[libdefaults]\fR section
406 403 to make it a network-wide setting for all realms.
407 404 .RE
408 405
409 406 .SS "The \fB[appdefaults]\fR Section"
410 -.LP
411 407 This section contains subsections for Kerberos V5 applications, where
412 408 \fIrelation-subsection\fR is the name of an application. Each subsection
413 409 contains relations that define the default behaviors for that application.
414 410 .sp
415 411 .LP
416 412 The following relations can be found in the \fB[appdefaults]\fR section, though
417 413 not all relations are recognized by all kerberized applications. Some are
418 414 specific to particular applications.
419 415 .sp
420 416 .ne 2
421 417 .na
422 418 \fB\fBautologin =\fR [\fBtrue\fR | \fBfalse\fR]\fR
423 419 .ad
424 420 .sp .6
425 421 .RS 4n
426 422 Forces the application to attempt automatic login by presenting Kerberos
427 423 credentials. This is valid for the following applications: \fBrlogin\fR,
428 424 \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
429 425 .RE
430 426
431 427 .sp
432 428 .ne 2
433 429 .na
434 430 \fB\fBencrypt =\fR [\fBtrue\fR | \fBfalse\fR]\fR
435 431 .ad
436 432 .sp .6
437 433 .RS 4n
438 434 Forces applications to use encryption by default (after authentication) to
439 435 protect the privacy of the sessions. This is valid for the following
440 436 applications: \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and
441 437 \fBtelnet\fR.
442 438 .RE
443 439
444 440 .sp
445 441 .ne 2
446 442 .na
447 443 \fB\fBforward =\fR [\fBtrue\fR | \fBfalse\fR]\fR
448 444 .ad
449 445 .sp .6
450 446 .RS 4n
451 447 Forces applications to forward the user'ss credentials (after authentication)
452 448 to the remote server. This is valid for the following applications:
453 449 \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
454 450 .RE
455 451
456 452 .sp
457 453 .ne 2
458 454 .na
459 455 \fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
460 456 .ad
461 457 .sp .6
462 458 .RS 4n
463 459 See the description in the \fB[libdefaults]\fR section above. This is used by
464 460 any application that creates a ticket granting ticket and also by applications
465 461 that can forward tickets to a remote server.
466 462 .RE
467 463
468 464 .sp
469 465 .ne 2
470 466 .na
471 467 \fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
472 468 .ad
473 469 .sp .6
474 470 .RS 4n
475 471 See the description in the \fB[libdefaults]\fR section above. This is used by
476 472 any application that creates a ticket granting ticket.
477 473 .RE
478 474
479 475 .sp
480 476 .ne 2
481 477 .na
482 478 \fB\fBrenewable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
483 479 .ad
484 480 .sp .6
485 481 .RS 4n
486 482 Creates a TGT that can be renewed (prior to the ticket expiration time). This
487 483 is used by any application that creates a ticket granting ticket.
488 484 .RE
489 485
490 486 .sp
491 487 .ne 2
492 488 .na
493 489 \fB\fBno_addresses =\fR [\fBtrue\fR | \fBfalse\fR]\fR
494 490 .ad
495 491 .sp .6
496 492 .RS 4n
497 493 Creates tickets with no address bindings. This is to allow tickets to be used
498 494 across a \fBNAT\fR boundary or when using multi-homed systems. This option is
499 495 valid in the \fBkinit\fR \fB[appdefault]\fR section only.
500 496 .RE
501 497
502 498 .sp
503 499 .ne 2
504 500 .na
505 501 \fB\fBmax_life =\fR\fIlifetime\fR\fR
506 502 .ad
507 503 .sp .6
508 504 .RS 4n
509 505 Sets the maximum lifetime of the ticket, with a total lifetime of
510 506 \fIlifetime\fR. The values for \fIlifetime\fR follow the format described in
511 507 the \fB[libdefaults]\fR section above. This option is obsolete and is removed
512 508 in a future release of the Solaris operating system.
513 509 .RE
514 510
515 511 .sp
516 512 .ne 2
517 513 .na
518 514 \fB\fBmax_renewable_life =\fR\fIlifetime\fR\fR
519 515 .ad
520 516 .sp .6
521 517 .RS 4n
522 518 Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The values
523 519 for \fIlifetime\fR follow the format described in the \fB[libdefaults]\fR
524 520 section above. This option is obsolete and is removed in a future release of
525 521 the Solaris operating system.
526 522 .RE
527 523
528 524 .sp
529 525 .ne 2
530 526 .na
531 527 \fB\fBrcmd_protocol =\fR [ \fBrcmdv1\fR | \fBrcmdv2\fR ]\fR
532 528 .ad
533 529 .sp .6
534 530 .RS 4n
535 531 Specifies which Kerberized "\fBrcmd\fR" protocol to use when using the
536 532 Kerberized \fBrlogin\fR(1), \fBrsh\fR(1), \fBrcp\fR(1), or \fBrdist\fR(1)
537 533 programs. The default is to use \fBrcmdv2\fR by default, as this is the more
538 534 secure and more recent update of the protocol. However, when talking to older
539 535 \fBMIT\fR or \fBSEAM\fR-based "\fBrcmd\fR" servers, it can be necessary to
540 536 force the new clients to use the older \fBrcmdv1\fR protocol. This option is
541 537 valid only for the following applications: \fBrlogin\fR, \fBrcp\fR, \fBrsh\fR,
542 538 and \fBrdist\fR.
543 539 .RE
544 540
545 541 .sp
546 542 .LP
547 543 The following application defaults can be set to \fBtrue\fR or \fBfalse\fR:
548 544 .sp
549 545 .in +2
550 546 .nf
551 547 kinit
552 548 forwardable = true
553 549 proxiable = true
554 550 renewable = true
555 551 no_addresses = true
556 552 max_life = \fIdelta_time\fR
557 553 max_renewable_life = \fIdelta_time\fR
558 554 .fi
559 555 .in -2
560 556 .sp
561 557
562 558 .sp
563 559 .LP
564 560 See \fBkinit\fR(1) for the valid time duration formats you can specify for
565 561 \fIdelta_time\fR.
566 562 .sp
567 563 .LP
568 564 In the following example, \fBkinit\fR gets forwardable tickets by default and
569 565 \fBtelnet\fR has three default behaviors specified:
570 566 .sp
571 567 .in +2
572 568 .nf
573 569 [appdefaults]
574 570 kinit = {
575 571 forwardable = true
576 572 }
577 573
578 574 telnet = {
579 575 forward = true
580 576 encrypt = true
581 577 autologin = true
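Review bot: two spelling-level slips remain in this hunk's context: the `forward` relation says "the user'ss credentials" (`user's`), and `no_addresses` refers to "the kinit [appdefault] section", where every other reference uses `[appdefaults]`. The `.LP` removal after `.SS "The [appdefaults] Section"` is consistent with the other heading fixes in this change.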
161 lines elided
582 578 }
583 579 .fi
584 580 .in -2
585 581 .sp
586 582
587 583 .sp
588 584 .LP
589 585 The application defaults specified here are overridden by those specified in
590 586 the \fB[realms]\fR section.
591 587 .SS "The \fB[realms]\fR Section"
592 -.LP
593 588 This section contains subsections for Kerberos realms, where
594 589 \fIrelation-subsection\fR is the name of a realm. Each subsection contains
595 590 relations that define the properties for that particular realm. The following
596 591 relations can be specified in each \fB[realms]\fR subsection:
597 592 .sp
598 593 .ne 2
599 594 .na
600 595 \fB\fBadmin_server\fR\fR
601 596 .ad
602 597 .sp .6
603 598 .RS 4n
604 599 Identifies the host where the Kerberos administration daemon (\fBkadmind\fR) is
605 600 running. Typically, this is the master \fBKDC\fR.
606 601 .RE
607 602
608 603 .sp
609 604 .ne 2
610 605 .na
611 606 \fB\fIapplication defaults\fR\fR
612 607 .ad
613 608 .sp .6
614 609 .RS 4n
615 610 Application defaults that are specific to a particular realm can be specified
616 611 within a \fB[realms]\fR subsection. Realm-specific application defaults
617 612 override the global defaults specified in the \fB[appdefaults]\fR section.
618 613 .RE
619 614
620 615 .sp
621 616 .ne 2
622 617 .na
623 618 \fB\fBauth_to_local_realm\fR\fR
624 619 .ad
625 620 .sp .6
626 621 .RS 4n
627 622 For use in the default realm, non-default realms can be equated with the
628 623 default realm for authenticated name-to-local name mapping.
629 624 .RE
630 625
631 626 .sp
632 627 .ne 2
633 628 .na
634 629 \fB\fBauth_to_local_names\fR\fR
635 630 .ad
636 631 .sp .6
637 632 .RS 4n
638 633 This subsection allows you to set explicit mappings from principal names to
639 634 local user names. The tag is the mapping name and the value is the
640 635 corresponding local user name.
641 636 .RE
642 637
643 638 .sp
644 639 .ne 2
645 640 .na
646 641 \fB\fBauth_to_local\fR\fR
647 642 .ad
648 643 .sp .6
649 644 .RS 4n
650 645 This tag allows you to set a general rule for mapping principal names to local
651 646 user names. It is used if there is not an explicit mapping for the principal
652 647 name that is being translated. The possible values are:
653 648 .sp
654 649 .in +2
655 650 .nf
656 651 RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
657 652 .fi
658 653 .in -2
659 654
660 655 Each rule has three parts:
661 656 .sp
662 657 .ne 2
663 658 .na
664 659 \fBFirst part\(emFormulate the string on which to perform operations:\fR
665 660 .ad
666 661 .sp .6
667 662 .RS 4n
668 663 If not present then the string defaults to the fully flattened principal minus
669 664 the realm name. Otherwise the syntax is as follows:
670 665 .sp
671 666 .in +2
672 667 .nf
673 668 "[" \fI<ncomps>\fR ":" \fI<format>\fR "]"
674 669 .fi
675 670 .in -2
676 671
677 672 Where:
678 673 .sp
679 674 \fI<ncomps>\fR is the number of expected components for this rule. If the
680 675 particular principal does not have this number of components, then this rule
681 676 does not apply.
682 677 .sp
683 678 \fI<format>\fR is a string of \fI<component>\fR or verbatim characters to be
684 679 inserted.
685 680 .sp
686 681 \fI<component>\fR is of the form "\fB$\fR"\fI<number>\fR to select the
687 682 \fI<number>\fRth component. \fI<number>\fR begins from 1.
688 683 .RE
689 684
690 685 .sp
691 686 .ne 2
692 687 .na
693 688 \fBSecond part\(emselect rule validity:\fR
694 689 .ad
695 690 .sp .6
696 691 .RS 4n
697 692 If not present, this rule can apply to all selections. Otherwise the syntax is
698 693 as follows:
699 694 .sp
700 695 .in +2
701 696 .nf
702 697 "(" \fI<regex>\fR ")"
703 698 .fi
704 699 .in -2
705 700
706 701 Where:
707 702 .sp
708 703 \fI<regex>\fR is a selector regular expression. If this regular expression
709 704 matches the whole pattern generated from the first part, then this rule still
710 705 applies.
711 706 .RE
712 707
713 708 .sp
714 709 .ne 2
715 710 .na
716 711 \fBThird part\(emTransform rule:\fR
717 712 .ad
718 713 .sp .6
719 714 .RS 4n
720 715 If not present, then the selection string is passed verbatim and is matched.
721 716 Otherwise, the syntax is as follows:
722 717 .sp
723 718 .in +2
724 719 .nf
725 720 \fI<rule>\fR ...
726 721 .fi
727 722 .in -2
728 723
729 724 Where:
730 725 .sp
731 726 \fI<rule>\fR is of the form:
732 727 .sp
733 728 .in +2
734 729 .nf
735 730 "s/" <regex> "/" <text> "/" ["g"]
736 731 .fi
737 732 .in -2
738 733
739 734 Regular expressions are defined in \fBregex\fR(5).
740 735 .sp
741 736 For example:
742 737 .sp
743 738 auth_to_local = RULE:[1:$1@$0](.*@.*ACME\.COM)s/@.*//
744 739 .sp
745 740 The preceding maps \fB\fIusername\fR@ACME.COM\fR and all sub-realms of
746 741 \fBACME.COM\fR to \fIusername\fR.
747 742 .RE
748 743
749 744 .sp
750 745 .ne 2
751 746 .na
752 747 \fBDEFAULT\fR
753 748 .ad
754 749 .sp .6
755 750 .RS 4n
756 751 The principal name is used as the local name. If the principal has more than
757 752 one component or is not in the default realm, this rule is not applicable and
758 753 the conversion fails.
759 754 .RE
760 755
761 756 .RE
762 757
763 758 .sp
764 759 .ne 2
765 760 .na
766 761 \fB\fBdatabase_module\fR\fR
767 762 .ad
768 763 .sp .6
769 764 .RS 4n
770 765 Selects the \fBdbmodule\fR section entry to use to access the Kerberos
771 766 database.
772 767 .RE
773 768
774 769 .sp
775 770 .ne 2
776 771 .na
777 772 \fB\fBextra_addresses\fR...\fR
778 773 .ad
779 774 .sp .6
780 775 .RS 4n
781 776 This allows a computer to use multiple local addresses, to allow Kerberos to
782 777 work in a network that uses NATs. The addresses should be in a comma-separated
783 778 list.
784 779 .RE
785 780
786 781 .sp
787 782 .ne 2
788 783 .na
789 784 \fB\fBkdc\fR\fR
790 785 .ad
791 786 .sp .6
792 787 .RS 4n
793 788 The name of a host running a \fBKDC\fR for that realm. An optional port number
794 789 (separated from the hostname by a colon) can be included.
795 790 .RE
796 791
797 792 .sp
798 793 .ne 2
799 794 .na
800 795 \fB\fBkpasswd_server\fR\fR
801 796 .ad
802 797 .sp .6
803 798 .RS 4n
804 799 Identifies the host where the Kerberos password-changing server is running.
805 800 Typically, this is the same as host indicated in the \fBadmin_server\fR. If
806 801 this parameter is omitted, the host in \fBadmin_server\fR is used. You can also
807 802 specify a port number if the server indicated by \fBkpasswd_server\fR runs on a
808 803 port other than 464 (the default). The format of this parameter is:
809 804 \fIhostname\fR[:\fIport\fR].
810 805 .RE
811 806
812 807 .sp
813 808 .ne 2
814 809 .na
815 810 \fB\fBkpasswd_protocol\fR\fR
816 811 .ad
817 812 .sp .6
818 813 .RS 4n
819 814 Identifies the protocol to be used when communicating with the server indicated
820 815 by \fBkpasswd_server\fR. By default, this parameter is defined to be
821 816 \fBRPCSEC_GSS\fR, which is the protocol used by Solaris-based administration
822 817 servers. To be able to change a principal's password stored on non-Solaris
823 818 Kerberos server, such as Microsoft Active Directory or \fBMIT\fR Kerberos, this
824 819 value should be \fBSET_CHANGE\fR. This indicates that a non-RPC- based protocol
825 820 is used to communicate the password change request to the server in the
826 821 \fBkpasswd_server\fR entry.
827 822 .RE
828 823
829 824 .sp
830 825 .ne 2
831 826 .na
832 827 \fB\fBudp_preference_limit\fR\fR
833 828 .ad
834 829 .sp .6
835 830 .RS 4n
836 831 When sending a message to the KDC, the library tries using TCP before UDP if
837 832 the size of the message is above \fBudp_preference_limit\fR. If the message is
838 833 smaller than \fBudp_preference_limit\fR, then UDP is tried before TCP.
839 834 Regardless of the size, both protocols are tried if the first attempt fails.
840 835 .RE
841 836
842 837 .sp
843 838 .ne 2
844 839 .na
845 840 \fB\fBverify_ap_req_nofail\fR [\fBtrue\fR | \fBfalse\fR]\fR
846 841 .ad
847 842 .sp .6
848 843 .RS 4n
849 844 If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
850 845 an entry for the local \fBhost\fR principal, for example,
851 846 \fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
852 847 \fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
853 848 the host principal. If undefined, the behavior is as if this option were set to
854 849 \fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
855 850 \fBDNS\fR spoofing attacks. This parameter might be in the \fB[realms]\fR
856 851 section to set it on a per-realm basis, or it might be in the
857 852 \fB[libdefaults]\fR section to make it a network-wide setting for all realms.
858 853 .RE
859 854
860 855 .sp
861 856 .LP
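Review bot: under `kpasswd_server` in this hunk, "this is the same as host indicated in the admin_server" is missing "the" ("the same as the host"), and under `kpasswd_protocol` the phrase "non-RPC- based" has a stray space after the hyphen. Both sit in unchanged context here and are the kind of typo this change is meant to cover.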
259 lines elided
862 857 The parameters "\fBforwardable\fR", "\fBproxiable\fR", and
863 858 "\fBrenew_lifetime\fR" as described in the \fB[libdefaults]\fR section (see
864 859 above) are also valid in the \fB[realms]\fR section.
865 860 .sp
866 861 .LP
867 862 Notice that \fBkpasswd_server\fR and \fBkpasswd_protocol\fR are realm-specific
868 863 parameters. Most often, you need to specify them only when using a
869 864 non-Solaris-based Kerberos server. Otherwise, the change request is sent over
870 865 \fBRPCSEC_GSS\fR to the Solaris Kerberos administration server.
871 866 .SS "The \fB[domain_realm]\fR Section"
872 -.LP
873 867 This section provides a translation from a domain name or hostname to a
874 868 Kerberos realm name. The \fIrelation\fR can be a host name, or a domain name,
875 869 where domain names are indicated by a period (`\fB\&.\fR') prefix.
876 870 \fIrelation-value\fR is the Kerberos realm name for that particular host or
877 871 domain. Host names and domain names should be in lower case.
878 872 .sp
879 873 .LP
880 874 If no translation entry applies, the host's realm is considered to be the
881 875 hostname's domain portion converted to upper case. For example, the following
882 876 \fB[domain_realm]\fR section maps \fBcrash.mit.edu\fR into the
883 877 \fBTEST.ATHENA.MIT.EDU\fR realm:
884 878 .sp
885 879 .in +2
886 880 .nf
887 881 [domain_realm]
888 882 .mit.edu = ATHENA.MIT.EDU
889 883 mit.edu = ATHENA.MIT.EDU
890 884 crash.mit.edu = TEST.ATHENA.MIT.EDU
891 885 .fubar.org = FUBAR.ORG
892 886 fubar.org = FUBAR.ORG
893 887 .fi
894 888 .in -2
12 lines elided
895 889 .sp
896 890
897 891 .sp
898 892 .LP
899 893 All other hosts in the \fBmit.edu\fR domain maps by default to the
900 894 \fBATHENA.MIT.EDU\fR realm, and all hosts in the \fBfubar.org\fR domain maps by
901 895 default into the \fBFUBAR.ORG\fR realm. The entries for the hosts \fBmit.edu\fR
902 896 and \fBfubar.org\fR. Without these entries, these hosts would be mapped into
903 897 the Kerberos realms \fBEDU\fR and \fBORG\fR, respectively.
904 898 .SS "The \fB[logging]\fR Section"
905 -.LP
906 899 This section indicates how Kerberos programs are to perform logging. There are
907 900 two types of relations for this section: relations to specify how to log and a
908 901 relation to specify how to rotate \fBkdc\fR log files.
909 902 .sp
910 903 .LP
911 904 The following relations can be defined to specify how to log. The same relation
912 905 can be repeated if you want to assign it multiple logging methods.
913 906 .sp
914 907 .ne 2
915 908 .na
916 909 \fB\fBadmin_server\fR\fR
917 910 .ad
918 911 .sp .6
919 912 .RS 4n
920 913 Specifies how to log the Kerberos administration daemon (\fBkadmind\fR). The
921 914 default is \fBFILE:/var/krb5/kadmin.log.\fR
922 915 .RE
923 916
924 917 .sp
925 918 .ne 2
926 919 .na
927 920 \fB\fBdefault\fR\fR
928 921 .ad
929 922 .sp .6
930 923 .RS 4n
931 924 Specifies how to perform logging in the absence of explicit specifications
932 925 otherwise.
933 926 .RE
934 927
935 928 .sp
936 929 .ne 2
937 930 .na
938 931 \fB\fBkdc\fR\fR
939 932 .ad
940 933 .sp .6
941 934 .RS 4n
942 935 Specifies how the \fBKDC\fR is to perform its logging. The default is
943 936 \fBFILE:/var/krb5/kdc.log\fR.
944 937 .RE
945 938
946 939 .sp
947 940 .LP
948 941 The \fBadmin_server\fR, \fBdefault\fR, and \fBkdc\fR relations can have the
949 942 following values:
950 943 .sp
951 944 .ne 2
952 945 .na
953 946 \fB\fBFILE:\fR\fIfilename\fR\fR
954 947 .ad
955 948 .br
956 949 .na
957 950 \fB\fBFILE=\fR\fIfilename\fR\fR
958 951 .ad
959 952 .sp .6
960 953 .RS 4n
961 954 This value causes the entity's logging messages to go to the specified file. If
962 955 the `=' form is used, the file is overwritten. If the `:' form is used, the
963 956 file is appended to.
964 957 .RE
965 958
966 959 .sp
967 960 .ne 2
968 961 .na
969 962 \fB\fBSTDERR\fR\fR
970 963 .ad
971 964 .sp .6
972 965 .RS 4n
973 966 This value causes the entity's logging messages to go to its standard error
974 967 stream.
975 968 .RE
976 969
977 970 .sp
978 971 .ne 2
979 972 .na
980 973 \fB\fBCONSOLE\fR\fR
981 974 .ad
982 975 .sp .6
983 976 .RS 4n
984 977 This value causes the entity's logging messages to go to the console, if the
985 978 system supports it.
986 979 .RE
987 980
988 981 .sp
989 982 .ne 2
990 983 .na
991 984 \fB\fBDEVICE=\fR\fIdevicename\fR\fR
992 985 .ad
993 986 .sp .6
994 987 .RS 4n
995 988 This causes the entity's logging messages to go to the specified device.
996 989 .RE
997 990
998 991 .sp
999 992 .ne 2
1000 993 .na
1001 994 \fB\fBSYSLOG[:\fR\fIseverity\fR\fB[:\fR\fIfacility\fR\fB]]\fR\fR
1002 995 .ad
1003 996 .sp .6
1004 997 .RS 4n
1005 998 This causes the entity's logging messages to go to the system log.
1006 999 .RE
1007 1000
1008 1001 .sp
1009 1002 .LP
1010 1003 The \fIseverity\fR argument specifies the default severity of system log
1011 1004 messages. This can be any of the following severities supported by the
1012 1005 \fBsyslog\fR(3C) call, minus the \fBLOG_\fR prefix: \fBLOG_EMERG\fR,
1013 1006 \fBLOG_ALERT\fR, \fBLOG_CRIT\fR, \fBLOG_ERR\fR, \fBLOG_WARNING\fR,
1014 1007 \fBLOG_NOTICE\fR, \fBLOG_INFO\fR, and \fBLOG_DEBUG\fR. For example, a value of
1015 1008 \fBCRIT\fR would specify \fBLOG_CRIT\fR severity.
1016 1009 .sp
1017 1010 .LP
1018 1011 The \fIfacility\fR argument specifies the facility under which the messages are
1019 1012 logged. This can be any of the following facilities supported by the
1020 1013 \fBsyslog\fR(3C) call minus the \fBLOG_\fR prefix: \fBLOG_KERN\fR,
1021 1014 \fBLOG_USER\fR, \fBLOG_MAIL\fR, \fBLOG_DAEMON\fR, \fBLOG_AUTH\fR,
1022 1015 \fBLOG_LPR\fR, \fBLOG_NEWS\fR, \fBLOG_UUCP\fR, \fBLOG_CRON\fR, and
1023 1016 \fBLOG_LOCAL0\fR through \fBLOG_LOCAL7\fR.
1024 1017 .sp
1025 1018 .LP
1026 1019 If no severity is specified, the default is \fBERR\fR. If no facility is
1027 1020 specified, the default is \fBAUTH\fR.
1028 1021 .sp
1029 1022 .LP
1030 1023 The following relation can be defined to specify how to rotate \fBkdc\fR log
1031 1024 files if the \fBFILE:\fR value is being used to log:
1032 1025 .sp
1033 1026 .ne 2
1034 1027 .na
1035 1028 \fB\fBkdc_rotate\fR\fR
1036 1029 .ad
1037 1030 .sp .6
1038 1031 .RS 4n
1039 1032 A relation subsection that enables \fBkdc\fR logging to be rotated to multiple
1040 1033 files based on a time interval. This can be used to avoid logging to one file,
1041 1034 which might grow too large and bring the \fBKDC\fR to a halt.
1042 1035 .RE
1043 1036
1044 1037 .sp
1045 1038 .LP
1046 1039 The time interval for the rotation is specified by the \fBperiod\fR relation.
1047 1040 The number of log files to be rotated is specified by the \fBversions\fR
1048 1041 relation. Both the \fBperiod\fR and \fBversions\fR (described below) should be
1049 1042 included in this subsection. And, this subsection applies only if the \fBkdc\fR
1050 1043 relation has a \fBFILE:\fR value.
1051 1044 .sp
1052 1045 .LP
1053 1046 The following relations can be specified for the \fBkdc_rotate\fR relation
1054 1047 subsection:
1055 1048 .sp
1056 1049 .ne 2
1057 1050 .na
1058 1051 \fB\fB\fR\fBperiod=\fIdelta_time\fR\fR\fR
1059 1052 .ad
1060 1053 .sp .6
1061 1054 .RS 4n
1062 1055 Specifies the time interval before a new log file is created. See the
1063 1056 \fBTime\fR\fBFormats\fR section in \fBkinit\fR(1) for the valid time duration
1064 1057 formats you can specify for \fIdelta_time\fR. If \fBperiod\fR is not specified
1065 1058 or set to \fBnever\fR, no rotation occurs.
1066 1059 .RE
1067 1060
1068 1061 .sp
1069 1062 .LP
1070 1063 Specifying a time interval does not mean that the log files are rotated at the
1071 1064 time interval based on real time. This is because the time interval is checked
1072 1065 at each attempt to write a record to the log, or when logging is actually
1073 1066 occurring. Therefore, rotation occurs only when logging has actually occurred
1074 1067 for the specified time interval.
1075 1068 .sp
1076 1069 .ne 2
1077 1070 .na
1078 1071 \fB\fBversions=\fR\fInumber\fR\fR
1079 1072 .ad
1080 1073 .sp .6
1081 1074 .RS 4n
1082 1075 Specifies how many previous versions are saved before the rotation begins. A
1083 1076 number is appended to the log file, starting with 0 and ending with
1084 1077 (\fInumber\fR - 1). For example, if \fBversions\fR is set to \fB2\fR, up to
1085 1078 three logging files are created (\fIfilename\fR, \fIfilename\fR.0, and
1086 1079 \fIfilename\fR.1) before the first one is overwritten to begin the rotation.
1087 1080 .RE
1088 1081
1089 1082 .sp
1090 1083 .LP
1091 1084 Notice that if \fBversions\fR is not specified or set to \fB0\fR, only one log
1092 1085 file is created, but it is overwritten whenever the time interval is met.
1093 1086 .sp
1094 1087 .LP
1095 1088 In the following example, the logging messages from the Kerberos administration
1096 1089 daemon goes to the console. The logging messages from the \fBKDC\fR is appended
1097 1090 to the \fB/var/krb5/kdc.log\fR, which is rotated between twenty-one log files
1098 1091 with a specified time interval of a day.
1099 1092 .sp
1100 1093 .in +2
1101 1094 .nf
1102 1095 [logging]
1103 1096 admin_server = CONSOLE
1104 1097 kdc = FILE:/export/logging/kadmin.log
1105 1098 kdc_rotate = {
1106 1099 period = 1d
1107 1100 versions = 20
1108 1101 }
1109 1102 .fi
1110 1103 .in -2
1111 1104 .sp
1112 1105
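Review bot: the [logging] example contradicts its own description: the prose says the KDC messages are appended to \fB/var/krb5/kdc.log\fR, but the example reads `kdc = FILE:/export/logging/kadmin.log`, which looks like a copy of the admin_server default; either the path in the example or the sentence should change. The same paragraph has two agreement errors worth fixing in a spelling/grammar change: "the Kerberos administration daemon goes to the console" should be "go to the console" (the subject is "messages"), and "The logging messages from the \fBKDC\fR is appended" should be "are appended". The file count is right as written: with `versions = 20` you get the live file plus .0 through .19, twenty-one files.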
1113 1106 .SS "The \fB[capaths]\fR Section"
1114 -.LP
1115 1107 In order to perform direct (non-hierarchical) cross-realm authentication, a
1116 1108 database is needed to construct the authentication paths between the realms.
1117 1109 This section defines that database.
1118 1110 .sp
1119 1111 .LP
1120 1112 A client uses this section to find the authentication path between its realm
1121 1113 and the realm of the server. The server uses this section to verify the
1122 1114 authentication path used by the client, by checking the transited field of the
1123 1115 received ticket.
1124 1116 .sp
1125 1117 .LP
1126 1118 There is a subsection for each participating realm, and each subsection has
1127 1119 relations named for each of the realms. The \fIrelation-value\fR is an
1128 1120 intermediate realm which can participate in the cross-realm authentication. The
1129 1121 relations can be repeated if there is more than one intermediate realm. A value
1130 1122 of '.' means that the two realms share keys directly, and no intermediate
1131 1123 realms should be allowed to participate.
1132 1124 .sp
1133 1125 .LP
1134 1126 There are n**2 possible entries in this table, but only those entries which is
1135 1127 needed on the client or the server need to be present. The client needs a
1136 1128 subsection named for its local realm, with relations named for all the realms
1137 1129 of servers it needs to authenticate with. A server needs a subsection named for
1138 1130 each realm of the clients it serves.
1139 1131 .sp
1140 1132 .LP
1141 1133 For example, \fBANL.GOV\fR, \fBPNL.GOV\fR, and \fBNERSC.GOV\fR all wish to use
1142 1134 the \fBES.NET\fR realm as an intermediate realm. \fBANL\fR has a sub realm of
1143 1135 \fBTEST.ANL.GOV\fR, which authenticates with \fBNERSC.GOV\fR but not
1144 1136 \fBPNL.GOV\fR. The \fB[capath]\fR section for \fBANL.GOV\fR systems would look
1145 1137 like this:
1146 1138 .sp
1147 1139 .in +2
1148 1140 .nf
1149 1141 [capaths]
1150 1142 ANL.GOV = {
1151 1143 TEST.ANL.GOV = .
1152 1144 PNL.GOV = ES.NET
1153 1145 NERSC.GOV = ES.NET
1154 1146 ES.NET = .
1155 1147 }
1156 1148
1157 1149 TEST.ANL.GOV = {
1158 1150 ANL.GOV = .
1159 1151 }
1160 1152
1161 1153 PNL.GOV = {
1162 1154 ANL.GOV = ES.NET
1163 1155 }
1164 1156
1165 1157 NERSC.GOV = {
1166 1158 ANL.GOV = ES.NET
1167 1159 }
1168 1160
1169 1161 ES.NET = {
1170 1162 ANL.GOV = .
1171 1163 }
1172 1164 .fi
1173 1165 .in -2
1174 1166 .sp
1175 1167
1176 1168 .sp
1177 1169 .LP
1178 1170 The \fB[capath]\fR section of the configuration file used on \fBNERSC.GOV\fR
1179 1171 systems would look like this:
1180 1172 .sp
1181 1173 .in +2
1182 1174 .nf
1183 1175 [capaths]
1184 1176 NERSC.GOV = {
1185 1177 ANL.GOV = ES.NET
1186 1178 TEST.ANL.GOV = ES.NET
1187 1179 TEST.ANL.GOV = ANL.GOV
1188 1180 PNL.GOV = ES.NET
1189 1181 ES.NET = .
1190 1182 }
1191 1183
1192 1184 ANL.GOV = {
1193 1185 NERSC.GOV = ES.NET
1194 1186 }
1195 1187
1196 1188 PNL.GOV = {
1197 1189 NERSC.GOV = ES.NET
1198 1190 }
1199 1191
1200 1192 ES.NET = {
1201 1193 NERSC.GOV = .
1202 1194 }
1203 1195
1204 1196 TEST.ANL.GOV = {
1205 1197 NERSC.GOV = ANL.GOV
1206 1198 NERSC.GOV = ES.NET
1207 1199 }
1208 1200 .fi
1209 1201 .in -2
1210 1202 .sp
1211 1203
1212 1204 .sp
1213 1205 .LP
1214 1206 In the above examples, the ordering is not important, except when the same
1215 1207 relation is used more than once. The client uses this to determine the path.
1216 1208 (It is not important to the server, since the transited field is not sorted.)
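Review bot: \fB[capath]\fR in "The \fB[capath]\fR section for \fBANL.GOV\fR systems would look like this" and again in "The \fB[capath]\fR section of the configuration file used on \fBNERSC.GOV\fR systems" should be \fB[capaths]\fR, which is the name the heading and both examples use; a reader searching for the section name will miss these two sentences. In the same region, "only those entries which is needed on the client or the server need to be present" should read "which are needed".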
1217 1209 .SS "PKINIT-specific Options"
1218 -.LP
1219 1210 The following are \fBpkinit-specific\fR options. These values can be specified
1220 1211 in \fB[libdefaults]\fR as global defaults, or within a realm-specific
1221 1212 subsection of \fB[libdefaults]\fR, or can be specified as realm-specific values
1222 1213 in the \fB[realms]\fR section. A realm-specific value overrides, does not add
1223 1214 to, a generic \fB[libdefaults]\fR specification.
1224 1215 .sp
1225 1216 .LP
1226 1217 The search order is:
1227 1218 .RS +4
1228 1219 .TP
1229 1220 1.
1230 1221 realm-specific subsection of \fB[libdefaults]\fR
1231 1222 .sp
1232 1223 .in +2
1233 1224 .nf
1234 1225 [libdefaults]
1235 1226 EXAMPLE.COM = {
1236 1227 pkinit_anchors = FILE:/usr/local/example.com.crt
1237 1228 .fi
1238 1229 .in -2
1239 1230
1240 1231 .RE
1241 1232 .RS +4
1242 1233 .TP
1243 1234 2.
1244 1235 realm-specific value in the \fB[realms]\fR section
1245 1236 .sp
1246 1237 .in +2
1247 1238 .nf
1248 1239 [realms]
1249 1240 OTHERREALM.ORG = {
1250 1241 pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
1251 1242 .fi
1252 1243 .in -2
1253 1244
1254 1245 .RE
1255 1246 .RS +4
1256 1247 .TP
1257 1248 3.
1258 1249 generic value in the \fB[libdefaults]\fR section
1259 1250 .sp
1260 1251 .in +2
1261 1252 .nf
1262 1253 [libdefaults]
1263 1254 pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
1264 1255 .fi
1265 1256 .in -2
1266 1257
1267 1258 .RE
1268 1259 .sp
1269 1260 .LP
1270 1261 The syntax for specifying Public Key identity, trust, and revocation
1271 1262 information for \fBpkinit\fR is as follows:
1272 1263 .sp
1273 1264 .ne 2
1274 1265 .na
1275 1266 \fB\fBpkinit_identities\fR \fB=\fR \fIURI\fR\fR
1276 1267 .ad
1277 1268 .sp .6
1278 1269 .RS 4n
1279 1270 Specifies the location(s) to be used to find the user's X.509 identity
1280 1271 information. This option can be specified multiple times. Each value is
1281 1272 attempted in order until identity information is found and authentication is
1282 1273 attempted. These values are not used if the user specifies
1283 1274 \fBX509_user_identity\fR on the command line.
1284 1275 .sp
1285 1276 Valid \fIURI\fR types are \fBFILE\fR, \fBDIR\fR, \fBPKCS11\fR, \fBPKCS12\fR,
1286 1277 and \fBENV\fR. See the \fBPKINIT URI Types\fR section for more details.
1287 1278 .RE
1288 1279
1289 1280 .sp
1290 1281 .ne 2
1291 1282 .na
1292 1283 \fB\fBpkinit_anchors\fR \fB=\fR \fIURI\fR\fR
1293 1284 .ad
1294 1285 .sp .6
1295 1286 .RS 4n
1296 1287 Specifies the location of trusted anchor (root) certificates which the client
1297 1288 trusts to sign KDC certificates. This option can be specified multiple times.
1298 1289 These values from the \fBconfig\fR file are not used if the user specifies
1299 1290 \fBX509_anchors\fR on the command line.
1300 1291 .sp
1301 1292 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1302 1293 Types\fR section for more details.
1303 1294 .RE
1304 1295
1305 1296 .sp
1306 1297 .ne 2
1307 1298 .na
1308 1299 \fB\fBpkinit_pool\fR \fB=\fR \fIURI\fR\fR
1309 1300 .ad
1310 1301 .sp .6
1311 1302 .RS 4n
1312 1303 Specifies the location of intermediate certificates which can be used by the
1313 1304 client to complete the trust chain between a KDC certificate and a trusted
1314 1305 anchor. This option can be specified multiple times.
1315 1306 .sp
1316 1307 Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
1317 1308 Types\fR section for more details.
1318 1309 .RE
1319 1310
1320 1311 .sp
1321 1312 .ne 2
1322 1313 .na
1323 1314 \fB\fBpkinit_revoke\fR \fB=\fR \fIURI\fR\fR
1324 1315 .ad
1325 1316 .sp .6
1326 1317 .RS 4n
1327 1318 Specifies the location of Certificate Revocation List (CRL) information to be
1328 1319 used by the client when verifying the validity of the KDC certificate
1329 1320 presented. This option can be specified multiple times.
1330 1321 .sp
1331 1322 The only valid \fIURI\fR type is \fBDIR\fR. See the \fBPKINIT URI Types\fR
1332 1323 section for more details.
1333 1324 .RE
1334 1325
1335 1326 .sp
1336 1327 .ne 2
1337 1328 .na
1338 1329 \fB\fBpkinit_require_crl_checking\fR \fB=\fR \fIvalue\fR\fR
1339 1330 .ad
1340 1331 .sp .6
1341 1332 .RS 4n
1342 1333 The default certificate verification process always checks the available
1343 1334 revocation information to see if a certificate has been revoked. If a match is
1344 1335 found for the certificate in a CRL, verification fails. If the certificate
1345 1336 being verified is not listed in a CRL, or there is no CRL present for its
1346 1337 issuing CA, and \fBpkinit_require_crl_checking\fR is \fBfalse\fR, then
1347 1338 verification succeeds. However, if \fBpkinit_require_crl_checking\fR is
1348 1339 \fBtrue\fR and there is no CRL information available for the issuing CA, then
1349 1340 verification fails. \fBpkinit_require_crl_checking\fR should be set to
1350 1341 \fBtrue\fR if the policy is such that up-to-date CRLs must be present for every
1351 1342 CA.
1352 1343 .RE
1353 1344
1354 1345 .sp
1355 1346 .ne 2
1356 1347 .na
1357 1348 \fB\fBpkinit_dh_min_bits\fR \fB=\fR \fIvalue\fR\fR
1358 1349 .ad
1359 1350 .sp .6
1360 1351 .RS 4n
1361 1352 Specifies the size of the Diffie-Hellman key the client attempts to use. The
1362 1353 acceptable values are currently 1024, 2048, and 4096. The default is 2048.
1363 1354 .RE
1364 1355
1365 1356 .sp
1366 1357 .ne 2
1367 1358 .na
1368 1359 \fB\fBpkinit_win2k\fR \fB=\fR \fIvalue\fR\fR
1369 1360 .ad
1370 1361 .sp .6
1371 1362 .RS 4n
1372 1363 This flag specifies whether the target realm is assumed to support only the
1373 1364 old, pre-RFC version of the protocol. The default is \fBfalse\fR.
1374 1365 .RE
1375 1366
1376 1367 .sp
1377 1368 .ne 2
1378 1369 .na
1379 1370 \fB\fBpkinit_win2k_require_binding\fR \fB=\fR \fIvalue\fR\fR
1380 1371 .ad
1381 1372 .sp .6
1382 1373 .RS 4n
1383 1374 If this flag is set to \fBtrue\fR, it expects that the target KDC is patched to
1384 1375 return a reply with a checksum rather than a nonce. The default is \fBfalse\fR.
1385 1376 .RE
1386 1377
1387 1378 .sp
1388 1379 .ne 2
1389 1380 .na
1390 1381 \fB\fBpkinit_eku_checking\fR \fB=\fR \fIvalue\fR\fR
1391 1382 .ad
1392 1383 .sp .6
1393 1384 .RS 4n
1394 1385 This option specifies what Extended Key Usage value the KDC certificate
1395 1386 presented to the client must contain. If the KDC certificate has the \fBpkinit
1396 1387 SubjectAlternativeName\fR encoded as the Kerberos TGS name, EKU checking is not
1397 1388 necessary since the issuing CA has certified this as a KDC certificate. The
1398 1389 values recognized in the \fBkrb5.conf\fR file are:
1399 1390 .sp
1400 1391 .ne 2
1401 1392 .na
1402 1393 \fB\fBkpKDC\fR\fR
1403 1394 .ad
1404 1395 .RS 16n
1405 1396 This is the default value and specifies that the KDC must have the
1406 1397 \fBid-pkinit-KPKdc EKU\fR as defined in RFC4556.
1407 1398 .RE
1408 1399
1409 1400 .sp
1410 1401 .ne 2
1411 1402 .na
1412 1403 \fB\fBkpServerAuth\fR\fR
1413 1404 .ad
1414 1405 .RS 16n
1415 1406 If \fBkpServerAuth\fR is specified, a KDC certificate with the
1416 1407 \fBid-kp-serverAuth EKU\fR as used by Microsoft is accepted.
1417 1408 .RE
1418 1409
1419 1410 .sp
1420 1411 .ne 2
1421 1412 .na
1422 1413 \fB\fBnone\fR\fR
1423 1414 .ad
1424 1415 .RS 16n
1425 1416 If \fBnone\fR is specified, then the KDC certificate is not checked to verify
1426 1417 it has an acceptable EKU. The use of this option is not recommended.
1427 1418 .RE
1428 1419
1429 1420 .RE
1430 1421
1431 1422 .sp
1432 1423 .ne 2
1433 1424 .na
1434 1425 \fB\fBpkinit_kdc_hostname\fR \fB=\fR \fIvalue\fR\fR
1435 1426 .ad
1436 1427 .sp .6
1437 1428 .RS 4n
1438 1429 The presence of this option indicates that the client is willing to accept a
1439 1430 KDC certificate with a \fBdNSName\fR SAN (Subject Alternative Name) rather than
1440 1431 requiring the \fBid-pkinit-san\fR as defined in RFC4556. This option can be
1441 1432 specified multiple times. Its value should contain the acceptable hostname for
1442 1433 the KDC (as contained in its certificate).
1443 1434 .RE
1444 1435
1445 1436 .sp
1446 1437 .ne 2
1447 1438 .na
1448 1439 \fB\fBpkinit_cert_match\fR \fB=\fR \fIrule\fR\fR
1449 1440 .ad
1450 1441 .sp .6
1451 1442 .RS 4n
1452 1443 Specifies matching rules that the client certificate must match before it is
1453 1444 used to attempt \fBpkinit\fR authentication. If a user has multiple
1454 1445 certificates available (on a smart card, or by way of another media), there
1455 1446 must be exactly one certificate chosen before attempting \fBpkinit\fR
1456 1447 authentication. This option can be specified multiple times. All the
1457 1448 available certificates are checked against each rule in order until there is a
1458 1449 match of exactly one certificate.
1459 1450 .sp
1460 1451 The Subject and Issuer comparison strings are the RFC2253 string
1461 1452 representations from the certificate Subject DN and Issuer DN values.
1462 1453 .sp
1463 1454 The syntax of the matching rules is:
1464 1455 .sp
1465 1456 .in +2
1466 1457 .nf
1467 1458 [relation-operator]component-rule `...'
1468 1459 .fi
1469 1460 .in -2
1470 1461
1471 1462 where
1472 1463 .sp
1473 1464 .ne 2
1474 1465 .na
1475 1466 \fB\fIrelation-operator\fR\fR
1476 1467 .ad
1477 1468 .RS 21n
1478 1469 Specify \fIrelation-operator\fR as \fB&&\fR, meaning all component rules must
1479 1470 match, or \fB||\fR, meaning only one component rule must match. If
1480 1471 \fIrelation-operator\fR is not specified, the default is \fB&&\fR\&.
1481 1472 .RE
1482 1473
1483 1474 .sp
1484 1475 .ne 2
1485 1476 .na
1486 1477 \fB\fIcomponent-rule\fR\fR
1487 1478 .ad
1488 1479 .RS 21n
1489 1480 There is no punctuation or white space between component rules.Specify
1490 1481 \fIcomponent-rule\fR as one of the following:
1491 1482 .sp
1492 1483 .in +2
1493 1484 .nf
1494 1485 `<SUBJECT>'regular-expression
1495 1486
1496 1487 `<ISSUER>'regular-expression
1497 1488
1498 1489 `<SAN>'regular-expression
1499 1490
1500 1491 `<EKU>'extended-key-usage-list
1501 1492 where extended-key-usage-list is a comma-separated list
1502 1493 of required Extended Key Usage values. All values in
1503 1494 the list must be present in the certificate.
1504 1495 `pkinit'
1505 1496 `msScLogin'
1506 1497 `clientAuth'
1507 1498 `emailProtection'
1508 1499 `<KU>'key-usage-list
1509 1500 where key-usage-list is a comma-separated list of
1510 1501 required Key Usage values. All values in the list must
1511 1502 be present in the certificate.
1512 1503 `digitalSignature'
1513 1504 .fi
1514 1505 .in -2
1515 1506
1516 1507 .RE
1517 1508
1518 1509 Examples:
1519 1510 .sp
1520 1511 .in +2
1521 1512 .nf
1522 1513 pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
1523 1514 pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
1524 1515 pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
1525 1516 .fi
1526 1517 .in -2
1527 1518
1528 1519 .RE
1529 1520
1530 1521 .SS "PKINIT URI Types"
1531 1522 .ne 2
1532 1523 .na
1533 1524 \fB\fBFILE:\fR\fIfile-name[,key-file-name]\fR\fR
1534 1525 .ad
1535 1526 .sp .6
1536 1527 .RS 4n
1537 1528 This option has context-specific behavior.
1538 1529 .sp
1539 1530 .ne 2
1540 1531 .na
1541 1532 \fB\fBpkinit_identities\fR\fR
1542 1533 .ad
1543 1534 .RS 21n
1544 1535 \fIfile-name\fR specifies the name of a PEM-format file containing the user's
1545 1536 certificate. If \fIkey-file-name\fR is not specified, the user's private key
1546 1537 is expected to be in \fIfile-name\fR as well. Otherwise, \fIkey-file-name\fR
1547 1538 is the name of the file containing the private key.
1548 1539 .RE
1549 1540
1550 1541 .sp
1551 1542 .ne 2
1552 1543 .na
1553 1544 \fB\fBpkinit_anchors\fR\fR
1554 1545 .ad
1555 1546 .br
1556 1547 .na
1557 1548 \fB\fBpkinit_pool\fR\fR
1558 1549 .ad
1559 1550 .RS 21n
1560 1551 \fIfile-name\fR is assumed to be the name of an \fBOpenSSL-style ca-bundle\fR
1561 1552 file. The \fBca-bundle\fR file should be base-64 encoded.
1562 1553 .RE
1563 1554
1564 1555 .RE
1565 1556
1566 1557 .sp
1567 1558 .ne 2
1568 1559 .na
1569 1560 \fB\fBDIR:\fR\fIdirectory-name\fR\fR
1570 1561 .ad
1571 1562 .sp .6
1572 1563 .RS 4n
1573 1564 This option has context-specific behavior.
1574 1565 .sp
1575 1566 .ne 2
1576 1567 .na
1577 1568 \fB\fBpkinit_identities\fR\fR
1578 1569 .ad
1579 1570 .RS 21n
1580 1571 \fIdirectory-name\fR specifies a directory with files named \fB*.crt\fR and
1581 1572 \fB*.key\fR, where the first part of the file name is the same for matching
1582 1573 pairs of certificate and private key files. When a file with a name ending with
1583 1574 \&.\fBcrt\fR is found, a matching file ending with \fB\&.key\fR is assumed to
1584 1575 contain the private key. If no such file is found, then the certificate in the
1585 1576 \fB\&.crt\fR is not used.
1586 1577 .RE
1587 1578
1588 1579 .sp
1589 1580 .ne 2
1590 1581 .na
1591 1582 \fB\fBpkinit_anchors\fR\fR
1592 1583 .ad
1593 1584 .br
1594 1585 .na
1595 1586 \fB\fBpkinit_pool\fR\fR
1596 1587 .ad
1597 1588 .RS 21n
1598 1589 \fIdirectory-name\fR is assumed to be an OpenSSL-style hashed CA directory
1599 1590 where each CA cert is stored in a file named \fBhash-of-ca-cert\fR.\fI#\fR.
1600 1591 This infrastructure is encouraged, but all files in the directory are examined
1601 1592 and if they contain certificates (in PEM format), they are used.
1602 1593 .RE
1603 1594
1604 1595 .RE
1605 1596
1606 1597 .sp
1607 1598 .ne 2
1608 1599 .na
1609 1600 \fB\fBPKCS12:\fR\fIpkcs12-file-name\fR\fR
1610 1601 .ad
1611 1602 .sp .6
1612 1603 .RS 4n
1613 1604 \fIpkcs12-file-name\fR is the name of a \fBPKCS #12\fR format file, containing
1614 1605 the user's certificate and private key.
1615 1606 .RE
1616 1607
1617 1608 .sp
1618 1609 .ne 2
1619 1610 .na
1620 1611 \fB\fBPKCS11:[slotid=\fR\fIslot-id\fR\fB][:token=\fR\fItoken-label\fR\fB][:cert
1621 1612 id=\fR\fIcert-id\fR\fB][:certlabel=\fR\fIcert-label\fR\fB]\fR\fR
1622 1613 .ad
1623 1614 .sp .6
1624 1615 .RS 4n
1625 1616 All keyword/values are optional. PKCS11 modules (for example,
1626 1617 \fBopensc-pkcs11.so\fR) must be installed as a \fBcrypto\fR provider under
1627 1618 \fBlibpkcs11\fR(3LIB). \fBslotid=\fR and/or \fBtoken=\fR can be specified to
1628 1619 force the use of a particular smart card reader or token if there is more than
1629 1620 one available. \fBcertid=\fR and/or \fBcertlabel=\fR can be specified to force
1630 1621 the selection of a particular certificate on the device. See the
1631 1622 \fBpkinit_cert_match\fR configuration option for more ways to select a
1632 1623 particular certificate to use for \fBpkinit\fR.
1633 1624 .RE
1634 1625
1635 1626 .sp
1636 1627 .ne 2
1637 1628 .na
1638 1629 \fB\fBENV:\fR\fIenvironment-variable-name\fR\fR
1639 1630 .ad
1640 1631 .sp .6
1641 1632 .RS 4n
1642 1633 \fIenvironment-variable-name\fR specifies the name of an environment variable
1643 1634 which has been set to a value conforming to one of the previous values. For
1644 1635 example, \fBENV:X509_PROXY\fR, where environment variable \fBX509_PROXY\fR has
1645 1636 been set to \fBFILE:/tmp/my_proxy.pem\fR.
1646 1637 .RE
1647 1638
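Review bot: "There is no punctuation or white space between component rules.Specify \fIcomponent-rule\fR as one of the following:" is missing the space after the period, exactly the kind of fix this change is for. In the PKINIT search-order list, items 1 and 2 open a realm subsection (`EXAMPLE.COM = {` and `OTHERREALM.ORG = {`) and never close it, while every other example in the file shows the closing `}`; add the brace so the snippets can be pasted as shown. Minor wording in the pkinit_cert_match text: "by way of another media" should be "another medium".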
1648 1639 .SS "The \fB[dbmodules]\fR Section"
1649 -.LP
1650 1640 This section consists of relations that provide configuration information for
1651 1641 plug-in modules. In particular, the relations describe the configuration for
1652 1642 LDAP KDB plug-in. Use of the \fBdb2\fR KDB plug-in is the default behavior and
1653 1643 that this section does not need to be filled out in that case.
1654 1644 .sp
1655 1645 .ne 2
1656 1646 .na
1657 1647 \fB\fBdb_library\fR\fR
1658 1648 .ad
1659 1649 .sp .6
1660 1650 .RS 4n
1661 1651 Name of the plug-in library. To use the LDAP KDB plug-in the name must be
1662 1652 \fBkdb_ldap\fR. The default value is \fBdb2\fR.
1663 1653 .RE
1664 1654
1665 1655 .sp
1666 1656 .ne 2
1667 1657 .na
1668 1658 \fB\fBdb_module_dir\fR\fR
1669 1659 .ad
1670 1660 .sp .6
1671 1661 .RS 4n
1672 1662 Path to the plug-in libraries. The default is \fB/usr/lib/krb5\fR.
1673 1663 .RE
1674 1664
1675 1665 .sp
1676 1666 .ne 2
1677 1667 .na
1678 1668 \fB\fBldap_cert_path\fR\fR
1679 1669 .ad
1680 1670 .sp .6
1681 1671 .RS 4n
1682 1672 Path to the Network Security Services (NSS) trusted database for an SSL
1683 1673 connection. This is a required parameter when using the LDAP KDB plug-in.
1684 1674 .RE
1685 1675
1686 1676 .sp
1687 1677 .ne 2
1688 1678 .na
1689 1679 \fB\fBldap_conns_per_server\fR\fR
1690 1680 .ad
1691 1681 .sp .6
1692 1682 .RS 4n
1693 1683 Number of connections per LDAP instance. The default is \fB5\fR.
1694 1684 .RE
1695 1685
1696 1686 .sp
1697 1687 .ne 2
1698 1688 .na
1699 1689 \fB\fBldap_kadmind_dn\fR\fR
1700 1690 .ad
1701 1691 .sp .6
1702 1692 .RS 4n
1703 1693 Bind DN for \fBkadmind\fR. This specifies the DN that the \fBkadmind\fR service
1704 1694 uses when binding to the LDAP Directory Server. The password for this bind DN
1705 1695 should be in the \fBldap_service_password_file\fR.
1706 1696 .RE
1707 1697
1708 1698 .sp
1709 1699 .ne 2
1710 1700 .na
1711 1701 \fB\fBldap_kdc_dn\fR\fR
1712 1702 .ad
1713 1703 .sp .6
1714 1704 .RS 4n
1715 1705 Bind DN for a Key Distribution Center (KDC). This specifies the DN that the
1716 1706 \fBkrb5kdc\fR service use when binding to the LDAP Directory Server. The
1717 1707 password for this bind DN should be in the \fBldap_service_password_file\fR.
1718 1708 .RE
1719 1709
1720 1710 .sp
1721 1711 .ne 2
1722 1712 .na
1723 1713 \fB\fBldap_servers\fR\fR
1724 1714 .ad
1725 1715 .sp .6
1726 1716 .RS 4n
1727 1717 List of LDAP directory servers in URI format. Use of either of the following is
1728 1718 acceptable.
1729 1719 .sp
1730 1720 .in +2
1731 1721 .nf
1732 1722 ldap://\fI<ds hostname>\fR:\fI<SSL port>\fR
1733 1723 ldap://\fI<ds hostname>\fR
1734 1724 .fi
1735 1725 .in -2
1736 1726 .sp
1737 1727
1738 1728 Each server URI should be separated by whitespace.
1739 1729 .RE
1740 1730
1741 1731 .sp
1742 1732 .ne 2
1743 1733 .na
1744 1734 \fB\fBldap_service_password_file\fR\fR
1745 1735 .ad
1746 1736 .sp .6
1747 1737 .RS 4n
1748 1738 File containing stashed passwords used by the KDC when binding to the LDAP
1749 1739 Directory Server. The default is \fB/var/krb5/service_passwd\fR. This file is
1750 1740 created using \fBkdb5_ldap_util\fR(1M).
1751 1741 .RE
1752 1742
1753 1743 .sp
1754 1744 .ne 2
1755 1745 .na
1756 1746 \fB\fBldap_ssl_port\fR\fR
1757 1747 .ad
1758 1748 .sp .6
1759 1749 .RS 4n
1760 1750 Port number for SSL connection with directory server. The default is \fB389\fR.
1761 1751 .RE
1762 1752
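Review bot: "Use of the \fBdb2\fR KDB plug-in is the default behavior and that this section does not need to be filled out in that case" has a stray "that" (drop it), and under ldap_kdc_dn "the \fBkrb5kdc\fR service use when binding" should be "uses". Also worth confirming against the plug-in before this is committed: ldap_ssl_port is described as the port for an SSL connection with a default of 389, but 389 is the registered cleartext LDAP port (636 is ldaps), and Example 2 in this same file uses `ldaps://ds.mit.edu`; the ldap_servers example `ldap://<ds hostname>:<SSL port>` likewise pairs an ldap:// scheme with an SSL port. If the code really defaults to 389 the text should say what that means for the connection, otherwise the default should be corrected.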
1763 1753 .SH EXAMPLES
1764 -.LP
1765 1754 \fBExample 1 \fRSample File
1766 1755 .sp
1767 1756 .LP
1768 1757 The following is an example of a generic \fBkrb5.conf\fR file:
1769 1758
1770 1759 .sp
1771 1760 .in +2
1772 1761 .nf
1773 1762 [libdefaults]
1774 1763 default_realm = ATHENA.MIT.EDU
1775 1764 default_tkt_enctypes = des-cbc-crc
1776 1765 default_tgs_enctypes = des-cbc-crc
1777 1766
1778 1767 [realms]
1779 1768 ATHENA.MIT.EDU = {
1780 1769 kdc = kerberos.mit.edu
1781 1770 kdc = kerberos-1.mit.edu
1782 1771 kdc = kerberos-2.mit.edu
1783 1772 admin_server = kerberos.mit.edu
1784 1773 auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
1785 1774 }
1786 1775
1787 1776 FUBAR.ORG = {
1788 1777 kdc = kerberos.fubar.org
1789 1778 kdc = kerberos-1.fubar.org
1790 1779 admin_server = kerberos.fubar.org
1791 1780 }
1792 1781
1793 1782 [domain_realm]
1794 1783 .mit.edu = ATHENA.MIT.EDU
1795 1784 mit.edu = ATHENA.MIT.EDU
1796 1785 .fi
1797 1786 .in -2
1798 1787 .sp
1799 1788
1800 1789 .LP
1801 1790 \fBExample 2 \fRKDC Using the LDAP KDB plug-in, \fBrealms\fR and
1802 1791 \fBdbmodules\fR Sections
1803 1792 .sp
1804 1793 .LP
1805 1794 The following is an example of the \fBrealms\fR and \fBdbmodules\fR sections of
1806 1795 a Kerberos configuration file when the KDC is using the LDAP KDB plug-in.
1807 1796
1808 1797 .sp
1809 1798 .in +2
1810 1799 .nf
1811 1800 [realms]
1812 1801 SUN.COM = {
1813 1802 kdc = kc-umpk-01.athena.mit.edu
1814 1803 kdc = kc-umpk-02.athena.mit.edu
1815 1804 admin_server = kc-umpk-01.athena.mit.edu
1816 1805 database_module = LDAP
1817 1806 }
1818 1807
1819 1808 [dbmodules]
1820 1809 LDAP = {
1821 1810 db_library = kdb_ldap
1822 1811 ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
1823 1812 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
1824 1813 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
1825 1814 ldap_cert_path = /var/ldap
1826 1815 ldap_servers = ldaps://ds.mit.edu
1827 1816 }
1828 1817 .fi
1829 1818 .in -2
1830 1819 .sp
1831 1820
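Review bot: Example 1 still pins single-DES with `default_tkt_enctypes = des-cbc-crc` and `default_tgs_enctypes = des-cbc-crc`; DES was formally deprecated for Kerberos by RFC 6649, and a reader who copies this "generic" sample into a new deployment gets either a weak enctype or a KDC that refuses it. Either drop those two lines so the library defaults apply, or show an AES enctype such as aes256-cts-hmac-sha1-96. Cosmetic, same hunk: Example 2 names the realm SUN.COM but uses kc-umpk-01.athena.mit.edu KDCs and dc=mit,dc=edu DNs; one consistent example domain would read better.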
1832 1821 .SH FILES
1833 1822 .ne 2
1834 1823 .na
1835 1824 \fB\fB/var/krb5/kdc.log\fR\fR
1836 1825 .ad
1837 1826 .sp .6
1838 1827 .RS 4n
1839 1828 \fBKDC\fR logging file
1840 1829 .RE
1841 1830
1842 1831 .SH ATTRIBUTES
1843 -.LP
1844 1832 See \fBattributes\fR(5) for descriptions of the following attributes:
1845 1833 .sp
1846 1834
1847 1835 .sp
1848 1836 .TS
1849 1837 box;
1850 1838 c | c
1851 1839 l | l .
1852 1840 ATTRIBUTE TYPE ATTRIBUTE VALUE
1853 1841 _
1854 1842 Interface Stability See below.
1855 1843 .TE
1856 1844
1857 1845 .sp
1858 1846 .LP
1859 1847 All of the keywords are Committed, except for the \fBPKINIT\fR keywords, which
1860 1848 are Volatile.
1861 1849 .SH SEE ALSO
1862 -.LP
1863 1850 \fBkinit\fR(1), \fBrcp\fR(1), \fBrdist\fR(1), \fBrlogin\fR(1), \fBrsh\fR(1),
1864 1851 \fBtelnet\fR(1), \fBsyslog\fR(3C), \fBattributes\fR(5), \fBkerberos\fR(5),
1865 1852 \fBregex\fR(5)
1866 1853 .SH NOTES
1867 -.LP
1868 1854 If the \fBkrb5.conf\fR file is not formatted properly, the \fBtelnet\fR command
1869 1855 fails. However, the \fBdtlogin\fR and \fBlogin\fR commands still succeed, even
1870 1856 if the \fBkrb5.conf\fR file is specified as required for the commands. If this
1871 1857 occurs, the following error message is displayed:
1872 1858 .sp
1873 1859 .in +2
1874 1860 .nf
1875 1861 Error initializing krb5: Improper format of \fIitem\fR
1876 1862 .fi
1877 1863 .in -2
1878 1864 .sp
1879 1865
1880 1866 .sp
1881 1867 .LP
1882 1868 To bypass any other problems that might occur, you should fix the file as soon
1883 1869 as possible.
1884 1870 .sp
1885 1871 .LP
1886 1872 The \fBmax_life\fR and \fBmax_renewable_life\fR options are obsolete and is
1887 1873 removed in a future release of the Solaris operating system.
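Review bot: in the last paragraph "are obsolete and is removed in a future release of the Solaris operating system" should be "are obsolete and will be removed in a future release"; since this is the illumos copy of the page, naming the operating system as Solaris is also stale. In the first paragraph of NOTES, the \fBdtlogin\fR command is still listed among the commands that succeed with a malformed file; check that it exists in this tree before keeping the reference.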