WARN.CONF(4)          File Formats and Configurations          WARN.CONF(4)

NAME
       warn.conf - Kerberos warning configuration file

SYNOPSIS
       /etc/krb5/warn.conf

DESCRIPTION
       The warn.conf file contains configuration information specifying how
       users will be warned by the ktkt_warnd daemon about ticket expiration.
       In addition, this file can be used to auto-renew the user's
       Ticket-Granting Ticket (TGT) instead of warning the user. Credential
       expiration warnings and auto-renew results are sent, by means of
       syslog, to auth.notice.

       Each Kerberos client host must have a warn.conf file in order for users
       on that host to get Kerberos warnings from the client. Entries in the
       warn.conf file must have the following format:

         principal [renew[:opt1,...optN]] syslog|terminal time

       or:

         principal [renew[:opt1,...optN]] mail time [email address]

       principal
           Specifies the principal name to be warned. The asterisk (*)
           wildcard can be used to specify groups of principals.

       renew
           Automatically renew the credentials (TGT) until renewable
           lifetime expires. This is equivalent to the user running
           kinit -R.

           The renew options include:

           log-success
               Log the result of the renew attempt on success using the
               specified method (syslog|terminal|mail).

           log-failure
               Log the result of the renew attempt on failure using the
               specified method (syslog|terminal|mail). Some renew failure
               conditions are: TGT renewable lifetime has expired, the KDCs
               are unavailable, or the cred cache file has been removed.

           log
               Same as specifying both log-success and log-failure.

           Note -

             If no log options are given, no logging is done.

       syslog
           Sends the warnings to the system's syslog. Depending on the
           /etc/syslog.conf file, syslog entries are written to the
           /var/adm/messages file and/or displayed on the terminal.

       terminal
           Sends the warnings to display on the terminal.

       mail
           Sends the warnings as email to the address specified by
           email_address.

       time
           Specifies how much time before the TGT expires when a warning
           should be sent. The default time value is seconds, but you can
           specify h (hours) and m (minutes) after the number to specify
           other time values.

       email_address
           Specifies the email address at which to send the warnings. This
           field must be specified only with the mail field.

EXAMPLES
       Example 1 Specifying Warnings

       The following warn.conf entry

         * syslog 5m

       specifies that warnings will be sent to the syslog five minutes before
       the expiration of the TGT for all principals. The form of the message
       is:

         jdb@ACME.COM: your kerberos credentials expire in 5 minutes

       Example 2 Specifying Renewal

       The following warn.conf entry:

         * renew:log terminal 30m

       ...specifies that renew results will be sent to the user's terminal 30
       minutes before the expiration of the TGT for all principals. The form
       of the message (on renew success) is:

         myname@ACME.COM: your kerberos credentials have been renewed

FILES
       /usr/lib/krb5/ktkt_warnd
           Kerberos warning daemon

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Evolving        |
       +--------------------+-----------------+

SEE ALSO
       kinit(1), kdestroy(1), ktkt_warnd(1M), syslog.conf(4), utmpx(4),
       attributes(5), kerberos(5), pam_krb5(5)

NOTES
       The auto-renew of the TGT is attempted only if the user is logged-in,
       as determined by examining utmpx(4).
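
The entry format under DESCRIPTION can be checked mechanically. The following is an added example, not part of the original manual page and not the parser used by ktkt_warnd: it validates entries and flags renew entries whose failures would go unlogged. The names parse_entry and audit are hypothetical, the sample entries are constructed, and treating lines that start with # as comments is an assumption.

```python
import re

RENEW_OPTS = {"log-success", "log-failure", "log"}
UNIT_SECONDS = {"": 1, "m": 60, "h": 3600}  # a bare number means seconds

def parse_entry(line):
    """Parse one warn.conf entry into a dict; raise ValueError if malformed."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("too few fields")
    e = {"principal": fields.pop(0), "renew": False, "opts": set()}
    if fields[0].split(":")[0] == "renew":
        e["renew"] = True
        opts = fields.pop(0).partition(":")[2]
        e["opts"] = set(opts.split(",")) if opts else set()
        if e["opts"] - RENEW_OPTS:
            raise ValueError(f"unknown renew option: {sorted(e['opts'] - RENEW_OPTS)}")
    if len(fields) < 2 or fields[0] not in ("syslog", "terminal", "mail"):
        raise ValueError("expected syslog|terminal|mail followed by a time")
    e["method"] = fields.pop(0)
    m = re.fullmatch(r"(\d+)([hm]?)", fields.pop(0))
    if not m:
        raise ValueError("bad time value")
    e["seconds"] = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if fields and (e["method"] != "mail" or len(fields) > 1):
        raise ValueError("unexpected trailing field")
    e["email"] = fields[0] if fields else None
    return e

def audit(text):
    """Return (line_no, message) findings for the text of a warn.conf file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):  # assumed comment syntax
            continue
        try:
            e = parse_entry(raw)
            if e["renew"] and not e["opts"] & {"log", "log-failure"}:
                findings.append((n, "renew failures are not logged"))
        except ValueError as exc:
            findings.append((n, f"malformed: {exc}"))
    return findings

SAMPLE = """\
# constructed sample, not from a real host
* renew:log terminal 30m
admin/* renew mail 1h secops@example.com
svc renew:log-success syslog 600
* renew:verbose syslog 5m
"""
```

Calling audit(SAMPLE) reports lines 3 and 4 (renew with no log option, and renew with log-success only) and line 5 (unknown renew option).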

                                March 30, 2005                   WARN.CONF(4)