kdc.conf man page on Solaris

kdc.conf(4)                 File Formats                  kdc.conf(4)

NAME
       kdc.conf - Key Distribution Center (KDC) configuration file

SYNOPSIS
       /etc/krb5/kdc.conf

DESCRIPTION
       The kdc.conf file contains KDC configuration information, including
       defaults used when issuing Kerberos tickets. This file must reside on
       all KDC servers. After you make any changes to the kdc.conf file, stop
       and restart the krb5kdc daemon on the KDC for the changes to take
       effect.

       The format of the kdc.conf consists of section headings in square
       brackets ([]). Each section contains zero or more configuration
       variables (called relations), of the form:

	 relation = relation-value

       or

	 relation-subsection = {
	     relation = relation-value
	     relation = relation-value
	     }

       The kdc.conf file contains one or more of the following three sections:

       kdcdefaults

	   Contains default values for overall behavior of the KDC.

       realms

           Contains subsections for Kerberos realms, where relation-subsection
           is the name of a realm. Each subsection contains relations that
           define KDC properties for that particular realm, including where to
           find the Kerberos servers for that realm.

       logging

	   Contains relations that determine  how  Kerberos  programs  perform
	   logging.

   The kdcdefaults Section
       The following relation can be defined in the [kdcdefaults] section:

       kdc_ports

           This relation lists the UDP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any UDP port. If this relation is not specified, the
           Kerberos server listens on port 750 and port 88.

       kdc_tcp_ports

           This relation lists the TCP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. If the assigned value is 0, the Kerberos server does not
           listen on any TCP port. If this relation is not specified, the
           Kerberos server listens on the kdc TCP port specified in
           /etc/services. If this port is not found in /etc/services, the
           Kerberos server defaults to listening on TCP port 88.

       kdc_max_tcp_connections

           This relation controls the maximum number of TCP connections the
           KDC allows. The minimum value is 10. If this relation is not
           specified, the Kerberos server allows a maximum of 30 TCP
           connections.

   The realms Section
       This  section contains subsections for Kerberos realms, where relation-
       subsection is the name of a realm. Each subsection  contains  relations
       that define KDC properties for that particular realm.

       The following relations can be specified in each subsection:

       acl_file

           (string) Location of the Kerberos V5 access control list (ACL) file
           that kadmin uses to determine the privileges allowed to each
           principal on the database. The default location is
           /etc/krb5/kadm5.acl.

       admin_keytab

           (string) Location of the keytab file that kadmin uses to
           authenticate to the database. The default location is
           /etc/krb5/kadm5.keytab.

       database_name

           (string) Location of the Kerberos database for this realm. The
           default location is /var/krb5/principal.

       default_principal_expiration

           (absolute time string) The default expiration date of principals
           created in this realm. See the Time Format section in kinit(1) for
           the valid absolute time formats you can use for
           default_principal_expiration.

       default_principal_flags

           (flag string) The default attributes of principals created in this
           realm. Some of these flags are better set on an individual
           principal basis through the attribute modifiers of the kadmin
           command when creating and modifying principals. However, some of
           these options can be applied to all principals in the realm by
           adding them to the list of flags associated with this relation.

           A "flag string" is a list of one or more of the flags listed below,
           each preceded by a plus (+) or a minus (-) character, indicating
           that the flag that follows should be enabled or disabled,
           respectively.

           Flags below marked with an asterisk (*) are flags that are best
           applied on an individual principal basis through the kadmin or
           gkadmin interface rather than as a blanket attribute to be applied
           to all principals.

	   postdateable

	       Create postdatable tickets.

	   forwardable

	       Create forwardable tickets.

	   tgt-based

	       Allow TGT-based requests.

	   renewable

	       Create Renewable tickets.

	   proxiable

	       Create Proxiable tickets.

	   dup-skey

               Allow DUP_SKEY requests; this enables user-to-user
               authentication.

	   preauth

	       Require the use of pre-authentication data whenever  principals
	       request TGTs.

	   hwauth

	       Require the use of hardware-based pre-authentication data when‐
	       ever principals request TGTs.

	   * allow-tickets

	       Allow tickets to be issued for all principals.

	   * pwdchange

               Require principals to change their password.

	   * service

	       Enable or disable a service.

	   * pwservice

	       Mark principals as password changing principals.

	   An example of default_principal_flags is shown in EXAMPLES, below.
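As an added illustration (not part of the man page or of Solaris), the following Python parses a flag string of the form shown in EXAMPLES and reports, from an auditing standpoint, which asterisked per-principal flags have been applied realm-wide and whether preauth is among the defaults. The flag names and the asterisk classification are taken from the list above; tolerating whitespace around elements is this example's own assumption.

```python
# Flags this man page lists for default_principal_flags. PER_PRINCIPAL_FLAGS
# are the ones the page marks with an asterisk as best set per principal.
KNOWN_FLAGS = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable", "proxiable",
    "dup-skey", "preauth", "hwauth",
    "allow-tickets", "pwdchange", "service", "pwservice",
})
PER_PRINCIPAL_FLAGS = frozenset({"allow-tickets", "pwdchange", "service", "pwservice"})


def parse_flag_string(flag_string):
    """Split a flag string into (enabled, disabled) sets of flag names.

    Every element must be a known flag preceded by '+' or '-'. Elements are
    comma-separated as in the page's example; surrounding whitespace is
    tolerated (assumption, the page does not say either way).
    """
    enabled, disabled = set(), set()
    if not flag_string.strip():
        return enabled, disabled
    for token in flag_string.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in flag string")
        sign, name = token[0], token[1:]
        if sign not in "+-":
            raise ValueError(f"flag {token!r} must start with '+' or '-'")
        if name not in KNOWN_FLAGS:
            raise ValueError(f"unknown flag {name!r}")
        (enabled if sign == "+" else disabled).add(name)
    both = enabled & disabled
    if both:
        raise ValueError(f"flag(s) both enabled and disabled: {sorted(both)}")
    return enabled, disabled


def review_flag_string(flag_string):
    """Return advisory findings about a realm-wide default flag string."""
    enabled, disabled = parse_flag_string(flag_string)
    findings = []
    if "preauth" not in enabled:
        findings.append("preauth is not set by this default; new principals will "
                        "not require pre-authentication data unless set per principal")
    for name in sorted((enabled | disabled) & PER_PRINCIPAL_FLAGS):
        findings.append(f"{name} is applied to every new principal; the page "
                        "recommends setting it per principal via kadmin/gkadmin")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's own example and a questionable variant.
    for example in ("+preauth,+forwardable,-postdateable", "+forwardable,-service"):
        print(example, "->", review_flag_string(example) or "no findings")
```

Running the block prints no findings for the page's example and two for the variant: one because preauth is not among its defaults, one because service (an asterisked flag) is being applied realm-wide.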

       dict_file

           (string) Location of the dictionary file containing strings that
           are not allowed as passwords. A principal with any password policy
           is not allowed to select a password in the dictionary. The default
           location is /var/krb5/kadm5.dict.

       kadmind_port

	   (port  number) The port that the kadmind daemon is to listen on for
	   this realm. The assigned port for kadmind is 749.

       key_stash_file

           (string) Location where the master key has been stored (by
           kdb5_util stash). The default location is /var/krb5/.k5.realm,
           where realm is the Kerberos realm.

       kdc_ports

           (string) The list of UDP ports that the KDC listens on for this
           realm. By default, the value of kdc_ports as specified in the
           [kdcdefaults] section is used.

       kdc_tcp_ports

           (string) The list of TCP ports that the KDC listens on (in addition
           to the UDP ports specified by kdc_ports) for this realm. By
           default, the value of kdc_tcp_ports as specified in the
           [kdcdefaults] section is used.

       master_key_name

	   (string) The name of the master key.

       master_key_type

           (key type string) The master key's key type. This is used to
           determine the type of encryption that encrypts the entries in the
           principal db. des-cbc-crc, des3-cbc-md5, des3-cbc-sha1-kd,
           arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96,
           and aes256-cts-hmac-sha1-96 are supported at this time (des-cbc-crc
           is the default). If you set this to des3-cbc-sha1-kd, all systems
           that receive copies of the principal db, such as those running
           slave KDCs, must support des3-cbc-sha1-kd.

       max_life

	   (delta time string) The maximum time period for which a  ticket  is
	   valid  in  this  realm. See the Time Format section in kinit(1) for
	   the valid time duration formats you can use for max_life.

       max_renewable_life

           (delta time string) The maximum time period during which a valid
           ticket can be renewed in this realm. See the Time Format section in
           kinit(1) for the valid time duration formats you can use for
           max_renewable_life.

       sunw_dbprop_enable = [true | false]

           Enable or disable incremental database propagation. Default is
           false.

       sunw_dbprop_master_ulogsize = N

           Specifies the maximum number of log entries available for
           incremental propagation to the slave KDC servers. The maximum value
           is 2500 entries. Default value is 1000 entries.

       sunw_dbprop_slave_poll = N[s, m, h]

	   Specifies how often the slave KDC polls for new  updates  that  the
	   master might have. Default is 2m (two minutes).

       supported_enctypes

           List of key/salt strings. The default key/salt combinations of
           principals for this realm. The key is separated from the salt by a
           colon (:) or period (.). Multiple key/salt strings can be used by
           separating each string with a space. The salt is additional
           information encoded within the key that tells what kind of key it
           is. Only the normal salt is supported at this time, for example,
           des-cbc-crc:normal. Note that, if this relation is not specified,
           the default setting is:

	     aes256-cts-hmac-sha1-96:normal \ (see note below)
	     aes128-cts-hmac-sha1-96:normal \
	     des3-cbc-sha1-kd:normal \
	     arcfour-hmac-md5:normal \
	     des-cbc-md5:normal

	   Note -

	     The unbundled Strong Cryptographic packages must be installed for
	     the  aes256-cts-hmac-sha1-96:normal  enctype  to be available for
	     Kerberos.

       reject_bad_transit

           This boolean specifies whether the list of transited realms for
           cross-realm tickets should be checked against the transit path
           computed from the realm names and the [capaths] section of its
           krb5.conf(4) file.

	   The default for reject_bad_transit is true.
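The supported_enctypes and master_key_type relations above decide which key types the KDC issues and how the principal database itself is encrypted. As an added example, not from the man page or from Solaris, this Python parses a key/salt list (including the backslash-continued form of the default shown above), rejects any salt other than normal, and reports a realm whose master key or issued keys use an enctype the example classifies as weak. The enctype names come from this page; treating single DES and the arcfour types as weak is the example's own assumption.

```python
# Enctype names this man page lists (under master_key_type and in the default
# supported_enctypes). Which of them count as weak is this example's own
# assumption: single DES and the RC4-based arcfour types.
PAGE_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-md5", "des3-cbc-sha1-kd",
    "arcfour-hmac-md5", "arcfour-hmac-md5-exp",
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
})
WEAK_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5",
                           "arcfour-hmac-md5", "arcfour-hmac-md5-exp"})

# Constructed copy of the default supported_enctypes list shown on this page,
# with its backslash line continuations.
DEFAULT_SUPPORTED_ENCTYPES = """aes256-cts-hmac-sha1-96:normal \\
aes128-cts-hmac-sha1-96:normal \\
des3-cbc-sha1-kd:normal \\
arcfour-hmac-md5:normal \\
des-cbc-md5:normal"""


def parse_key_salt_list(value):
    """Parse a supported_enctypes value into a list of (enctype, salt).

    Strings are space-separated; each is enctype:salt or enctype.salt. A
    backslash at the end of a line continues the list on the next line.
    """
    joined = value.replace("\\\n", " ")
    pairs = []
    for item in joined.split():
        if item == "\\":          # stray continuation at end of input
            continue
        sep = ":" if ":" in item else "."
        if sep not in item:
            raise ValueError(f"{item!r} has no salt (expected enctype:salt)")
        enctype, salt = item.split(sep, 1)
        if enctype not in PAGE_ENCTYPES:
            raise ValueError(f"unknown enctype {enctype!r}")
        if salt != "normal":
            raise ValueError(f"salt {salt!r} unsupported; only 'normal' is")
        pairs.append((enctype, salt))
    return pairs


def audit_realm_enctypes(master_key_type, supported_enctypes):
    """Return findings for a realm's master key type and key/salt list."""
    if master_key_type not in PAGE_ENCTYPES:
        raise ValueError(f"unknown master_key_type {master_key_type!r}")
    findings = []
    if master_key_type in WEAK_ENCTYPES:
        findings.append(f"master_key_type {master_key_type} is a weak enctype; "
                        "the principal database is encrypted with it")
    enctypes = [e for e, _ in parse_key_salt_list(supported_enctypes)]
    weak = [e for e in enctypes if e in WEAK_ENCTYPES]
    strong = [e for e in enctypes if e not in WEAK_ENCTYPES]
    if weak:
        findings.append("supported_enctypes issues weak keys: " + ", ".join(weak))
    if not strong:
        findings.append("supported_enctypes offers no non-weak enctype at all")
    return findings


if __name__ == "__main__":
    # The realm from this page's EXAMPLES section versus the page's defaults.
    print(audit_realm_enctypes("des-cbc-crc", "des-cbc-crc:normal"))
    print(audit_realm_enctypes("aes256-cts-hmac-sha1-96", DEFAULT_SUPPORTED_ENCTYPES))
```

On the sample realm from EXAMPLES (des-cbc-crc master key, des-cbc-crc:normal only) the audit produces three findings; on an AES master key with the page's default list it produces one, naming the arcfour and single-DES entries that remain in the list.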

   The logging Section
       This section indicates how Kerberos programs perform logging. The same
       relation can be repeated if you want to assign it multiple logging
       methods. The following relations can be defined in the [logging]
       section:

       kdc

	   Specifies how the KDC is to perform its  logging.  The  default  is
	   FILE:/var/krb5/kdc.log.

       admin_server

	   Specifies  how the administration server is to perform its logging.
	   The default is FILE:/var/krb5/kadmin.log.

       default

           Specifies how to perform logging in the absence of explicit
           specifications.

       The [logging] relations can have the following values:

       FILE:filename

       or

       FILE=filename

	   This value causes the entity's logging messages to go to the speci‐
	   fied file. If the `=' form is used, the file is overwritten. If the
	   `:' form is used, the file is appended to.

       STDERR

           This value sends the entity's logging messages to its standard
           error stream.

       CONSOLE

	   This value sends the entity's logging messages to the  console,  if
	   the system supports it.

       DEVICE=devicename

	   This sends the entity's logging messages to the specified device.

       SYSLOG[:severity[:facility]]

	   This sends the entity's logging messages to the system log.

           The severity argument specifies the default severity of system log
           messages. This default can be any of the following severities
           supported by the syslog(3C) call, minus the LOG_ prefix: LOG_EMERG,
           LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO,
           and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT
           severity.

           The facility argument specifies the facility under which the
           messages are logged. This can be any of the following facilities
           supported by the syslog(3C) call, minus the LOG_ prefix: LOG_KERN,
           LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS,
           LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

	   If no severity is specified, the default is ERR. If no facility  is
	   specified, the default is AUTH.

           In the following example, the logging messages from the KDC go to
           the console and to the system log under the facility LOG_DAEMON
           with default severity of LOG_INFO; the logging messages from the
           administration server are appended to the /var/krb5/kadmin.log file
           and sent to the /dev/tty04 device.

	     [logging]
	     kdc = CONSOLE
	     kdc = SYSLOG:INFO:DAEMON
	     admin_server = FILE:/export/logging/kadmin.log
	     admin_server = DEVICE=/dev/tty04
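The following Python, added here as an illustration and not part of the man page or of Solaris, parses each [logging] value form listed above (FILE: versus FILE= for append versus overwrite, STDERR, CONSOLE, DEVICE=, and SYSLOG with its ERR and AUTH defaults), validates severities and facilities against the lists given, and expands a section in which a relation is repeated into one target per value. The inline section dictionary is a constructed copy of the example just above.

```python
# Severity and facility names from this page, without the LOG_ prefix.
SEVERITIES = ("EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG")
FACILITIES = ("KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS",
              "UUCP", "CRON") + tuple(f"LOCAL{i}" for i in range(8))


def parse_logging_value(value):
    """Parse one [logging] relation value into a dict describing its target."""
    value = value.strip()
    if value == "STDERR":
        return {"kind": "STDERR"}
    if value == "CONSOLE":
        return {"kind": "CONSOLE"}
    if value.startswith("FILE:") or value.startswith("FILE="):
        path = value[5:]
        if not path:
            raise ValueError("FILE target needs a filename")
        # ':' appends to the file, '=' overwrites it.
        return {"kind": "FILE", "path": path,
                "mode": "append" if value[4] == ":" else "overwrite"}
    if value.startswith("DEVICE="):
        device = value[7:]
        if not device:
            raise ValueError("DEVICE target needs a device name")
        return {"kind": "DEVICE", "device": device}
    if value == "SYSLOG" or value.startswith("SYSLOG:"):
        parts = value.split(":")
        if len(parts) > 3:
            raise ValueError(f"too many fields in {value!r}")
        # Missing severity defaults to ERR, missing facility to AUTH.
        severity = parts[1] if len(parts) > 1 and parts[1] else "ERR"
        facility = parts[2] if len(parts) > 2 and parts[2] else "AUTH"
        if severity not in SEVERITIES:
            raise ValueError(f"unknown syslog severity {severity!r}")
        if facility not in FACILITIES:
            raise ValueError(f"unknown syslog facility {facility!r}")
        return {"kind": "SYSLOG", "severity": severity, "facility": facility}
    raise ValueError(f"unrecognised logging value {value!r}")


def logging_targets(section):
    """Expand a [logging] section ({relation: [values]}) into targets.

    Returns a list of (relation, target) pairs, one per value, so a relation
    that appears twice yields two targets.
    """
    targets = []
    for relation, values in section.items():
        for value in values:
            targets.append((relation, parse_logging_value(value)))
    return targets


# Constructed copy of the [logging] example on this page, split into
# relation -> list of values in the order the relations appear.
EXAMPLE_LOGGING = {
    "kdc": ["CONSOLE", "SYSLOG:INFO:DAEMON"],
    "admin_server": ["FILE:/export/logging/kadmin.log", "DEVICE=/dev/tty04"],
}

if __name__ == "__main__":
    for relation, target in logging_targets(EXAMPLE_LOGGING):
        print(relation, target)
```

The example section expands to four targets: the KDC logs to the console and to syslog at INFO/DAEMON, and the administration server appends to its log file and writes to /dev/tty04.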

EXAMPLES
       Example 1 Sample kdc.conf File

       The following is an example of a kdc.conf file:

	 [kdcdefaults]
	   kdc_ports = 88

	 [realms]
	   ATHENA.MIT.EDU = {
	      kadmind_port = 749
	      max_life = 10h 0m 0s
	      max_renewable_life = 7d 0h 0m 0s
	      default_principal_flags = +preauth,+forwardable,-postdateable
	      master_key_type = des-cbc-crc
	      supported_enctypes = des-cbc-crc:normal
	   }

	 [logging]
	   kdc = FILE:/export/logging/kdc.log
	   admin_server = FILE:/export/logging/kadmin.log
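To make the section/relation/relation-subsection format described under DESCRIPTION concrete, here is a small parser, added as an illustration for this page and not part of Solaris or of any Kerberos distribution. It keeps every relation's values in a list because the [logging] section allows a relation to be repeated, stores a relation-subsection as a nested dict, and is run against an inline copy of the sample file above. It handles only what this page documents (no comment or include syntax).

```python
import re

# Inline copy of the sample kdc.conf from the EXAMPLES section of this man
# page, embedded so the parser runs offline.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
  kdc_ports = 88

[realms]
  ATHENA.MIT.EDU = {
     kadmind_port = 749
     max_life = 10h 0m 0s
     max_renewable_life = 7d 0h 0m 0s
     default_principal_flags = +preauth,+forwardable,-postdateable
     master_key_type = des-cbc-crc
     supported_enctypes = des-cbc-crc:normal
  }

[logging]
  kdc = FILE:/export/logging/kdc.log
  admin_server = FILE:/export/logging/kadmin.log
"""

_SECTION_RE = re.compile(r"^\[([^\]\s]+)\]$")


def parse_kdc_conf(text):
    """Parse kdc.conf text into {section: {relation: values}}.

    A plain relation maps to a list of its values; a repeated relation (as
    [logging] allows) simply appends. A relation-subsection written as
    ``name = {`` ... ``}`` maps to a nested dict of the same shape. The value
    is split at the first '=' only, so values such as DEVICE=/dev/tty04 keep
    their own '='.
    """
    conf = {}
    current = None   # dict for the section being filled
    stack = []       # open relation-subsections inside the current section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            if stack:
                raise ValueError(f"line {lineno}: section header inside an open subsection")
            current = conf.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: relation before any section header")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'relation = value'")
        name, value = (part.strip() for part in line.split("=", 1))
        target = stack[-1] if stack else current
        if value == "{":
            sub = {}
            target[name] = sub
            stack.append(sub)
        else:
            target.setdefault(name, []).append(value)
    if stack:
        raise ValueError("end of file inside an open subsection")
    return conf


def realm_relations(conf, realm):
    """Return the relation dict for one realm, or an empty dict if absent."""
    return conf.get("realms", {}).get(realm, {})


if __name__ == "__main__":
    parsed = parse_kdc_conf(SAMPLE_KDC_CONF)
    for section, relations in parsed.items():
        print(f"[{section}]")
        for name, value in relations.items():
            print(f"  {name} = {value}")
```

The parser is strict on purpose: an unmatched brace, a relation outside any section, or a section header opened inside a subsection raises ValueError with the line number, which is more useful on a KDC than silently accepting a file the daemon will reject after a restart.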

FILES
       /etc/krb5/kadm5.acl

	   List of principals and their kadmin administrative privileges.

       /etc/krb5/kadm5.keytab

           Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and
           kadmin/changepw.

       /var/krb5/principal

	   Kerberos principal database.

       /var/krb5/principal.ulog

	   The update log file for incremental propagation.

       /var/krb5/kadm5.dict

	   Dictionary of strings explicitly disallowed as passwords.

       /var/krb5/kdc.log

	   KDC logging file.

       /var/krb5/kadmin.log

	   Kerberos administration server logging file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kpropd(1M), syslog(3C), kadm5.acl(4), krb5.conf(4), attributes(5),
       kerberos(5)

SunOS 5.10                  3 May 2007                    kdc.conf(4)