kdc.conf(4)




NAME

     kdc.conf - Key Distribution Center (KDC) configuration file


SYNOPSIS

     /etc/krb5/kdc.conf


DESCRIPTION

     The kdc.conf file contains  KDC  configuration  information,
     including  defaults used when issuing Kerberos tickets. This
     file must reside on all KDC  servers.  After  you  make  any
     changes  to  the kdc.conf file, stop and restart the krb5kdc
     daemon on the KDC for the changes to take effect.

     The format of the kdc.conf consists of section  headings  in
     square  brackets  ([]).  Each  section contains zero or more
     configuration variables (called relations), of the form of:

     relation = relation-value

     or

     relation-subsection = {
          relation = relation-value
          relation = relation-value
          }

     The kdc.conf file contains one  or  more  of  the  following
     three sections:

     kdcdefaults
           Contains default values for overall  behavior  of  the
           KDC.

     realms
           Contains  subsections  for  Kerberos   realms,   where
           relation-subsection  is the name of a realm. Each sub-
           section contains relations that define KDC  properties
           for that particular realm, including where to find the
           Kerberos servers for that realm.

     logging
           Contains relations that determine  how  Kerberos  pro-
           grams perform logging.

  The kdcdefaults Section
     The following relation can be defined in  the  [kdcdefaults]
     section:

     kdc_ports
           This relation lists the ports on  which  the  Kerberos
           server  should  listen  by  default.  This  list  is a
           comma-separated list of integers. If this relation  is
           not specified, the Kerberos server listens on port 750
           and port 88.

  The realms Section
     This section contains subsections for Kerberos realms, where
     relation-subsection  is the name of a realm. Each subsection
     contains relations that define KDC properties for that  par-
     ticular realm.

     The following relations can be specified in each subsection:

     acl_file
           (string) Location of the Kerberos  V5  access  control
           list  (ACL)  file  that  kadmin  uses to determine the
           privileges allowed to each principal on the  database.
           The default location is /etc/krb5/kadm5.acl.

     admin_keytab
           (string) Location of the keytab file that kadmin  uses
           to  authenticate to the database. The default location
           is /etc/krb5/kadm5.keytab.

     database_name
           (string) Location of the Kerberos  database  for  this
           realm. The default location is /var/krb5/principal.db.

     default_principal_expiration
           (absolute time string) The default expiration date  of
           principals  created in this realm. See the Time Format
           section in kinit(1) for the valid absolute  time  for-
           mats you can use for default_principal_expiration.

     default_principal_flags
           (flag string) The  default  attributes  of  principals
           created  in this realm. Some of these flags are better
           to set on an individual principal  basis  through  the
           use  of  the attribute modifiers when using the kadmin
           command to create and modify principals. However, some
           of  these  options can be applied to all principals in
           the realm by adding them to the list of flags  associ-
           ated with this relation.

            A "flag string" is a list of one or more of the  flags
            listed below, each preceded by a plus ("+") character,
            which enables the option, or a minus ("-")  character,
            which disables it.

           Flags below marked with an asterisk  ("*")  are  flags
           that are best applied on an individual principal basis
           through the kadmin or gkadmin interface rather than as
           a blanket attribute to be applied to all principals.

           postdateable
                 Create postdatable tickets.

           forwardable
                 Create forwardable tickets.

           tgt-based
                 Allow TGT-based requests.

           renewable
                 Create Renewable tickets.

           proxiable
                 Create Proxiable tickets.

           dup-skey
                  Allow DUP_SKEY requests; this  enables  user-to-
                  user authentication.

           preauth
                 Require the use of pre-authentication data when-
                 ever principals request TGTs.

           hwauth
                 Require   the   use   of   hardware-based   pre-
                 authentication  data whenever principals request
                 TGTs.

           * allow-tickets
                 Allow tickets to be issued for all principals.

           * pwdchange
                  Require principals to change their password.

           * service
                 Enable or disable a service.

           * pwservice
                 Mark principals as password changing principals.

           An example  of  default_principal_flags  is  shown  in
           EXAMPLES, below.

     dict_file
           (string) Location of the  dictionary  file  containing
           strings that are not allowed as passwords. A principal
           with any password policy is not allowed  to  select  a
           password  in  the  dictionary. The default location is
           /var/krb5/kadm5.dict.

     kadmind_port
           (port number) The port that the kadmind daemon  is  to
           listen  on  for this realm. The assigned port for kad-
           mind is 749.

     key_stash_file
           (string) Location where the master key has been stored
           (by   kdb5_util   stash).   The  default  location  is
           /var/krb5/.k5.realm,  where  realm  is  the   Kerberos
           realm.

     kdc_ports
           (string) The list of ports that the KDC listens on for
           this  realm.  By  default,  the  value of kdc_ports as
           specified in the [kdcdefaults] section is used.

     master_key_name
           (string) The name of the master key.

     master_key_type
           (key type string) The  master  key's  key  type.  Only
           des-cbc-crc is supported at this time.

     max_life
           (delta time string) The maximum time period for  which
           a  ticket  is valid in this realm. See the Time Format
           section in kinit(1) for the valid time  duration  for-
           mats you can use for max_life.

     max_renewable_life
           (delta time string) The  maximum  time  period  during
           which a valid ticket can be renewed in this realm. See
           the Time Format section in kinit(1) for the valid time
           duration formats you can use for max_renewable_life.

     supported_enctypes
           List of key/salt strings. The default key/salt  combi-
           nations  of  principals  for  this  realm.  The key is
           separated from the  salt  by  a  colon  (:).  Multiple
           key/salt strings can be used by separating each string
           with a  space.  The  salt  is  additional  information
           encoded  within the key that tells what kind of key it
           is. Only the normal salt is supported  at  this  time,
           for example, des-cbc-crc:normal.

  The logging Section
     This section indicates how Kerberos  programs  perform  log-
     ging.  The  same  relation  can  be  repeated if you want to
     assign it multiple logging methods. The following  relations
     can be defined in the [logging] section:

     kdc   Specifies how the KDC is to perform its  logging.  The
           default is FILE:/var/krb5/kdc.log.

     admin_server
           Specifies how the administration server is to  perform
           its logging. The default is FILE:/var/krb5/kadmin.log.

     default
           Specifies how to perform logging  in  the  absence  of
           explicit specifications.

     The [logging] relations can have the following values:

     FILE:filename

     or

     FILE=filename
           This value causes the entity's logging messages to  go
           to  the  specified  file. If the `=' form is used, the
           file is overwritten. If the `:' form is used, the file
           is appended to.

     STDERR
           This value sends the entity's logging messages to  its
           standard error stream.

     CONSOLE
           This value sends the entity's logging messages to  the
           console, if the system supports it.

     DEVICE=devicename
           This sends the entity's logging messages to the speci-
           fied device.

     SYSLOG[:severity[:facility]]
           This sends the entity's logging messages to the system
           log.

           The severity argument specifies the  default  severity
           of system log messages. This default can be any of the
           following severities supported by the syslog(3C) call,
           minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT,
           LOG_ERR,  LOG_WARNING,   LOG_NOTICE,   LOG_INFO,   and
           LOG_DEBUG.  For example, a value of CRIT would specify
           LOG_CRIT severity.

           The facility argument  specifies  the  facility  under
           which  the messages are logged. This can be any of the
           following facilities supported by the syslog(3C)  call
           minus  the  LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL,
           LOG_DAEMON,  LOG_AUTH,  LOG_LPR,  LOG_NEWS,  LOG_UUCP,
           LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

           If no severity is specified, the default is ERR. If no
           facility is specified, the default is AUTH.

            In the following example, the  logging  messages  from
            the  KDC go to the console and to the system log under
            the  facility  LOG_DAEMON  with  default  severity  of
            LOG_INFO; the logging messages from the administration
            server are appended to the /export/logging/kadmin.log
            file and sent to the /dev/tty04 device.

     [logging]
     kdc = CONSOLE
     kdc = SYSLOG:INFO:DAEMON
     admin_server = FILE:/export/logging/kadmin.log
     admin_server = DEVICE=/dev/tty04


EXAMPLES

     Example 1: Sample kdc.conf File

     The following is an example of a kdc.conf file:

     [kdcdefaults]
        kdc_ports = 88

     [realms]
        ATHENA.MIT.EDU = {
           kadmind_port = 749
           max_life = 10h 0m 0s
           max_renewable_life = 7d 0h 0m 0s
           default_principal_flags = +preauth,+forwardable,-postdateable
           master_key_type = des-cbc-crc
           supported_enctypes = des-cbc-crc:normal
        }

     [logging]
        kdc = FILE:/export/logging/kdc.log
        admin_server = FILE:/export/logging/kadmin.log
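
     The following Python program is added here as a worked  exam-
     ple;  it  is  not part of the kdc.conf(4) page or of SEAM. It
     parses the relation and relation-subsection grammar given  in
     DESCRIPTION,  applies a default_principal_flags string as de-
     scribed under The realms Section (each "+flag" enables and each
     "-flag"  disables  an  attribute, later items overriding ear-
     lier ones), and reports settings a reviewer  would  question:
     a  realm whose default flags omit +preauth, single-DES key or
     enctypes, a kdc_ports default that still includes  port  750,
     and  a  [logging] entry in the truncating FILE= form. The em-
     bedded sample is constructed from Example  1  above  with  one
     logging  line  changed  to  FILE=.  The  function names parse_
     kdc_conf, effective_flags and audit, the treatment of lines be-
     ginning with "#" as comments, and splitting flag strings on
     commas or whitespace are the example's own assumptions.

```python
"""Parse a kdc.conf-style file and audit a few of its security settings.
Added example, not code from the kdc.conf(4) page or from Solaris SEAM.
SAMPLE_KDC_CONF is constructed from the page's Example 1 with one logging
line switched to the truncating FILE= form; '#' comment lines are assumed."""
import re

SAMPLE_KDC_CONF = """\
[kdcdefaults]
   kdc_ports = 88

[realms]
   ATHENA.MIT.EDU = {
      kadmind_port = 749
      max_life = 10h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
      default_principal_flags = +preauth,+forwardable,-postdateable
      master_key_type = des-cbc-crc
      supported_enctypes = des-cbc-crc:normal
   }

[logging]
   kdc = FILE=/export/logging/kdc.log
   admin_server = FILE:/export/logging/kadmin.log
"""

KNOWN_FLAGS = {"postdateable", "forwardable", "tgt-based", "renewable",
               "proxiable", "dup-skey", "preauth", "hwauth", "allow-tickets",
               "pwdchange", "service", "pwservice"}


def parse_kdc_conf(text):
    """Return {section: {relation: [values]}}; a relation-subsection maps
    to its own {relation: [values]}.  Lists because [logging] may repeat."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # [section] heading
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("relation outside any section: %r" % raw)
        if line == "}":                         # closes a relation-subsection
            if sub is None:
                raise ValueError("unmatched '}'")
            sub = None
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*(.*)", line)
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        name, value = m.group(1), m.group(2).strip()
        if value == "{":                        # opens a relation-subsection
            if sub is not None:
                raise ValueError("subsections cannot nest")
            sub = name
            section.setdefault(sub, {})
            continue
        target = section[sub] if sub is not None else section
        target.setdefault(name, []).append(value)
    if sub is not None:
        raise ValueError("unterminated subsection %r" % sub)
    return conf


def effective_flags(flag_string):
    """Apply a flag string left to right: '+x' enables, '-x' disables, later
    items override earlier ones.  Split on commas/whitespace (assumption)."""
    enabled = set()
    for item in re.split(r"[,\s]+", flag_string.strip()):
        if not item:
            continue
        sign, flag = item[0], item[1:].lower()
        if sign not in "+-" or flag not in KNOWN_FLAGS:
            raise ValueError("bad flag item %r" % item)
        (enabled.add if sign == "+" else enabled.discard)(flag)
    return enabled


def audit(conf):
    """Return (severity, message) findings for a parsed kdc.conf."""
    out = []
    # Page default when kdc_ports is absent: the KDC listens on 750 and 88.
    ports = conf.get("kdcdefaults", {}).get("kdc_ports", ["750,88"])[-1]
    if "750" in [p.strip() for p in ports.split(",")]:
        out.append(("info", "KDC listens on legacy port 750 as well as 88"))
    for realm, rel in conf.get("realms", {}).items():
        if not isinstance(rel, dict):           # plain relation, not a realm
            continue
        flags = effective_flags(rel.get("default_principal_flags", [""])[-1])
        if "preauth" not in flags:
            out.append(("high", "%s: +preauth not in default flags" % realm))
        for key in ("master_key_type", "supported_enctypes"):
            if any("des-cbc-crc" in v for v in rel.get(key, [])):
                out.append(("info", "%s: %s uses single-DES" % (realm, key)))
    for entity, values in conf.get("logging", {}).items():
        for v in values:
            if v.startswith("FILE="):           # FILE= overwrites, FILE: appends
                out.append(("low", "%s: %s truncates on restart" % (entity, v)))
    return out
```

     To   check   a   live  KDC,  call  audit(parse_kdc_conf(open(
     "/etc/krb5/kdc.conf").read())). Every finding is derived only
     from  relations  this  page  documents;  the single-DES entry is
     reported as informational because the page states  des-cbc-crc
     is  the  only  master key type supported by this release, while
     a missing +preauth is rated high because without it  the  KDC
     will issue a TGT, encrypted in the user's key, to any requester.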


FILES

     /etc/krb5/kadm5.acl
           List of principals  and  their  kadmin  administrative
           privileges.

     /etc/krb5/kadm5.keytab
           Keytab for kadmin/admin Principal.

     /var/krb5/principal.db
           Kerberos principal database.

     /var/krb5/kadm5.dict
           Dictionary of strings explicitly disallowed  as  pass-
           words.

     /var/krb5/kdc.log
           KDC logging file.

     /var/krb5/kadmin.log
           Kerberos administration server logging file.


ATTRIBUTES

     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWkdcu                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO

     kpasswd(1),  gkadmin(1M),   kadmind(1M),   kadmin.local(1M),
     kdb5_util(1M),   syslog(3C),   kadm5.acl(4),  attributes(5),
     SEAM(5)

