kdc.conf(4)
NAME
kdc.conf - Key Distribution Center (KDC) configuration file
SYNOPSIS
/etc/krb5/kdc.conf
DESCRIPTION
The kdc.conf file contains KDC configuration information,
including defaults used when issuing Kerberos tickets. This
file must reside on all KDC servers. After you make any
changes to the kdc.conf file, stop and restart the krb5kdc
daemon on the KDC for the changes to take effect.
The format of the kdc.conf consists of section headings in
square brackets ([]). Each section contains zero or more
configuration variables (called relations), of the form of:
relation = relation-value
or
relation-subsection = {
relation = relation-value
relation = relation-value
}
The kdc.conf file contains one of more of the following
three sections:
kdcdefaults
Contains default values for overall behavior of the
KDC.
realms
Contains subsections for Kerberos realms, where
relation-subsection is the name of a realm. Each sub-
section contains relations that define KDC properties
for that particular realm, including where to find the
Kerberos servers for that realm.
logging
Contains relations that determine how Kerberos pro-
grams perform logging.
The kdcdefaults Section
The following relation can be defined in the [kdcdefaults]
section:
kdc_ports
This relation lists the ports on which the Kerberos
server should listen by default. This list is a
comma-separated list of integers. If this relation is
not specified, the Kerberos server listens on port 750
and port 88.
The realms Section
This section contains subsections for Kerberos realms, where
relation-subsection is the name of a realm. Each subsection
contains relations that define KDC properties for that par-
ticular realm.
The following relations can be specified in each subsection:
acl_file
(string) Location of the Kerberos V5 access control
list (ACL) file that kadmin uses to determine the
privileges allowed to each principal on the database.
The default location is /etc/krb5/kadm5.acl.
admin_keytab
(string) Location of the keytab file that kadmin uses
to authenticate to the database. The default location
is /etc/krb5/kadm5.keytab.
database_name
(string) Location of the Kerberos database for this
realm. The default location is /var/krb5/principal.db.
default_principal_expiration
(absolute time string) The default expiration date of
principals created in this realm. See the Time Format
section in kinit(1) for the valid absolute time for-
mats you can use for default_principal_expiration.
default_principal_flags
(flag string) The default attributes of principals
created in this realm. Some of these flags are better
to set on an individual principal basis through the
use of the attribute modifiers when using the kadmin
command to create and modify principals. However, some
of these options can be applied to all principals in
the realm by adding them to the list of flags associ-
ated with this relation.
A "flag string" is a list of one or more of the flags
listed below preceded by a minus ("-") or a plus ("+")
character, indicating that the option that follows
should be enabled or disabled.
Flags below marked with an asterisk ("*") are flags
that are best applied on an individual principal basis
through the kadmin or gkadmin interface rather than as
a blanket attribute to be applied to all principals.
postdateable
Create postdatable tickets.
forwardable
Create forwardable tickets.
tgt-based
Allow TGT-based requests.
renewable
Create Renewable tickets.
proxiable
Create Proxiable tickets.
dup-skey
Allow DUP_SKEY requests, this enables user-to-
user authentication.
preauth
Require the use of pre-authentication data when-
ever principals request TGTs.
hwauth
Require the use of hardware-based pre-
authentication data whenever principals request
TGTs.
* allow-tickets
Allow tickets to be issued for all principals.
* pwdchange
Require principal's to change their password.
* service
Enable or disable a service.
* pwservice
Mark principals as password changing principals.
An example of default_principal_flags is shown in
EXAMPLES, below.
dict_file
(string) Location of the dictionary file containing
strings that are not allowed as passwords. A principal
with any password policy is not allowed to select a
password in the dictionary. The default location is
/var/krb5/kadm5.dict.
kadmind_port
(port number) The port that the kadmind daemon is to
listen on for this realm. The assigned port for kad-
mind is 749.
key_stash_file
(string) Location where the master key has been stored
(by kdb5_util stash). The default location is
/var/krb5/.k5.realm, where realm is the Kerberos
realm.
kdc_ports
(string) The list of ports that the KDC listens on for
this realm. By default, the value of kdc_ports as
specified in the [kdcdefaults] section is used.
master_key_name
(string) The name of the master key.
master_key_type
(key type string) The master key's key type. Only
des-cbc-crc is supported at this time.
max_life
(delta time string) The maximum time period for which
a ticket is valid in this realm. See the Time Format
section in kinit(1) for the valid time duration for-
mats you can use for max_life.
max_renewable_life
(delta time string) The maximum time period during
which a valid ticket can be renewed in this realm. See
the Time Format section in kinit(1) for the valid time
duration formats you can use for max_renewable_life.
supported_enctypes
List of key/salt strings. The default key/salt combi-
nations of principals for this realm. The key is
separated from the salt by a colon (:). Multiple
key/salt strings can be used by separating each string
with a space. The salt is additional information
encoded within the key that tells what kind of key it
is. Only the normal salt is supported at this time,
for example, des-cbc-crc:normal.
The logging Section
This section indicates how Kerberos programs perform log-
ging. The same relation can be repeated if you want to
assign it multiple logging methods. The following relations
can be defined in the [logging] section:
kdc Specifies how the KDC is to perform its logging. The
default is FILE:/var/krb5/kdc.log.
admin_server
Specifies how the administration server is to perform
its logging. The default is FILE:/var/krb5/kadmin.log.
default
Specifies how to perform logging in the absence of
explicit specifications.
The [logging] relations can have the following values:
FILE:filename
or
FILE=filename
This value causes the entity's logging messages to go
to the specified file. If the `=' form is used, the
file is overwritten. If the `:' form is used, the file
is appended to.
STDERR
This value sends the entity's logging messages to its
standard error stream.
CONSOLE
This value sends the entity's logging messages to the
console, if the system supports it.
DEVICE=devicename
This sends the entity's logging messages to the speci-
fied device.
SYSLOG[:severity[:facility]]
This sends the entity's logging messages to the system
log.
The severity argument specifies the default severity
of system log messages. This default can be any of the
following severities supported by the syslog(3C) call,
minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT,
LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and
LOG_DEBUG. For example, a value of CRIT would specify
LOG_CRIT severity.
The facility argument specifies the facility under
which the messages are logged. This can be any of the
following facilities supported by the syslog(3C) call
minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL,
LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP,
LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
If no severity is specified, the default is ERR. If no
facility is specified, the default is AUTH.
In the following example, the logging messages from
the KDC go to the console and to the system log under
the facility LOG_DAEMON with default severity of
LOG_INFO; the logging messages from the administration
server are appended to the /var/krb5/kadmin.log file
and sent to the /dev/tty04 device.
[logging]
kdc = CONSOLE
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/export/logging/kadmin.log
admin_server = DEVICE=/dev/tty04
EXAMPLES
Example 1: Sample kdc.conf File
The following is an example of a kdc.conf file:
[kdcdefaults]
kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth,+forwardable,-postdateable
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal
}
[logging]
kdc = FILE:/export/logging/kdc.log
admin_server = FILE:/export/logging/kadmin.log
FILES
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative
privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin/admin Principal.
/var/krb5/principal.db
Kerberos principal database.
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as pass-
words.
/var/krb5/kdc.log
KDC logging file.
/var/krb5/kadmin.log
Kerberos administration server logging file.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWkdcu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M),
kdb5_util(1M), syslog(3C), kadm5.acl(4), attributes(5),
SEAM(5)
Man(1) output converted with
man2html