path: root/usr/src/man/man4/krb5.conf.4

'\" te
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KRB5.CONF 4 "May 16, 2020"
.SH NAME
krb5.conf \- Kerberos configuration file
.SH SYNOPSIS
.nf
/etc/krb5/krb5.conf
.fi

.SH DESCRIPTION
The \fBkrb5.conf\fR file contains Kerberos configuration information, including
the locations of \fBKDC\fRs and administration daemons for the Kerberos realms
of interest, defaults for the current realm and for Kerberos applications, and
mappings of host names onto Kerberos realms. This file must reside on all
Kerberos clients.
.sp
.LP
The format of the \fBkrb5.conf\fR consists of sections headings in square
brackets. Each section can contain zero or more configuration variables (called
\fIrelations\fR), of the form:
.sp
.LP
\fIrelation\fR= \fIrelation-value\fR
.sp
.LP
or
.sp
.LP
\fIrelation-subsection\fR = {
.br
.in +2
\fIrelation\fR= \fIrelation-value\fR
.in -2
.br
.in +2
\fIrelation\fR= \fIrelation-value\fR
.in -2
.sp
.LP
}
.sp
.LP
The \fBkrb5.conf\fR file can contain any or all of the following sections:
.sp
.ne 2
.na
\fB\fBlibdefaults\fR\fR
.ad
.sp .6
.RS 4n
Contains default values used by the Kerberos V5 library.
.RE

.sp
.ne 2
.na
\fB\fBappdefaults\fR\fR
.ad
.sp .6
.RS 4n
Contains subsections for Kerberos V5 applications, where
\fIrelation-subsection\fR is the name of an application. Each subsection
describes application-specific defaults.
.RE

.sp
.ne 2
.na
\fB\fBrealms\fR\fR
.ad
.sp .6
.RS 4n
Contains subsections for Kerberos realms, where \fIrelation-subsection\fR is
the name of a realm. Each subsection contains relations that define the
properties for that particular realm.
.RE

.sp
.ne 2
.na
\fB\fBdomain_realm\fR\fR
.ad
.sp .6
.RS 4n
Contains relations which map domain names and subdomains onto Kerberos realm
names. This is used by programs to determine what realm a host should be in,
given its fully qualified domain name.
.RE

.sp
.ne 2
.na
\fB\fBlogging\fR\fR
.ad
.sp .6
.RS 4n
Contains relations which determine how Kerberos programs are to perform
logging.
.RE

.sp
.ne 2
.na
\fB\fBcapaths\fR\fR
.ad
.sp .6
.RS 4n
Contains the authentication paths used with direct (nonhierarchical)
cross-realm authentication. Entries in this section are used by the client to
determine the intermediate realms which can be used in cross-realm
authentication. It is also used by the end-service when checking the transited
field for trusted intermediate realms.
.RE

.sp
.ne 2
.na
\fB\fBdbmodules\fR\fR
.ad
.sp .6
.RS 4n
Contains relations for Kerberos database plug-in-specific configuration
information.
.RE

.sp
.ne 2
.na
\fB\fBkdc\fR\fR
.ad
.sp .6
.RS 4n
For a Key Distribution Center (\fBKDC\fR), can contain the location of the
\fBkdc.conf\fR file.
.RE

.SS "The \fB[libdefaults]\fR Section"
The \fB[libdefaults]\fR section can contain any of the following relations:
.sp
.ne 2
.na
\fB\fBdatabase_module\fR\fR
.ad
.sp .6
.RS 4n
Selects the \fBdbmodule\fR section entry to use to access the Kerberos
database. If this parameter is not present the code uses the standard
\fBdb2\fR-based Kerberos database.
.RE

.sp
.ne 2
.na
\fB\fBdefault_keytab_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default keytab name to be used by application servers such as
\fBtelnetd\fR and \fBrlogind\fR. The default is \fB/etc/krb5/krb5.keytab\fR.
.RE

.sp
.ne 2
.na
\fB\fBdefault_realm\fR\fR
.ad
.sp .6
.RS 4n
Identifies the default Kerberos realm for the client. Set its value to your
Kerberos realm.
.RE

.sp
.ne 2
.na
\fB\fBdefault_tgs_enctypes\fR\fR
.ad
.sp .6
.RS 4n
Identifies the supported list of session key encryption types that should be
returned by the \fBKDC\fR. The list can be delimited with commas or whitespace.
The supported encryption types are \fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR,
\fBdes-cbc-md5\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
\fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
.RE

.sp
.ne 2
.na
\fB\fBdefault_tkt_enctypes\fR\fR
.ad
.sp .6
.RS 4n
Identifies the supported list of session key encryption types that should be
requested by the client. The format is the same as for
\fBdefault_tgs_enctypes\fR. The supported encryption types are
\fBdes3-cbc-sha1-kd\fR, \fBdes-cbc-crc\fR, \fBdes-cbc-md5\fR,
\fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
\fBaes128-cts-hmac-sha1-96\fR, and \fBaes256-cts-hmac-sha1-96\fR.
.RE

.sp
.ne 2
.na
\fB\fBclockskew\fR\fR
.ad
.sp .6
.RS 4n
Sets the maximum allowable amount of clock skew in seconds that the library
tolerates before assuming that a Kerberos message is invalid. The default value
is 300 seconds, or five minutes.
.RE

.sp
.ne 2
.na
\fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Sets the "\fBforwardable\fR" flag in all tickets. This allows users to transfer
their credentials from one host to another without reauthenticating. This
option can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section
(see below) to limit its use in particular applications or just to a specific
realm.
.RE

.sp
.ne 2
.na
\fB\fBpermitted_enctypes\fR\fR
.ad
.sp .6
.RS 4n
This relation controls the encryption types for session keys permitted by
server applications that use Kerberos for authentication. In addition, it
controls the encryption types of keys added to a \fBkeytab\fR by means of the
\fBkadmin\fR(1M) \fBktadd\fR command. The default is:
\fBaes256-cts-hmac-sha1-96\fR, \fBaes128-cts-hmac-sha1-96\fR,
\fBdes3-hmac-sha1-kd\fR, \fBarcfour-hmac-md5\fR, \fBarcfour-hmac-md5-exp\fR,
\fBdes-cbc-md5\fR, \fBdes-cbc-crc\fR.
.RE

.sp
.ne 2
.na
\fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Sets the \fBproxiable\fR flag in all tickets. This allows users to create a
proxy ticket that can be transferred to a kerberized service to allow that
service to perform some function on behalf of the original user. This option
can also be set in the \fB[appdefaults]\fR or \fB[realms]\fR section (see
below) to limit its use in particular applications or just to a specific realm.
.RE

.sp
.ne 2
.na
\fB\fBrenew_lifetime =\fR\fIlifetime\fR\fR
.ad
.sp .6
.RS 4n
Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The value
for \fIlifetime\fR must be followed immediately by one of the following
delimiters:
.sp
.ne 2
.na
\fB\fBs\fR\fR
.ad
.sp .6
.RS 4n
seconds
.RE

.sp
.ne 2
.na
\fB\fBm\fR\fR
.ad
.sp .6
.RS 4n
minutes
.RE

.sp
.ne 2
.na
\fB\fBh\fR\fR
.ad
.sp .6
.RS 4n
hours
.RE

.sp
.ne 2
.na
\fB\fBd\fR\fR
.ad
.sp .6
.RS 4n
days
.RE

Example:
.sp
.in +2
.nf
\fBrenew_lifetime = 90m\fR
.fi
.in -2
.sp

Do not mix units. A value of "\fB3h30m\fR" results in an error.
.RE

.sp
.ne 2
.na
\fB\fBmax_lifetime =\fR\fIlifetime\fR\fR
.ad
.sp .6
.RS 4n
Sets the requested maximum lifetime of the ticket. The values for
\fIlifetime\fR follow the format described for the \fBrenew_lifetime\fR option,
above.
.RE

.sp
.ne 2
.na
\fB\fBdns_lookup_kdc\fR\fR
.ad
.sp .6
.RS 4n
Indicates whether DNS SRV records need to be used to locate the KDCs and the
other servers for a realm, if they have not already been listed in the
\fB[realms]\fR section. This option makes the machine vulnerable to a certain
type of DoS attack if someone spoofs the DNS records and does a redirect to
another server. This is, however, no worse than a DoS, since the bogus KDC is
unable to decode anything sent (excepting the initial ticket request, which has
no encrypted data). Also, anything the fake KDC sends out isl not trusted
without verification (the local machine is unaware of the secret key to be
used). If \fBdns_lookup_kdc\fR is not specified but \fBdns_fallback\fR is, then
that value is used instead. In either case, values (if present) in the
\fB[realms]\fR section override DNS. \fBdns_lookup_kdc\fR is enabled by
default.
.RE

.sp
.ne 2
.na
\fB\fBdns_lookup_realm\fR\fR
.ad
.sp .6
.RS 4n
Indicates whether DNS TXT records need to be used to determine the Kerberos
realm information and/or the host/domain name-to-realm mapping of a host, if
this information is not already present in the \fBkrb5.conf\fR file. Enabling
this option might make the host vulnerable to a redirection attack, wherein
spoofed DNS replies persuade a client to authenticate to the wrong realm. In a
realm with no cross-realm trusts, this a DoS attack. If \fBdns_lookup_realm\fR
is not specified but \fBdns_fallback\fR is, then that value is used instead. In
either case, values (if present) in the \fB[libdefaults]\fR and
\fB[domain_realm]\fR sections override DNS.
.RE

.sp
.ne 2
.na
\fB\fBdns_fallback\fR\fR
.ad
.sp .6
.RS 4n
Generic flag controlling the use of DNS for retrieval of information about
Kerberos servers and host/domain name-to-realm mapping. If both
\fBdns_lookup_kdc\fR and \fBdns_lookup_realm\fR have been specified, this
option has no effect.
.RE

.sp
.ne 2
.na
\fB\fBverify_ap_req_nofail [true | false]\fR\fR
.ad
.sp .6
.RS 4n
If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
an entry for the local \fBhost\fR principal, for example,
\fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
\fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
the host principal. If undefined, the behavior is as if this option were set to
\fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
\fBDNS\fR spoofing attacks. This parameter can be in the \fB[realms]\fR section
to set it on a per-realm basis, or it can be in the \fB[libdefaults]\fR section
to make it a network-wide setting for all realms.
.RE

.SS "The \fB[appdefaults]\fR Section"
This section contains subsections for Kerberos V5 applications, where
\fIrelation-subsection\fR is the name of an application. Each subsection
contains relations that define the default behaviors for that application.
.sp
.LP
The following relations can be found in the \fB[appdefaults]\fR section, though
not all relations are recognized by all kerberized applications. Some are
specific to particular applications.
.sp
.ne 2
.na
\fB\fBautologin =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Forces the application to attempt automatic login by presenting Kerberos
credentials. This is valid for the following applications: \fBrlogin\fR,
\fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
.RE

.sp
.ne 2
.na
\fB\fBencrypt =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Forces applications to use encryption by default (after authentication) to
protect the privacy of the sessions. This is valid for the following
applications: \fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and
\fBtelnet\fR.
.RE

.sp
.ne 2
.na
\fB\fBforward =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Forces applications to forward the user'ss credentials (after authentication)
to the remote server. This is valid for the following applications:
\fBrlogin\fR, \fBrsh\fR, \fBrcp\fR, \fBrdist\fR, and \fBtelnet\fR.
.RE

.sp
.ne 2
.na
\fB\fBforwardable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
See the description in the \fB[libdefaults]\fR section above. This is used by
any application that creates a ticket granting ticket and also by applications
that can forward tickets to a remote server.
.RE

.sp
.ne 2
.na
\fB\fBproxiable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
See the description in the \fB[libdefaults]\fR section above. This is used by
any application that creates a ticket granting ticket.
.RE

.sp
.ne 2
.na
\fB\fBrenewable =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Creates a TGT that can be renewed (prior to the ticket expiration time). This
is used by any application that creates a ticket granting ticket.
.RE

.sp
.ne 2
.na
\fB\fBno_addresses =\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
Creates tickets with no address bindings. This is to allow tickets to be used
across a \fBNAT\fR boundary or when using multi-homed systems. This option is
valid in the \fBkinit\fR \fB[appdefault]\fR section only.
.RE

.sp
.ne 2
.na
\fB\fBmax_life =\fR\fIlifetime\fR\fR
.ad
.sp .6
.RS 4n
Sets the maximum lifetime of the ticket, with a total lifetime of
\fIlifetime\fR. The values for \fIlifetime\fR follow the format described in
the \fB[libdefaults]\fR section above. This option is obsolete and is removed
in a future release of the Solaris operating system.
.RE

.sp
.ne 2
.na
\fB\fBmax_renewable_life =\fR\fIlifetime\fR\fR
.ad
.sp .6
.RS 4n
Requests renewable tickets, with a total lifetime of \fIlifetime\fR. The values
for \fIlifetime\fR follow the format described in the \fB[libdefaults]\fR
section above. This option is obsolete and is removed in a future release of
the Solaris operating system.
.RE

.sp
.ne 2
.na
\fB\fBrcmd_protocol =\fR [ \fBrcmdv1\fR | \fBrcmdv2\fR ]\fR
.ad
.sp .6
.RS 4n
Specifies which Kerberized "\fBrcmd\fR" protocol to use when using the
Kerberized \fBrlogin\fR(1), \fBrsh\fR(1), \fBrcp\fR(1), or \fBrdist\fR(1)
programs. The default is to use \fBrcmdv2\fR by default, as this is the more
secure and more recent update of the protocol. However, when talking to older
\fBMIT\fR or \fBSEAM\fR-based "\fBrcmd\fR" servers, it can be necessary to
force the new clients to use the older \fBrcmdv1\fR protocol. This option is
valid only for the following applications: \fBrlogin\fR, \fBrcp\fR, \fBrsh\fR,
and \fBrdist\fR.
.RE

.sp
.LP
The following application defaults can be set to \fBtrue\fR or \fBfalse\fR:
.sp
.in +2
.nf
kinit
   forwardable = true
   proxiable = true
   renewable = true
   no_addresses = true
   max_life = \fIdelta_time\fR
   max_renewable_life = \fIdelta_time\fR
.fi
.in -2
.sp

.sp
.LP
See \fBkinit\fR(1) for the valid time duration formats you can specify for
\fIdelta_time\fR.
.sp
.LP
In the following example, \fBkinit\fR gets forwardable tickets by default and
\fBtelnet\fR has three default behaviors specified:
.sp
.in +2
.nf
[appdefaults]
   kinit = {
      forwardable = true
   }

   telnet = {
      forward = true
      encrypt = true
      autologin = true
   }
.fi
.in -2
.sp

.sp
.LP
The application defaults specified here are overridden by those specified in
the \fB[realms]\fR section.
.SS "The \fB[realms]\fR Section"
This section contains subsections for Kerberos realms, where
\fIrelation-subsection\fR is the name of a realm. Each subsection contains
relations that define the properties for that particular realm. The following
relations can be specified in each \fB[realms]\fR subsection:
.sp
.ne 2
.na
\fB\fBadmin_server\fR\fR
.ad
.sp .6
.RS 4n
Identifies the host where the Kerberos administration daemon (\fBkadmind\fR) is
running. Typically, this is the master \fBKDC\fR.
.RE

.sp
.ne 2
.na
\fB\fIapplication defaults\fR\fR
.ad
.sp .6
.RS 4n
Application defaults that are specific to a particular realm can be specified
within a \fB[realms]\fR subsection. Realm-specific application defaults
override the global defaults specified in the \fB[appdefaults]\fR section.
.RE

.sp
.ne 2
.na
\fB\fBauth_to_local_realm\fR\fR
.ad
.sp .6
.RS 4n
For use in the default realm, non-default realms can be equated with the
default realm for authenticated name-to-local name mapping.
.RE

.sp
.ne 2
.na
\fB\fBauth_to_local_names\fR\fR
.ad
.sp .6
.RS 4n
This subsection allows you to set explicit mappings from principal names to
local user names. The tag is the mapping name and the value is the
corresponding local user name.
.RE

.sp
.ne 2
.na
\fB\fBauth_to_local\fR\fR
.ad
.sp .6
.RS 4n
This tag allows you to set a general rule for mapping principal names to local
user names. It is used if there is not an explicit mapping for the principal
name that is being translated. The possible values are:
.sp
.in +2
.nf
RULE:[<ncomps>:<format>](<regex>)s/<regex>/<text>/
.fi
.in -2

Each rule has three parts:
.sp
.ne 2
.na
\fBFirst part\(emFormulate the string on which to perform operations:\fR
.ad
.sp .6
.RS 4n
If not present then the string defaults to the fully flattened principal minus
the realm name. Otherwise the syntax is as follows:
.sp
.in +2
.nf
"[" \fI<ncomps>\fR ":" \fI<format>\fR "]"
.fi
.in -2

Where:
.sp
\fI<ncomps>\fR is the number of expected components for this rule. If the
particular principal does not have this number of components, then this rule
does not apply.
.sp
\fI<format>\fR is a string of \fI<component>\fR or verbatim characters to be
inserted.
.sp
\fI<component>\fR is of the form "\fB$\fR"\fI<number>\fR to select the
\fI<number>\fRth component. \fI<number>\fR begins from 1.
.RE

.sp
.ne 2
.na
\fBSecond part\(emselect rule validity:\fR
.ad
.sp .6
.RS 4n
If not present, this rule can apply to all selections. Otherwise the syntax is
as follows:
.sp
.in +2
.nf
"(" \fI<regex>\fR ")"
.fi
.in -2

Where:
.sp
\fI<regex>\fR is a selector regular expression. If this regular expression
matches the whole pattern generated from the first part, then this rule still
applies.
.RE

.sp
.ne 2
.na
\fBThird part\(emTransform rule:\fR
.ad
.sp .6
.RS 4n
If not present, then the selection string is passed verbatim and is matched.
Otherwise, the syntax is as follows:
.sp
.in +2
.nf
\fI<rule>\fR ...
.fi
.in -2

Where:
.sp
\fI<rule>\fR is of the form:
.sp
.in +2
.nf
"s/" <regex> "/" <text> "/" ["g"]
.fi
.in -2

Regular expressions are defined in \fBregex\fR(5).
.sp
For example:
.sp
auth_to_local = RULE:[1:$1@$0](.*@.*ACME\.COM)s/@.*//
.sp
The preceding maps \fB\fIusername\fR@ACME.COM\fR and all sub-realms of
\fBACME.COM\fR to \fIusername\fR.
.RE

.sp
.ne 2
.na
\fBDEFAULT\fR
.ad
.sp .6
.RS 4n
The principal name is used as the local name. If the principal has more than
one component or is not in the default realm, this rule is not applicable and
the conversion fails.
.RE

.RE

.sp
.ne 2
.na
\fB\fBdatabase_module\fR\fR
.ad
.sp .6
.RS 4n
Selects the \fBdbmodule\fR section entry to use to access the Kerberos
database.
.RE

.sp
.ne 2
.na
\fB\fBextra_addresses\fR...\fR
.ad
.sp .6
.RS 4n
This allows a computer to use multiple local addresses, to allow Kerberos to
work in a network that uses NATs. The addresses should be in a comma-separated
list.
.RE

.sp
.ne 2
.na
\fB\fBkdc\fR\fR
.ad
.sp .6
.RS 4n
The name of a host running a \fBKDC\fR for that realm. An optional port number
(separated from the hostname by a colon) can be included.
.RE

.sp
.ne 2
.na
\fB\fBkpasswd_server\fR\fR
.ad
.sp .6
.RS 4n
Identifies the host where the Kerberos password-changing server is running.
Typically, this is the same as host indicated in the \fBadmin_server\fR. If
this parameter is omitted, the host in \fBadmin_server\fR is used. You can also
specify a port number if the server indicated by \fBkpasswd_server\fR runs on a
port other than 464 (the default). The format of this parameter is:
\fIhostname\fR[:\fIport\fR].
.RE

.sp
.ne 2
.na
\fB\fBkpasswd_protocol\fR\fR
.ad
.sp .6
.RS 4n
Identifies the protocol to be used when communicating with the server indicated
by \fBkpasswd_server\fR. By default, this parameter is defined to be
\fBRPCSEC_GSS\fR, which is the protocol used by Solaris-based administration
servers. To be able to change a principal's password stored on non-Solaris
Kerberos server, such as Microsoft Active Directory or \fBMIT\fR Kerberos, this
value should be \fBSET_CHANGE\fR. This indicates that a non-RPC- based protocol
is used to communicate the password change request to the server in the
\fBkpasswd_server\fR entry.
.RE

.sp
.ne 2
.na
\fB\fBudp_preference_limit\fR\fR
.ad
.sp .6
.RS 4n
When sending a message to the KDC, the library tries using TCP before UDP if
the size of the message is above \fBudp_preference_limit\fR. If the message is
smaller than \fBudp_preference_limit\fR, then UDP is tried before TCP.
Regardless of the size, both protocols are tried if the first attempt fails.
.RE

.sp
.ne 2
.na
\fB\fBverify_ap_req_nofail\fR [\fBtrue\fR | \fBfalse\fR]\fR
.ad
.sp .6
.RS 4n
If \fBtrue\fR, the local keytab file (\fB/etc/krb5/krb5.keytab\fR) must contain
an entry for the local \fBhost\fR principal, for example,
\fBhost/foo.bar.com@FOO.COM\fR. This entry is needed to verify that the
\fBTGT\fR requested was issued by the same \fBKDC\fR that issued the key for
the host principal. If undefined, the behavior is as if this option were set to
\fBtrue\fR. Setting this value to \fBfalse\fR leaves the system vulnerable to
\fBDNS\fR spoofing attacks. This parameter might be in the \fB[realms]\fR
section to set it on a per-realm basis, or it might be in the
\fB[libdefaults]\fR section to make it a network-wide setting for all realms.
.RE

.sp
.LP
The parameters "\fBforwardable\fR", "\fBproxiable\fR", and
"\fBrenew_lifetime\fR" as described in the \fB[libdefaults]\fR section (see
above) are also valid in the \fB[realms]\fR section.
.sp
.LP
Notice that \fBkpasswd_server\fR and \fBkpasswd_protocol\fR are realm-specific
parameters. Most often, you need to specify them only when using a
non-Solaris-based Kerberos server. Otherwise, the change request is sent over
\fBRPCSEC_GSS\fR to the Solaris Kerberos administration server.
.SS "The \fB[domain_realm]\fR Section"
This section provides a translation from a domain name or hostname to a
Kerberos realm name. The \fIrelation\fR can be a host name, or a domain name,
where domain names are indicated by a period (`\fB\&.\fR') prefix.
\fIrelation-value\fR is the Kerberos realm name for that particular host or
domain. Host names and domain names should be in lower case.
.sp
.LP
If no translation entry applies, the host's realm is considered to be the
hostname's domain portion converted to upper case. For example, the following
\fB[domain_realm]\fR section maps \fBcrash.mit.edu\fR into the
\fBTEST.ATHENA.MIT.EDU\fR realm:
.sp
.in +2
.nf
[domain_realm]
   .mit.edu = ATHENA.MIT.EDU
   mit.edu = ATHENA.MIT.EDU
   crash.mit.edu = TEST.ATHENA.MIT.EDU
   .fubar.org = FUBAR.ORG
   fubar.org = FUBAR.ORG
.fi
.in -2
.sp

.sp
.LP
All other hosts in the \fBmit.edu\fR domain maps by default to the
\fBATHENA.MIT.EDU\fR realm, and all hosts in the \fBfubar.org\fR domain maps by
default into the \fBFUBAR.ORG\fR realm. The entries for the hosts \fBmit.edu\fR
and \fBfubar.org\fR. Without these entries, these hosts would be mapped into
the Kerberos realms \fBEDU\fR and \fBORG\fR, respectively.
.SS "The \fB[logging]\fR Section"
This section indicates how Kerberos programs are to perform logging. There are
two types of relations for this section: relations to specify how to log and a
relation to specify how to rotate \fBkdc\fR log files.
.sp
.LP
The following relations can be defined to specify how to log. The same relation
can be repeated if you want to assign it multiple logging methods.
.sp
.ne 2
.na
\fB\fBadmin_server\fR\fR
.ad
.sp .6
.RS 4n
Specifies how to log the Kerberos administration daemon (\fBkadmind\fR). The
default is \fBFILE:/var/krb5/kadmin.log.\fR
.RE

.sp
.ne 2
.na
\fB\fBdefault\fR\fR
.ad
.sp .6
.RS 4n
Specifies how to perform logging in the absence of explicit specifications
otherwise.
.RE

.sp
.ne 2
.na
\fB\fBkdc\fR\fR
.ad
.sp .6
.RS 4n
Specifies how the \fBKDC\fR is to perform its logging. The default is
\fBFILE:/var/krb5/kdc.log\fR.
.RE

.sp
.LP
The \fBadmin_server\fR, \fBdefault\fR, and \fBkdc\fR relations can have the
following values:
.sp
.ne 2
.na
\fB\fBFILE:\fR\fIfilename\fR\fR
.ad
.br
.na
\fB\fBFILE=\fR\fIfilename\fR\fR
.ad
.sp .6
.RS 4n
This value causes the entity's logging messages to go to the specified file. If
the `=' form is used, the file is overwritten. If the `:' form is used, the
file is appended to.
.RE

.sp
.ne 2
.na
\fB\fBSTDERR\fR\fR
.ad
.sp .6
.RS 4n
This value causes the entity's logging messages to go to its standard error
stream.
.RE

.sp
.ne 2
.na
\fB\fBCONSOLE\fR\fR
.ad
.sp .6
.RS 4n
This value causes the entity's logging messages to go to the console, if the
system supports it.
.RE

.sp
.ne 2
.na
\fB\fBDEVICE=\fR\fIdevicename\fR\fR
.ad
.sp .6
.RS 4n
This causes the entity's logging messages to go to the specified device.
.RE

.sp
.ne 2
.na
\fB\fBSYSLOG[:\fR\fIseverity\fR\fB[:\fR\fIfacility\fR\fB]]\fR\fR
.ad
.sp .6
.RS 4n
This causes the entity's logging messages to go to the system log.
.RE

.sp
.LP
The \fIseverity\fR argument specifies the default severity of system log
messages. This can be any of the following severities supported by the
\fBsyslog\fR(3C) call, minus the \fBLOG_\fR prefix: \fBLOG_EMERG\fR,
\fBLOG_ALERT\fR, \fBLOG_CRIT\fR, \fBLOG_ERR\fR, \fBLOG_WARNING\fR,
\fBLOG_NOTICE\fR, \fBLOG_INFO\fR, and \fBLOG_DEBUG\fR. For example, a value of
\fBCRIT\fR would specify \fBLOG_CRIT\fR severity.
.sp
.LP
The \fIfacility\fR argument specifies the facility under which the messages are
logged. This can be any of the following facilities supported by the
\fBsyslog\fR(3C) call minus the \fBLOG_\fR prefix: \fBLOG_KERN\fR,
\fBLOG_USER\fR, \fBLOG_MAIL\fR, \fBLOG_DAEMON\fR, \fBLOG_AUTH\fR,
\fBLOG_LPR\fR, \fBLOG_NEWS\fR, \fBLOG_UUCP\fR, \fBLOG_CRON\fR, and
\fBLOG_LOCAL0\fR through \fBLOG_LOCAL7\fR.
.sp
.LP
If no severity is specified, the default is \fBERR\fR. If no facility is
specified, the default is \fBAUTH\fR.
.sp
.LP
The following relation can be defined to specify how to rotate \fBkdc\fR log
files if the \fBFILE:\fR value is being used to log:
.sp
.ne 2
.na
\fB\fBkdc_rotate\fR\fR
.ad
.sp .6
.RS 4n
A relation subsection that enables \fBkdc\fR logging to be rotated to multiple
files based on a time interval. This can be used to avoid logging to one file,
which might grow too large and bring the \fBKDC\fR to a halt.
.RE

.sp
.LP
The time interval for the rotation is specified by the \fBperiod\fR relation.
The number of log files to be rotated is specified by the \fBversions\fR
relation. Both the \fBperiod\fR and \fBversions\fR (described below) should be
included in this subsection. And, this subsection applies only if the \fBkdc\fR
relation has a \fBFILE:\fR value.
.sp
.LP
The following relations can be specified for the \fBkdc_rotate\fR relation
subsection:
.sp
.ne 2
.na
\fB\fB\fR\fBperiod=\fIdelta_time\fR\fR\fR
.ad
.sp .6
.RS 4n
Specifies the time interval before a new log file is created. See the
\fBTime\fR\fBFormats\fR section in \fBkinit\fR(1) for the valid time duration
formats you can specify for \fIdelta_time\fR. If \fBperiod\fR is not specified
or set to \fBnever\fR, no rotation occurs.
.RE

.sp
.LP
Specifying a time interval does not mean that the log files are rotated at the
time interval based on real time. This is because the time interval is checked
at each attempt to write a record to the log, or when logging is actually
occurring. Therefore, rotation occurs only when logging has actually occurred
for the specified time interval.
.sp
.ne 2
.na
\fB\fBversions=\fR\fInumber\fR\fR
.ad
.sp .6
.RS 4n
Specifies how many previous versions are saved before the rotation begins. A
number is appended to the log file, starting with 0 and ending with
(\fInumber\fR - 1). For example, if \fBversions\fR is set to \fB2\fR, up to
three logging files are created (\fIfilename\fR, \fIfilename\fR.0, and
\fIfilename\fR.1) before the first one is overwritten to begin the rotation.
.RE

.sp
.LP
Notice that if \fBversions\fR is not specified or set to \fB0\fR, only one log
file is created, but it is overwritten whenever the time interval is met.
.sp
.LP
In the following example, the logging messages from the Kerberos administration
daemon goes to the console. The logging messages from the \fBKDC\fR is appended
to the \fB/var/krb5/kdc.log\fR, which is rotated between twenty-one log files
with a specified time interval of a day.
.sp
.in +2
.nf
[logging]
   admin_server = CONSOLE
   kdc = FILE:/export/logging/kadmin.log
   kdc_rotate = {
      period = 1d
      versions = 20
   }
.fi
.in -2
.sp

.SS "The \fB[capaths]\fR Section"
In order to perform direct (non-hierarchical) cross-realm authentication, a
database is needed to construct the authentication paths between the realms.
This section defines that database.
.sp
.LP
A client uses this section to find the authentication path between its realm
and the realm of the server. The server uses this section to verify the
authentication path used by the client, by checking the transited field of the
received ticket.
.sp
.LP
There is a subsection for each participating realm, and each subsection has
relations named for each of the realms. The \fIrelation-value\fR is an
intermediate realm which can participate in the cross-realm authentication. The
relations can be repeated if there is more than one intermediate realm. A value
of '.' means that the two realms share keys directly, and no intermediate
realms should be allowed to participate.
.sp
.LP
There are n**2 possible entries in this table, but only those entries which is
needed on the client or the server need to be present. The client needs a
subsection named for its local realm, with relations named for all the realms
of servers it needs to authenticate with. A server needs a subsection named for
each realm of the clients it serves.
.sp
.LP
For example, \fBANL.GOV\fR, \fBPNL.GOV\fR, and \fBNERSC.GOV\fR all wish to use
the \fBES.NET\fR realm as an intermediate realm. \fBANL\fR has a sub realm of
\fBTEST.ANL.GOV\fR, which authenticates with \fBNERSC.GOV\fR but not
\fBPNL.GOV\fR. The \fB[capath]\fR section for \fBANL.GOV\fR systems would look
like this:
.sp
.in +2
.nf
[capaths]
   ANL.GOV = {
       TEST.ANL.GOV = .
       PNL.GOV = ES.NET
       NERSC.GOV = ES.NET
       ES.NET = .
   }

   TEST.ANL.GOV = {
       ANL.GOV = .
   }

   PNL.GOV = {
       ANL.GOV = ES.NET
   }

   NERSC.GOV = {
      ANL.GOV = ES.NET
   }

   ES.NET = {
      ANL.GOV = .
   }
.fi
.in -2
.sp

.sp
.LP
The \fB[capath]\fR section of the configuration file used on \fBNERSC.GOV\fR
systems would look like this:
.sp
.in +2
.nf
[capaths]
   NERSC.GOV = {
      ANL.GOV = ES.NET
      TEST.ANL.GOV = ES.NET
      TEST.ANL.GOV = ANL.GOV
      PNL.GOV = ES.NET
      ES.NET = .
   }

   ANL.GOV = {
      NERSC.GOV = ES.NET
   }

   PNL.GOV = {
      NERSC.GOV = ES.NET
   }

   ES.NET = {
      NERSC.GOV = .
   }

   TEST.ANL.GOV = {
      NERSC.GOV = ANL.GOV
      NERSC.GOV = ES.NET
   }
.fi
.in -2
.sp

.sp
.LP
In the above examples, the ordering is not important, except when the same
relation is used more than once. The client uses this to determine the path.
(It is not important to the server, since the transited field is not sorted.)
.SS "PKINIT-specific Options"
The following are \fBpkinit-specific\fR options. These values can be specified
in \fB[libdefaults]\fR as global defaults, or within a realm-specific
subsection of \fB[libdefaults]\fR, or can be specified as realm-specific values
in the \fB[realms]\fR section. A realm-specific value overrides, does not add
to, a generic \fB[libdefaults]\fR specification.
.sp
.LP
The search order is:
.RS +4
.TP
1.
realm-specific subsection of \fB[libdefaults]\fR
.sp
.in +2
.nf
          [libdefaults]
              EXAMPLE.COM = {
                  pkinit_anchors = FILE:/usr/local/example.com.crt
.fi
.in -2

.RE
.RS +4
.TP
2.
realm-specific value in the \fB[realms]\fR section
.sp
.in +2
.nf
          [realms]
              OTHERREALM.ORG = {
                  pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
.fi
.in -2

.RE
.RS +4
.TP
3.
generic value in the \fB[libdefaults]\fR section
.sp
.in +2
.nf
          [libdefaults]
              pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
.fi
.in -2

.RE
.sp
.LP
The syntax for specifying Public Key identity, trust, and revocation
information for \fBpkinit\fR is as follows:
.sp
.ne 2
.na
\fB\fBpkinit_identities\fR \fB=\fR \fIURI\fR\fR
.ad
.sp .6
.RS 4n
Specifies the location(s) to be used to find the user's X.509 identity
information.  This option can be specified multiple times. Each value is
attempted in order until identity information is found and authentication is
attempted. These values are not used if the user specifies
\fBX509_user_identity\fR on the command line.
.sp
Valid \fIURI\fR types are \fBFILE\fR, \fBDIR\fR, \fBPKCS11\fR, \fBPKCS12\fR,
and \fBENV\fR. See the \fBPKINIT URI Types\fR section for more details.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_anchors\fR \fB=\fR \fIURI\fR\fR
.ad
.sp .6
.RS 4n
Specifies the location of trusted anchor (root) certificates which the client
trusts to sign KDC certificates. This option can be specified multiple times.
These values from the \fBconfig\fR file are not used if the user specifies
\fBX509_anchors\fR on the command line.
.sp
Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR. See the \fBPKINIT URI
Types\fR section for more details.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_pool\fR \fB=\fR \fIURI\fR\fR
.ad
.sp .6
.RS 4n
Specifies the location of intermediate certificates which can be used by the
client to complete the trust chain between a KDC certificate and a trusted
anchor.  This option can be specified multiple times.
.sp
Valid \fIURI\fR types are \fBFILE\fR and \fBDIR\fR.      See the \fBPKINIT URI
Types\fR section for more details.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_revoke\fR \fB=\fR \fIURI\fR\fR
.ad
.sp .6
.RS 4n
Specifies the location of Certificate Revocation List (CRL) information to be
used by the client when verifying the validity of the KDC certificate
presented. This option can be specified multiple times.
.sp
The only valid \fIURI\fR type is \fBDIR\fR. See the \fBPKINIT URI Types\fR
section for more details.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_require_crl_checking\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
The default certificate verification process always checks the available
revocation information to see if a certificate has been revoked. If a match is
found for the certificate in a CRL, verification fails. If the certificate
being verified is not listed in a CRL, or there is no CRL present for its
issuing CA, and \fBpkinit_require_crl_checking\fR is \fBfalse\fR, then
verification succeeds. However, if \fBpkinit_require_crl_checking\fR is
\fBtrue\fR and there is no CRL information available for the issuing CA, then
verification  fails. \fBpkinit_require_crl_checking\fR should be set to
\fBtrue\fR if the policy is such that up-to-date CRLs must be present for every
CA.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_dh_min_bits\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
Specifies the size of the Diffie-Hellman key the client attempts to use. The
acceptable values are currently 1024, 2048, and 4096. The default is 2048.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_win2k\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
This flag specifies whether the target realm is assumed to support only the
old, pre-RFC version of the protocol. The default is \fBfalse\fR.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_win2k_require_binding\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
If this flag is set to \fBtrue\fR, it expects that the target KDC is patched to
return a reply with a checksum rather than a nonce. The default is \fBfalse\fR.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_eku_checking\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
This option specifies what Extended Key Usage value the KDC certificate
presented to the client must contain. If the KDC certificate has the \fBpkinit
SubjectAlternativeName\fR encoded as the Kerberos TGS name, EKU checking is not
necessary since the issuing CA has certified this as a KDC certificate. The
values recognized in the \fBkrb5.conf\fR file are:
.sp
.ne 2
.na
\fB\fBkpKDC\fR\fR
.ad
.RS 16n
This is the default value and specifies that the KDC must have the
\fBid-pkinit-KPKdc EKU\fR as defined in RFC4556.
.RE

.sp
.ne 2
.na
\fB\fBkpServerAuth\fR\fR
.ad
.RS 16n
If \fBkpServerAuth\fR is specified, a KDC certificate with the
\fBid-kp-serverAuth EKU\fR as used by Microsoft is accepted.
.RE

.sp
.ne 2
.na
\fB\fBnone\fR\fR
.ad
.RS 16n
If \fBnone\fR is specified, then the KDC certificate is not checked to verify
it has an acceptable EKU. The use of this option is not recommended.
.RE

.RE

.sp
.ne 2
.na
\fB\fBpkinit_kdc_hostname\fR \fB=\fR \fIvalue\fR\fR
.ad
.sp .6
.RS 4n
The presence of this option indicates that the client is willing to accept a
KDC certificate with a \fBdNSName\fR SAN (Subject Alternative Name) rather than
requiring the \fBid-pkinit-san\fR as defined in RFC4556. This option can be
specified multiple times. Its value should contain the acceptable hostname for
the KDC (as contained in its certificate).
.RE

.sp
.ne 2
.na
\fB\fBpkinit_cert_match\fR \fB=\fR \fIrule\fR\fR
.ad
.sp .6
.RS 4n
Specifies matching rules that the client certificate must match  before it is
used to attempt \fBpkinit\fR authentication.  If a user has multiple
certificates available (on a smart card, or by way of another media), there
must be exactly one certificate chosen before attempting \fBpkinit\fR
authentication.  This option can be specified multiple times.  All the
available certificates are checked against each rule in order until there is a
match of exactly one certificate.
.sp
The Subject and Issuer comparison strings are the RFC2253 string
representations from the certificate Subject DN and Issuer DN values.
.sp
The syntax of the matching rules is:
.sp
.in +2
.nf
[relation-operator]component-rule `...'
.fi
.in -2

where
.sp
.ne 2
.na
\fB\fIrelation-operator\fR\fR
.ad
.RS 21n
Specify \fIrelation-operator\fR as \fB&&\fR, meaning all component rules must
match,  or \fB||\fR, meaning only one component rule must match.  If
\fIrelation-operator\fR is not specified, the default is \fB&&\fR\&.
.RE

.sp
.ne 2
.na
\fB\fIcomponent-rule\fR\fR
.ad
.RS 21n
There is no punctuation or white space between component rules.Specify
\fIcomponent-rule\fR as one of the following:
.sp
.in +2
.nf
`<SUBJECT>'regular-expression

`<ISSUER>'regular-expression

`<SAN>'regular-expression

`<EKU>'extended-key-usage-list
               where extended-key-usage-list is a comma-separated list
               of required Extended Key Usage values.  All values in
               the list must be present in the certificate.
                    `pkinit'
                    `msScLogin'
                    `clientAuth'
                    `emailProtection'
`<KU>'key-usage-list
               where key-usage-list is a comma-separated list of
               required Key Usage values.  All values in the list must
               be present in the certificate.
                    `digitalSignature'
.fi
.in -2

.RE

Examples:
.sp
.in +2
.nf
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
.fi
.in -2

.RE

.SS "PKINIT URI Types"
.ne 2
.na
\fB\fBFILE:\fR\fIfile-name[,key-file-name]\fR\fR
.ad
.sp .6
.RS 4n
This option has context-specific behavior.
.sp
.ne 2
.na
\fB\fBpkinit_identities\fR\fR
.ad
.RS 21n
\fIfile-name\fR specifies the name of a PEM-format file containing the user's
certificate.  If \fIkey-file-name\fR is not specified, the user's private key
is expected to be in \fIfile-name\fR as well.  Otherwise, \fIkey-file-name\fR
is the name of the file containing the private key.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_anchors\fR\fR
.ad
.br
.na
\fB\fBpkinit_pool\fR\fR
.ad
.RS 21n
\fIfile-name\fR is assumed to be the name of an \fBOpenSSL-style ca-bundle\fR
file. The \fBca-bundle\fR file should be base-64 encoded.
.RE

.RE

.sp
.ne 2
.na
\fB\fBDIR:\fR\fIdirectory-name\fR\fR
.ad
.sp .6
.RS 4n
This option has context-specific behavior.
.sp
.ne 2
.na
\fB\fBpkinit_identities\fR\fR
.ad
.RS 21n
\fIdirectory-name\fR specifies a directory with files named \fB*.crt\fR and
\fB*.key\fR, where the first part of the file name is the same for matching
pairs of certificate and private key files. When a file with a name ending with
\&.\fBcrt\fR is found, a matching file ending with \fB\&.key\fR is assumed to
contain the private key. If no such file is found, then the certificate in the
\fB\&.crt\fR is not used.
.RE

.sp
.ne 2
.na
\fB\fBpkinit_anchors\fR\fR
.ad
.br
.na
\fB\fBpkinit_pool\fR\fR
.ad
.RS 21n
\fIdirectory-name\fR is assumed to be an OpenSSL-style hashed CA directory
where each CA cert is stored in a file named \fBhash-of-ca-cert\fR.\fI#\fR.
This infrastructure is encouraged, but all files in the directory are examined
and if they contain certificates (in PEM format), they are used.
.RE

.RE

.sp
.ne 2
.na
\fB\fBPKCS12:\fR\fIpkcs12-file-name\fR\fR
.ad
.sp .6
.RS 4n
\fIpkcs12-file-name\fR is the name of a \fBPKCS #12\fR format file, containing
the user's certificate and private key.
.RE

.sp
.ne 2
.na
\fB\fBPKCS11:[slotid=\fR\fIslot-id\fR\fB][:token=\fR\fItoken-label\fR\fB][:cert
id=\fR\fIcert-id\fR\fB][:certlabel=\fR\fIcert-label\fR\fB]\fR\fR
.ad
.sp .6
.RS 4n
All keyword/values are optional. PKCS11 modules (for example,
\fBopensc-pkcs11.so\fR) must be installed as a \fBcrypto\fR provider under
\fBlibpkcs11\fR(3LIB). \fBslotid=\fR and/or \fBtoken=\fR can be specified to
force the use of a particular smart card reader or token if there is more than
one available. \fBcertid=\fR and/or \fBcertlabel=\fR can be specified to force
the selection of a particular certificate on the device. See the
\fBpkinit_cert_match\fR configuration option for more ways to select a
particular certificate to use for \fBpkinit\fR.
.RE

.sp
.ne 2
.na
\fB\fBENV:\fR\fIenvironment-variable-name\fR\fR
.ad
.sp .6
.RS 4n
\fIenvironment-variable-name\fR specifies the name of an environment variable
which has been set to a value conforming to one of the previous values. For
example, \fBENV:X509_PROXY\fR, where environment variable \fBX509_PROXY\fR has
been set to \fBFILE:/tmp/my_proxy.pem\fR.
.RE

.SS "The \fB[dbmodules]\fR Section"
This section consists of relations that provide configuration information for
plug-in modules. In particular, the relations describe the configuration for
LDAP KDB plug-in. Use of the \fBdb2\fR KDB plug-in is the default behavior and
that this section does not need to be filled out in that case.
.sp
.ne 2
.na
\fB\fBdb_library\fR\fR
.ad
.sp .6
.RS 4n
Name of the plug-in library. To use the LDAP KDB plug-in the name must be
\fBkdb_ldap\fR. The default value is \fBdb2\fR.
.RE

.sp
.ne 2
.na
\fB\fBdb_module_dir\fR\fR
.ad
.sp .6
.RS 4n
Path to the plug-in libraries. The default is \fB/usr/lib/krb5\fR.
.RE

.sp
.ne 2
.na
\fB\fBldap_cert_path\fR\fR
.ad
.sp .6
.RS 4n
Path to the Network Security Services (NSS) trusted database for an SSL
connection. This is a required parameter when using the LDAP KDB plug-in.
.RE

.sp
.ne 2
.na
\fB\fBldap_conns_per_server\fR\fR
.ad
.sp .6
.RS 4n
Number of connections per LDAP instance. The default is \fB5\fR.
.RE

.sp
.ne 2
.na
\fB\fBldap_kadmind_dn\fR\fR
.ad
.sp .6
.RS 4n
Bind DN for \fBkadmind\fR. This specifies the DN that the \fBkadmind\fR service
uses when binding to the LDAP Directory Server. The password for this bind DN
should be in the \fBldap_service_password_file\fR.
.RE

.sp
.ne 2
.na
\fB\fBldap_kdc_dn\fR\fR
.ad
.sp .6
.RS 4n
Bind DN for a Key Distribution Center (KDC). This specifies the DN that the
\fBkrb5kdc\fR service use when binding to the LDAP Directory Server. The
password for this bind DN should be in the \fBldap_service_password_file\fR.
.RE

.sp
.ne 2
.na
\fB\fBldap_servers\fR\fR
.ad
.sp .6
.RS 4n
List of LDAP directory servers in URI format. Use of either of the following is
acceptable.
.sp
.in +2
.nf
ldap://\fI<ds hostname>\fR:\fI<SSL port>\fR
ldap://\fI<ds hostname>\fR
.fi
.in -2
.sp

Each server URI should be separated by whitespace.
.RE

.sp
.ne 2
.na
\fB\fBldap_service_password_file\fR\fR
.ad
.sp .6
.RS 4n
File containing stashed passwords used by the KDC when binding to the LDAP
Directory Server. The default is \fB/var/krb5/service_passwd\fR. This file is
created using \fBkdb5_ldap_util\fR(1M).
.RE

.sp
.ne 2
.na
\fB\fBldap_ssl_port\fR\fR
.ad
.sp .6
.RS 4n
Port number for SSL connection with directory server. The default is \fB389\fR.
.RE

.SH EXAMPLES
\fBExample 1 \fRSample File
.sp
.LP
The following is an example of a generic \fBkrb5.conf\fR file:

.sp
.in +2
.nf
[libdefaults]
   default_realm = ATHENA.MIT.EDU
   default_tkt_enctypes = des-cbc-crc
   default_tgs_enctypes = des-cbc-crc

[realms]
   ATHENA.MIT.EDU = {
      kdc = kerberos.mit.edu
      kdc = kerberos-1.mit.edu
      kdc = kerberos-2.mit.edu
      admin_server = kerberos.mit.edu
      auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
   }

   FUBAR.ORG = {
      kdc = kerberos.fubar.org
      kdc = kerberos-1.fubar.org
      admin_server = kerberos.fubar.org
  }

[domain_realm]
   .mit.edu = ATHENA.MIT.EDU
   mit.edu = ATHENA.MIT.EDU
.fi
.in -2
.sp

.LP
\fBExample 2 \fRKDC Using the LDAP KDB plug-in, \fBrealms\fR and
\fBdbmodules\fR Sections
.sp
.LP
The following is an example of the \fBrealms\fR and \fBdbmodules\fR sections of
a Kerberos configuration file when the KDC is using the LDAP KDB plug-in.

.sp
.in +2
.nf
[realms]
    SUN.COM = {
        kdc = kc-umpk-01.athena.mit.edu
        kdc = kc-umpk-02.athena.mit.edu
        admin_server = kc-umpk-01.athena.mit.edu
        database_module = LDAP
    }

[dbmodules]
    LDAP = {
        db_library = kdb_ldap
        ldap_kerberos_container_dn = "cn=krbcontainer,dc=mit,dc=edu"
        ldap_kdc_dn = "cn=kdc service,ou=profile,dc=mit,dc=edu"
        ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=mit,dc=edu"
        ldap_cert_path = /var/ldap
        ldap_servers = ldaps://ds.mit.edu
    }
.fi
.in -2
.sp

.SH FILES
.ne 2
.na
\fB\fB/var/krb5/kdc.log\fR\fR
.ad
.sp .6
.RS 4n
\fBKDC\fR logging file
.RE

.SH ATTRIBUTES
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below.
.TE

.sp
.LP
All of the keywords are Committed, except for the \fBPKINIT\fR keywords, which
are Volatile.
.SH SEE ALSO
\fBkinit\fR(1), \fBrcp\fR(1), \fBrdist\fR(1), \fBrlogin\fR(1), \fBrsh\fR(1),
\fBtelnet\fR(1), \fBsyslog\fR(3C), \fBattributes\fR(5), \fBkerberos\fR(5),
\fBregex\fR(5)
.SH NOTES
If the \fBkrb5.conf\fR file is not formatted properly, the \fBtelnet\fR command
fails. However, the \fBdtlogin\fR and \fBlogin\fR commands still succeed, even
if the \fBkrb5.conf\fR file is specified as required for the commands. If this
occurs, the following error message is displayed:
.sp
.in +2
.nf
Error initializing krb5: Improper format of \fIitem\fR
.fi
.in -2
.sp

.sp
.LP
To bypass any other problems that might occur, you should fix the file as soon
as possible.
.sp
.LP
The \fBmax_life\fR and \fBmax_renewable_life\fR options are obsolete and is
removed in a future release of the Solaris operating system.