kdc.conf(4)                      File Formats                      kdc.conf(4)



NAME
       kdc.conf - Key Distribution Center (KDC) configuration file

SYNOPSIS
       /etc/krb5/kdc.conf

DESCRIPTION
       The  kdc.conf  file  contains  KDC configuration information, including
       defaults used when issuing Kerberos tickets. This file must  reside  on
       all  KDC servers. After you make any changes to the kdc.conf file, stop
       and restart the krb5kdc daemon on the  KDC  for  the  changes  to  take
       effect.

       The format of the kdc.conf consists of section headings in square
       brackets ([]). Each section contains zero or more configuration
       variables (called relations), of the form:

       relation = relation-value

       or

       relation-subsection = {
            relation = relation-value
            relation = relation-value
            }

       The kdc.conf file contains one or more of the following three sections:

       kdcdefaults

           Contains default values for overall behavior of the KDC.



       realms

           Contains subsections for Kerberos realms, where relation-subsection
           is the name of a realm. Each  subsection  contains  relations  that
           define KDC properties for that particular realm, including where to
           find the Kerberos servers for that realm.



       logging

           Contains relations that determine  how  Kerberos  programs  perform
           logging.



   The kdcdefaults Section
       The following relations can be defined in the [kdcdefaults] section:

       kdc_ports

           This  relation  lists  the  UDP  ports on which the Kerberos server
           should listen by default. This list is a  comma-separated  list  of
           integers.  Note  that,  if  the  assigned  value is 0, the Kerberos
           server will not listen on any UDP port. If  this  relation  is  not
           specified, the Kerberos server listens on port 750 and port 88.



       kdc_tcp_ports

           This relation lists the TCP ports on which the Kerberos server
           should listen by default. This list is a comma-separated list of
           integers. Note that, if the assigned value is 0, the Kerberos
           server will not listen on any TCP port. If this relation is not
           specified, the Kerberos server will listen on the kdc TCP port
           specified in /etc/services. If this port is not found in
           /etc/services the Kerberos server will default to listen on TCP
           port 88.



       kdc_max_tcp_connections

           This  relation  controls  the maximum number of TCP connections the
           KDC will allow. Note, the minimum value is 10. If this relation  is
           not  specified,  the Kerberos server will allow a maximum of 30 TCP
           connections.



   The realms Section
       This section contains subsections for Kerberos realms, where  relation-
       subsection  is  the name of a realm. Each subsection contains relations
       that define KDC properties for that particular realm.

       The following relations can be specified in each subsection:

       acl_file

           (string) Location of the Kerberos V5 access control list (ACL) file
           that  kadmin uses to determine the privileges allowed to each prin-
           cipal on the database. The default location is /etc/krb5/kadm5.acl.



       admin_keytab

           (string) Location of the keytab file that kadmin uses to
           authenticate to the database. The default location is
           /etc/krb5/kadm5.keytab.



       database_name

           (string) Location of the Kerberos  database  for  this  realm.  The
           default location is /var/krb5/principal.



       default_principal_expiration

           (absolute time string) The default expiration date of principals
           created in this realm. See the Time Format section in kinit(1)
           for the valid absolute time formats you can use for
           default_principal_expiration.



       default_principal_flags

           (flag string) The default attributes of principals created in  this
           realm. Some of these flags are better to set on an individual prin-
           cipal basis through the use of the attribute modifiers  when  using
           the  kadmin  command to create and modify principals. However, some
           of these options can be applied to all principals in the  realm  by
           adding them to the list of flags associated with this relation.

           A "flag string" is a list of one or more of the flags listed below,
           each preceded by a plus ("+") or a minus ("-") character,
           indicating respectively that the flag that follows should be
           enabled or disabled.

           Flags  below  marked with an asterisk ("*") are flags that are best
           applied on an individual principal  basis  through  the  kadmin  or
           gkadmin  interface rather than as a blanket attribute to be applied
           to all principals.


           postdateable            Create postdatable tickets.




           forwardable             Create forwardable tickets.



           tgt-based               Allow TGT-based requests.



            renewable               Create renewable tickets.



            proxiable               Create proxiable tickets.



            dup-skey                Allow DUP_SKEY requests; this enables user-
                                    to-user authentication.



           preauth                 Require  the use of pre-authentication data
                                   whenever principals request TGTs.



           hwauth                  Require  the  use  of  hardware-based  pre-
                                   authentication   data  whenever  principals
                                   request TGTs.



           * allow-tickets         Allow tickets to be issued for all  princi-
                                   pals.



            * pwdchange             Require principals to change their
                                    password.



           * service               Enable or disable a service.



           * pwservice             Mark principals as password changing  prin-
                                   cipals.


           An example of default_principal_flags is shown in EXAMPLES, below.


       dict_file

           (string)  Location  of  the dictionary file containing strings that
           are not allowed as passwords. A principal with any password  policy
           is  not allowed to select a password in the dictionary. The default
           location is /var/krb5/kadm5.dict.



       kadmind_port

           (port number) The port that the kadmind daemon is to listen on  for
           this realm. The assigned port for kadmind is 749.



       key_stash_file

           (string)  Location  where  the  master  key  has  been  stored  (by
           kdb5_util stash).  The  default  location  is  /var/krb5/.k5.realm,
           where realm is the Kerberos realm.



       kdc_ports

           (string)  The  list  of  UDP ports that the KDC listens on for this
           realm. By default, the value  of  kdc_ports  as  specified  in  the
           [kdcdefaults] section is used.



       kdc_tcp_ports

           (string) The list of TCP ports that the KDC listens on (in addition
           to the UDP ports specified by kdc_ports) for this realm. By
           default, the value of kdc_tcp_ports as specified in the
           [kdcdefaults] section is used.



       master_key_name

           (string) The name of the master key.



       master_key_type

           (key type string) The master key's key type. This is used to
           determine the type of encryption that will encrypt the entries in
           the principal db. des-cbc-crc, des3-cbc-sha1, arcfour-hmac-md5,
           arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and
           aes256-cts-hmac-sha1-96 are supported at this time (des-cbc-crc is
           the default). Note, if you set this to des3-cbc-sha1, all systems
           that receive copies of the principal db, such as those running
           slave KDCs, must support des3-cbc-sha1.



       max_life

           (delta  time  string) The maximum time period for which a ticket is
           valid in this realm. See the Time Format section  in  kinit(1)  for
           the valid time duration formats you can use for max_life.



       max_renewable_life

           (delta  time  string)  The maximum time period during which a valid
           ticket can be renewed in this realm. See the Time Format section in
           kinit(1)  for  the  valid  time  duration  formats  you can use for
           max_renewable_life.



       sunw_dbprop_enable = [true | false]

           Enable or disable  incremental  database  propagation.  Default  is
           false.



       sunw_dbprop_master_ulogsize = N

           Specifies the maximum number of log entries available for incremen-
           tal propagation to the slave KDC servers. The  maximum  value  that
           this can be is 2500 entries. Default value is 1000 entries.



       sunw_dbprop_slave_poll = N[s, m, h]

           Specifies  how  often  the slave KDC polls for new updates that the
           master might have. Default is 2m (two minutes).



       supported_enctypes

           List of key/salt strings. The default key/salt combinations of
           principals for this realm. The key is separated from the salt by a
           colon (:) or period (.). Multiple key/salt strings can be used by
           separating each string with a space. The salt is additional
           information encoded within the key that tells what kind of key it
           is. Only the normal salt is supported at this time, for example,
           des-cbc-crc:normal. If you do not want to enable triple-DES
           support, you should set this tag to des-cbc-md5:normal
           des-cbc-crc:normal. Note that, if this relation is not specified,
           the default setting is:


           aes256-cts-hmac-sha1-96:normal \ (see note below)
           aes128-cts-hmac-sha1-96:normal \
           des3-cbc-sha1:normal \
           arcfour-hmac-md5:normal \
           des-cbc-md5:normal \
           des-cbc-crc:normal



           Note -  The   unbundled   Strong  Cryptographic  packages  must  be
                   installed for the aes256-cts-hmac-sha1-96:normal enctype to
                   be available for Kerberos.



   The logging Section
       This  section indicates how Kerberos programs perform logging. The same
       relation can be repeated if you want  to  assign  it  multiple  logging
       methods.  The  following relations can be defined in the [logging] sec-
       tion:

       kdc

           Specifies how the KDC is to perform its  logging.  The  default  is
           FILE:/var/krb5/kdc.log.



       admin_server

           Specifies  how the administration server is to perform its logging.
           The default is FILE:/var/krb5/kadmin.log.



       default

           Specifies how to perform logging in the absence of explicit  speci-
           fications.



       The [logging] relations can have the following values:

       FILE:filename

       or

       FILE=filename

           This value causes the entity's logging messages to go to the speci-
           fied file. If the `=' form is used, the file is overwritten. If the
           `:' form is used, the file is appended to.



       STDERR

           This  value  sends  the  entity's  logging messages to its standard
           error stream.



       CONSOLE

           This value sends the entity's logging messages to the  console,  if
           the system supports it.



       DEVICE=devicename

           This sends the entity's logging messages to the specified device.



       SYSLOG[:severity[:facility]]

           This sends the entity's logging messages to the system log.

           The  severity argument specifies the default severity of system log
           messages. This default can be any of the following severities  sup-
           ported  by  the  syslog(3C) call, minus the LOG_ prefix: LOG_EMERG,
           LOG_ALERT, LOG_CRIT, LOG_ERR,  LOG_WARNING,  LOG_NOTICE,  LOG_INFO,
           and  LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT
           severity.

           The facility argument specifies the facility under which  the  mes-
           sages  are logged. This can be any of the following facilities sup-
           ported by the syslog(3C) call  minus  the  LOG_  prefix:  LOG_KERN,
           LOG_USER,   LOG_MAIL,   LOG_DAEMON,  LOG_AUTH,  LOG_LPR,  LOG_NEWS,
           LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

           If no severity is specified, the default is ERR. If no facility  is
           specified, the default is AUTH.

           In  the  following example, the logging messages from the KDC go to
           the console and to the system log  under  the  facility  LOG_DAEMON
           with  default  severity  of LOG_INFO; the logging messages from the
           administration server are appended to the /var/krb5/kadmin.log file
           and sent to the /dev/tty04 device.


           [logging]
           kdc = CONSOLE
           kdc = SYSLOG:INFO:DAEMON
           admin_server = FILE:/export/logging/kadmin.log
           admin_server = DEVICE=/dev/tty04
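
       As an added example (not part of this manual page or of the Kerberos
       code), the following decodes the [logging] values described above,
       applying the documented defaults (ERR severity, AUTH facility) and
       rejecting severities or facilities outside the syslog(3C) sets listed.
       The sample pairs are constructed from the example above; the
       dictionary shape returned is this example's own assumption.

```python
# Severities and facilities accepted by syslog(3C), without the LOG_ prefix.
SEVERITIES = {"EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"}
FACILITIES = {"KERN", "USER", "MAIL", "DAEMON", "AUTH", "LPR", "NEWS", "UUCP",
              "CRON"} | {"LOCAL%d" % i for i in range(8)}

def parse_logging_value(value):
    """Decode one [logging] relation value into a dict describing the log sink."""
    value = value.strip()
    if value[:5] in ("FILE:", "FILE="):
        path = value[5:]
        if not path:
            raise ValueError("FILE needs a filename: %r" % value)
        # ':' appends to the file; '=' overwrites it.
        return {"sink": "file", "path": path, "append": value[4] == ":"}
    if value in ("STDERR", "CONSOLE"):
        return {"sink": value.lower()}
    if value.startswith("DEVICE="):
        path = value[len("DEVICE="):]
        if not path:
            raise ValueError("DEVICE needs a device name: %r" % value)
        return {"sink": "device", "path": path}
    if value == "SYSLOG" or value.startswith("SYSLOG:"):
        parts = value.split(":")
        if len(parts) > 3:
            raise ValueError("SYSLOG takes at most severity and facility: %r" % value)
        severity = parts[1] if len(parts) > 1 and parts[1] else "ERR"   # documented default
        facility = parts[2] if len(parts) > 2 and parts[2] else "AUTH"  # documented default
        if severity not in SEVERITIES:
            raise ValueError("unknown syslog severity %r" % severity)
        if facility not in FACILITIES:
            raise ValueError("unknown syslog facility %r" % facility)
        return {"sink": "syslog", "severity": "LOG_" + severity,
                "facility": "LOG_" + facility}
    raise ValueError("unrecognised [logging] value: %r" % value)

# Constructed sample: the [logging] example above as (relation, value) pairs.
SAMPLE_LOGGING = [
    ("kdc", "CONSOLE"),
    ("kdc", "SYSLOG:INFO:DAEMON"),
    ("admin_server", "FILE:/export/logging/kadmin.log"),
    ("admin_server", "DEVICE=/dev/tty04"),
]

def logging_sinks(pairs):
    """Group decoded sinks by entity (kdc, admin_server, default), in listed order."""
    sinks = {}
    for entity, value in pairs:
        sinks.setdefault(entity, []).append(parse_logging_value(value))
    return sinks
```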



EXAMPLES
       Example 1: Sample kdc.conf File

       The following is an example of a kdc.conf file:

       [kdcdefaults]
          kdc_ports = 88

       [realms]
          ATHENA.MIT.EDU = {
             kadmind_port = 749
             max_life = 10h 0m 0s
             max_renewable_life = 7d 0h 0m 0s
             default_principal_flags = +preauth,+forwardable,-postdateable
             master_key_type = des-cbc-crc
             supported_enctypes = des-cbc-crc:normal
          }

       [logging]
          kdc = FILE:/export/logging/kdc.log
          admin_server = FILE:/export/logging/kadmin.log
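
       As an added example (not part of this manual page or of the Solaris
       Kerberos code), the following parses the section/relation/subsection
       format given in DESCRIPTION and the flag strings of
       default_principal_flags, run over a constructed sample derived from
       Example 1. Repeated relations are kept in order because [logging]
       allows a relation to be listed more than once; the nested dictionary
       layout is this example's own assumption.

```python
import re

# Constructed sample based on Example 1 of this page, with a repeated
# [logging] relation added to show a multi-valued relation.
SAMPLE = """\
[kdcdefaults]
   kdc_ports = 88
[realms]
   ATHENA.MIT.EDU = {
      default_principal_flags = +preauth,+forwardable,-postdateable
      master_key_type = des-cbc-crc
   }
[logging]
   kdc = FILE:/export/logging/kdc.log
   kdc = SYSLOG:INFO:DAEMON
"""

def parse_kdc_conf(text):
    """Return {section: {relation: [values]}}; a relation-subsection is a nested dict."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):    # [section] heading
            section, sub = conf.setdefault(line[1:-1], {}), None
            continue
        if line == "}":                                     # closes relation-subsection
            sub = None
            continue
        name, eq, value = (s.strip() for s in line.partition("="))
        if section is None or not eq or not name:
            raise ValueError("expected '[section]' or 'relation = value': %r" % raw)
        if value == "{":                                    # opens relation-subsection
            sub = section.setdefault(name, {})
            continue
        # A relation may be repeated (e.g. in [logging]); values are kept in order.
        (sub if sub is not None else section).setdefault(name, []).append(value)
    return conf

def parse_flag_string(flags):
    """Split a flag string such as '+preauth,-postdateable' into (enabled, disabled)."""
    enabled, disabled = set(), set()
    for tok in filter(None, re.split(r"[,\s]+", flags)):
        if tok[0] not in "+-" or len(tok) < 2:
            raise ValueError("each flag must be preceded by '+' or '-': %r" % tok)
        (enabled if tok[0] == "+" else disabled).add(tok[1:])
    return enabled, disabled
```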


FILES
       /etc/krb5/kadm5.acl

           List of principals and their kadmin administrative privileges.



       /etc/krb5/kadm5.keytab

           Keytab for kadmin/admin Principal.



       /var/krb5/principal

           Kerberos principal database.



       /var/krb5/principal.ulog

           The update log file for incremental propagation.



       /var/krb5/kadm5.dict

           Dictionary of strings explicitly disallowed as passwords.



       /var/krb5/kdc.log

           KDC logging file.



       /var/krb5/kadmin.log

           Kerberos administration server logging file.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE                ATTRIBUTE VALUE
       Availability                  SUNWkdcu
       Interface Stability           Evolving


SEE ALSO
       kpasswd(1),  gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kpropd(1M), syslog(3C), kadm5.acl(4), attributes(5), SEAM(5)



SunOS 5.10                        16 Jun 2004                      kdc.conf(4)