krb5.conf.4 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

krb5.conf(4) krb5.conf(4)

NAME

krb5.conf - Kerberos conﬁguration ﬁle

DESCRIPTION

The conﬁguration ﬁle,

krb5.conf, contains information needed by the Kerberos V5 library. This

includes information describing the default Kerberos realm and the location of the Kerberos key distribu-

tion centers for known realms.

The

krb5.conf ﬁle uses an INI-style format. Sections are delimited by square brackets,

[].Within

each section, there are relations where tags can be assigned to have speciﬁc values. Tags can also contain

a subsection, which contains further relations or subsections. A tag can be assigned with multiple values.

Here is an example of the INI-style format used by

krb5.conf:

[section1]

tag1 = value_a

tag1 = value_b

tag2 = value_c

[section2]

tag3 = {

subtag1 = subtag_value_a

subtag1 = subtag_value_b

subtag2 = subtag_value_c

}

tag4 = {

subtag1 = subtag_value_d

subtag2 = subtag_value_e

}

The following sections are currently used in the krb5.conf ﬁle. Each will be explained in more details.

[libdefaults] Contains various default values used by the Kerberos V5 library.

[appdefaults] Contains default values used by Kerberos V5 applications.

[login] Contains default values used by the Kerberos V5 login program, login.krb5.

(Note: The Kerberized login program is not delivered as part of this product.)

[realms] Contains Kerberos realm names which describe where to ﬁnd the Kerberos servers

for a particular realm and other realm-speciﬁc information.

[domain_realm] Contains relations which map subdomains and domain names to Kerberos realm

names. This is used by programs to determine what realm a host should be in,

given its fully qualiﬁed domain name.

[logging] Contains relations which determine how Kerberos entities are to perform their log-

ging.

[capaths] Contains the authentication paths used with non-hierarchical cross-realm. Entries

in this section are used by the client to determine the intermediate realms which

may be used in cross-realm authentication. It is also used by the end-service for

checking the transited ﬁeld for trusted intermediate realms.

libdefaults Section

The following relations are deﬁned in the

[libdefaults] section:

default_keytab_name

Speciﬁes the default keytab name to be used by application severs such as telnetd

and rlogind. The default is /etc/krb5.keytab. This formerly defaulted to

/etc/v5srvtab.

default_realm Identiﬁes the default realm to be used in a client host’s Kerberos activity.

default_tgs_enctypes

Identiﬁes the supported list of session key encryption types that should be

returned by the Key Distribution Center. The list may be delimited with commas

or white spaces. See kerberos(5) for a list of supported encryption types for this

tag.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (8 pages)

PAGE 1
krb5.conf(4) krb5.conf(4) NAME krb5.conf - Kerberos configuration file DESCRIPTION The configuration file, krb5.conf, contains information needed by the Kerberos V5 library. This includes information describing the default Kerberos realm and the location of the Kerberos key distribution centers for known realms. The krb5.conf file uses an INI-style format. Sections are delimited by square brackets, [ ]. Within each section, there are relations where tags can be assigned to have specific values.
PAGE 2
krb5.conf(4) krb5.conf(4) default_tkt_enctypes Identifies the supported list of session key encryption types that should be requested by the client, in the same format. See kerberos(5) for a list of supported encryption types for this tag. permitted_enctypes Identifies the permitted list of session key encryption types. See kerberos(5) for a list of supported encryption types for this tag.
PAGE 3
krb5.conf(4) krb5.conf(4) forwardable If this flag is set, initial tickets by default will be forwardable. The default value for this flag is false. proxiable If this flag is set, initial tickets by default will be proxiable. The default value for this flag is false. appdefaults Section Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application(s).
PAGE 4
krb5.conf(4) krb5.conf(4) password sync mechanism from the secondary to the Master server. This occurs in the following cases: • The secondary server is listed above the primary. In this case the admin_server will find the secondary server first and update the password on the secondary server. • If none of the servers listed above the secondary server respond, then admin_server will update the password on the secondary. default_domain Identifies the default domain for the hosts in the realm.
PAGE 5
krb5.conf(4) krb5.conf(4) SYSLOG[:severity[:facility ] ] This causes the entity’s logging messages to go to the system log. The severity argument specifies the default severity of system log messages. This may be any of the following severities mentioned below supported by the syslog() call (see syslog (3C)). The supported arguments are: LOG_ALERT LOG_CRIT LOG_DEBUG LOG_EMERG LOG_INFO LOG_NOTICE LOG_ERR LOG_WARNING For example, to specify LOG_CRIT severity, you would use CRIT for severity .
PAGE 6
krb5.conf(4) krb5.conf(4) NERSC.GOV = ES.NET ES.NET = . } TEST.ANL.GOV = { ANL.GOV = } PNL.GOV = { ANL.GOV = } NERSC.GOV = { ANL.GOV = } ES.NET = { ANL.GOV = } . ES.NET ES.NET . The [capaths] section of the configuration file used on NERSC.GOV systems would look like this: A [capaths] NERSC.GOV = { ANL.GOV = ES.NET TEST.ANL.GOV = ES.NET TEST.ANL.GOV = ANL.GOV PNL.GOV = ES.NET ES.NET = . } ANL.GOV = { NERSC.GOV = ES.NET } PNL.GOV = { NERSC.GOV = ES.NET } ES.NET = { NERSC.GOV = . } TEST.ANL.
PAGE 7
krb5.conf(4) krb5.conf(4) AUTHOR krb5.conf was developed by the Massachusetts Institute of Technology. SEE ALSO syslog(3C), kerberos(5), ldapux(5).
PAGE 8
(Notes) A (Notes) kA 8 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010