HP-UX Reference (11i v1 05/09) - 4 File Formats (vol 8)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

161

162

163

164

165

166

167

168

169

170

krb5.conf(4) krb5.conf(4)

LOG_ALERT LOG_CRIT LOG_DEBUG LOG_ERR

LOG_EMERG LOG_INFO LOG_NOTICE LOG_WARNING

For example, to specify LOG_CRIT severity, one would use

CRIT for severity. The LOG_ preﬁx is

deleted.

The

facility argument speciﬁes the facility under which the messages are logged. This may be any of

the following facilities supported by the syslog()

call (see syslog(3C)). The supported arguments are:

LOG_KERN, LOG_USER , LOG_MAIL, LOG_DAEMON

, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP,

LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7 .

If no severity is speciﬁed, the default is ERR. If no

facility is speciﬁed, the default is AUTH.

In the following example, the logging messages from the Key Distribution Center will go to the console and

to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; and the logging

messages from the administrative server will be appended to the ﬁle /var/adm/kadmin.log and sent to the

device /dev/tty04.

[logging]

kdc = CONSOLE

kdc = SYSLOG:INFO:DAEMON

admin_server = FILE:/var/adm/kadmin.log

admin_server = DEVICE=/dev/tty04

capaths Section

Cross-realm authentication is typically organized hierarchically. This hierarchy is based on the name of the

realm. Hence, restrictions are imposed on the choice of realm names and on who may participate in a

cross-realm authentication. A non hierarchical organization may be used, but requires a database to con-

struct the authentication paths between the realms. This section deﬁnes that database.

A client will use this section to ﬁnd the authentication path between its realm and the realm of the server.

The server will use this section to verify the authentication path used by the client, by checking the tran-

sited ﬁeld of the received ticket.

There is a tag name for every participating realm. Each tag has subtags for each of the realms. The value of

the subtags is an intermediate realm which may participate in the cross-realm authentication. The subtags

may be repeated if there is more then one intermediate realm. A value of "." means that the two realms

share keys directly, and no intermediate realms should be allowed to participate.

There are n**2 possible entries in this table, but only those entries which will be needed on the client or the

server need to be present. The client needs a tag for its local realm, with subtags for all the realms of

servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve.

For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermediate

realm. ANL has a sub realm of TEST.ANL.GOV which will authenticate with NERSC.GOV but not

PNL.GOV. The [capaths] section for ANL.GOV systems would look like this:

[capaths]

ANL.GOV = {

TEST.ANL.GOV = .

PNL.GOV = ES.NET

NERSC.GOV = ES.NET

ES.NET = .

}

TEST.ANL.GOV = {

ANL.GOV = .

}

PNL.GOV = {

ANL.GOV = ES.NET

}

NERSC.GOV = {

ANL.GOV = ES.NET

}

ES.NET = {

ANL.GOV = .

}

HP-UX 11i Version 1: September 2005 − 4 − Hewlett-Packard Company Section 4−−147