HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

krb5.conf(4) krb5.conf(4)
by the client, in the same format.
permitted_enctypes
Identifies the permitted list of session key encryption types.
clockskew Sets the maximum allowable amount of clockskew in seconds that the library will
tolerate before assuming that a Kerberos message is invalid. The default value is 300
seconds, or five minutes.
kpasswd_timeout
Sets the timeout value for the amount of time (in seconds) to wait for a response from
an admin server. This can be any value between 1 and 300; if a value is specified outside
this range, the timeout value will be set to the default value, 10.
kdc_timesync If the value of this relation is non-zero, the library will compute the difference
between the system clock and the time returned by the Key Distribution Center. The
difference is computed to correct an inaccurate system clock. This corrective factor is
only used by the Kerberos library.
kdc_req_checksum_type
This relation is used for compatibility with DCE security servers which do not support
the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. Use a value of 2 to use
the CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier.
ap_req_checksum_type
Allows you to set the checksum type used in the authenticator of KRB_AP_REQ messages.
The default value for this type is CKSUMTYPE_RSA_MD5. For compatibility with
applications linked against DCE Kerberos libraries, use a value of 2 so that
CKSUMTYPE_RSA_MD4 is used instead. This applies to DCE 1.1 and earlier.
safe_checksum_type
Allows you to set the keyed-checksum type used in KRB_SAFE messages. The default value
for this type is CKSUMTYPE_RSA_MD5_DES. For compatibility with applications linked
against DCE Kerberos libraries, use a value of 3 so that CKSUMTYPE_RSA_MD4_DES is used
instead. This applies to DCE 1.1 and earlier.
ccache_type Is used on systems which are DCE clients, to specify the type of cache to be created by
kinit, or when forwarded tickets are received. DCE and Kerberos can share the
cache, but some versions of DCE do not support the default cache as created by this
version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and use a value of 2 on
DCE 1.1 systems.
ldapux_multidomain
This flag needs to be set to 1 by the administrator if the realm name of the user needs
to be obtained from the W2K multidomain. Refer to the ldapux(5) man page for more
information on configuring the W2K multidomain.
extra_addresses
This allows a computer to use multiple local addresses in order to allow Kerberos to
work in a network that uses NATs. The addresses should be in a comma-separated
list.
udp_preference_limit
When sending a message to the Key Distribution Center (KDC), the library will try
using TCP before UDP if the size of the message is above "udp_preference_limit". If
the message is smaller than "udp_preference_limit", then UDP will be tried before
TCP. Regardless of the size, both protocols will be tried if the first attempt fails.
renew_lifetime
The value of this tag is the default renewable lifetime for initial tickets. The default
value for the tag is 0.
noaddresses Setting this flag causes the initial Kerberos ticket to be addressless. The default for
the flag is true.
forwardable If this flag is set, initial tickets by default will be forwardable. The default value for
this flag is false.
proxiable If this flag is set, initial tickets by default will be proxiable. The default value for this
flag is false.
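
The following audit sketch is an added example, not part of the HP-UX manual or the Kerberos library: it reads the relations described above and reports the values the library would actually use, flagging the DCE compatibility checksum downgrades and other departures from the documented defaults. It assumes the relations sit in a [libdefaults] section written as "name = value"; the sample file, the accepted spellings of a set flag, and the function names are constructed for illustration.

```python
import re

# Constructed sample. Assumed: relations sit in a [libdefaults] section as "name = value".
SAMPLE = """\
[libdefaults]
    clockskew = 900
    kpasswd_timeout = 0
    kdc_req_checksum_type = 2
    safe_checksum_type = 3
    forwardable = true
[realms]
    clockskew = 5
"""
TRUE = {"1", "true", "yes", "on"}          # assumed spellings of a set flag
# relation -> (value that selects the DCE fallback, fallback, default), per the man page
CKSUM = {
    "kdc_req_checksum_type": ("2", "CKSUMTYPE_RSA_MD4", "CKSUMTYPE_RSA_MD5"),
    "ap_req_checksum_type": ("2", "CKSUMTYPE_RSA_MD4", "CKSUMTYPE_RSA_MD5"),
    "safe_checksum_type": ("3", "CKSUMTYPE_RSA_MD4_DES", "CKSUMTYPE_RSA_MD5_DES"),
}

def libdefaults(text):
    """Collect name = value relations that appear under [libdefaults] only."""
    section, out = None, {}
    for line in text.splitlines():
        head = re.match(r"\s*\[(\w+)\]", line)
        rel = re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if head:
            section = head.group(1)
        elif rel and section == "libdefaults":
            out[rel.group(1)] = rel.group(2)
    return out

def audit(text):
    """Return (effective settings, findings) under the defaults the page documents."""
    conf, eff, notes = libdefaults(text), {}, []
    eff["clockskew"] = int(conf.get("clockskew", 300))
    if eff["clockskew"] > 300:
        notes.append("clockskew above the 300 s default")
    t = int(conf.get("kpasswd_timeout", 10))
    eff["kpasswd_timeout"] = t if 1 <= t <= 300 else 10   # out of range -> default 10
    if eff["kpasswd_timeout"] != t:
        notes.append("kpasswd_timeout %d out of range, library uses 10" % t)
    for name, (weak, fallback, default) in CKSUM.items():
        # Values other than the documented fallback are passed through unchanged.
        eff[name] = fallback if conf.get(name) == weak else conf.get(name, default)
        if eff[name] == fallback:
            notes.append("%s selects %s (DCE 1.1 and earlier compatibility)" % (name, fallback))
    for flag in ("forwardable", "proxiable"):             # both default to false
        eff[flag] = conf.get(flag, "false").lower() in TRUE
        if eff[flag]:
            notes.append("initial tickets are %s by default" % flag)
    return eff, notes
```

Calling audit(SAMPLE) returns the effective settings and the list of findings; an empty or absent [libdefaults] section yields the documented defaults and no findings.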
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 201