HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

201

202

203

204

205

206

207

208

209

210

krb5.conf(4) krb5.conf(4)

The severity argument speciﬁes the default severity of system log messages. This may

be any of the following severities mentioned below supported by the

syslog() call

(see syslog(3C)). The supported arguments are:

LOG_ALERT LOG_CRIT LOG_DEBUG LOG_ERR

LOG_EMERG LOG_INFO LOG_NOTICE LOG_WARNING

For example, to specify LOG_CRIT

severity, you would use CRIT for severity. The

LOG_ preﬁx is deleted.

The facility argument speciﬁes the facility under which the messages are logged. This

may be any of the following facilities supported by the

syslog() call (see

syslog(3C)). The supported arguments are:

LOG_KERN,

LOG_USER, LOG_MAIL,

LOG_DAEMON , LOG_AUTH, LOG_LPR, LOG_NEWS,

LOG_UUCP, LOG_CRON, and

LOG_LOCAL0 through LOG_LOCAL7 .

If no severity is speciﬁed, the default is ERR.Ifnofacility is speciﬁed, the default is

AUTH.

In the following example, the logging messages from the Key Distribution Center will go to the console and

to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; the logging mes-

sages from the administrative server will be appended to the ﬁle

/var/adm/kadmin.log and sent to

the device

/dev/tty04 .

[logging]

kdc = CONSOLE

kdc = SYSLOG:INFO:DAEMON

admin_server = FILE:/var/adm/kadmin.log

admin_server = DEVICE=/dev/tty04

capaths Section

Cross-realm authentication is typically organized hierarchically. This hierarchy is based on the name of the

realm. Hence, restrictions are imposed on the choice of realm names and on who may participate in a

cross-realm authentication. A non hierarchical organization may be used but requires a database to con-

struct the authentication paths between the realms. This section deﬁnes that database.

A client will use this section to ﬁnd the authentication path between its realm and the realm of the server.

The server will use this section to verify the authentication path used by the client by checking the tran-

sited ﬁeld of the received ticket.

There is a tag name for every participating realm. Each tag has subtags for each of the realms. The value

of the subtags is an intermediate realm which may participate in the cross-realm authentication. The sub-

tags may be repeated if there is more then one intermediate realm. A value of "." means that the two

realms share keys directly, and no intermediate realms should be allowed to participate.

There are n**2 possible entries in this table, but only those entries which will be needed on the client or the

server need to be present. The client needs a tag for its local realm with subtags for all the realms of

servers it will need to authenticate with. A server needs a tag for each realm of the clients it will serve.

For example,

ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET realm as an intermedi-

ate realm. ANL has a sub realm of TEST.ANL.GOV which will authenticate with NERSC.GOV but not

PNL.GOV. The [capaths] section for ANL.GOV systems would look like this:

[capaths]

ANL.GOV = {

TEST.ANL.GOV = .

PNL.GOV = ES.NET

NERSC.GOV = ES.NET

ES.NET = .

}

204 Hewlett-Packard Company − 5 − HP-UX 11i Version 3: February 2007