Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages

OpenSolaris 2009.06 - man page for kdc.conf (opensolaris section 4)

kdc.conf(4)				   File Formats 			      kdc.conf(4)

NAME
       kdc.conf - Key Distribution Center (KDC) configuration file

SYNOPSIS
       /etc/krb5/kdc.conf

DESCRIPTION
       The  kdc.conf  file  contains  KDC configuration information, including defaults used when
       issuing Kerberos tickets. This file must reside on all KDC servers.  After  you	make  any
       changes	to  the  kdc.conf  file,  stop	and restart the krb5kdc daemon on the KDC for the
       changes to take effect.

       The format of the kdc.conf consists of section headings in square brackets ([]). Each sec-
       tion contains zero or more configuration variables (called relations), of the form of:

	 relation = relation-value

       or

	 relation-subsection = {
	      relation = relation-value
	      relation = relation-value
	      }

       The kdc.conf file contains one of more of the following three sections:

       kdcdefaults

	   Contains default values for overall behavior of the KDC.

       realms

	   Contains  subsections  for Kerberos realms, where relation-subsection is the name of a
	   realm. Each subsection contains relations that define KDC properties for that particu-
	   lar realm, including where to find the Kerberos servers for that realm.

       logging

	   Contains relations that determine how Kerberos programs perform logging.

   The kdcdefaults Section
       The following relation can be defined in the [kdcdefaults] section:

       kdc_ports

	   This  relation  lists  the  UDP  ports  on  which the Kerberos server should listen by
	   default. This list is a comma-separated list of integers. If the assigned value is  0,
	   the	Kerberos  server  does not listen on any UDP port. If this relation is not speci-
	   fied, the Kerberos server listens on port 750 and port 88.

       kdc_tcp_ports

	   This relation lists the TCP ports on  which	the  Kerberos  server  should  listen  by
	   default.  This list is a comma-separated list of integers. If the assigned value is 0,
	   the Kerberos server does not listen on any TCP port. If this relation  is  not  speci-
	   fied,  the  Kerberos server listens on the kdc TCP port specified in /etc/services. If
	   this port is not found in /etc/services the Kerberos server defaults to listen on  TCP
	   port 88.

       kdc_max_tcp_connections

	   This relation controls the maximum number of TCP connections the KDC allows. The mini-
	   mum value is 10. If this relation is not specified, the Kerberos server allows a maxi-
	   mum of 30 TCP connections.

   The realms Section
       This  section  contains	subsections for Kerberos realms, where relation-subsection is the
       name of a realm. Each subsection contains relations that define KDC  properties	for  that
       particular realm.

       The following relations can be specified in each subsection:

       acl_file

	   (string)  Location  of the Kerberos V5 access control list (ACL) file that kadmin uses
	   to determine the privileges allowed to each principal on  the  database.  The  default
	   location is /etc/krb5/kadm5.acl.

       admin_keytab

	   (string) Location of the keytab file that kadmin uses to authenticate to the database.
	   The default location is /etc/krb5/kadm5.keytab.

       database_name

	   (string) Location of the Kerberos database for this realm.  The  default  location  is
	   /var/krb5/principal.

       default_principal_expiration

	   (absolute  time  string)  The  default  expiration  date of principals created in this
	   realm. See the Time Format section in kinit(1) for the valid absolute time formats you
	   can use for default_principal_expiration.

       default_principal_flags

	   (flag  string)  The	default  attributes  of principals created in this realm. Some of
	   these flags are better to set on an individual principal basis through the use of  the
	   attribute  modifiers  when  using  the kadmin command to create and modify principals.
	   However, some of these options can be applied to all principals in the realm by adding
	   them to the list of flags associated with this relation.

	   A "flag string" is a list of one or more of the flags listed below preceded by a minus
	   (-) or a plus (+) character, indicating that the option that follows should be enabled
	   or disabled.

	   Flags below marked with an asterisk (*) are flags that are best applied on an individ-
	   ual principal basis through the kadmin or gkadmin interface rather than as  a  blanket
	   attribute to be applied to all principals.

	   postdateable

	       Create postdatable tickets.

	   forwardable

	       Create forwardable tickets.

	   tgt-based

	       Allow TGT-based requests.

	   renewable

	       Create Renewable tickets.

	   proxiable

	       Create Proxiable tickets.

	   dup-skey

	       Allow DUP_SKEY requests, this enables user-to-user authentication.

	   preauth

	       Require the use of pre-authentication data whenever principals request TGTs.

	   hwauth

	       Require	the  use  of  hardware-based  pre-authentication data whenever principals
	       request TGTs.

	   * allow-tickets

	       Allow tickets to be issued for all principals.

	   * pwdchange

	       Require principal's to change their password.

	   * service

	       Enable or disable a service.

	   * pwservice

	       Mark principals as password changing principals.

	   An example of default_principal_flags is shown in EXAMPLES, below.

       dict_file

	   (string) Location of the dictionary file containing strings that are  not  allowed  as
	   passwords. A principal with any password policy is not allowed to select a password in
	   the dictionary. The default location is /var/krb5/kadm5.dict.

       kadmind_port

	   (port number) The port that the kadmind daemon is to listen on  for	this  realm.  The
	   assigned port for kadmind is 749.

       key_stash_file

	   (string)  Location  where  the  master  key	has been stored (by kdb5_util stash). The
	   default location is /var/krb5/.k5.realm, where realm is the Kerberos realm.

       kdc_ports

	   (string) The list of UDP ports that the KDC listens on for this realm. By default, the
	   value of kdc_ports as specified in the [kdcdefaults] section is used.

       kdc_tcp_ports

	   (string)  The  list of TCP ports that the KDC listens on (in addition to the UDP ports
	   specified by kdc_ports) for this realm. By default,	the  value  of	kdc_tcp_ports  as
	   specified in the [kdcdefaults] section is used.

       master_key_name

	   (string) The name of the master key.

       master_key_type

	   (key  type  string)	The  master key's key type. This is used to determine the type of
	   encryption that encrypts the entries in the principal db.  des-cbc-crc,  des3-cbc-md5,
	   des3-cbc-sha1-kd, arcfour-hmac-md5, arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and
	   aes256-cts-hmac-sha1-96 are supported at this time (des-cbc-crc is  the  default).  If
	   you	set this to des3-cbc-sha1-kd all systems that receive copies of the principal db,
	   such as those running slave KDC's, must support des3-cbc-sha1-kd.

       max_life

	   (delta time string) The maximum time period for which a ticket is valid in this realm.
	   See	the  Time  Format section in kinit(1) for the valid time duration formats you can
	   use for max_life.

       max_renewable_life

	   (delta time string) The maximum time period during which a valid ticket can be renewed
	   in  this  realm.  See  the Time Format section in kinit(1) for the valid time duration
	   formats you can use for max_renewable_life.

       sunw_dbprop_enable = [true | false]

	   Enable or disable incremental database propagation. Default is false.

       sunw_dbprop_master_ulogsize = N

	   Specifies the maximum number of log entries available for incremental  propagation  to
	   the	slave  KDC  servers.  The maximum value that this can be is 2500 entries. Default
	   value is 1000 entries.

       sunw_dbprop_slave_poll = N[s, m, h]

	   Specifies how often the slave KDC polls for new updates that the  master  might  have.
	   Default is 2m (two minutes).

       supported_enctypes

	   List  of  key/salt  strings.  The default key/salt combinations of principals for this
	   realm. The key is separated from the salt by a  colon  (:)  or  period  (.).  Multiple
	   key/salt strings can be used by separating each string with a space. The salt is addi-
	   tional information encoded within the key that tells what kind of key it is. Only  the
	   normal  salt is supported at this time, for example, des-cbc-crc:normal. If this rela-
	   tion is not specified, the default setting is:

	     aes256-cts-hmac-sha1-96:normal \ (see note below)
	     aes128-cts-hmac-sha1-96:normal \
	     des3-cbc-sha1-kd:normal \
	     arcfour-hmac-md5:normal \
	     des-cbc-md5:normal

	   Note -

	     The unbundled Strong Cryptographic packages must be installed  for  the  aes256-cts-
	     hmac-sha1-96:normal enctype to be available for Kerberos.

       reject_bad_transit

	   This  boolean  specifies  whether the list of transited realms for cross-realm tickets
	   should be checked against the transit path computed from the realm names and the [cap-
	   aths] section of its krb5.conf(4) file.

	   The default for reject_bad_transit is true.

   The logging Section
       This  section  indicates  how  Kerberos programs perform logging. The same relation can be
       repeated if you want to assign it multiple logging methods. The following relations can be
       defined in the [logging] section:

       kdc

	   Specifies	how   the   KDC   is   to   perform   its   logging.   The   default   is
	   FILE:/var/krb5/kdc.log.

       admin_server

	   Specifies how the administration server is to perform  its  logging.  The  default  is
	   FILE:/var/krb5/kadmin.log.

       default

	   Specifies how to perform logging in the absence of explicit specifications.

       The [logging] relations can have the following values:

       FILE:filename

       or

       FILE=filename

	   This  value	causes	the entity's logging messages to go to the specified file. If the
	   `=' form is used, the file is overwritten. If the  `:'  form  is  used,  the  file  is
	   appended to.

       STDERR

	   This value sends the entity's logging messages to its standard error stream.

       CONSOLE

	   This  value sends the entity's logging messages to the console, if the system supports
	   it.

       DEVICE=devicename

	   This sends the entity's logging messages to the specified device.

       SYSLOG[:severity[:facility]]

	   This sends the entity's logging messages to the system log.

	   The severity argument specifies the default severity  of  system  log  messages.  This
	   default can be any of the following severities supported by the syslog(3C) call, minus
	   the LOG_ prefix: LOG_EMERG, LOG_ALERT,  LOG_CRIT,  LOG_ERR,	LOG_WARNING,  LOG_NOTICE,
	   LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity.

	   The facility argument specifies the facility under which the messages are logged. This
	   can be any of the following facilities supported by the syslog(3C) call minus the LOG_
	   prefix:   LOG_KERN,	LOG_USER,  LOG_MAIL,  LOG_DAEMON,  LOG_AUTH,  LOG_LPR,	LOG_NEWS,
	   LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.

	   If no severity is specified, the default is ERR. If	no  facility  is  specified,  the
	   default is AUTH.

	   In  the  following example, the logging messages from the KDC go to the console and to
	   the system log under the facility LOG_DAEMON with default severity  of  LOG_INFO;  the
	   logging  messages  from  the  administration server are appended to the /var/krb5/kad-
	   min.log file and sent to the /dev/tty04 device.

	     [logging]
	     kdc = CONSOLE
	     kdc = SYSLOG:INFO:DAEMON
	     admin_server = FILE:/export/logging/kadmin.log
	     admin_server = DEVICE=/dev/tty04

   PKINIT-specific Options
       The following are pkinit-specific options. These values can be specified in  [kdcdefaults]
       as  global  defaults,  or within a realm-specific subsection of [realms]. A realm-specific
       value overrides, does not add to, a generic [kdcdefaults] specification. The search  order
       is

	   1.	  realm-specific subsection of [realms]

		  [realms]
			 [realms]
			     EXAMPLE.COM = {
				  pkinit_anchors = FILE:/usr/local/example.com.crt
			     }

	   2.	  generic value in the [kdcdefaults] section

		    [kdcdefaults]
			pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

       pkinit_identity = URI	Specifies  the	location of the KDC's X.509 identity information.
				This option is required if pkinit is supported by the KDC.  Valid
				URI  types are FILE, DIR, PKCS11, PKCS12, and ENV. See the PKINIT
				URI Types section for more details.

       pkinit_anchors = URI	Specifies the location	of  trusted  anchor  (root)  certificates
				which  the KDC trusts to sign client certificates. This option is
				required if pkinit is supported by the KDC. This  option  can  be
				specified  multiple  times. Valid URI types are FILE and DIR. See
				the PKINIT URI Types section for details.

       pkinit_pool		Specifies the location of intermediate certificates which can  be
				used  by  the  KDC to complete the trust chain between a client's
				certificate and a trusted anchor. This option  can  be	specified
				multiple  times. Valid URI types are FILE and DIR. See the PKINIT
				URI Types section for more details.

       pkinit_revoke		Specifies the  location  of  Certificate  Revocation  List  (CRL)
				information  to be used by the KDC when verifying the validity of
				client certificates. This option can be specified multiple times.
				The  default  certificate  verification process always checks the
				available revocation information to see if a certificate has been
				revoked.  If a match is found for the certificate in a CRL, veri-
				fication fails. If the certificate being verified is  not  listed
				in  a  CRL,  or  there	is no CRL present for its issuing CA, and
				pkinit_require_crl_checking is false, then verification succeeds.
				The only valid URI types is DIR. See the PKINIT URI Types section
				for more details.  If  pkinit_require_crl_checking  is	true  and
				there is no CRL information available for the issuing CA, verifi-
				cation fails. pkinit_require_crl_checking should be set  to  true
				if  the  policy  is such that up-to-date CRLs must be present for
				every CA.

       pkinit_dh_min_bits	Specifies the minimum number of bits the KDC is willing to accept
				for a client's Diffie-Hellman key.

       pkinit_allow_upn 	Specifies  that  the KDC is willing to accept client certificates
				with the Microsoft UserPrincipalName  (UPN)  Subject  Alternative
				Name  (SAN). This means the KDC accepts the binding of the UPN in
				the certificate to the Kerberos principal name.

				The default is false.

				Without this option, the KDC only accepts certificates	with  the
				id-pkinit-san as defined in RFC4556. There is currently no option
				to disable SAN checking in the KDC.

       pkinit_eku_checking	This option specifies what Extended Key Usage  (EKU)  values  the
				KDC  is willing to accept in client certificates. The values rec-
				ognized in the kdc.conf file are:

				kpClientAuth	This is the  default  value  and  specifies  that
						client	certificates  must  have  the  id-pkinit-
						KPClientAuth EKU as defined in RFC4556.

				scLogin 	If scLogin is specified, client certificates with
						the  Microsoft Smart Card Login EKU (id-ms-kp-sc-
						logon) is accepted.

   PKINIT URI Types
       FILE:file-name[,key-file-name]

	   This option has context-specific behavior.

	   pkinit_identity    file-name specifies the name of a PEM-format  file  containing  the
			      user's  certificate.  If key-file-name is not specified, the user's
			      private key is expected to be in file-name as well. Otherwise, key-
			      file-name is the name of the file containing the private key.

	   pkinit_anchors     file-name  is  assumed to be the name of an OpenSSL-style ca-bundle
	   pkinit_pool	      file. The ca-bundle file should be base-64 encoded.

       DIR:directory-name

	   This option has context-specific behavior.

	   pkinit_identity    directory-name specifies a directory with  files	named  *.crt  and
			      *.key, where the first part of the file name is the same for match-
			      ing pairs of certificate and private key files. When a file with	a
			      name ending with .crt is found, a matching file ending with .key is
			      assumed to contain the private key. If no such file is found,  then
			      the certificate in the .crt is not used.

	   pkinit_anchors     directory-name  is  assumed to be an OpenSSL-style hashed CA direc-
	   pkinit_pool	      tory where each CA cert is  stored  in  a  file  named  hash-of-ca-
			      cert.#.  This  infrastructure  is  encouraged, but all files in the
			      directory is examined and if they contain certificates (in PEM for-
			      mat), they are used.

	   pkinit_revoke      directory-name  is  assumed to be an OpenSSL-style hashed CA direc-
			      tory where each revocation list is stored in a file named  hash-of-
			      ca-cert.r#. This infrastructure is encouraged, but all files in the
			      directory is examined and if they contain a revocation list (in PEM
			      format), they are used.

       PKCS12:pkcs12-file-name

	   pkcs12-file-name is the name of a PKCS #12 format file, containing the user's certifi-
	   cate and private key.

       PKCS11:[slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

	   All keyword/values are optional. PKCS11 modules (for example,  opensc-pkcs11.so)  must
	   be  installed as a crypto provider under libpkcs11(3LIB). slotid= and/or token= can be
	   specified to force the use of a particular smard card reader or token if there is more
	   than  one available. certid= and/or certlabel= can be specified to force the selection
	   of a particular certificate on the device.  See  the  pkinit_cert_match  configuration
	   option for more ways to select a particular certificate to use for pkinit.

       ENV:environment-variable-name

	   environment-variable-name specifies the name of an environment variable which has been
	   set to a value conforming to one of the previous values. For example,  ENV:X509_PROXY,
	   where environment variable X509_PROXY has been set to FILE:/tmp/my_proxy.pem.

EXAMPLES
       Example 1 Sample kdc.conf File

       The following is an example of a kdc.conf file:

	 [kdcdefaults]
	    kdc_ports = 88

	 [realms]
	    ATHENA.MIT.EDU = {
	       kadmind_port = 749
	       max_life = 10h 0m 0s
	       max_renewable_life = 7d 0h 0m 0s
	       default_principal_flags = +preauth,+forwardable,-postdateable
	       master_key_type = des-cbc-crc
	       supported_enctypes = des-cbc-crc:normal
	    }

	 [logging]
	    kdc = FILE:/export/logging/kdc.log
	    admin_server = FILE:/export/logging/kadmin.log

FILES
       /etc/krb5/kadm5.acl

	   List of principals and their kadmin administrative privileges.

       /etc/krb5/kadm5.keytab

	   Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and kadmin/changepw.

       /var/krb5/principal

	   Kerberos principal database.

       /var/krb5/principal.ulog

	   The update log file for incremental propagation.

       /var/krb5/kadm5.dict

	   Dictionary of strings explicitly disallowed as passwords.

       /var/krb5/kdc.log

	   KDC logging file.

       /var/krb5/kadmin.log

	   Kerberos administration server logging file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWkdcu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |See below.		   |
       +-----------------------------+-----------------------------+

       All of the keywords, except for the PKINIT keywords are Committed. The PKINIT keywords are
       Volatile.

SEE ALSO
       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),  kpropd(1M),  libp-
       kcs11(3LIB), syslog(3C), kadm5.acl(4), krb5.conf(4), attributes(5), kerberos(5)

SunOS 5.11				   12 Nov 2008				      kdc.conf(4)


All times are GMT -4. The time now is 08:49 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password