Diffstat (limited to 'crypto/heimdal/lib/krb5/krb5.conf.5')
-rw-r--r-- | crypto/heimdal/lib/krb5/krb5.conf.5 | 350 |
1 files changed, 0 insertions, 350 deletions
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5 deleted file mode 100644 index ca2d1e59cf627..0000000000000 --- a/crypto/heimdal/lib/krb5/krb5.conf.5 +++ /dev/null 
@@ -1,350 +0,0 @@ -.\" $Id: krb5.conf.5,v 1.17 2001/05/31 13:58:34 assar Exp $ -.\" -.Dd April 11, 1999 -.Dt KRB5.CONF 5 -.Os HEIMDAL -.Sh NAME -.Nm /etc/krb5.conf -.Nd configuration file for Kerberos 5 -.Sh DESCRIPTION -The -.Nm -file specifies several configuration parameters for the Kerberos 5 -library, as well as for some programs. -.Pp -The file consists of one or more sections, containing a number of -bindings. The value of each binding can be either a string or a list -of other bindings. The grammar looks like: -.Bd -literal -offset indent -file: - /* empty */ - sections - -sections: - section sections - section - -section: - '[' section_name ']' bindings - -section_name: - STRING - -bindings: - binding bindings - binding - -binding: - name '=' STRING - name '=' '{' bindings '}' - -name: - STRING - -.Ed -.Li STRINGs -consists of one or more non-white space characters. -Currently recognised sections and bindings are: -.Bl -tag -width "xxx" -offset indent -.It Li [appdefaults] -Specifies the default values to be used for Kerberos applications. -You can specify defaults per application, realm, or a combination of -these. The preference order is: -.Bl -enum -compact -.It -.Va application Va realm Va option -.It -.Va application Va option -.It -.Va realm Va option -.It -.Va option -.El -.Pp -The supported options are: -.Bl -tag -width "xxx" -offset indent -.It Li forwardable = Va boolean -When obtaining initial credentials, make the credentials forwardable. -.It Li proxiable = Va boolean -When obtaining initial credentials, make the credentials proxiable. -.It Li no-addresses = Va boolean -When obtaining initial credentials, request them for an empty set of -addresses, making the tickets valid from any address. -.It Li ticket_life = Va time -Default ticket lifetime. -.It Li renew_lifetime = Va time -Default renewable ticket lifetime. 
-.El -.It Li [libdefaults] -.Bl -tag -width "xxx" -offset indent -.It Li default_realm = Va REALM -Default realm to use, this is also known as your -.Dq local realm . -The default is the result of -.Fn krb5_get_host_realm "local hostname" . -.It Li clockskew = Va time -Maximum time differential (in seconds) allowed when comparing -times. Default is 300 seconds (five minutes). -.It Li kdc_timeout = Va time -Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve -These are decribed in the -.Xr krb5_425_conv_principal 3 -manual page. -.It Li capath = { -.Bl -tag -width "xxx" -offset indent -.It Va destination-realm Li = Va next-hop-realm -.It ... -.El -Normally, all requests to realms different from the one of the current -client are sent to this KDC to get cross-realm tickets. -If this KDC does not have a cross-realm key with the desired realm and -the hierarchical path to that realm does not work, a path can be -configured using this directive. -The text shown above instructs the KDC to try to obtain a cross-realm -ticket to -.Va next-hop-realm -when the desired realm is -.Va destination-realm . -This configuration should preferably be done on the KDC where it will -help all its clients but can also be done on the client itself. -.It Li } -.It Li default_etypes = Va etypes... -A list of default etypes to use. -.It Li default_etypes_des = Va etypes... -A list of default etypes to use when requesting a DES credential. -.It Li default_keytab_name = Va keytab -The keytab to use if none other is specified, default is -.Dq FILE:/etc/krb5.keytab . -.It Li kdc_timesync = Va boolean -Try to keep track of the time differential between the local machine -and the KDC, and then compensate for that when issuing requests. -.It Li max_retries = Va number -The max number of times to try to contact each KDC. -.It Li ticket_lifetime = Va time -Default ticket lifetime. 
-.It Li renew_lifetime = Va time -Default renewable ticket lifetime. -.It Li forwardable = Va boolean -When obtaining initial credentials, make the credentials forwardable. -This option is also valid in the [realms] section. -.It Li proxiable = Va boolean -When obtaining initial credentials, make the credentials proxiable. -This option is also valid in the [realms] section. -.It Li verify_ap_req_nofail = Va boolean -Enable to make a failure to verify obtained credentials -non-fatal. This can be useful if there is no keytab on a host. -.It Li warn_pwexpire = Va time -How soon to warn for expiring password. Default is seven days. -.It Li http_proxy = Va proxy-spec -A HTTP-proxy to use when talking to the KDC via HTTP. -.It Li dns_proxy = Va proxy-spec -Enable using DNS via HTTP. -.It Li extra_addresses = Va address... -A list of addresses to get tickets for along with all local addresses. -.It Li time_format = Va string -How to print time strings in logs, this string is passed to -.Xr strftime 3 . -.It Li date_format = Va string -How to print date strings in logs, this string is passed to -.Xr strftime 3 . -.It Li log_utc = Va boolean -Write log-entries using UTC instead of your local time zone. -.It Li srv_lookup = Va boolean -Use DNS SRV records to lookup realm configuration information. -.It Li srv_try_txt = Va boolean -If a SRV lookup fails, try looking up the same info in a DNS TXT record. -.It Li scan_interfaces = Va boolean -Scan all network interfaces for addresses, as opposed to simply using -the address associated with the system's host name. -.It Li fcache_version = Va int -Use file credential cache format version specified. -.It Li krb4_get_tickets = Va boolean -Also get Kerberos 4 tickets in -.Nm kinit -and other programs. -This option is also valid in the [realms] section. -.El -.It Li [domain_realm] -This is a list of mappings from DNS domain to Kerberos realm. 
Each -binding in this section looks like: -.Pp -.Dl domain = realm -.Pp -The domain can be either a full name of a host or a trailing -component, in the latter case the domain-string should start with a -perid. -.It Li [realms] -.Bl -tag -width "xxx" -offset indent -.It Va REALM Li = { -.Bl -tag -width "xxx" -offset indent -.It Li kdc = Va host[:port] -Specifies a list of kdcs for this realm. If the optional port is absent, the -default value for the -.Dq kerberos/udp -service will be used. -The kdcs will be used in the order that they are specified. -.It Li admin_server = Va host[:port] -Specifies the admin server for this realm, where all the modifications -to the database are perfomed. -.It Li kpasswd_server = Va host[:port] -Points to the server where all the password changes are perfomed. -If there is no such entry, the kpasswd port on the admin_server host -will be tried. -.It Li v4_instance_convert -.It Li v4_name_convert -.It Li default_domain -See -.Xr krb5_425_conv_principal 3 . -.El -.It Li } -.El -.It Li [logging] -.Bl -tag -width "xxx" -offset indent -.It Va entity Li = Va destination -Specifies that -.Va entity -should use the specified -.Li destination -for logging. See the -.Xr krb5_openlog 3 -manual page for a list of defined destinations. -.El -.It Li [kdc] -.Bl -tag -width "xxx" -offset indent -.It database Li = { -.Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME -use this database for this realm. -.It realm Li = Va REALM -specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME -use this keytab file for the master key of this database. -If not specified -.Va DATABASENAME Ns .mkey -will be used. -.It acl_file Li = PA FILENAME -use this file for the ACL list of this database. -.It log_file Li = Pa FILENAME -use this file as the log of changes performed to the database. This -file is used by -.Nm ipropd-master -for propagating changes to slaves. 
-.El -.It Li } -.It max-request = Va SIZE -Maximum size of a kdc request. -.It require-preauth = Va BOOL -If set pre-authentication is required. Since krb4 requests are not -pre-authenticated they will be rejected. -.It ports = Va "list of ports" -list of ports the kdc should listen to. -.It addresses = Va "list of interfaces" -list of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL -turn on kerberos4 support. -.It v4-realm = Va REALM -to what realm v4 requests should be mapped. -.It enable-524 = Va BOOL -should the Kerberos 524 converting facility be turned on. Default is same as -.Va enable-kerberos4 . -.It enable-http = Va BOOL -should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL -if this kdc should emulate the AFS kaserver. -.It check-ticket-addresses = Va BOOL -verify the addresses in the tickets used in tgs requests. -.\" XXX -.It allow-null-ticket-addresses = Va BOOL -allow addresses-less tickets. -.\" XXX -.It allow-anonymous = Va BOOL -if the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL -encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. -.\" XXX -.It kdc_warn_pwexpire = Va TIME -the time before expiration that the user should be warned that her -password is about to expire. -.It logging = Va Logging -What type of logging the kdc should use, see also [logging]/kdc. -.El -.It Li [kadmin] -.Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL -If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... -for each entry in -.Va default_keys -try to parse it as a sequence of -.Va etype:salttype:salt -syntax of this if something like: -.Pp -[(des|des3|etype):](pw-salt|afs3-salt)[:string] -.Pp -if -.Ar etype -is omitted it means everything, and if string is omitted is means the default string (for that principal). 
Additional special values of keyttypes are: -.Bl -tag -width "xxx" -offset indent -.It v5 -The kerberos 5 salt -.Va pw-salt -.It v4 -The kerberos 4 type -.Va des:pw-salt: -.El -.It use_v4_salt = Va BOOL -When true, this is the same as -.Pp -.Va default_keys = Va des3:pw-salt Va v4 -.Pp -and is only left for backwards compatability. -.El -.El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh EXAMPLE -.Bd -literal -offset indent -[libdefaults] - default_realm = FOO.SE -[domain_realm] - .foo.se = FOO.SE - .bar.se = FOO.SE -[realms] - FOO.SE = { - kdc = kerberos.foo.se - v4_name_convert = { - rcmd = host - } - v4_instance_convert = { - xyz = xyz.bar.se - } - default_domain = foo.se - } -[logging] - kdc = FILE:/var/heimdal/kdc.log - kdc = SYSLOG:INFO - default = SYSLOG:INFO:USER -.Ed -.Sh DIAGNOSTICS -Since -.Nm -is read and parsed by the krb5 library, there is not a lot of -opportunities for programs to report parsing errors in any useful -format. -To help overcome this problem, there is a program -.Nm verify_krb5_conf -that reads -.Nm -and tries to emit useful diagnostics from parsing errors. Note that -this program does not have any way of knowing what options are -actually used and thus cannot warn about unknown or misspelt ones. -.Sh SEE ALSO -.Xr verify_krb5_conf 8 , -.Xr krb5_openlog 3 , -.Xr krb5_425_conv_principal 3 , -.Xr strftime 3 , -.Xr kinit 1 , -.Xr Source tm |
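Review bot: deleting the whole of crypto/heimdal/lib/krb5/krb5.conf.5 (hunk @@ -1,350 +0,0 @@) removes the only description visible here of settings with security consequences, among them verify_ap_req_nofail in [libdefaults] and require-preauth, check-ticket-addresses, allow-null-ticket-addresses and allow-anonymous in [kdc]. The diffstat is limited to this one file, so nothing on the page shows a replacement page or a build change. Please confirm that a replacement krb5.conf.5 lands in the same commit, or state in the commit message where these options are documented now, and check that no Makefile or .Xr cross-reference in the remaining pages still points at the removed file.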