path: root/doc/html/admin/conf_files
author    Cy Schubert <cy@FreeBSD.org>    2017-07-07 17:03:42 +0000
committer Cy Schubert <cy@FreeBSD.org>    2017-07-07 17:03:42 +0000
commit    33a9b234e7087f573ef08cd7318c6497ba08b439 (patch)
tree      d0ea40ad3bf5463a3c55795977c71bcb7d781b4b /doc/html/admin/conf_files
Diffstat (limited to 'doc/html/admin/conf_files')
-rw-r--r--  doc/html/admin/conf_files/index.html      183
-rw-r--r--  doc/html/admin/conf_files/kadm5_acl.html  333
-rw-r--r--  doc/html/admin/conf_files/kdc_conf.html   1069
-rw-r--r--  doc/html/admin/conf_files/krb5_conf.html  1299
4 files changed, 2884 insertions, 0 deletions
diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
new file mode 100644
index 000000000000..8b6207cb6a03
--- /dev/null
+++ b/doc/html/admin/conf_files/index.html
@@ -0,0 +1,183 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>Configuration Files &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="For administrators" href="../index.html" />
+ <link rel="next" title="krb5.conf" href="krb5_conf.html" />
+ <link rel="prev" title="UNIX Application Servers" href="../install_appl_srv.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="../install_appl_srv.html" title="UNIX Application Servers"
+ accesskey="P">previous</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="configuration-files">
+<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>
+<p>Kerberos uses configuration files to allow administrators to specify
+settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> applies to all
+applications using the Kerboros library, on clients and servers.
+For KDC-specific applications, additional settings can be specified in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>; the two files are merged into a configuration profile
+used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>
+is also only used on the KDC, it controls permissions for modifying the
+KDC database.</p>
+<div class="section" id="contents">
+<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>
+<div class="toctree-wrapper compound">
+<ul>
+<li class="toctree-l1"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l1"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</div>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">Configuration Files</a><ul>
+<li><a class="reference internal" href="#contents">Contents</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">Configuration Files</a><ul>
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="../install_appl_srv.html" title="UNIX Application Servers"
+ >previous</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Configuration Files">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
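Review bot: typo and a comma splice in the introductory paragraph of index.html: `applications using the Kerboros library` should read `Kerberos`, and `kadm5.acl is also only used on the KDC, it controls permissions for modifying the KDC database` needs a semicolon or a full stop after `KDC`. Since these files are Sphinx output for upstream release 1.15.1 (see `VERSION: '1.15.1'` in DOCUMENTATION_OPTIONS and `Release: 1.15.1` in the footer), the fix belongs in the upstream reStructuredText source (the page's own feedback link points at krb5-bugs@mit.edu) rather than a hand edit of the generated HTML, or the next vendor import will reintroduce it. Minor: the file is committed without a trailing newline (`\ No newline at end of file`), which will add noise to any future diff of this file.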
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
new file mode 100644
index 000000000000..640fc7bc1c9c
--- /dev/null
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -0,0 +1,333 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kadm5.acl &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="Realm configuration decisions" href="../realm_config.html" />
+ <link rel="prev" title="kdc.conf" href="kdc_conf.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ accesskey="P">previous</a> |
+ <a href="../realm_config.html" title="Realm configuration decisions"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kadm5-acl">
+<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1>
+<div class="section" id="description">
+<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>
+<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List
+(ACL) file to manage access rights to the Kerberos database.
+For operations that affect principals, the ACL file also controls
+which principals can operate on which other principals.</p>
+<p>The default location of the Kerberos ACL file is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p>
+</div>
+<div class="section" id="syntax">
+<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>
+<p>Empty lines and lines starting with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are
+ignored. Lines containing ACL entries have the format:</p>
+<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]
+</pre></div>
+</div>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">Line order in the ACL file is important. The first matching entry
+will control access for an actor principal on a target principal.</p>
+</div>
+<dl class="docutils">
+<dt><em>principal</em></dt>
+<dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies
+the principal whose permissions are to be set.</p>
+<p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+character.</p>
+</dd>
+<dt><em>permissions</em></dt>
+<dd><p class="first">Specifies what operations may or may not be performed by a
+<em>principal</em> matching a particular entry. This is a string of one or
+more of the following list of characters or their upper-case
+counterparts. If the character is <em>upper-case</em>, then the operation
+is disallowed. If the character is <em>lower-case</em>, then the operation
+is permitted.</p>
+<table border="1" class="last docutils">
+<colgroup>
+<col width="2%" />
+<col width="98%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>a</td>
+<td>[Dis]allows the addition of principals or policies</td>
+</tr>
+<tr class="row-even"><td>c</td>
+<td>[Dis]allows the changing of passwords for principals</td>
+</tr>
+<tr class="row-odd"><td>d</td>
+<td>[Dis]allows the deletion of principals or policies</td>
+</tr>
+<tr class="row-even"><td>e</td>
+<td>[Dis]allows the extraction of principal keys</td>
+</tr>
+<tr class="row-odd"><td>i</td>
+<td>[Dis]allows inquiries about principals or policies</td>
+</tr>
+<tr class="row-even"><td>l</td>
+<td>[Dis]allows the listing of all principals or policies</td>
+</tr>
+<tr class="row-odd"><td>m</td>
+<td>[Dis]allows the modification of principals or policies</td>
+</tr>
+<tr class="row-even"><td>p</td>
+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td>
+</tr>
+<tr class="row-odd"><td>s</td>
+<td>[Dis]allows the explicit setting of the key for a principal</td>
+</tr>
+<tr class="row-even"><td>x</td>
+<td>Short for admcilsp. All privileges (except <tt class="docutils literal"><span class="pre">e</span></tt>)</td>
+</tr>
+<tr class="row-odd"><td>*</td>
+<td>Same as x.</td>
+</tr>
+</tbody>
+</table>
+</dd>
+</dl>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The <tt class="docutils literal"><span class="pre">extract</span></tt> privilege is not included in the wildcard
+privilege; it must be explicitly assigned. This privilege
+allows the user to extract keys from the database, and must be
+handled with great care to avoid disclosure of important keys
+like those of the kadmin/* or krbtgt/* principals. The
+<strong>lockdown_keys</strong> principal attribute can be used to prevent
+key extraction from specific principals regardless of the
+granted privilege.</p>
+</div>
+<dl class="docutils">
+<dt><em>target_principal</em></dt>
+<dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.)
+Specifies the principal on which <em>permissions</em> may be applied.
+Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt>
+character.</p>
+<p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>,
+in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the corresponding wildcard in
+<em>principal</em>.</p>
+</dd>
+<dt><em>restrictions</em></dt>
+<dd><p class="first">(Optional) A string of flags. Allowed restrictions are:</p>
+<blockquote>
+<div><dl class="docutils">
+<dt>{+|-}<em>flagname</em></dt>
+<dd>flag is forced to the indicated value. The permissible flags
+are the same as those for the <strong>default_principal_flags</strong>
+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd>
+<dt><em>-clearpolicy</em></dt>
+<dd>policy is forced to be empty.</dd>
+<dt><em>-policy pol</em></dt>
+<dd>policy is forced to be <em>pol</em>.</dd>
+<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to
+MIN(<em>time</em>, requested value).</dd>
+</dl>
+</div></blockquote>
+<p class="last">The above flags act as restrictions on any add or modify operation
+which is allowed due to that ACL line.</p>
+</dd>
+</dl>
+<div class="admonition warning">
+<p class="first admonition-title">Warning</p>
+<p class="last">If the kadmind ACL file is modified, the kadmind daemon needs to be
+restarted for changes to take effect.</p>
+</div>
+</div>
+<div class="section" id="example">
+<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>
+<p>Here is an example of a kadm5.acl file:</p>
+<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1
+joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
+joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
+*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
+*/root@ATHENA.MIT.EDU l * # line 5
+sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
+</pre></div>
+</div>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
+an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
+1). He has no permissions at all with his null instance,
+<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other
+non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
+inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
+(matches line 3).</p>
+<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
+or change the password of their null instance, but not any other
+null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
+component matching the first wildcard in the actor principal.)</p>
+<p>(line 5) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can generate
+the list of principals in the database, and the list of policies
+in the database. This line is separate from line 4, because list
+permission can only be granted globally, not to specific target
+principals.</p>
+<p>(line 6) Finally, the Service Management System principal
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
+creates or modifies will not be able to get postdateable tickets or
+tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kadm5.acl</a><ul>
+<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
+<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
+<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ >previous</a> |
+ <a href="../realm_config.html" title="Realm configuration decisions"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
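Review bot: the EXAMPLE commentary for line 1 (`*/admin@ATHENA.MIT.EDU *`) says any `admin`-instance principal "has all administrative privileges", but the permissions table defines `*` as "Same as x", and `x` as "Short for admcilsp. All privileges (except e)"; the following Note then stresses that the `extract` privilege is never part of the wildcard and must be granted explicitly. Suggest the commentary say "all administrative privileges except key extraction" so that a reader auditing an ACL does not conclude a `*/admin` wildcard entry permits extracting keys such as those of the `kadmin/*` or `krbtgt/*` principals. As with index.html, the wording should be corrected in the upstream RST source rather than in this generated file; the missing trailing newline applies here too.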
diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
new file mode 100644
index 000000000000..b81a78f740f7
--- /dev/null
+++ b/doc/html/admin/conf_files/kdc_conf.html
@@ -0,0 +1,1069 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>kdc.conf &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="kadm5.acl" href="kadm5_acl.html" />
+ <link rel="prev" title="krb5.conf" href="krb5_conf.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ accesskey="P">previous</a> |
+ <a href="kadm5_acl.html" title="kadm5.acl"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="kdc-conf">
+<span id="kdc-conf-5"></span><h1>kdc.conf<a class="headerlink" href="#kdc-conf" title="Permalink to this headline">¶</a></h1>
+<p>The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> for programs which
+are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemons and the <a class="reference internal" href="../admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> program.
+Relations documented here may also be specified in krb5.conf; for the
+KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
+single configuration profile.</p>
+<p>Normally, the kdc.conf file is found in the KDC state directory,
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>. You can override the default location by setting the
+environment variable <strong>KRB5_KDC_PROFILE</strong>.</p>
+<p>Please note that you need to restart the KDC daemon for any configuration
+changes to take effect.</p>
+<div class="section" id="structure">
+<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<p>The kdc.conf file is set up in the same format as the
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file.</p>
+</div>
+<div class="section" id="sections">
+<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<p>The kdc.conf file may contain the following sections:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="29%" />
+<col width="71%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults"><em>[kdcdefaults]</em></a></td>
+<td>Default values for KDC behavior</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#kdc-realms"><em>[realms]</em></a></td>
+<td>Realm-specific database configuration and settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults"><em>[dbdefaults]</em></a></td>
+<td>Default database settings</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a></td>
+<td>Per-database settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#logging"><em>[logging]</em></a></td>
+<td>Controls how Kerberos daemons perform logging</td>
+</tr>
+</tbody>
+</table>
+<div class="section" id="kdcdefaults">
+<span id="id1"></span><h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>
+<p>With two exceptions, relations in the [kdcdefaults] section specify
+default values for realm variables, to be used if the [realms]
+subsection does not contain a relation for the tag. See the
+<a class="reference internal" href="#kdc-realms"><em>[realms]</em></a> section for the definitions of these relations.</p>
+<ul class="simple">
+<li><strong>host_based_services</strong></li>
+<li><strong>kdc_listen</strong></li>
+<li><strong>kdc_ports</strong></li>
+<li><strong>kdc_tcp_listen</strong></li>
+<li><strong>kdc_tcp_ports</strong></li>
+<li><strong>no_host_referral</strong></li>
+<li><strong>restrict_anonymous_to_tgt</strong></li>
+</ul>
+<dl class="docutils">
+<dt><strong>kdc_max_dgram_reply_size</strong></dt>
+<dd>Specifies the maximum packet size that can be sent over UDP. The
+default value is 4096 bytes.</dd>
+<dt><strong>kdc_tcp_listen_backlog</strong></dt>
+<dd>(Integer.) Set the size of the listen queue length for the KDC
+daemon. The value may be limited by OS settings. The default
+value is 5.</dd>
+</dl>
+</div>
+<div class="section" id="realms">
+<span id="kdc-realms"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [realms] section is the name of a Kerberos realm. The
+value of the tag is a subsection where the relations define KDC
+parameters for that particular realm. The following example shows how
+to define one parameter for the ATHENA.MIT.EDU realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ATHENA.MIT.EDU = {
+ max_renewable_life = 7d 0h 0m 0s
+ }
+</pre></div>
+</div>
+<p>The following tags may be specified in a [realms] subsection:</p>
+<dl class="docutils">
+<dt><strong>acl_file</strong></dt>
+<dd>(String.) Location of the access control list file that
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> uses to determine which principals are allowed
+which permissions on the Kerberos database. The default value is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt>. For more information on Kerberos ACL
+file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</dd>
+<dt><strong>database_module</strong></dt>
+<dd>(String.) This relation indicates the name of the configuration
+section under <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> for database-specific parameters
+used by the loadable database library. The default value is the
+realm name. If this configuration section does not exist, default
+values will be used for all database parameters.</dd>
+<dt><strong>database_name</strong></dt>
+<dd>(String, deprecated.) This relation specifies the location of the
+Kerberos database for this realm, if the DB2 module is being used
+and the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> configuration section does not specify a
+database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+<dt><strong>default_principal_expiration</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime"><em>Absolute time</em></a> string.) Specifies the default expiration date of
+principals created in this realm. The default value is 0, which
+means no expiration date.</dd>
+<dt><strong>default_principal_flags</strong></dt>
+<dd><p class="first">(Flag string.) Specifies the default attributes of principals
+created in this realm. The format for this string is a
+comma-separated list of flags, with &#8216;+&#8217; before each flag that
+should be enabled and &#8216;-&#8216; before each flag that should be
+disabled. The <strong>postdateable</strong>, <strong>forwardable</strong>, <strong>tgt-based</strong>,
+<strong>renewable</strong>, <strong>proxiable</strong>, <strong>dup-skey</strong>, <strong>allow-tickets</strong>, and
+<strong>service</strong> flags default to enabled.</p>
+<p>There are a number of possible flags:</p>
+<dl class="last docutils">
+<dt><strong>allow-tickets</strong></dt>
+<dd>Enabling this flag means that the KDC will issue tickets for
+this principal. Disabling this flag essentially deactivates
+the principal within this realm.</dd>
+<dt><strong>dup-skey</strong></dt>
+<dd>Enabling this flag allows the principal to obtain a session
+key for another user, permitting user-to-user authentication
+for this principal.</dd>
+<dt><strong>forwardable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain forwardable
+tickets.</dd>
+<dt><strong>hwauth</strong></dt>
+<dd>If this flag is enabled, then the principal is required to
+preauthenticate using a hardware device before receiving any
+tickets.</dd>
+<dt><strong>no-auth-data-required</strong></dt>
+<dd>Enabling this flag prevents PAC or AD-SIGNEDPATH data from
+being added to service tickets for the principal.</dd>
+<dt><strong>ok-as-delegate</strong></dt>
+<dd>If this flag is enabled, it hints the client that credentials
+can and should be delegated when authenticating to the
+service.</dd>
+<dt><strong>ok-to-auth-as-delegate</strong></dt>
+<dd>Enabling this flag allows the principal to use S4USelf tickets.</dd>
+<dt><strong>postdateable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain postdateable
+tickets.</dd>
+<dt><strong>preauth</strong></dt>
+<dd>If this flag is enabled on a client principal, then that
+principal is required to preauthenticate to the KDC before
+receiving any tickets. On a service principal, enabling this
+flag means that service tickets for this principal will only
+be issued to clients with a TGT that has the preauthenticated
+bit set.</dd>
+<dt><strong>proxiable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain proxy
+tickets.</dd>
+<dt><strong>pwchange</strong></dt>
+<dd>Enabling this flag forces a password change for this
+principal.</dd>
+<dt><strong>pwservice</strong></dt>
+<dd>If this flag is enabled, it marks this principal as a password
+change service. This should only be used in special cases,
+for example, if a user&#8217;s password has expired, then the user
+has to get tickets for that principal without going through
+the normal password authentication in order to be able to
+change the password.</dd>
+<dt><strong>renewable</strong></dt>
+<dd>Enabling this flag allows the principal to obtain renewable
+tickets.</dd>
+<dt><strong>service</strong></dt>
+<dd>Enabling this flag allows the the KDC to issue service tickets
+for this principal.</dd>
+<dt><strong>tgt-based</strong></dt>
+<dd>Enabling this flag allows a principal to obtain tickets based
+on a ticket-granting-ticket, rather than repeating the
+authentication process that was used to obtain the TGT.</dd>
+</dl>
+</dd>
+<dt><strong>dict_file</strong></dt>
+<dd>(String.) Location of the dictionary file containing strings that
+are not allowed as passwords. The file should contain one string
+per line, with no additional whitespace. If none is specified or
+if there is no policy assigned to the principal, no dictionary
+checks of passwords will be performed.</dd>
+<dt><strong>host_based_services</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Lists services which will
+get host-based referral processing even if the server principal is
+not marked as host-based by the client.</dd>
+<dt><strong>iprop_enable</strong></dt>
+<dd>(Boolean value.) Specifies whether incremental database
+propagation is enabled. The default value is false.</dd>
+<dt><strong>iprop_master_ulogsize</strong></dt>
+<dd>(Integer.) Specifies the maximum number of log entries to be
+retained for incremental propagation. The default value is 1000.
+Prior to release 1.11, the maximum value was 2500.</dd>
+<dt><strong>iprop_slave_poll</strong></dt>
+<dd>(Delta time string.) Specifies how often the slave KDC polls for
+new updates from the master. The default value is <tt class="docutils literal"><span class="pre">2m</span></tt> (that
+is, two minutes).</dd>
+<dt><strong>iprop_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default (when <strong>iprop_enable</strong> is true) is to bind to the wildcard
+address at the port specified in <strong>iprop_port</strong>. New in release
+1.15.</dd>
+<dt><strong>iprop_port</strong></dt>
+<dd>(Port number.) Specifies the port number to be used for
+incremental propagation. When <strong>iprop_enable</strong> is true, this
+relation is required in the slave configuration file, and this
+relation or <strong>iprop_listen</strong> is required in the master
+configuration file, as there is no default port number. Port
+numbers specified in <strong>iprop_listen</strong> entries will override this
+port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.</dd>
+<dt><strong>iprop_resync_timeout</strong></dt>
+<dd>(Delta time string.) Specifies the amount of time to wait for a
+full propagation to complete. This is optional in configuration
+files, and is used by slave KDCs only. The default value is 5
+minutes (<tt class="docutils literal"><span class="pre">5m</span></tt>). New in release 1.11.</dd>
+<dt><strong>iprop_logfile</strong></dt>
+<dd>(File name.) Specifies where the update log file for the realm
+database is to be stored. The default is to use the
+<strong>database_name</strong> entry from the realms section of the krb5 config
+file, with <tt class="docutils literal"><span class="pre">.ulog</span></tt> appended. (NOTE: If <strong>database_name</strong> isn&#8217;t
+specified in the realms section, perhaps because the LDAP database
+back end is being used, or the file name is specified in the
+[dbmodules] section, then the hard-coded default for
+<strong>database_name</strong> is used. Determination of the <strong>iprop_logfile</strong>
+default value will not use values from the [dbmodules] section.)</dd>
+<dt><strong>kadmind_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address at the port specified
+in <strong>kadmind_port</strong>, or the standard kadmin port (749). New in
+release 1.15.</dd>
+<dt><strong>kadmind_port</strong></dt>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+daemon is to listen for this realm. Port numbers specified in
+<strong>kadmind_listen</strong> entries will override this port number. The
+assigned port for kadmind is 749, which is used by default.</dd>
+<dt><strong>key_stash_file</strong></dt>
+<dd>(String.) Specifies the location where the master key has been
+stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/.k5.REALM</span></tt>, where <em>REALM</em> is the Kerberos realm.</dd>
+<dt><strong>kdc_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the UDP
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. If the KDC daemon fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address on the standard port.
+New in release 1.15.</dd>
+<dt><strong>kdc_ports</strong></dt>
+<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as <strong>kdc_listen</strong>
+if that relation is not defined.</dd>
+<dt><strong>kdc_tcp_listen</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Specifies the TCP
+listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. To disable listening on TCP, set
+this relation to the empty string with <tt class="docutils literal"><span class="pre">kdc_tcp_listen</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.
+If the KDC daemon fails to bind to any of the specified addresses,
+it will fail to start. The default is to bind to the wildcard
+address on the standard port. New in release 1.15.</dd>
+<dt><strong>kdc_tcp_ports</strong></dt>
+<dd>(Whitespace- or comma-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as
+<strong>kdc_tcp_listen</strong> if that relation is not defined.</dd>
+<dt><strong>kpasswd_listen</strong></dt>
+<dd>(Comma-separated list.) Specifies the kpasswd listening addresses
+and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon. Each entry may be
+an interface address, a port number, or an address and port number
+separated by a colon. If the address contains colons, enclose it
+in square brackets. If no address is specified, the wildcard
+address is used. If kadmind fails to bind to any of the specified
+addresses, it will fail to start. The default is to bind to the
+wildcard address at the port specified in <strong>kpasswd_port</strong>, or the
+standard kpasswd port (464). New in release 1.15.</dd>
+<dt><strong>kpasswd_port</strong></dt>
+<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+daemon is to listen for password change requests for this realm.
+Port numbers specified in <strong>kpasswd_listen</strong> entries will override
+this port number. The assigned port for password change requests
+is 464, which is used by default.</dd>
+<dt><strong>master_key_name</strong></dt>
+<dd>(String.) Specifies the name of the principal associated with the
+master key. The default is <tt class="docutils literal"><span class="pre">K/M</span></tt>.</dd>
+<dt><strong>master_key_type</strong></dt>
+<dd>(Key type string.) Specifies the master key&#8217;s key type. The
+default value for this is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span></tt>. For a list of all possible
+values, see <a class="reference internal" href="#encryption-types"><em>Encryption types</em></a>.</dd>
+<dt><strong>max_life</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period for
+which a ticket may be valid in this realm. The default value is
+24 hours.</dd>
+<dt><strong>max_renewable_life</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Specifies the maximum time period
+during which a valid ticket may be renewed in this realm.
+The default value is 0.</dd>
+<dt><strong>no_host_referral</strong></dt>
+<dd>(Whitespace- or comma-separated list.) Lists services to block
+from getting host-based referral processing, even if the client
+marks the server principal as host-based or the service is also
+listed in <strong>host_based_services</strong>. <tt class="docutils literal"><span class="pre">no_host_referral</span> <span class="pre">=</span> <span class="pre">*</span></tt> will
+disable referral processing altogether.</dd>
+<dt><strong>des_crc_session_supported</strong></dt>
+<dd>(Boolean value). If set to true, the KDC will assume that service
+principals support des-cbc-crc for session key enctype negotiation
+purposes. If <strong>allow_weak_crypto</strong> in <a class="reference internal" href="krb5_conf.html#libdefaults"><em>[libdefaults]</em></a> is
+false, or if des-cbc-crc is not a permitted enctype, then this
+variable has no effect. Defaults to true. New in release 1.11.</dd>
+<dt><strong>reject_bad_transit</strong></dt>
+<dd><p class="first">(Boolean value.) If set to true, the KDC will check the list of
+transited realms for cross-realm tickets against the transit path
+computed from the realm names and the capaths section of its
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a> file; if the path in the ticket to be issued
+contains any realms not in the computed path, the ticket will not
+be issued, and an error will be returned to the client instead.
+If this value is set to false, such tickets will be issued
+anyways, and it will be left up to the application server to
+validate the realm transit path.</p>
+<p>If the disable-transited-check flag is set in the incoming
+request, this check is not performed at all. Having the
+<strong>reject_bad_transit</strong> option will cause such ticket requests to
+be rejected always.</p>
+<p>This transit path checking and config file option currently apply
+only to TGS requests.</p>
+<p class="last">The default value is true.</p>
+</dd>
+<dt><strong>restrict_anonymous_to_tgt</strong></dt>
+<dd>(Boolean value.) If set to true, the KDC will reject ticket
+requests from anonymous principals to service principals other
+than the realm&#8217;s ticket-granting service. This option allows
+anonymous PKINIT to be enabled for use as FAST armor tickets
+without allowing anonymous authentication to services. The
+default value is false. New in release 1.9.</dd>
+<dt><strong>supported_enctypes</strong></dt>
+<dd>(List of <em>key</em>:<em>salt</em> strings.) Specifies the default key/salt
+combinations of principals for this realm. Any principals created
+through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> will have keys of these types. The
+default value for this tag is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96:normal</span> <span class="pre">aes128-cts-hmac-sha1-96:normal</span> <span class="pre">des3-cbc-sha1:normal</span> <span class="pre">arcfour-hmac-md5:normal</span></tt>. For lists of
+possible values, see <a class="reference internal" href="#keysalt-lists"><em>Keysalt lists</em></a>.</dd>
+</dl>
+</div>
+<div class="section" id="dbdefaults">
+<span id="id2"></span><h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>
+<p>The [dbdefaults] section specifies default values for some database
+parameters, to be used if the [dbmodules] subsection does not contain
+a relation for the tag. See the <a class="reference internal" href="#dbmodules"><em>[dbmodules]</em></a> section for the
+definitions of these relations.</p>
+<ul class="simple">
+<li><strong>ldap_kerberos_container_dn</strong></li>
+<li><strong>ldap_kdc_dn</strong></li>
+<li><strong>ldap_kdc_sasl_authcid</strong></li>
+<li><strong>ldap_kdc_sasl_authzid</strong></li>
+<li><strong>ldap_kdc_sasl_mech</strong></li>
+<li><strong>ldap_kdc_sasl_realm</strong></li>
+<li><strong>ldap_kadmind_dn</strong></li>
+<li><strong>ldap_kadmind_sasl_authcid</strong></li>
+<li><strong>ldap_kadmind_sasl_authzid</strong></li>
+<li><strong>ldap_kadmind_sasl_mech</strong></li>
+<li><strong>ldap_kadmind_sasl_realm</strong></li>
+<li><strong>ldap_service_password_file</strong></li>
+<li><strong>ldap_servers</strong></li>
+<li><strong>ldap_conns_per_server</strong></li>
+</ul>
+</div>
+<div class="section" id="dbmodules">
+<span id="id3"></span><h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>
+<p>The [dbmodules] section contains parameters used by the KDC database
+library and database modules. Each tag in the [dbmodules] section is
+the name of a Kerberos realm or a section name specified by a realm&#8217;s
+<strong>database_module</strong> parameter. The following example shows how to
+define one database parameter for the ATHENA.MIT.EDU realm:</p>
+<div class="highlight-python"><div class="highlight"><pre>[dbmodules]
+ ATHENA.MIT.EDU = {
+ disable_last_success = true
+ }
+</pre></div>
+</div>
+<p>The following tags may be specified in a [dbmodules] subsection:</p>
+<dl class="docutils">
+<dt><strong>database_name</strong></dt>
+<dd>This DB2-specific tag indicates the location of the database in
+the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/principal</span></tt>.</dd>
+<dt><strong>db_library</strong></dt>
+<dd>This tag indicates the name of the loadable database module. The
+value should be <tt class="docutils literal"><span class="pre">db2</span></tt> for the DB2 module and <tt class="docutils literal"><span class="pre">kldap</span></tt> for the
+LDAP module.</dd>
+<dt><strong>disable_last_success</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last successful
+authentication&#8221; field of principal entries requiring
+preauthentication. Setting this flag may improve performance.
+(Principal entries which do not require preauthentication never
+update the &#8220;Last successful authentication&#8221; field.). First
+introduced in release 1.9.</dd>
+<dt><strong>disable_lockout</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, suppresses KDC updates to the &#8220;Last failed
+authentication&#8221; and &#8220;Failed password attempts&#8221; fields of principal
+entries requiring preauthentication. Setting this flag may
+improve performance, but also disables account lockout. First
+introduced in release 1.9.</dd>
+<dt><strong>ldap_conns_per_server</strong></dt>
+<dd>This LDAP-specific tag indicates the number of connections to be
+maintained per LDAP server.</dd>
+<dt><strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong></dt>
+<dd>These LDAP-specific tags indicate the default DN for binding to
+the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemon uses
+<strong>ldap_kdc_dn</strong>, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon and other
+administrative programs use <strong>ldap_kadmind_dn</strong>. The kadmind DN
+must have the rights to read and write the Kerberos data in the
+LDAP database. The KDC DN must have the same rights, unless
+<strong>disable_lockout</strong> and <strong>disable_last_success</strong> are true, in
+which case it only needs to have rights to read the Kerberos data.
+These tags are ignored if a SASL mechanism is set with
+<strong>ldap_kdc_sasl_mech</strong> or <strong>ldap_kadmind_sasl_mech</strong>.</dd>
+<dt><strong>ldap_kdc_sasl_mech</strong> and <strong>ldap_kadmind_sasl_mech</strong></dt>
+<dd>These LDAP-specific tags specify the SASL mechanism (such as
+<tt class="docutils literal"><span class="pre">EXTERNAL</span></tt>) to use when binding to the LDAP server. New in
+release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_authcid</strong> and <strong>ldap_kadmind_sasl_authcid</strong></dt>
+<dd>These LDAP-specific tags specify the SASL authentication identity
+to use when binding to the LDAP server. Not all SASL mechanisms
+require an authentication identity. If the SASL mechanism
+requires a secret (such as the password for <tt class="docutils literal"><span class="pre">DIGEST-MD5</span></tt>), these
+tags also determine the name within the
+<strong>ldap_service_password_file</strong> where the secret is stashed. New
+in release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_authzid</strong> and <strong>ldap_kadmind_sasl_authzid</strong></dt>
+<dd>These LDAP-specific tags specify the SASL authorization identity
+to use when binding to the LDAP server. In most circumstances
+they do not need to be specified. New in release 1.13.</dd>
+<dt><strong>ldap_kdc_sasl_realm</strong> and <strong>ldap_kadmind_sasl_realm</strong></dt>
+<dd>These LDAP-specific tags specify the SASL realm to use when
+binding to the LDAP server. In most circumstances they do not
+need to be set. New in release 1.13.</dd>
+<dt><strong>ldap_kerberos_container_dn</strong></dt>
+<dd>This LDAP-specific tag indicates the DN of the container object
+where the realm objects will be located.</dd>
+<dt><strong>ldap_servers</strong></dt>
+<dd>This LDAP-specific tag indicates the list of LDAP servers that the
+Kerberos servers can connect to. The list of LDAP servers is
+whitespace-separated. The LDAP server is specified by a LDAP URI.
+It is recommended to use <tt class="docutils literal"><span class="pre">ldapi:</span></tt> or <tt class="docutils literal"><span class="pre">ldaps:</span></tt> URLs to connect
+to the LDAP server.</dd>
+<dt><strong>ldap_service_password_file</strong></dt>
+<dd>This LDAP-specific tag indicates the file containing the stashed
+passwords (created by <tt class="docutils literal"><span class="pre">kdb5_ldap_util</span> <span class="pre">stashsrvpw</span></tt>) for the
+<strong>ldap_kdc_dn</strong> and <strong>ldap_kadmind_dn</strong> objects, or for the
+<strong>ldap_kdc_sasl_authcid</strong> or <strong>ldap_kadmind_sasl_authcid</strong> names
+for SASL authentication. This file must be kept secure.</dd>
+<dt><strong>unlockiter</strong></dt>
+<dd>If set to <tt class="docutils literal"><span class="pre">true</span></tt>, this DB2-specific tag causes iteration
+operations to release the database lock while processing each
+principal. Setting this flag to <tt class="docutils literal"><span class="pre">true</span></tt> can prevent extended
+blocking of KDC or kadmin operations when dumps of large databases
+are in progress. First introduced in release 1.13.</dd>
+</dl>
+<p>The following tag may be specified directly in the [dbmodules]
+section to control where database modules are loaded from:</p>
+<dl class="docutils">
+<dt><strong>db_module_dir</strong></dt>
+<dd>This tag controls where the plugin system looks for database
+modules. The value should be an absolute path.</dd>
+</dl>
+</div>
+<div class="section" id="logging">
+<span id="id4"></span><h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>
+<p>The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> and
+<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> perform logging. It may contain the following
+relations:</p>
+<dl class="docutils">
+<dt><strong>admin_server</strong></dt>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> performs logging.</dd>
+<dt><strong>kdc</strong></dt>
+<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> performs logging.</dd>
+<dt><strong>default</strong></dt>
+<dd>Specifies how either daemon performs logging in the absence of
+relations specific to the daemon.</dd>
+<dt><strong>debug</strong></dt>
+<dd>(Boolean value.) Specifies whether debugging messages are
+included in log outputs other than SYSLOG. Debugging messages are
+always included in the system log output because syslog performs
+its own priority filtering. The default value is false. New in
+release 1.15.</dd>
+</dl>
+<p>Logging specifications may have the following forms:</p>
+<dl class="docutils">
+<dt><strong>FILE=</strong><em>filename</em> or <strong>FILE:</strong><em>filename</em></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to the
+<em>filename</em>. If the <tt class="docutils literal"><span class="pre">=</span></tt> form is used, the file is overwritten.
+If the <tt class="docutils literal"><span class="pre">:</span></tt> form is used, the file is appended to.</dd>
+<dt><strong>STDERR</strong></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to its
+standard error stream.</dd>
+<dt><strong>CONSOLE</strong></dt>
+<dd>This value causes the daemon&#8217;s logging messages to go to the
+console, if the system supports it.</dd>
+<dt><strong>DEVICE=</strong><em>&lt;devicename&gt;</em></dt>
+<dd>This causes the daemon&#8217;s logging messages to go to the specified
+device.</dd>
+<dt><strong>SYSLOG</strong>[<strong>:</strong><em>severity</em>[<strong>:</strong><em>facility</em>]]</dt>
+<dd><p class="first">This causes the daemon&#8217;s logging messages to go to the system log.</p>
+<p>The severity argument specifies the default severity of system log
+messages. This may be any of the following severities supported
+by the syslog(3) call, minus the <tt class="docutils literal"><span class="pre">LOG_</span></tt> prefix: <strong>EMERG</strong>,
+<strong>ALERT</strong>, <strong>CRIT</strong>, <strong>ERR</strong>, <strong>WARNING</strong>, <strong>NOTICE</strong>, <strong>INFO</strong>,
+and <strong>DEBUG</strong>.</p>
+<p>The facility argument specifies the facility under which the
+messages are logged. This may be any of the following facilities
+supported by the syslog(3) call minus the LOG_ prefix: <strong>KERN</strong>,
+<strong>USER</strong>, <strong>MAIL</strong>, <strong>DAEMON</strong>, <strong>AUTH</strong>, <strong>LPR</strong>, <strong>NEWS</strong>,
+<strong>UUCP</strong>, <strong>CRON</strong>, and <strong>LOCAL0</strong> through <strong>LOCAL7</strong>.</p>
+<p class="last">If no severity is specified, the default is <strong>ERR</strong>. If no
+facility is specified, the default is <strong>AUTH</strong>.</p>
+</dd>
+</dl>
+<p>In the following example, the logging messages from the KDC will go to
+the console and to the system log under the facility LOG_DAEMON with
+default severity of LOG_INFO; and the logging messages from the
+administrative server will be appended to the file
+<tt class="docutils literal"><span class="pre">/var/adm/kadmin.log</span></tt> and sent to the device <tt class="docutils literal"><span class="pre">/dev/tty04</span></tt>.</p>
+<div class="highlight-python"><div class="highlight"><pre>[logging]
+ kdc = CONSOLE
+ kdc = SYSLOG:INFO:DAEMON
+ admin_server = FILE:/var/adm/kadmin.log
+ admin_server = DEVICE=/dev/tty04
+</pre></div>
+</div>
+</div>
+<div class="section" id="otp">
+<span id="id5"></span><h3>[otp]<a class="headerlink" href="#otp" title="Permalink to this headline">¶</a></h3>
+<p>Each subsection of [otp] is the name of an OTP token type. The tags
+within the subsection define the configuration required to forward a
+One Time Password request to a RADIUS server.</p>
+<p>For each token type, the following tags may be specified:</p>
+<dl class="docutils">
+<dt><strong>server</strong></dt>
+<dd>This is the server to send the RADIUS request to. It can be a
+hostname with optional port, an ip address with optional port, or
+a Unix domain socket address. The default is
+<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/&lt;name&gt;.socket</span></tt>.</dd>
+<dt><strong>secret</strong></dt>
+<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt>)
+containing the secret used to encrypt the RADIUS packets. The
+secret should appear in the first line of the file by itself;
+leading and trailing whitespace on the line will be removed. If
+the value of <strong>server</strong> is a Unix domain socket address, this tag
+is optional, and an empty secret will be used if it is not
+specified. Otherwise, this tag is required.</dd>
+<dt><strong>timeout</strong></dt>
+<dd>An integer which specifies the time in seconds during which the
+KDC should attempt to contact the RADIUS server. This tag is the
+total time across all retries and should be less than the time
+which an OTP value remains valid for. The default is 5 seconds.</dd>
+<dt><strong>retries</strong></dt>
+<dd>This tag specifies the number of retries to make to the RADIUS
+server. The default is 3 retries (4 tries).</dd>
+<dt><strong>strip_realm</strong></dt>
+<dd>If this tag is <tt class="docutils literal"><span class="pre">true</span></tt>, the principal without the realm will be
+passed to the RADIUS server. Otherwise, the realm will be
+included. The default value is <tt class="docutils literal"><span class="pre">true</span></tt>.</dd>
+<dt><strong>indicator</strong></dt>
+<dd>This tag specifies an authentication indicator to be included in
+the ticket if this token type is used to authenticate. This
+option may be specified multiple times. (New in release 1.14.)</dd>
+</dl>
+<p>In the following example, requests are sent to a remote server via UDP:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ MyRemoteTokenType = {
+ server = radius.mydomain.com:1812
+ secret = SEmfiajf42$
+ timeout = 15
+ retries = 5
+ strip_realm = true
+ }
+</pre></div>
+</div>
+<p>An implicit default token type named <tt class="docutils literal"><span class="pre">DEFAULT</span></tt> is defined for when
+the per-principal configuration does not specify a token type. Its
+configuration is shown below. You may override this token type to
+something applicable for your situation:</p>
+<div class="highlight-python"><div class="highlight"><pre>[otp]
+ DEFAULT = {
+ strip_realm = false
+ }
+</pre></div>
+</div>
+</div>
+</div>
+<div class="section" id="pkinit-options">
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The following are pkinit-specific options. These values may
+be specified in [kdcdefaults] as global defaults, or within
+a realm-specific subsection of [realms]. Also note that a
+realm-specific value over-rides, does not add to, a generic
+[kdcdefaults] specification. The search order is:</p>
+</div>
+<ol class="arabic">
+<li><p class="first">realm-specific subsection of [realms]:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE:/usr/local/example.com.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">generic value in the [kdcdefaults] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+</pre></div>
+</div>
+</li>
+</ol>
+<p>For information about the syntax of some of these options, see
+<a class="reference internal" href="krb5_conf.html#pkinit-identity"><em>Specifying PKINIT identity information</em></a> in
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>.</p>
+<dl class="docutils">
+<dt><strong>pkinit_anchors</strong></dt>
+<dd>Specifies the location of trusted anchor (root) certificates which
+the KDC trusts to sign client certificates. This option is
+required if pkinit is to be supported by the KDC. This option may
+be specified multiple times.</dd>
+<dt><strong>pkinit_dh_min_bits</strong></dt>
+<dd>Specifies the minimum number of bits the KDC is willing to accept
+for a client&#8217;s Diffie-Hellman key. The default is 2048.</dd>
+<dt><strong>pkinit_allow_upn</strong></dt>
+<dd><p class="first">Specifies that the KDC is willing to accept client certificates
+with the Microsoft UserPrincipalName (UPN) Subject Alternative
+Name (SAN). This means the KDC accepts the binding of the UPN in
+the certificate to the Kerberos principal name. The default value
+is false.</p>
+<p class="last">Without this option, the KDC will only accept certificates with
+the id-pkinit-san as defined in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. There is currently
+no option to disable SAN checking in the KDC.</p>
+</dd>
+<dt><strong>pkinit_eku_checking</strong></dt>
+<dd><p class="first">This option specifies what Extended Key Usage (EKU) values the KDC
+is willing to accept in client certificates. The values
+recognized in the kdc.conf file are:</p>
+<dl class="last docutils">
+<dt><strong>kpClientAuth</strong></dt>
+<dd>This is the default value and specifies that client
+certificates must have the id-pkinit-KPClientAuth EKU as
+defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+<dt><strong>scLogin</strong></dt>
+<dd>If scLogin is specified, client certificates with the
+Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
+accepted.</dd>
+<dt><strong>none</strong></dt>
+<dd>If none is specified, then client certificates will not be
+checked to verify they have an acceptable EKU. The use of
+this option is not recommended.</dd>
+</dl>
+</dd>
+<dt><strong>pkinit_identity</strong></dt>
+<dd>Specifies the location of the KDC&#8217;s X.509 identity information.
+This option is required if pkinit is to be supported by the KDC.</dd>
+<dt><strong>pkinit_indicator</strong></dt>
+<dd>Specifies an authentication indicator to include in the ticket if
+pkinit is used to authenticate. This option may be specified
+multiple times. (New in release 1.14.)</dd>
+<dt><strong>pkinit_kdc_ocsp</strong></dt>
+<dd>Specifies the location of the KDC&#8217;s OCSP.</dd>
+<dt><strong>pkinit_pool</strong></dt>
+<dd>Specifies the location of intermediate certificates which may be
+used by the KDC to complete the trust chain between a client&#8217;s
+certificate and a trusted anchor. This option may be specified
+multiple times.</dd>
+<dt><strong>pkinit_revoke</strong></dt>
+<dd>Specifies the location of Certificate Revocation List (CRL)
+information to be used by the KDC when verifying the validity of
+client certificates. This option may be specified multiple times.</dd>
+<dt><strong>pkinit_require_crl_checking</strong></dt>
+<dd><p class="first">The default certificate verification process will always check the
+available revocation information to see if a certificate has been
+revoked. If a match is found for the certificate in a CRL,
+verification fails. If the certificate being verified is not
+listed in a CRL, or there is no CRL present for its issuing CA,
+and <strong>pkinit_require_crl_checking</strong> is false, then verification
+succeeds.</p>
+<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
+no CRL information available for the issuing CA, then verification
+fails.</p>
+<p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the
+policy is such that up-to-date CRLs must be present for every CA.</p>
+</dd>
+</dl>
+</div>
+<div class="section" id="encryption-types">
+<span id="id6"></span><h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>
+<p>Any tag in the configuration files which requires a list of encryption
+types can be set to some combination of the following strings.
+Encryption types marked as &#8220;weak&#8221; are available for compatibility but
+not recommended for use.</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="44%" />
+<col width="56%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>des-cbc-crc</td>
+<td>DES cbc mode with CRC-32 (weak)</td>
+</tr>
+<tr class="row-even"><td>des-cbc-md4</td>
+<td>DES cbc mode with RSA-MD4 (weak)</td>
+</tr>
+<tr class="row-odd"><td>des-cbc-md5</td>
+<td>DES cbc mode with RSA-MD5 (weak)</td>
+</tr>
+<tr class="row-even"><td>des-cbc-raw</td>
+<td>DES cbc mode raw (weak)</td>
+</tr>
+<tr class="row-odd"><td>des3-cbc-raw</td>
+<td>Triple DES cbc mode raw (weak)</td>
+</tr>
+<tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td>
+<td>Triple DES cbc mode with HMAC/sha1</td>
+</tr>
+<tr class="row-odd"><td>des-hmac-sha1</td>
+<td>DES with HMAC/sha1 (weak)</td>
+</tr>
+<tr class="row-even"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>
+<td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td>
+</tr>
+<tr class="row-odd"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>
+<td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td>
+</tr>
+<tr class="row-even"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>
+<td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td>
+</tr>
+<tr class="row-odd"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>
+<td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td>
+</tr>
+<tr class="row-even"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>
+<td>RC4 with HMAC/MD5</td>
+</tr>
+<tr class="row-odd"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>
+<td>Exportable RC4 with HMAC/MD5 (weak)</td>
+</tr>
+<tr class="row-even"><td>camellia256-cts-cmac camellia256-cts</td>
+<td>Camellia-256 CTS mode with CMAC</td>
+</tr>
+<tr class="row-odd"><td>camellia128-cts-cmac camellia128-cts</td>
+<td>Camellia-128 CTS mode with CMAC</td>
+</tr>
+<tr class="row-even"><td>des</td>
+<td>The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)</td>
+</tr>
+<tr class="row-odd"><td>des3</td>
+<td>The triple DES family: des3-cbc-sha1</td>
+</tr>
+<tr class="row-even"><td>aes</td>
+<td>The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96</td>
+</tr>
+<tr class="row-odd"><td>rc4</td>
+<td>The RC4 family: arcfour-hmac</td>
+</tr>
+<tr class="row-even"><td>camellia</td>
+<td>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</td>
+</tr>
+</tbody>
+</table>
+<p>The string <strong>DEFAULT</strong> can be used to refer to the default set of
+types for the variable in question. Types or families can be removed
+from the current list by prefixing them with a minus sign (&#8220;-&#8221;).
+Types or families can be prefixed with a plus sign (&#8220;+&#8221;) for symmetry;
+it has the same meaning as just listing the type or family. For
+example, &#8220;<tt class="docutils literal"><span class="pre">DEFAULT</span> <span class="pre">-des</span></tt>&#8221; would be the default set of encryption
+types with DES types removed, and &#8220;<tt class="docutils literal"><span class="pre">des3</span> <span class="pre">DEFAULT</span></tt>&#8221; would be the
+default set of encryption types with triple DES types moved to the
+front.</p>
+<p>While <strong>aes128-cts</strong> and <strong>aes256-cts</strong> are supported for all Kerberos
+operations, they are not supported by very old versions of our GSSAPI
+implementation (krb5-1.3.1 and earlier). Services running versions of
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.</p>
+<p>The <strong>aes128-sha2</strong> and <strong>aes256-sha2</strong> encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.</p>
+</div>
+<div class="section" id="keysalt-lists">
+<span id="id7"></span><h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>
+<p>Kerberos keys for users are usually derived from passwords. Kerberos
+commands and configuration parameters that affect generation of keys
+take lists of enctype-salttype (&#8220;keysalt&#8221;) pairs, known as <em>keysalt
+lists</em>. Each keysalt pair is an enctype name followed by a salttype
+name, in the format <em>enc</em>:<em>salt</em>. Individual keysalt list members are
+separated by comma (&#8221;,&#8221;) characters or space characters. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal
+</pre></div>
+</div>
+<p>would start up kadmin so that by default it would generate
+password-derived keys for the <strong>aes256-cts</strong> and <strong>aes128-cts</strong>
+encryption types, using a <strong>normal</strong> salt.</p>
+<p>To ensure that people who happen to pick the same password do not have
+the same key, Kerberos 5 incorporates more information into the key
+using something called a salt. The supported salt types are as
+follows:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="21%" />
+<col width="79%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>normal</td>
+<td>default for Kerberos Version 5</td>
+</tr>
+<tr class="row-even"><td>v4</td>
+<td>the only type used by Kerberos Version 4 (no salt)</td>
+</tr>
+<tr class="row-odd"><td>norealm</td>
+<td>same as the default, without using realm information</td>
+</tr>
+<tr class="row-even"><td>onlyrealm</td>
+<td>uses only realm information as the salt</td>
+</tr>
+<tr class="row-odd"><td>afs3</td>
+<td>AFS version 3, only used for compatibility with Kerberos 4 in AFS</td>
+</tr>
+<tr class="row-even"><td>special</td>
+<td>generate a random salt</td>
+</tr>
+</tbody>
+</table>
+</div>
+<div class="section" id="sample-kdc-conf-file">
+<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>
+<p>Here&#8217;s an example of a kdc.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[kdcdefaults]
+ kdc_listen = 88
+ kdc_tcp_listen = 88
+[realms]
+ ATHENA.MIT.EDU = {
+ kadmind_port = 749
+ max_life = 12h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts-hmac-sha1-96
+ supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
+ database_module = openldap_ldapconf
+ }
+
+[logging]
+ kdc = FILE:/usr/local/var/krb5kdc/kdc.log
+ admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
+
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
+
+[dbmodules]
+ openldap_ldapconf = {
+ db_library = kldap
+ disable_last_success = true
+ ldap_kdc_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
+ # this object needs to have read rights on
+ # the realm container and principal subtrees
+ ldap_kadmind_dn = &quot;cn=krbadmin,dc=mit,dc=edu&quot;
+ # this object needs to have read and write rights on
+ # the realm container and principal subtrees
+ ldap_service_password_file = /etc/kerberos/service.keyfile
+ ldap_servers = ldaps://kerberos.mit.edu
+ ldap_conns_per_server = 5
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kdc.conf</span></tt></p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p><a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>, <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a></p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">kdc.conf</a><ul>
+<li><a class="reference internal" href="#structure">Structure</a></li>
+<li><a class="reference internal" href="#sections">Sections</a><ul>
+<li><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></li>
+<li><a class="reference internal" href="#realms">[realms]</a></li>
+<li><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></li>
+<li><a class="reference internal" href="#dbmodules">[dbmodules]</a></li>
+<li><a class="reference internal" href="#logging">[logging]</a></li>
+<li><a class="reference internal" href="#otp">[otp]</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#pkinit-options">PKINIT options</a></li>
+<li><a class="reference internal" href="#encryption-types">Encryption types</a></li>
+<li><a class="reference internal" href="#keysalt-lists">Keysalt lists</a></li>
+<li><a class="reference internal" href="#sample-kdc-conf-file">Sample kdc.conf File</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li>
+<li class="toctree-l3 current"><a class="current reference internal" href="">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="krb5_conf.html" title="krb5.conf"
+ >previous</a> |
+ <a href="kadm5_acl.html" title="kadm5.acl"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kdc.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
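Review bot: the [otp] example `secret = SEmfiajf42$` contradicts the description of the `secret` tag just above it, which says the tag names a file (optionally relative to LOCALSTATEDIR/krb5kdc) whose first line holds the RADIUS secret, not the secret value itself; as written, the KDC would look for a file named `SEmfiajf42$`, and a reader copying the example would either get a failed lookup or take kdc.conf to be the place where the shared secret is stored. Suggest changing the example line to a filename, e.g. `secret = MyRemoteTokenType.secret`, so it matches the documented semantics and the `timeout`/`retries` lines around it. Since this is upstream-generated HTML, the correction belongs in the MIT krb5 documentation source rather than in this vendor import.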
diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
new file mode 100644
index 000000000000..ca50e7ad27f1
--- /dev/null
+++ b/doc/html/admin/conf_files/krb5_conf.html
@@ -0,0 +1,1299 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>krb5.conf &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../../_static/jquery.js"></script>
+ <script type="text/javascript" src="../../_static/underscore.js"></script>
+ <script type="text/javascript" src="../../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../../about.html" />
+ <link rel="copyright" title="Copyright" href="../../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" />
+ <link rel="up" title="Configuration Files" href="index.html" />
+ <link rel="next" title="kdc.conf" href="kdc_conf.html" />
+ <link rel="prev" title="Configuration Files" href="index.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="index.html" title="Configuration Files"
+ accesskey="P">previous</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ accesskey="N">next</a> |
+ <a href="../../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="krb5-conf">
+<span id="krb5-conf-5"></span><h1>krb5.conf<a class="headerlink" href="#krb5-conf" title="Permalink to this headline">¶</a></h1>
+<p>The krb5.conf file contains Kerberos configuration information,
+including the locations of KDCs and admin servers for the Kerberos
+realms of interest, defaults for the current realm and for Kerberos
+applications, and mappings of hostnames onto Kerberos realms.
+Normally, you should install your krb5.conf file in the directory
+<tt class="docutils literal"><span class="pre">/etc</span></tt>. You can override the default location by setting the
+environment variable <strong>KRB5_CONFIG</strong>. Multiple colon-separated
+filenames may be specified in <strong>KRB5_CONFIG</strong>; all files which are
+present will be read. Starting in release 1.14, directory names can
+also be specified in <strong>KRB5_CONFIG</strong>; all files within the directory
+whose names consist solely of alphanumeric characters, dashes, or
+underscores will be read.</p>
+<div class="section" id="structure">
+<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>
+<p>The krb5.conf file is set up in the style of a Windows INI file.
+Sections are headed by the section name, in square brackets. Each
+section may contain zero or more relations, of the form:</p>
+<div class="highlight-python"><div class="highlight"><pre><span class="n">foo</span> <span class="o">=</span> <span class="n">bar</span>
+</pre></div>
+</div>
+<p>or:</p>
+<div class="highlight-python"><div class="highlight"><pre>fubar = {
+ foo = bar
+ baz = quux
+}
+</pre></div>
+</div>
+<p>Placing a &#8216;*&#8217; at the end of a line indicates that this is the <em>final</em>
+value for the tag. This means that neither the remainder of this
+configuration file nor any other configuration file will be checked
+for any other values for this tag.</p>
+<p>For example, if you have the following lines:</p>
+<div class="highlight-python"><div class="highlight"><pre>foo = bar*
+foo = baz
+</pre></div>
+</div>
+<p>then the second value of <tt class="docutils literal"><span class="pre">foo</span></tt> (<tt class="docutils literal"><span class="pre">baz</span></tt>) would never be read.</p>
+<p>The krb5.conf file can include other files using either of the
+following directives at the beginning of a line:</p>
+<div class="highlight-python"><div class="highlight"><pre>include FILENAME
+includedir DIRNAME
+</pre></div>
+</div>
+<p><em>FILENAME</em> or <em>DIRNAME</em> should be an absolute path. The named file or
+directory must exist and be readable. Including a directory includes
+all files within the directory whose names consist solely of
+alphanumeric characters, dashes, or underscores. Starting in release
+1.15, files with names ending in &#8221;.conf&#8221; are also included. Included
+profile files are syntactically independent of their parents, so each
+included file must begin with a section header.</p>
+<p>The krb5.conf file can specify that configuration should be obtained
+from a loadable module, rather than the file itself, using the
+following directive at the beginning of a line before any section
+headers:</p>
+<div class="highlight-python"><div class="highlight"><pre>module MODULEPATH:RESIDUAL
+</pre></div>
+</div>
+<p><em>MODULEPATH</em> may be relative to the library path of the krb5
+installation, or it may be an absolute path. <em>RESIDUAL</em> is provided
+to the module at initialization time. If krb5.conf uses a module
+directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> should also use one if it exists.</p>
+</div>
+<div class="section" id="sections">
+<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>
+<p>The krb5.conf file may contain the following sections:</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="26%" />
+<col width="74%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td><a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a></td>
+<td>Settings used by the Kerberos V5 library</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#realms"><em>[realms]</em></a></td>
+<td>Realm-specific contact information and settings</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#domain-realm"><em>[domain_realm]</em></a></td>
+<td>Maps server hostnames to Kerberos realms</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#capaths"><em>[capaths]</em></a></td>
+<td>Authentication paths for non-hierarchical cross-realm</td>
+</tr>
+<tr class="row-odd"><td><a class="reference internal" href="#appdefaults"><em>[appdefaults]</em></a></td>
+<td>Settings used by some Kerberos V5 applications</td>
+</tr>
+<tr class="row-even"><td><a class="reference internal" href="#plugins"><em>[plugins]</em></a></td>
+<td>Controls plugin module registration</td>
+</tr>
+</tbody>
+</table>
+<p>Additionally, krb5.conf may include any of the relations described in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, but it is not a recommended practice.</p>
+<div class="section" id="libdefaults">
+<span id="id1"></span><h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>
+<p>The libdefaults section may contain any of the following relations:</p>
+<dl class="docutils">
+<dt><strong>allow_weak_crypto</strong></dt>
+<dd>If this flag is set to false, then weak encryption types (as noted
+in <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>) will be filtered
+out of the lists <strong>default_tgs_enctypes</strong>,
+<strong>default_tkt_enctypes</strong>, and <strong>permitted_enctypes</strong>. The default
+value for this tag is false, which may cause authentication
+failures in existing Kerberos infrastructures that do not support
+strong crypto. Users in affected environments should set this tag
+to true until their infrastructure adopts stronger ciphers.</dd>
+<dt><strong>ap_req_checksum_type</strong></dt>
+<dd>An integer which specifies the type of AP-REQ checksum to use in
+authenticators. This variable should be unset so the appropriate
+checksum for the encryption key in use will be used. This can be
+set if backward compatibility requires a specific checksum type.
+See the <strong>kdc_req_checksum_type</strong> configuration option for the
+possible values and their meanings.</dd>
+<dt><strong>canonicalize</strong></dt>
+<dd>If this flag is set to true, initial ticket requests to the KDC
+will request canonicalization of the client principal name, and
+answers with different client principals than the requested
+principal will be accepted. The default value is false.</dd>
+<dt><strong>ccache_type</strong></dt>
+<dd>This parameter determines the format of credential cache types
+created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> or other programs. The default value
+is 4, which represents the most current format. Smaller values
+can be used for compatibility with very old implementations of
+Kerberos which interact with credential caches on the same host.</dd>
+<dt><strong>clockskew</strong></dt>
+<dd><p class="first">Sets the maximum allowable amount of clockskew in seconds that the
+library will tolerate before assuming that a Kerberos message is
+invalid. The default value is 300 seconds, or five minutes.</p>
+<p class="last">The clockskew setting is also used when evaluating ticket start
+and expiration times. For example, tickets that have reached
+their expiration time can still be used (and renewed if they are
+renewable tickets) if they have been expired for a shorter
+duration than the <strong>clockskew</strong> setting.</p>
+</dd>
+<dt><strong>default_ccache_name</strong></dt>
+<dd>This relation specifies the name of the default credential cache.
+The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCCNAME</em></a>. This relation is subject to parameter
+expansion (see below). New in release 1.11.</dd>
+<dt><strong>default_client_keytab_name</strong></dt>
+<dd>This relation specifies the name of the default keytab for
+obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFCKTNAME</em></a>. This
+relation is subject to parameter expansion (see below).
+New in release 1.11.</dd>
+<dt><strong>default_keytab_name</strong></dt>
+<dd>This relation specifies the default keytab name to be used by
+application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>. This
+relation is subject to parameter expansion (see below).</dd>
+<dt><strong>default_realm</strong></dt>
+<dd>Identifies the default Kerberos realm for the client. Set its
+value to your Kerberos realm. If this value is not set, then a
+realm must be specified with every Kerberos principal when
+invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a>.</dd>
+<dt><strong>default_tgs_enctypes</strong></dt>
+<dd><p class="first">Identifies the supported list of session key encryption types that
+the client should request when making a TGS-REQ, in order of
+preference from highest to lowest. The list may be delimited with
+commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types"><em>Encryption types</em></a> in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the accepted values for this tag.
+The default value is <tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types
+will be implicitly removed from this list if the value of
+<strong>allow_weak_crypto</strong> is false.</p>
+<p class="last">Do not set this unless required for specific backward
+compatibility purposes; stale values of this setting can prevent
+clients from taking advantage of new stronger enctypes when the
+libraries are upgraded.</p>
+</dd>
+<dt><strong>default_tkt_enctypes</strong></dt>
+<dd><p class="first">Identifies the supported list of session key encryption types that
+the client should request when making an AS-REQ, in order of
+preference from highest to lowest. The format is the same as for
+default_tgs_enctypes. The default value for this tag is
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+removed from this list if the value of <strong>allow_weak_crypto</strong> is
+false.</p>
+<p class="last">Do not set this unless required for specific backward
+compatibility purposes; stale values of this setting can prevent
+clients from taking advantage of new stronger enctypes when the
+libraries are upgraded.</p>
+</dd>
+<dt><strong>dns_canonicalize_hostname</strong></dt>
+<dd>Indicate whether name lookups will be used to canonicalize
+hostnames for use in service principal names. Setting this flag
+to false can improve security by reducing reliance on DNS, but
+means that short hostnames will not be canonicalized to
+fully-qualified hostnames. The default value is true.</dd>
+<dt><strong>dns_lookup_kdc</strong></dt>
+<dd><p class="first">Indicate whether DNS SRV records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. (Note that the admin_server
+entry must be in the krb5.conf realm information in order to
+contact kadmind, because the DNS implementation for kadmin is
+incomplete.)</p>
+<p class="last">Enabling this option does open up a type of denial-of-service
+attack, if someone spoofs the DNS records and redirects you to
+another server. However, it&#8217;s no worse than a denial of service,
+because that fake KDC will be unable to decode anything you send
+it (besides the initial ticket request, which has no encrypted
+data), and anything the fake KDC sends will not be trusted without
+verification using some secret that it won&#8217;t know.</p>
+</dd>
+<dt><strong>dns_uri_lookup</strong></dt>
+<dd>Indicate whether DNS URI records should be used to locate the KDCs
+and other servers for a realm, if they are not listed in the
+krb5.conf information for the realm. SRV records are used as a
+fallback if no URI records were found. The default value is true.
+New in release 1.15.</dd>
+<dt><strong>err_fmt</strong></dt>
+<dd>This relation allows for custom error message formatting. If a
+value is set, error messages will be formatted by substituting a
+normal error message for %M and an error code for %C in the value.</dd>
+<dt><strong>extra_addresses</strong></dt>
+<dd>This allows a computer to use multiple local addresses, in order
+to allow Kerberos to work in a network that uses NATs while still
+using address-restricted tickets. The addresses should be in a
+comma-separated list. This option has no effect if
+<strong>noaddresses</strong> is true.</dd>
+<dt><strong>forwardable</strong></dt>
+<dd>If this flag is true, initial tickets will be forwardable by
+default, if allowed by the KDC. The default value is false.</dd>
+<dt><strong>ignore_acceptor_hostname</strong></dt>
+<dd>When accepting GSSAPI or krb5 security contexts for host-based
+service principals, ignore any hostname passed by the calling
+application, and allow clients to authenticate to any service
+principal in the keytab matching the service name and realm name
+(if given). This option can improve the administrative
+flexibility of server applications on multihomed hosts, but could
+compromise the security of virtual hosting environments. The
+default value is false. New in release 1.10.</dd>
+<dt><strong>k5login_authoritative</strong></dt>
+<dd>If this flag is true, principals must be listed in a local user&#8217;s
+k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a>
+file exists. If this flag is false, a principal may still be
+granted login access through other mechanisms even if a k5login
+file exists but does not list the principal. The default value is
+true.</dd>
+<dt><strong>k5login_directory</strong></dt>
+<dd>If set, the library will look for a local user&#8217;s k5login file
+within the named directory, with a filename corresponding to the
+local username. If not set, the library will look for k5login
+files in the user&#8217;s home directory, with the filename .k5login.
+For security reasons, .k5login files must be owned by
+the local user or by root.</dd>
+<dt><strong>kcm_mach_service</strong></dt>
+<dd>On OS X only, determines the name of the bootstrap service used to
+contact the KCM daemon for the KCM credential cache type. If the
+value is <tt class="docutils literal"><span class="pre">-</span></tt>, Mach RPC will not be used to contact the KCM
+daemon. The default value is <tt class="docutils literal"><span class="pre">org.h5l.kcm</span></tt>.</dd>
+<dt><strong>kcm_socket</strong></dt>
+<dd>Determines the path to the Unix domain socket used to access the
+KCM daemon for the KCM credential cache type. If the value is
+<tt class="docutils literal"><span class="pre">-</span></tt>, Unix domain sockets will not be used to contact the KCM
+daemon. The default value is
+<tt class="docutils literal"><span class="pre">/var/run/.heim_org.h5l.kcm-socket</span></tt>.</dd>
+<dt><strong>kdc_default_options</strong></dt>
+<dd>Default KDC options (Xored for multiple values) when requesting
+initial tickets. By default it is set to 0x00000010
+(KDC_OPT_RENEWABLE_OK).</dd>
+<dt><strong>kdc_timesync</strong></dt>
+<dd>Accepted values for this relation are 1 or 0. If it is nonzero,
+client machines will compute the difference between their time and
+the time returned by the KDC in the timestamps in the tickets and
+use this value to correct for an inaccurate system clock when
+requesting service tickets or authenticating to services. This
+corrective factor is only used by the Kerberos library; it is not
+used to change the system clock. The default value is 1.</dd>
+<dt><strong>kdc_req_checksum_type</strong></dt>
+<dd><p class="first">An integer which specifies the type of checksum to use for the KDC
+requests, for compatibility with very old KDC implementations.
+This value is only used for DES keys; other keys use the preferred
+checksum type for those keys.</p>
+<p>The possible values and their meanings are as follows.</p>
+<table border="1" class="last docutils">
+<colgroup>
+<col width="20%" />
+<col width="80%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>1</td>
+<td>CRC32</td>
+</tr>
+<tr class="row-even"><td>2</td>
+<td>RSA MD4</td>
+</tr>
+<tr class="row-odd"><td>3</td>
+<td>RSA MD4 DES</td>
+</tr>
+<tr class="row-even"><td>4</td>
+<td>DES CBC</td>
+</tr>
+<tr class="row-odd"><td>7</td>
+<td>RSA MD5</td>
+</tr>
+<tr class="row-even"><td>8</td>
+<td>RSA MD5 DES</td>
+</tr>
+<tr class="row-odd"><td>9</td>
+<td>NIST SHA</td>
+</tr>
+<tr class="row-even"><td>12</td>
+<td>HMAC SHA1 DES3</td>
+</tr>
+<tr class="row-odd"><td>-138</td>
+<td>Microsoft MD5 HMAC checksum type</td>
+</tr>
+</tbody>
+</table>
+</dd>
+<dt><strong>noaddresses</strong></dt>
+<dd>If this flag is true, requests for initial tickets will not be
+made with address restrictions set, allowing the tickets to be
+used across NATs. The default value is true.</dd>
+<dt><strong>permitted_enctypes</strong></dt>
+<dd>Identifies all encryption types that are permitted for use in
+session key encryption. The default value for this tag is
+<tt class="docutils literal"><span class="pre">aes256-cts-hmac-sha1-96</span> <span class="pre">aes128-cts-hmac-sha1-96</span> <span class="pre">des3-cbc-sha1</span> <span class="pre">arcfour-hmac-md5</span> <span class="pre">camellia256-cts-cmac</span> <span class="pre">camellia128-cts-cmac</span> <span class="pre">des-cbc-crc</span> <span class="pre">des-cbc-md5</span> <span class="pre">des-cbc-md4</span></tt>, but single-DES encryption types will be implicitly
+removed from this list if the value of <strong>allow_weak_crypto</strong> is
+false.</dd>
+<dt><strong>plugin_base_dir</strong></dt>
+<dd>If set, determines the base directory where krb5 plugins are
+located. The default value is the <tt class="docutils literal"><span class="pre">krb5/plugins</span></tt> subdirectory
+of the krb5 library directory.</dd>
+<dt><strong>preferred_preauth_types</strong></dt>
+<dd>This allows you to set the preferred preauthentication types which
+the client will attempt before others which may be advertised by a
+KDC. The default value for this setting is &#8220;17, 16, 15, 14&#8221;,
+which forces libkrb5 to attempt to use PKINIT if it is supported.</dd>
+<dt><strong>proxiable</strong></dt>
+<dd>If this flag is true, initial tickets will be proxiable by
+default, if allowed by the KDC. The default value is false.</dd>
+<dt><strong>rdns</strong></dt>
+<dd>If this flag is true, reverse name lookup will be used in addition
+to forward name lookup to canonicalizing hostnames for use in
+service principal names. If <strong>dns_canonicalize_hostname</strong> is set
+to false, this flag has no effect. The default value is true.</dd>
+<dt><strong>realm_try_domains</strong></dt>
+<dd>Indicate whether a host&#8217;s domain components should be used to
+determine the Kerberos realm of the host. The value of this
+variable is an integer: -1 means not to search, 0 means to try the
+host&#8217;s domain itself, 1 means to also try the domain&#8217;s immediate
+parent, and so forth. The library&#8217;s usual mechanism for locating
+Kerberos realms is used to determine whether a domain is a valid
+realm, which may involve consulting DNS if <strong>dns_lookup_kdc</strong> is
+set. The default is not to search domain components.</dd>
+<dt><strong>renew_lifetime</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default renewable lifetime
+for initial ticket requests. The default value is 0.</dd>
+<dt><strong>safe_checksum_type</strong></dt>
+<dd>An integer which specifies the type of checksum to use for the
+KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For
+compatibility with applications linked against DCE version 1.1 or
+earlier Kerberos libraries, use a value of 3 to use the RSA MD4
+DES instead. This field is ignored when its value is incompatible
+with the session key type. See the <strong>kdc_req_checksum_type</strong>
+configuration option for the possible values and their meanings.</dd>
+<dt><strong>ticket_lifetime</strong></dt>
+<dd>(<a class="reference internal" href="../../basic/date_format.html#duration"><em>Time duration</em></a> string.) Sets the default lifetime for initial
+ticket requests. The default value is 1 day.</dd>
+<dt><strong>udp_preference_limit</strong></dt>
+<dd>When sending a message to the KDC, the library will try using TCP
+before UDP if the size of the message is above
+<strong>udp_preference_limit</strong>. If the message is smaller than
+<strong>udp_preference_limit</strong>, then UDP will be tried before TCP.
+Regardless of the size, both protocols will be tried if the first
+attempt fails.</dd>
+<dt><strong>verify_ap_req_nofail</strong></dt>
+<dd>If this flag is true, then an attempt to verify initial
+credentials will fail if the client machine does not have a
+keytab. The default value is false.</dd>
+</dl>
+</div>
+<div class="section" id="realms">
+<span id="id2"></span><h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [realms] section of the file is the name of a Kerberos
+realm. The value of the tag is a subsection with relations that
+define the properties of that particular realm. For each realm, the
+following tags may be specified in the realm&#8217;s subsection:</p>
+<dl class="docutils">
+<dt><strong>admin_server</strong></dt>
+<dd>Identifies the host where the administration server is running.
+Typically, this is the master Kerberos server. This tag must be
+given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>
+server for the realm.</dd>
+<dt><strong>auth_to_local</strong></dt>
+<dd><p class="first">This tag allows you to set a general rule for mapping principal
+names to local user names. It will be used if there is not an
+explicit mapping for the principal name that is being
+translated. The possible values are:</p>
+<dl class="docutils">
+<dt><strong>RULE:</strong><em>exp</em></dt>
+<dd><p class="first">The local name will be formulated from <em>exp</em>.</p>
+<p class="last">The format for <em>exp</em> is <strong>[</strong><em>n</em><strong>:</strong><em>string</em><strong>](</strong><em>regexp</em><strong>)s/</strong><em>pattern</em><strong>/</strong><em>replacement</em><strong>/g</strong>.
+The integer <em>n</em> indicates how many components the target
+principal should have. If this matches, then a string will be
+formed from <em>string</em>, substituting the realm of the principal
+for <tt class="docutils literal"><span class="pre">$0</span></tt> and the <em>n</em>&#8216;th component of the principal for
+<tt class="docutils literal"><span class="pre">$n</span></tt> (e.g., if the principal was <tt class="docutils literal"><span class="pre">johndoe/admin</span></tt> then
+<tt class="docutils literal"><span class="pre">[2:$2$1foo]</span></tt> would result in the string
+<tt class="docutils literal"><span class="pre">adminjohndoefoo</span></tt>). If this string matches <em>regexp</em>, then
+the <tt class="docutils literal"><span class="pre">s//[g]</span></tt> substitution command will be run over the
+string. The optional <strong>g</strong> will cause the substitution to be
+global over the <em>string</em>, instead of replacing only the first
+match in the <em>string</em>.</p>
+</dd>
+<dt><strong>DEFAULT</strong></dt>
+<dd>The principal name will be used as the local user name. If
+the principal has more than one component or is not in the
+default realm, this rule is not applicable and the conversion
+will fail.</dd>
+</dl>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ ATHENA.MIT.EDU = {
+ auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
+ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
+ auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
+ auto_to_local = DEFAULT
+ }
+</pre></div>
+</div>
+<p class="last">would result in any principal without <tt class="docutils literal"><span class="pre">root</span></tt> or <tt class="docutils literal"><span class="pre">admin</span></tt> as the
+second component to be translated with the default rule. A
+principal with a second component of <tt class="docutils literal"><span class="pre">admin</span></tt> will become its
+first component. <tt class="docutils literal"><span class="pre">root</span></tt> will be used as the local name for any
+principal with a second component of <tt class="docutils literal"><span class="pre">root</span></tt>. The exception to
+these two rules are any principals <tt class="docutils literal"><span class="pre">johndoe/*</span></tt>, which will
+always get the local name <tt class="docutils literal"><span class="pre">guest</span></tt>.</p>
+</dd>
+<dt><strong>auth_to_local_names</strong></dt>
+<dd>This subsection allows you to set explicit mappings from principal
+names to local user names. The tag is the mapping name, and the
+value is the corresponding local user name.</dd>
+<dt><strong>default_domain</strong></dt>
+<dd>This tag specifies the domain used to expand hostnames when
+translating Kerberos 4 service principals to Kerberos 5 principals
+(for example, when converting <tt class="docutils literal"><span class="pre">rcmd.hostname</span></tt> to
+<tt class="docutils literal"><span class="pre">host/hostname.domain</span></tt>).</dd>
+<dt><strong>http_anchors</strong></dt>
+<dd><p class="first">When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
+can be used to specify the location of the CA certificate which should be
+trusted to issue the certificate for a proxy server. If left unspecified,
+the system-wide default set of CA certificates is used.</p>
+<p>The syntax for values is similar to that of values for the
+<strong>pkinit_anchors</strong> tag:</p>
+<p><strong>FILE:</strong> <em>filename</em></p>
+<p><em>filename</em> is assumed to be the name of an OpenSSL-style ca-bundle file.</p>
+<p><strong>DIR:</strong> <em>dirname</em></p>
+<p><em>dirname</em> is assumed to be an directory which contains CA certificates.
+All files in the directory will be examined; if they contain certificates
+(in PEM format), they will be used.</p>
+<p><strong>ENV:</strong> <em>envvar</em></p>
+<p class="last"><em>envvar</em> specifies the name of an environment variable which has been set
+to a value conforming to one of the previous values. For example,
+<tt class="docutils literal"><span class="pre">ENV:X509_PROXY_CA</span></tt>, where environment variable <tt class="docutils literal"><span class="pre">X509_PROXY_CA</span></tt> has
+been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</p>
+</dd>
+<dt><strong>kdc</strong></dt>
+<dd>The name or address of a host running a KDC for that realm. An
+optional port number, separated from the hostname by a colon, may
+be included. If the name or address contains colons (for example,
+if it is an IPv6 address), enclose it in square brackets to
+distinguish the colon from a port separator. For your computer to
+be able to communicate with the KDC for each realm, this tag must
+be given a value in each realm subsection in the configuration
+file, or there must be DNS SRV records specifying the KDCs.</dd>
+<dt><strong>kpasswd_server</strong></dt>
+<dd>Points to the server where all the password changes are performed.
+If there is no such entry, the port 464 on the <strong>admin_server</strong>
+host will be tried.</dd>
+<dt><strong>master_kdc</strong></dt>
+<dd>Identifies the master KDC(s). Currently, this tag is used in only
+one case: If an attempt to get credentials fails because of an
+invalid password, the client software will attempt to contact the
+master KDC, in case the user&#8217;s password has just been changed, and
+the updated database has not been propagated to the slave servers
+yet.</dd>
+<dt><strong>v4_instance_convert</strong></dt>
+<dd>This subsection allows the administrator to configure exceptions
+to the <strong>default_domain</strong> mapping rule. It contains V4 instances
+(the tag name) which should be translated to some specific
+hostname (the tag value) as the second component in a Kerberos V5
+principal name.</dd>
+<dt><strong>v4_realm</strong></dt>
+<dd>This relation is used by the krb524 library routines when
+converting a V5 principal name to a V4 principal name. It is used
+when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords. The tag value
+is the Kerberos V4 realm name.</dd>
+</dl>
+</div>
+<div class="section" id="domain-realm">
+<span id="id3"></span><h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>
+<p>The [domain_realm] section provides a translation from a domain name
+or hostname to a Kerberos realm name. The tag name can be a host name
+or domain name, where domain names are indicated by a prefix of a
+period (<tt class="docutils literal"><span class="pre">.</span></tt>). The value of the relation is the Kerberos realm name
+for that particular host or domain. A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided. The Kerberos realm may be
+identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.
+Host names and domain names should be in lower case. For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[domain_realm]
+ crash.mit.edu = TEST.ATHENA.MIT.EDU
+ .dev.mit.edu = TEST.ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+</pre></div>
+</div>
+<p>maps the host with the name <tt class="docutils literal"><span class="pre">crash.mit.edu</span></tt> into the
+<tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm. The second entry maps all hosts under the
+domain <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt> into the <tt class="docutils literal"><span class="pre">TEST.ATHENA.MIT.EDU</span></tt> realm, but not
+the host with the name <tt class="docutils literal"><span class="pre">dev.mit.edu</span></tt>. That host is matched
+by the third entry, which maps the host <tt class="docutils literal"><span class="pre">mit.edu</span></tt> and all hosts
+under the domain <tt class="docutils literal"><span class="pre">mit.edu</span></tt> that do not match a preceding rule
+into the realm <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt>.</p>
+<p>If no translation entry applies to a hostname used for a service
+principal for a service ticket request, the library will try to get a
+referral to the appropriate realm from the client realm&#8217;s KDC. If
+that does not succeed, the host&#8217;s realm is considered to be the
+hostname&#8217;s domain portion converted to uppercase, unless the
+<strong>realm_try_domains</strong> setting in [libdefaults] causes a different
+parent domain to be used.</p>
+</div>
+<div class="section" id="capaths">
+<span id="id4"></span><h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3>
+<p>In order to perform direct (non-hierarchical) cross-realm
+authentication, configuration is needed to determine the
+authentication paths between realms.</p>
+<p>A client will use this section to find the authentication path between
+its realm and the realm of the server. The server will use this
+section to verify the authentication path used by the client, by
+checking the transited field of the received ticket.</p>
+<p>There is a tag for each participating client realm, and each tag has
+subtags for each of the server realms. The value of the subtags is an
+intermediate realm which may participate in the cross-realm
+authentication. The subtags may be repeated if there is more then one
+intermediate realm. A value of &#8221;.&#8221; means that the two realms share
+keys directly, and no intermediate realms should be allowed to
+participate.</p>
+<p>Only those entries which will be needed on the client or the server
+need to be present. A client needs a tag for its local realm with
+subtags for all the realms of servers it will need to authenticate to.
+A server needs a tag for each realm of the clients it will serve, with
+a subtag of the server realm.</p>
+<p>For example, <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt>, <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>, and <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt> all wish to
+use the <tt class="docutils literal"><span class="pre">ES.NET</span></tt> realm as an intermediate realm. ANL has a sub
+realm of <tt class="docutils literal"><span class="pre">TEST.ANL.GOV</span></tt> which will authenticate with <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
+but not <tt class="docutils literal"><span class="pre">PNL.GOV</span></tt>. The [capaths] section for <tt class="docutils literal"><span class="pre">ANL.GOV</span></tt> systems
+would look like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>[capaths]
+ ANL.GOV = {
+ TEST.ANL.GOV = .
+ PNL.GOV = ES.NET
+ NERSC.GOV = ES.NET
+ ES.NET = .
+ }
+ TEST.ANL.GOV = {
+ ANL.GOV = .
+ }
+ PNL.GOV = {
+ ANL.GOV = ES.NET
+ }
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ }
+ ES.NET = {
+ ANL.GOV = .
+ }
+</pre></div>
+</div>
+<p>The [capaths] section of the configuration file used on <tt class="docutils literal"><span class="pre">NERSC.GOV</span></tt>
+systems would look like this:</p>
+<div class="highlight-python"><div class="highlight"><pre>[capaths]
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ TEST.ANL.GOV = ES.NET
+ TEST.ANL.GOV = ANL.GOV
+ PNL.GOV = ES.NET
+ ES.NET = .
+ }
+ ANL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ PNL.GOV = {
+ NERSC.GOV = ES.NET
+ }
+ ES.NET = {
+ NERSC.GOV = .
+ }
+ TEST.ANL.GOV = {
+ NERSC.GOV = ANL.GOV
+ NERSC.GOV = ES.NET
+ }
+</pre></div>
+</div>
+<p>When a subtag is used more than once within a tag, clients will use
+the order of values to determine the path. The order of values is not
+important to servers.</p>
+</div>
+<div class="section" id="appdefaults">
+<span id="id5"></span><h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3>
+<p>Each tag in the [appdefaults] section names a Kerberos V5 application
+or an option that is used by some Kerberos V5 application[s]. The
+value of the tag defines the default behaviors for that application.</p>
+<p>For example:</p>
+<div class="highlight-python"><div class="highlight"><pre>[appdefaults]
+ telnet = {
+ ATHENA.MIT.EDU = {
+ option1 = false
+ }
+ }
+ telnet = {
+ option1 = true
+ option2 = true
+ }
+ ATHENA.MIT.EDU = {
+ option2 = false
+ }
+ option2 = true
+</pre></div>
+</div>
+<p>The above four ways of specifying the value of an option are shown in
+order of decreasing precedence. In this example, if telnet is running
+in the realm EXAMPLE.COM, it should, by default, have option1 and
+option2 set to true. However, a telnet program in the realm
+<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> should have <tt class="docutils literal"><span class="pre">option1</span></tt> set to false and
+<tt class="docutils literal"><span class="pre">option2</span></tt> set to true. Any other programs in ATHENA.MIT.EDU should
+have <tt class="docutils literal"><span class="pre">option2</span></tt> set to false by default. Any programs running in
+other realms should have <tt class="docutils literal"><span class="pre">option2</span></tt> set to true.</p>
+<p>The list of specifiable options for each application may be found in
+that application&#8217;s man pages. The application defaults specified here
+are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.</p>
+</div>
+<div class="section" id="plugins">
+<span id="id6"></span><h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3>
+<blockquote>
+<div><ul class="simple">
+<li><a class="reference internal" href="#pwqual">pwqual</a> interface</li>
+<li><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</li>
+<li><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</li>
+</ul>
+</div></blockquote>
+<p>Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off. Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.</p>
+<p>New in release 1.9.</p>
+<p>Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:</p>
+<dl class="docutils">
+<dt><strong>disable</strong></dt>
+<dd>This tag may have multiple values. If there are values for this
+tag, then the named modules will be disabled for the pluggable
+interface.</dd>
+<dt><strong>enable_only</strong></dt>
+<dd>This tag may have multiple values. If there are values for this
+tag, then only the named modules will be enabled for the pluggable
+interface.</dd>
+<dt><strong>module</strong></dt>
+<dd>This tag may have multiple values. Each value is a string of the
+form <tt class="docutils literal"><span class="pre">modulename:pathname</span></tt>, which causes the shared object
+located at <em>pathname</em> to be registered as a dynamic module named
+<em>modulename</em> for the pluggable interface. If <em>pathname</em> is not an
+absolute path, it will be treated as relative to the
+<strong>plugin_base_dir</strong> value from <a class="reference internal" href="#libdefaults"><em>[libdefaults]</em></a>.</dd>
+</dl>
+<p>For pluggable interfaces where module order matters, modules
+registered with a <strong>module</strong> tag normally come first, in the order
+they are registered, followed by built-in modules in the order they
+are documented below. If <strong>enable_only</strong> tags are used, then the
+order of those tags overrides the normal module order.</p>
+<p>The following subsections are currently supported within the [plugins]
+section:</p>
+<div class="section" id="ccselect-interface">
+<span id="ccselect"></span><h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4>
+<p>The ccselect subsection controls modules for credential cache
+selection within a cache collection. In addition to any registered
+dynamic modules, the following built-in modules exist (and may be
+disabled with the disable tag):</p>
+<dl class="docutils">
+<dt><strong>k5identity</strong></dt>
+<dd>Uses a .k5identity file in the user&#8217;s home directory to select a
+client principal</dd>
+<dt><strong>realm</strong></dt>
+<dd>Uses the service realm to guess an appropriate cache from the
+collection</dd>
+</dl>
+</div>
+<div class="section" id="pwqual-interface">
+<span id="pwqual"></span><h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4>
+<p>The pwqual subsection controls modules for the password quality
+interface, which is used to reject weak passwords when passwords are
+changed. The following built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>dict</strong></dt>
+<dd>Checks against the realm dictionary file</dd>
+<dt><strong>empty</strong></dt>
+<dd>Rejects empty passwords</dd>
+<dt><strong>hesiod</strong></dt>
+<dd>Checks against user information stored in Hesiod (only if Kerberos
+was built with Hesiod support)</dd>
+<dt><strong>princ</strong></dt>
+<dd>Checks against components of the principal name</dd>
+</dl>
+</div>
+<div class="section" id="kadm5-hook-interface">
+<span id="kadm5-hook"></span><h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4>
+<p>The kadm5_hook interface provides plugins with information on
+principal creation, modification, password changes and deletion. This
+interface can be used to write a plugin to synchronize MIT Kerberos
+with another database such as Active Directory. No plugins are built
+in for this interface.</p>
+</div>
+<div class="section" id="clpreauth-and-kdcpreauth-interfaces">
+<span id="kdcpreauth"></span><span id="clpreauth"></span><h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>
+<p>The clpreauth and kdcpreauth interfaces allow plugin modules to
+provide client and KDC preauthentication mechanisms. The following
+built-in modules exist for these interfaces:</p>
+<dl class="docutils">
+<dt><strong>pkinit</strong></dt>
+<dd>This module implements the PKINIT preauthentication mechanism.</dd>
+<dt><strong>encrypted_challenge</strong></dt>
+<dd>This module implements the encrypted challenge FAST factor.</dd>
+<dt><strong>encrypted_timestamp</strong></dt>
+<dd>This module implements the encrypted timestamp mechanism.</dd>
+</dl>
+</div>
+<div class="section" id="hostrealm-interface">
+<span id="hostrealm"></span><h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4>
+<p>The hostrealm section (introduced in release 1.12) controls modules
+for the host-to-realm interface, which affects the local mapping of
+hostnames to realm names and the choice of default realm. The following
+built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>profile</strong></dt>
+<dd>This module consults the [domain_realm] section of the profile for
+authoritative host-to-realm mappings, and the <strong>default_realm</strong>
+variable for the default realm.</dd>
+<dt><strong>dns</strong></dt>
+<dd>This module looks for DNS records for fallback host-to-realm
+mappings and the default realm. It only operates if the
+<strong>dns_lookup_realm</strong> variable is set to true.</dd>
+<dt><strong>domain</strong></dt>
+<dd>This module applies heuristics for fallback host-to-realm
+mappings. It implements the <strong>realm_try_domains</strong> variable, and
+uses the uppercased parent domain of the hostname if that does not
+produce a result.</dd>
+</dl>
+</div>
+<div class="section" id="localauth-interface">
+<span id="localauth"></span><h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4>
+<p>The localauth section (introduced in release 1.12) controls modules
+for the local authorization interface, which affects the relationship
+between Kerberos principals and local system accounts. The following
+built-in modules exist for this interface:</p>
+<dl class="docutils">
+<dt><strong>default</strong></dt>
+<dd>This module implements the <strong>DEFAULT</strong> type for <strong>auth_to_local</strong>
+values.</dd>
+<dt><strong>rule</strong></dt>
+<dd>This module implements the <strong>RULE</strong> type for <strong>auth_to_local</strong>
+values.</dd>
+<dt><strong>names</strong></dt>
+<dd>This module looks for an <strong>auth_to_local_names</strong> mapping for the
+principal name.</dd>
+<dt><strong>auth_to_local</strong></dt>
+<dd>This module processes <strong>auth_to_local</strong> values in the default
+realm&#8217;s section, and applies the default method if no
+<strong>auth_to_local</strong> values exist.</dd>
+<dt><strong>k5login</strong></dt>
+<dd>This module authorizes a principal to a local account according to
+the account&#8217;s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5"><em>.k5login</em></a> file.</dd>
+<dt><strong>an2ln</strong></dt>
+<dd>This module authorizes a principal to a local account if the
+principal name maps to the local account name.</dd>
+</dl>
+</div>
+</div>
+</div>
+<div class="section" id="pkinit-options">
+<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>
+<div class="admonition note">
+<p class="first admonition-title">Note</p>
+<p class="last">The following are PKINIT-specific options. These values may
+be specified in [libdefaults] as global defaults, or within
+a realm-specific subsection of [libdefaults], or may be
+specified as realm-specific values in the [realms] section.
+A realm-specific value overrides, not adds to, a generic
+[libdefaults] specification. The search order is:</p>
+</div>
+<ol class="arabic">
+<li><p class="first">realm-specific subsection of [libdefaults]:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ EXAMPLE.COM = {
+ pkinit_anchors = FILE:/usr/local/example.com.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">realm-specific value in the [realms] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[realms]
+ OTHERREALM.ORG = {
+ pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
+ }
+</pre></div>
+</div>
+</li>
+<li><p class="first">generic value in the [libdefaults] section:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
+</pre></div>
+</div>
+</li>
+</ol>
+<div class="section" id="specifying-pkinit-identity-information">
+<span id="pkinit-identity"></span><h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>
+<p>The syntax for specifying Public Key identity, trust, and revocation
+information for PKINIT is as follows:</p>
+<dl class="docutils">
+<dt><strong>FILE:</strong><em>filename</em>[<strong>,</strong><em>keyfilename</em>]</dt>
+<dd><p class="first">This option has context-specific behavior.</p>
+<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>filename</em>
+specifies the name of a PEM-format file containing the user&#8217;s
+certificate. If <em>keyfilename</em> is not specified, the user&#8217;s
+private key is expected to be in <em>filename</em> as well. Otherwise,
+<em>keyfilename</em> is the name of the file containing the private key.</p>
+<p class="last">In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>filename</em> is assumed to
+be the name of an OpenSSL-style ca-bundle file.</p>
+</dd>
+<dt><strong>DIR:</strong><em>dirname</em></dt>
+<dd><p class="first">This option has context-specific behavior.</p>
+<p>In <strong>pkinit_identity</strong> or <strong>pkinit_identities</strong>, <em>dirname</em>
+specifies a directory with files named <tt class="docutils literal"><span class="pre">*.crt</span></tt> and <tt class="docutils literal"><span class="pre">*.key</span></tt>
+where the first part of the file name is the same for matching
+pairs of certificate and private key files. When a file with a
+name ending with <tt class="docutils literal"><span class="pre">.crt</span></tt> is found, a matching file ending with
+<tt class="docutils literal"><span class="pre">.key</span></tt> is assumed to contain the private key. If no such file
+is found, then the certificate in the <tt class="docutils literal"><span class="pre">.crt</span></tt> is not used.</p>
+<p>In <strong>pkinit_anchors</strong> or <strong>pkinit_pool</strong>, <em>dirname</em> is assumed to
+be an OpenSSL-style hashed CA directory where each CA cert is
+stored in a file named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.#</span></tt>. This infrastructure
+is encouraged, but all files in the directory will be examined and
+if they contain certificates (in PEM format), they will be used.</p>
+<p class="last">In <strong>pkinit_revoke</strong>, <em>dirname</em> is assumed to be an OpenSSL-style
+hashed CA directory where each revocation list is stored in a file
+named <tt class="docutils literal"><span class="pre">hash-of-ca-cert.r#</span></tt>. This infrastructure is encouraged,
+but all files in the directory will be examined and if they
+contain a revocation list (in PEM format), they will be used.</p>
+</dd>
+<dt><strong>PKCS12:</strong><em>filename</em></dt>
+<dd><em>filename</em> is the name of a PKCS #12 format file, containing the
+user&#8217;s certificate and private key.</dd>
+<dt><strong>PKCS11:</strong>[<strong>module_name=</strong>]<em>modname</em>[<strong>:slotid=</strong><em>slot-id</em>][<strong>:token=</strong><em>token-label</em>][<strong>:certid=</strong><em>cert-id</em>][<strong>:certlabel=</strong><em>cert-label</em>]</dt>
+<dd>All keyword/values are optional. <em>modname</em> specifies the location
+of a library implementing PKCS #11. If a value is encountered
+with no keyword, it is assumed to be the <em>modname</em>. If no
+module-name is specified, the default is <tt class="docutils literal"><span class="pre">opensc-pkcs11.so</span></tt>.
+<tt class="docutils literal"><span class="pre">slotid=</span></tt> and/or <tt class="docutils literal"><span class="pre">token=</span></tt> may be specified to force the use of
+a particular smard card reader or token if there is more than one
+available. <tt class="docutils literal"><span class="pre">certid=</span></tt> and/or <tt class="docutils literal"><span class="pre">certlabel=</span></tt> may be specified to
+force the selection of a particular certificate on the device.
+See the <strong>pkinit_cert_match</strong> configuration option for more ways
+to select a particular certificate to use for PKINIT.</dd>
+<dt><strong>ENV:</strong><em>envvar</em></dt>
+<dd><em>envvar</em> specifies the name of an environment variable which has
+been set to a value conforming to one of the previous values. For
+example, <tt class="docutils literal"><span class="pre">ENV:X509_PROXY</span></tt>, where environment variable
+<tt class="docutils literal"><span class="pre">X509_PROXY</span></tt> has been set to <tt class="docutils literal"><span class="pre">FILE:/tmp/my_proxy.pem</span></tt>.</dd>
+</dl>
+</div>
+<div class="section" id="pkinit-krb5-conf-options">
+<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>
+<dl class="docutils">
+<dt><strong>pkinit_anchors</strong></dt>
+<dd>Specifies the location of trusted anchor (root) certificates which
+the client trusts to sign KDC certificates. This option may be
+specified multiple times. These values from the config file are
+not used if the user specifies X509_anchors on the command line.</dd>
+<dt><strong>pkinit_cert_match</strong></dt>
+<dd><p class="first">Specifies matching rules that the client certificate must match
+before it is used to attempt PKINIT authentication. If a user has
+multiple certificates available (on a smart card, or via other
+media), there must be exactly one certificate chosen before
+attempting PKINIT authentication. This option may be specified
+multiple times. All the available certificates are checked
+against each rule in order until there is a match of exactly one
+certificate.</p>
+<p>The Subject and Issuer comparison strings are the <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc2253.html"><strong>RFC 2253</strong></a>
+string representations from the certificate Subject DN and Issuer
+DN values.</p>
+<p>The syntax of the matching rules is:</p>
+<blockquote>
+<div>[<em>relation-operator</em>]<em>component-rule</em> ...</div></blockquote>
+<p>where:</p>
+<dl class="docutils">
+<dt><em>relation-operator</em></dt>
+<dd>can be either <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>, meaning all component rules must match,
+or <tt class="docutils literal"><span class="pre">||</span></tt>, meaning only one component rule must match. The
+default is <tt class="docutils literal"><span class="pre">&amp;&amp;</span></tt>.</dd>
+<dt><em>component-rule</em></dt>
+<dd><p class="first">can be one of the following. Note that there is no
+punctuation or whitespace between component rules.</p>
+<blockquote>
+<div><div class="line-block">
+<div class="line"><strong>&lt;SUBJECT&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;ISSUER&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;SAN&gt;</strong><em>regular-expression</em></div>
+<div class="line"><strong>&lt;EKU&gt;</strong><em>extended-key-usage-list</em></div>
+<div class="line"><strong>&lt;KU&gt;</strong><em>key-usage-list</em></div>
+</div>
+</div></blockquote>
+<p><em>extended-key-usage-list</em> is a comma-separated list of
+required Extended Key Usage values. All values in the list
+must be present in the certificate. Extended Key Usage values
+can be:</p>
+<ul class="simple">
+<li>pkinit</li>
+<li>msScLogin</li>
+<li>clientAuth</li>
+<li>emailProtection</li>
+</ul>
+<p><em>key-usage-list</em> is a comma-separated list of required Key
+Usage values. All values in the list must be present in the
+certificate. Key Usage values can be:</p>
+<ul class="last simple">
+<li>digitalSignature</li>
+<li>keyEncipherment</li>
+</ul>
+</dd>
+</dl>
+<p>Examples:</p>
+<div class="last highlight-python"><div class="highlight"><pre>pkinit_cert_match = ||&lt;SUBJECT&gt;.*DoE.*&lt;SAN&gt;.*@EXAMPLE.COM
+pkinit_cert_match = &amp;&amp;&lt;EKU&gt;msScLogin,clientAuth&lt;ISSUER&gt;.*DoE.*
+pkinit_cert_match = &lt;EKU&gt;msScLogin,clientAuth&lt;KU&gt;digitalSignature
+</pre></div>
+</div>
+</dd>
+<dt><strong>pkinit_eku_checking</strong></dt>
+<dd><p class="first">This option specifies what Extended Key Usage value the KDC
+certificate presented to the client must contain. (Note that if
+the KDC certificate has the pkinit SubjectAlternativeName encoded
+as the Kerberos TGS name, EKU checking is not necessary since the
+issuing CA has certified this as a KDC certificate.) The values
+recognized in the krb5.conf file are:</p>
+<dl class="last docutils">
+<dt><strong>kpKDC</strong></dt>
+<dd>This is the default value and specifies that the KDC must have
+the id-pkinit-KPKdc EKU as defined in <span class="target" id="index-1"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>.</dd>
+<dt><strong>kpServerAuth</strong></dt>
+<dd>If <strong>kpServerAuth</strong> is specified, a KDC certificate with the
+id-kp-serverAuth EKU will be accepted. This key usage value
+is used in most commercially issued server certificates.</dd>
+<dt><strong>none</strong></dt>
+<dd>If <strong>none</strong> is specified, then the KDC certificate will not be
+checked to verify it has an acceptable EKU. The use of this
+option is not recommended.</dd>
+</dl>
+</dd>
+<dt><strong>pkinit_dh_min_bits</strong></dt>
+<dd>Specifies the size of the Diffie-Hellman key the client will
+attempt to use. The acceptable values are 1024, 2048, and 4096.
+The default is 2048.</dd>
+<dt><strong>pkinit_identities</strong></dt>
+<dd>Specifies the location(s) to be used to find the user&#8217;s X.509
+identity information. This option may be specified multiple
+times. Each value is attempted in order until identity
+information is found and authentication is attempted. Note that
+these values are not used if the user specifies
+<strong>X509_user_identity</strong> on the command line.</dd>
+<dt><strong>pkinit_kdc_hostname</strong></dt>
+<dd>The presense of this option indicates that the client is willing
+to accept a KDC certificate with a dNSName SAN (Subject
+Alternative Name) rather than requiring the id-pkinit-san as
+defined in <span class="target" id="index-2"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4556.html"><strong>RFC 4556</strong></a>. This option may be specified multiple
+times. Its value should contain the acceptable hostname for the
+KDC (as contained in its certificate).</dd>
+<dt><strong>pkinit_pool</strong></dt>
+<dd>Specifies the location of intermediate certificates which may be
+used by the client to complete the trust chain between a KDC
+certificate and a trusted anchor. This option may be specified
+multiple times.</dd>
+<dt><strong>pkinit_require_crl_checking</strong></dt>
+<dd><p class="first">The default certificate verification process will always check the
+available revocation information to see if a certificate has been
+revoked. If a match is found for the certificate in a CRL,
+verification fails. If the certificate being verified is not
+listed in a CRL, or there is no CRL present for its issuing CA,
+and <strong>pkinit_require_crl_checking</strong> is false, then verification
+succeeds.</p>
+<p>However, if <strong>pkinit_require_crl_checking</strong> is true and there is
+no CRL information available for the issuing CA, then verification
+fails.</p>
+<p class="last"><strong>pkinit_require_crl_checking</strong> should be set to true if the
+policy is such that up-to-date CRLs must be present for every CA.</p>
+</dd>
+<dt><strong>pkinit_revoke</strong></dt>
+<dd>Specifies the location of Certificate Revocation List (CRL)
+information to be used by the client when verifying the validity
+of the KDC certificate presented. This option may be specified
+multiple times.</dd>
+</dl>
+</div>
+</div>
+<div class="section" id="parameter-expansion">
+<span id="id7"></span><h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>
+<p>Starting with release 1.11, several variables, such as
+<strong>default_keytab_name</strong>, allow parameters to be expanded.
+Valid parameters are:</p>
+<blockquote>
+<div><table border="1" class="docutils">
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<tbody valign="top">
+<tr class="row-odd"><td>%{TEMP}</td>
+<td>Temporary directory</td>
+</tr>
+<tr class="row-even"><td>%{uid}</td>
+<td>Unix real UID or Windows SID</td>
+</tr>
+<tr class="row-odd"><td>%{euid}</td>
+<td>Unix effective user ID or Windows SID</td>
+</tr>
+<tr class="row-even"><td>%{USERID}</td>
+<td>Same as %{uid}</td>
+</tr>
+<tr class="row-odd"><td>%{null}</td>
+<td>Empty string</td>
+</tr>
+<tr class="row-even"><td>%{LIBDIR}</td>
+<td>Installation library directory</td>
+</tr>
+<tr class="row-odd"><td>%{BINDIR}</td>
+<td>Installation binary directory</td>
+</tr>
+<tr class="row-even"><td>%{SBINDIR}</td>
+<td>Installation admin binary directory</td>
+</tr>
+<tr class="row-odd"><td>%{username}</td>
+<td>(Unix) Username of effective user ID</td>
+</tr>
+<tr class="row-even"><td>%{APPDATA}</td>
+<td>(Windows) Roaming application data for current user</td>
+</tr>
+<tr class="row-odd"><td>%{COMMON_APPDATA}</td>
+<td>(Windows) Application data for all users</td>
+</tr>
+<tr class="row-even"><td>%{LOCAL_APPDATA}</td>
+<td>(Windows) Local application data for current user</td>
+</tr>
+<tr class="row-odd"><td>%{SYSTEM}</td>
+<td>(Windows) Windows system folder</td>
+</tr>
+<tr class="row-even"><td>%{WINDOWS}</td>
+<td>(Windows) Windows folder</td>
+</tr>
+<tr class="row-odd"><td>%{USERCONFIG}</td>
+<td>(Windows) Per-user MIT krb5 config file directory</td>
+</tr>
+<tr class="row-even"><td>%{COMMONCONFIG}</td>
+<td>(Windows) Common MIT krb5 config file directory</td>
+</tr>
+</tbody>
+</table>
+</div></blockquote>
+</div>
+<div class="section" id="sample-krb5-conf-file">
+<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>
+<p>Here is an example of a generic krb5.conf file:</p>
+<div class="highlight-python"><div class="highlight"><pre>[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ dns_lookup_kdc = true
+ dns_lookup_realm = false
+
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu
+ kdc = kerberos-1.mit.edu
+ kdc = kerberos-2.mit.edu
+ admin_server = kerberos.mit.edu
+ master_kdc = kerberos.mit.edu
+ }
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ kdc = kerberos-1.example.com
+ admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ mit.edu = ATHENA.MIT.EDU
+
+[capaths]
+ ATHENA.MIT.EDU = {
+ EXAMPLE.COM = .
+ }
+ EXAMPLE.COM = {
+ ATHENA.MIT.EDU = .
+ }
+</pre></div>
+</div>
+</div>
+<div class="section" id="files">
+<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>
+<p><tt class="docutils literal"><span class="pre">/etc/krb5.conf</span></tt></p>
+</div>
+<div class="section" id="see-also">
+<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
+<p>syslog(3)</p>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">krb5.conf</a><ul>
+<li><a class="reference internal" href="#structure">Structure</a></li>
+<li><a class="reference internal" href="#sections">Sections</a><ul>
+<li><a class="reference internal" href="#libdefaults">[libdefaults]</a></li>
+<li><a class="reference internal" href="#realms">[realms]</a></li>
+<li><a class="reference internal" href="#domain-realm">[domain_realm]</a></li>
+<li><a class="reference internal" href="#capaths">[capaths]</a></li>
+<li><a class="reference internal" href="#appdefaults">[appdefaults]</a></li>
+<li><a class="reference internal" href="#plugins">[plugins]</a><ul>
+<li><a class="reference internal" href="#ccselect-interface">ccselect interface</a></li>
+<li><a class="reference internal" href="#pwqual-interface">pwqual interface</a></li>
+<li><a class="reference internal" href="#kadm5-hook-interface">kadm5_hook interface</a></li>
+<li><a class="reference internal" href="#clpreauth-and-kdcpreauth-interfaces">clpreauth and kdcpreauth interfaces</a></li>
+<li><a class="reference internal" href="#hostrealm-interface">hostrealm interface</a></li>
+<li><a class="reference internal" href="#localauth-interface">localauth interface</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><a class="reference internal" href="#pkinit-options">PKINIT options</a><ul>
+<li><a class="reference internal" href="#specifying-pkinit-identity-information">Specifying PKINIT identity information</a></li>
+<li><a class="reference internal" href="#pkinit-krb5-conf-options">PKINIT krb5.conf options</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#parameter-expansion">Parameter expansion</a></li>
+<li><a class="reference internal" href="#sample-krb5-conf-file">Sample krb5.conf file</a></li>
+<li><a class="reference internal" href="#files">FILES</a></li>
+<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li>
+<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current">
+<li class="toctree-l3 current"><a class="current reference internal" href="">krb5.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li>
+<li class="toctree-l3"><a class="reference internal" href="kadm5_acl.html">kadm5.acl</a></li>
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li>
+<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="index.html" title="Configuration Files"
+ >previous</a> |
+ <a href="kdc_conf.html" title="kdc.conf"
+ >next</a> |
+ <a href="../../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__krb5.conf">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
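Review bot: The generated HTML ends without a trailing newline ("\ No newline at end of file" at the close of this hunk); since these pages are Sphinx output, the fix belongs in the doc build rather than the committed file, but the trailing newline is worth restoring so later regenerations do not produce a spurious one-line diff. Two typos in the rendered prose should also be corrected at the source (the .rst the HTML is built from), not patched in the HTML: "a particular smard card reader or token" in the PKCS11: identity description should read "smart card", and "The presense of this option indicates" under pkinit_kdc_hostname should read "presence". Finally, the pkinit_dh_min_bits entry lists 1024 among the acceptable values while the default is 2048; since pkinit_eku_checking already carries a "not recommended" caveat for its weak setting, a matching one-line caveat against lowering the DH size below the default would keep the two options consistent for administrators reading this page.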