krb5: Import MIT 1.21.3 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
commit	8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch)
tree	9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/admin/conf_files
parent	1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff)

Diffstat (limited to 'doc/html/admin/conf_files')

-rw-r--r--

doc/html/admin/conf_files/index.html

-rw-r--r--

doc/html/admin/conf_files/kadm5_acl.html

214

-rw-r--r--

doc/html/admin/conf_files/kdc_conf.html

936

-rw-r--r--

doc/html/admin/conf_files/krb5_conf.html

1035

4 files changed, 1094 insertions, 1141 deletions

diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html
index 749620f7c0fe..57c59b1edae7 100644
--- a/doc/html/admin/conf_files/index.html
+++ b/doc/html/admin/conf_files/index.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>Configuration Files — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />

+ <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>

+ <script src="../../_static/jquery.js"></script>

+ <script src="../../_static/underscore.js"></script>

+ <script src="../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,7 +52,7 @@

- <div class="section" id="configuration-files">

+ <section id="configuration-files">

<h1>Configuration Files<a class="headerlink" href="#configuration-files" title="Permalink to this headline">¶</a></h1>

Kerberos uses configuration files to allow administrators to specify

settings on a per-machine basis. <a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a> applies to all

@@ -71,7 +62,7 @@ For KDC-specific applications, additional settings can be specified in

used by applications accessing the KDC database directly. <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5">kadm5.acl</a>

is also only used on the KDC, it controls permissions for modifying the

KDC database.

-<div class="section" id="contents">

+<section id="contents">

<h2>Contents<a class="headerlink" href="#contents" title="Permalink to this headline">¶</a></h2>

<ul>

@@ -80,15 +71,17 @@ KDC database.

</ul>

</div>

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

<li><a class="reference internal" href="#">Configuration Files</a><ul>

@@ -153,6 +146,7 @@ KDC database.

</form>

</div>

</div>

@@ -160,8 +154,8 @@ KDC database.

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

+ © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.

</div>

diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 8feac5d43fa7..611864b3c535 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>kadm5.acl — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />

+ <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>

+ <script src="../../_static/jquery.js"></script>

+ <script src="../../_static/underscore.js"></script>

+ <script src="../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,90 +52,88 @@

- <div class="section" id="kadm5-acl">

+ <section id="kadm5-acl">

-<div class="section" id="description">

+<section id="description">

<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon uses an Access Control List

(ACL) file to manage access rights to the Kerberos database.

For operations that affect principals, the ACL file also controls

which principals can operate on which other principals.

The default location of the Kerberos ACL file is

-<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kadm5.acl</code> unless this is overridden by the acl_file

+<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/kadm5.acl</code> unless this is overridden by the acl_file

variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

-</div>

-<div class="section" id="syntax">

+</section>

+<section id="syntax">

<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>

-Empty lines and lines starting with the sharp sign (<code class="docutils literal">#</code>) are

+Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate">#</code>) are

ignored. Lines containing ACL entries have the format:

-<div class="highlight-default"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

+<div class="highlight-default notranslate"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

</pre></div>

</div>

-Note

-Line order in the ACL file is important. The first matching entry

+Note

+Line order in the ACL file is important. The first matching entry

will control access for an actor principal on a target principal.

</div>

-<dl class="docutils">

-<dt>principal</dt>

-<dd>(Partially or fully qualified Kerberos principal name.) Specifies

+<dl>

+<dt>principal</dt><dd>(Partially or fully qualified Kerberos principal name.) Specifies

the principal whose permissions are to be set.

-Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

+Each component of the name may be wildcarded using the <code class="docutils literal notranslate">*</code>

character.

</dd>

-<dt>permissions</dt>

-<dd>Specifies what operations may or may not be performed by a

+<dt>permissions</dt><dd>Specifies what operations may or may not be performed by a

principal matching a particular entry. This is a string of one or

more of the following list of characters or their upper-case

counterparts. If the character is upper-case, then the operation

is disallowed. If the character is lower-case, then the operation

is permitted.

-<table border="1" class="last docutils">

+<table class="docutils align-default">

-<col width="2%" />

-<col width="98%" />

+<col style="width: 2%" />

+<col style="width: 98%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>a</td>

-<td>[Dis]allows the addition of principals or policies</td>

+<tbody>

+<tr class="row-odd"><td>a</td>

+<td>[Dis]allows the addition of principals or policies</td>

</tr>

-<tr class="row-even"><td>c</td>

-<td>[Dis]allows the changing of passwords for principals</td>

+<tr class="row-even"><td>c</td>

+<td>[Dis]allows the changing of passwords for principals</td>

</tr>

-<tr class="row-odd"><td>d</td>

-<td>[Dis]allows the deletion of principals or policies</td>

+<tr class="row-odd"><td>d</td>

+<td>[Dis]allows the deletion of principals or policies</td>

</tr>

-<tr class="row-even"><td>e</td>

-<td>[Dis]allows the extraction of principal keys</td>

+<tr class="row-even"><td>e</td>

+<td>[Dis]allows the extraction of principal keys</td>

</tr>

-<tr class="row-odd"><td>i</td>

-<td>[Dis]allows inquiries about principals or policies</td>

+<tr class="row-odd"><td>i</td>

+<td>[Dis]allows inquiries about principals or policies</td>

</tr>

-<tr class="row-even"><td>l</td>

-<td>[Dis]allows the listing of all principals or policies</td>

+<tr class="row-even"><td>l</td>

+<td>[Dis]allows the listing of all principals or policies</td>

</tr>

-<tr class="row-odd"><td>m</td>

-<td>[Dis]allows the modification of principals or policies</td>

+<tr class="row-odd"><td>m</td>

+<td>[Dis]allows the modification of principals or policies</td>

</tr>

-<tr class="row-even"><td>p</td>

-<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

+<tr class="row-even"><td>p</td>

+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

</tr>

-<tr class="row-odd"><td>s</td>

-<td>[Dis]allows the explicit setting of the key for a principal</td>

+<tr class="row-odd"><td>s</td>

+<td>[Dis]allows the explicit setting of the key for a principal</td>

</tr>

-<tr class="row-even"><td>x</td>

-<td>Short for admcilsp. All privileges (except <code class="docutils literal">e</code>)</td>

+<tr class="row-even"><td>x</td>

+<td>Short for admcilsp. All privileges (except <code class="docutils literal notranslate">e</code>)</td>

</tr>

-<tr class="row-odd"><td>*</td>

-<td>Same as x.</td>

+<tr class="row-odd"><td>*</td>

+<td>Same as x.</td>

</tr>

</tbody>

</table>

</dd>

</dl>

-Note

-The <code class="docutils literal">extract</code> privilege is not included in the wildcard

+Note

+The <code class="docutils literal notranslate">extract</code> privilege is not included in the wildcard

privilege; it must be explicitly assigned. This privilege

allows the user to extract keys from the database, and must be

handled with great care to avoid disclosure of important keys

@@ -153,47 +142,45 @@ like those of the kadmin/* or krbtgt/* principals. The

key extraction from specific principals regardless of the

granted privilege.

</div>

-<dl class="docutils">

-<dt>target_principal</dt>

-<dd>(Optional. Partially or fully qualified Kerberos principal name.)

+<dl>

+<dt>target_principal</dt><dd>(Optional. Partially or fully qualified Kerberos principal name.)

Specifies the principal on which permissions may be applied.

-Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

+Each component of the name may be wildcarded using the <code class="docutils literal notranslate">*</code>

character.

-target_principal can also include back-references to principal,

-in which <code class="docutils literal">*number</code> matches the corresponding wildcard in

+target_principal can also include back-references to principal,

+in which <code class="docutils literal notranslate">*number</code> matches the corresponding wildcard in

principal.

</dd>

-<dt>restrictions</dt>

-<dd>(Optional) A string of flags. Allowed restrictions are:

+<dt>restrictions</dt><dd>(Optional) A string of flags. Allowed restrictions are:

-<div><dl class="docutils">

-<dt>{+|-}flagname</dt>

-<dd>flag is forced to the indicated value. The permissible flags

+<div><dl class="simple">

+<dt>{+|-}flagname</dt><dd>flag is forced to the indicated value. The permissible flags

are the same as those for the default_principal_flags

-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.</dd>

-<dt>-clearpolicy</dt>

-<dd>policy is forced to be empty.</dd>

-<dt>-policy pol</dt>

-<dd>policy is forced to be pol.</dd>

-<dt>-{expire, pwexpire, maxlife, maxrenewlife} time</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

-MIN(time, requested value).</dd>

+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

+</dd>

+<dt>-clearpolicy</dt><dd>policy is forced to be empty.

+</dd>

+<dt>-policy pol</dt><dd>policy is forced to be pol.

+</dd>

+<dt>-{expire, pwexpire, maxlife, maxrenewlife} time</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

+MIN(time, requested value).

+</dd>

</dl>

</div></blockquote>

-The above flags act as restrictions on any add or modify operation

+The above flags act as restrictions on any add or modify operation

which is allowed due to that ACL line.

</dd>

</dl>

-Warning

-If the kadmind ACL file is modified, the kadmind daemon needs to be

+Warning

+If the kadmind ACL file is modified, the kadmind daemon needs to be

restarted for changes to take effect.

</div>

-</div>

-<div class="section" id="example">

+</section>

+<section id="example">

<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>

Here is an example of a kadm5.acl file:

-<div class="highlight-default"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

+<div class="highlight-default notranslate"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

joeadmin@ATHENA.MIT.EDU ADMCIL # line 2

joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3

*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4

@@ -201,31 +188,31 @@ restarted for changes to take effect.

sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6

</pre></div>

</div>

-(line 1) Any principal in the <code class="docutils literal">ATHENA.MIT.EDU</code> realm with an

-<code class="docutils literal">admin</code> instance has all administrative privileges except extracting

+(line 1) Any principal in the <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> realm with an

+<code class="docutils literal notranslate">admin</code> instance has all administrative privileges except extracting

keys.

-(lines 1-3) The user <code class="docutils literal">joeadmin</code> has all permissions except

-extracting keys with his <code class="docutils literal">admin</code> instance,

-<code class="docutils literal">joeadmin/admin@ATHENA.MIT.EDU</code> (matches line 1). He has no

-permissions at all with his null instance, <code class="docutils literal">joeadmin@ATHENA.MIT.EDU</code>

-(matches line 2). His <code class="docutils literal">root</code> and other non-<code class="docutils literal">admin</code>, non-null

-instances (e.g., <code class="docutils literal">extra</code> or <code class="docutils literal">dbadmin</code>) have inquire permissions

-with any principal that has the instance <code class="docutils literal">root</code> (matches line 3).

-(line 4) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can inquire

+(lines 1-3) The user <code class="docutils literal notranslate">joeadmin</code> has all permissions except

+extracting keys with his <code class="docutils literal notranslate">admin</code> instance,

+<code class="docutils literal notranslate">joeadmin/admin@ATHENA.MIT.EDU</code> (matches line 1). He has no

+permissions at all with his null instance, <code class="docutils literal notranslate">joeadmin@ATHENA.MIT.EDU</code>

+(matches line 2). His <code class="docutils literal notranslate">root</code> and other non-<code class="docutils literal notranslate">admin</code>, non-null

+instances (e.g., <code class="docutils literal notranslate">extra</code> or <code class="docutils literal notranslate">dbadmin</code>) have inquire permissions

+with any principal that has the instance <code class="docutils literal notranslate">root</code> (matches line 3).

+(line 4) Any <code class="docutils literal notranslate">root</code> principal in <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> can inquire

or change the password of their null instance, but not any other

-null instance. (Here, <code class="docutils literal">*1</code> denotes a back-reference to the

+null instance. (Here, <code class="docutils literal notranslate">*1</code> denotes a back-reference to the

component matching the first wildcard in the actor principal.)

-(line 5) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can generate

+(line 5) Any <code class="docutils literal notranslate">root</code> principal in <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> can generate

the list of principals in the database, and the list of policies

in the database. This line is separate from line 4, because list

permission can only be granted globally, not to specific target

principals.

(line 6) Finally, the Service Management System principal

-<code class="docutils literal">sms@ATHENA.MIT.EDU</code> has all permissions except extracting keys, but

+<code class="docutils literal notranslate">sms@ATHENA.MIT.EDU</code> has all permissions except extracting keys, but

any principal that it creates or modifies will not be able to get

postdateable tickets or tickets with a life of longer than 9 hours.

-</div>

-<div class="section" id="module-behavior">

+</section>

+<section id="module-behavior">

<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>

The ACL file can coexist with other authorization modules in release

1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth">kadm5_auth interface</a> section of

@@ -234,20 +221,22 @@ operations according to the rules above, but will never

authoritatively deny an operation, so other modules can authorize

operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the acl_file variable in

-<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <code class="docutils literal">acl_file = ""</code>.

-</div>

-<div class="section" id="see-also">

+<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <code class="docutils literal notranslate">acl_file = ""</code>.

+</section>

+<section id="see-also">

<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

@@ -316,6 +305,7 @@ operations in addition to those authorized by the ACL file.

</form>

</div>

</div>

@@ -323,8 +313,8 @@ operations in addition to those authorized by the ACL file.

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

+ © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.

</div>

diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html
index 928418c7d49a..dc6876d608ec 100644
--- a/doc/html/admin/conf_files/kdc_conf.html
+++ b/doc/html/admin/conf_files/kdc_conf.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>kdc.conf — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />

+ <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>

+ <script src="../../_static/jquery.js"></script>

+ <script src="../../_static/underscore.js"></script>

+ <script src="../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,7 +52,7 @@

- <div class="section" id="kdc-conf">

+ <section id="kdc-conf">

The kdc.conf file supplements <a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a> for programs which

are typically only used on a KDC, such as the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> and

@@ -70,218 +61,216 @@ Relations documented here may also be specified in krb5.conf; for the

KDC programs mentioned, krb5.conf and kdc.conf will be merged into a

single configuration profile.

Normally, the kdc.conf file is found in the KDC state directory,

-<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code>. You can override the default location by setting the

+<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code>. You can override the default location by setting the

environment variable KRB5_KDC_PROFILE.

Please note that you need to restart the KDC daemon for any configuration

changes to take effect.

-<div class="section" id="structure">

+<section id="structure">

<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>

The kdc.conf file is set up in the same format as the

<a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a> file.

-</div>

-<div class="section" id="sections">

+</section>

+<section id="sections">

<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>

The kdc.conf file may contain the following sections:

-<table border="1" class="docutils">

+<table class="docutils align-default">

-<col width="29%" />

-<col width="71%" />

+<col style="width: 29%" />

+<col style="width: 71%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></td>

-<td>Default values for KDC behavior</td>

+<tbody>

+<tr class="row-odd"><td><a class="reference internal" href="#kdcdefaults">[kdcdefaults]</a></td>

+<td>Default values for KDC behavior</td>

</tr>

-<tr class="row-even"><td><a class="reference internal" href="#kdc-realms">[realms]</a></td>

-<td>Realm-specific database configuration and settings</td>

+<tr class="row-even"><td><a class="reference internal" href="#kdc-realms">[realms]</a></td>

+<td>Realm-specific database configuration and settings</td>

</tr>

-<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></td>

-<td>Default database settings</td>

+<tr class="row-odd"><td><a class="reference internal" href="#dbdefaults">[dbdefaults]</a></td>

+<td>Default database settings</td>

</tr>

-<tr class="row-even"><td><a class="reference internal" href="#dbmodules">[dbmodules]</a></td>

-<td>Per-database settings</td>

+<tr class="row-even"><td><a class="reference internal" href="#dbmodules">[dbmodules]</a></td>

+<td>Per-database settings</td>

</tr>

-<tr class="row-odd"><td><a class="reference internal" href="#logging">[logging]</a></td>

-<td>Controls how Kerberos daemons perform logging</td>

+<tr class="row-odd"><td><a class="reference internal" href="#logging">[logging]</a></td>

+<td>Controls how Kerberos daemons perform logging</td>

</tr>

</tbody>

</table>

-<div class="section" id="kdcdefaults">

+<section id="kdcdefaults">

<h3>[kdcdefaults]<a class="headerlink" href="#kdcdefaults" title="Permalink to this headline">¶</a></h3>

Some relations in the [kdcdefaults] section specify default values for

realm variables, to be used if the [realms] subsection does not

contain a relation for the tag. See the <a class="reference internal" href="#kdc-realms">[realms]</a> section for

the definitions of these relations.

-<li>host_based_services</li>

-<li>kdc_listen</li>

-<li>kdc_ports</li>

-<li>kdc_tcp_listen</li>

-<li>kdc_tcp_ports</li>

-<li>no_host_referral</li>

-<li>restrict_anonymous_to_tgt</li>

+<li>host_based_services</li>

+<li>kdc_listen</li>

+<li>kdc_ports</li>

+<li>kdc_tcp_listen</li>

+<li>kdc_tcp_ports</li>

+<li>no_host_referral</li>

+<li>restrict_anonymous_to_tgt</li>

</ul>

The following [kdcdefaults] variables have no per-realm equivalent:

-<dl class="docutils">

-<dt>kdc_max_dgram_reply_size</dt>

-<dd>Specifies the maximum packet size that can be sent over UDP. The

-default value is 4096 bytes.</dd>

-<dt>kdc_tcp_listen_backlog</dt>

-<dd>(Integer.) Set the size of the listen queue length for the KDC

+<dl class="simple">

+<dt>kdc_max_dgram_reply_size</dt><dd>Specifies the maximum packet size that can be sent over UDP. The

+default value is 4096 bytes.

+</dd>

+<dt>kdc_tcp_listen_backlog</dt><dd>(Integer.) Set the size of the listen queue length for the KDC

daemon. The value may be limited by OS settings. The default

-value is 5.</dd>

-<dt>spake_preauth_kdc_challenge</dt>

-<dd>(String.) Specifies the group for a SPAKE optimistic challenge.

+value is 5.

+</dd>

+<dt>spake_preauth_kdc_challenge</dt><dd>(String.) Specifies the group for a SPAKE optimistic challenge.

See the spake_preauth_groups variable in <a class="reference internal" href="krb5_conf.html#libdefaults">[libdefaults]</a>

for possible values. The default is not to issue an optimistic

-challenge. (New in release 1.17.)</dd>

+challenge. (New in release 1.17.)

+</dd>

</dl>

-</div>

-<div class="section" id="realms">

+</section>

+<section id="realms">

<h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>

Each tag in the [realms] section is the name of a Kerberos realm. The

value of the tag is a subsection where the relations define KDC

parameters for that particular realm. The following example shows how

to define one parameter for the ATHENA.MIT.EDU realm:

-<div class="highlight-default"><div class="highlight"><pre>[realms]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[realms]

ATHENA.MIT.EDU = {

max_renewable_life = 7d 0h 0m 0s

}

</pre></div>

</div>

The following tags may be specified in a [realms] subsection:

-<dl class="docutils">

-<dt>acl_file</dt>

-<dd>(String.) Location of the access control list file that

+<dl>

+<dt>acl_file</dt><dd>(String.) Location of the access control list file that

<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> uses to determine which principals are allowed

which permissions on the Kerberos database. To operate without an

-ACL file, set this relation to the empty string with <code class="docutils literal">acl_file =

-""</code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kadm5.acl</code>. For more

-information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5">kadm5.acl</a>.</dd>

-<dt>database_module</dt>

-<dd>(String.) This relation indicates the name of the configuration

+ACL file, set this relation to the empty string with <code class="docutils literal notranslate">acl_file =

+""</code>. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/kadm5.acl</code>. For more

+information on Kerberos ACL file see <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5">kadm5.acl</a>.

+</dd>

+<dt>database_module</dt><dd>(String.) This relation indicates the name of the configuration

section under <a class="reference internal" href="#dbmodules">[dbmodules]</a> for database-specific parameters

used by the loadable database library. The default value is the

realm name. If this configuration section does not exist, default

-values will be used for all database parameters.</dd>

-<dt>database_name</dt>

-<dd>(String, deprecated.) This relation specifies the location of the

+values will be used for all database parameters.

+</dd>

+<dt>database_name</dt><dd>(String, deprecated.) This relation specifies the location of the

Kerberos database for this realm, if the DB2 module is being used

and the <a class="reference internal" href="#dbmodules">[dbmodules]</a> configuration section does not specify a

-database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/principal</code>.</dd>

-<dt>default_principal_expiration</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#abstime">Absolute time</a> string.) Specifies the default expiration date of

+database name. The default value is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/principal</code>.

+</dd>

+<dt>default_principal_expiration</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#abstime">Absolute time</a> string.) Specifies the default expiration date of

principals created in this realm. The default value is 0, which

-means no expiration date.</dd>

-<dt>default_principal_flags</dt>

-<dd>(Flag string.) Specifies the default attributes of principals

+means no expiration date.

+</dd>

+<dt>default_principal_flags</dt><dd>(Flag string.) Specifies the default attributes of principals

created in this realm. The format for this string is a

comma-separated list of flags, with ‘+’ before each flag that

-should be enabled and ‘-‘ before each flag that should be

+should be enabled and ‘-’ before each flag that should be

disabled. The postdateable, forwardable, tgt-based,

renewable, proxiable, dup-skey, allow-tickets, and

service flags default to enabled.

There are a number of possible flags:

-<dl class="last docutils">

-<dt>allow-tickets</dt>

-<dd>Enabling this flag means that the KDC will issue tickets for

+<dl class="simple">

+<dt>allow-tickets</dt><dd>Enabling this flag means that the KDC will issue tickets for

this principal. Disabling this flag essentially deactivates

-the principal within this realm.</dd>

-<dt>dup-skey</dt>

-<dd>Enabling this flag allows the KDC to issue user-to-user

-service tickets for this principal.</dd>

-<dt>forwardable</dt>

-<dd>Enabling this flag allows the principal to obtain forwardable

-tickets.</dd>

-<dt>hwauth</dt>

-<dd>If this flag is enabled, then the principal is required to

+the principal within this realm.

+</dd>

+<dt>dup-skey</dt><dd>Enabling this flag allows the KDC to issue user-to-user

+service tickets for this principal.

+</dd>

+<dt>forwardable</dt><dd>Enabling this flag allows the principal to obtain forwardable

+tickets.

+</dd>

+<dt>hwauth</dt><dd>If this flag is enabled, then the principal is required to

preauthenticate using a hardware device before receiving any

-tickets.</dd>

-<dt>no-auth-data-required</dt>

-<dd>Enabling this flag prevents PAC or AD-SIGNEDPATH data from

-being added to service tickets for the principal.</dd>

-<dt>ok-as-delegate</dt>

-<dd>If this flag is enabled, it hints the client that credentials

+tickets.

+</dd>

+<dt>no-auth-data-required</dt><dd>Enabling this flag prevents PAC or AD-SIGNEDPATH data from

+being added to service tickets for the principal.

+</dd>

+<dt>ok-as-delegate</dt><dd>If this flag is enabled, it hints the client that credentials

can and should be delegated when authenticating to the

-service.</dd>

-<dt>ok-to-auth-as-delegate</dt>

-<dd>Enabling this flag allows the principal to use S4USelf tickets.</dd>

-<dt>postdateable</dt>

-<dd>Enabling this flag allows the principal to obtain postdateable

-tickets.</dd>

-<dt>preauth</dt>

-<dd>If this flag is enabled on a client principal, then that

+service.

+</dd>

+<dt>ok-to-auth-as-delegate</dt><dd>Enabling this flag allows the principal to use S4USelf tickets.

+</dd>

+<dt>postdateable</dt><dd>Enabling this flag allows the principal to obtain postdateable

+tickets.

+</dd>

+<dt>preauth</dt><dd>If this flag is enabled on a client principal, then that

principal is required to preauthenticate to the KDC before

receiving any tickets. On a service principal, enabling this

flag means that service tickets for this principal will only

be issued to clients with a TGT that has the preauthenticated

-bit set.</dd>

-<dt>proxiable</dt>

-<dd>Enabling this flag allows the principal to obtain proxy

-tickets.</dd>

-<dt>pwchange</dt>

-<dd>Enabling this flag forces a password change for this

-principal.</dd>

-<dt>pwservice</dt>

-<dd>If this flag is enabled, it marks this principal as a password

+bit set.

+</dd>

+<dt>proxiable</dt><dd>Enabling this flag allows the principal to obtain proxy

+tickets.

+</dd>

+<dt>pwchange</dt><dd>Enabling this flag forces a password change for this

+principal.

+</dd>

+<dt>pwservice</dt><dd>If this flag is enabled, it marks this principal as a password

change service. This should only be used in special cases,

for example, if a user’s password has expired, then the user

has to get tickets for that principal without going through

the normal password authentication in order to be able to

-change the password.</dd>

-<dt>renewable</dt>

-<dd>Enabling this flag allows the principal to obtain renewable

-tickets.</dd>

-<dt>service</dt>

-<dd>Enabling this flag allows the the KDC to issue service tickets

+change the password.

+</dd>

+<dt>renewable</dt><dd>Enabling this flag allows the principal to obtain renewable

+tickets.

+</dd>

+<dt>service</dt><dd>Enabling this flag allows the the KDC to issue service tickets

for this principal. In release 1.17 and later, user-to-user

service tickets are still allowed if the dup-skey flag is

-set.</dd>

-<dt>tgt-based</dt>

-<dd>Enabling this flag allows a principal to obtain tickets based

+set.

+</dd>

+<dt>tgt-based</dt><dd>Enabling this flag allows a principal to obtain tickets based

on a ticket-granting-ticket, rather than repeating the

-authentication process that was used to obtain the TGT.</dd>

+authentication process that was used to obtain the TGT.

+</dd>

</dl>

</dd>

-<dt>dict_file</dt>

-<dd>(String.) Location of the dictionary file containing strings that

+<dt>dict_file</dt><dd>(String.) Location of the dictionary file containing strings that

are not allowed as passwords. The file should contain one string

per line, with no additional whitespace. If none is specified or

if there is no policy assigned to the principal, no dictionary

-checks of passwords will be performed.</dd>

-<dt>disable_pac</dt>

-<dd>(Boolean value.) If true, the KDC will not issue PACs for this

+checks of passwords will be performed.

+</dd>

+<dt>disable_pac</dt><dd>(Boolean value.) If true, the KDC will not issue PACs for this

realm, and S4U2Self and S4U2Proxy operations will be disabled.

The default is false, which will permit the KDC to issue PACs.

-New in release 1.20.</dd>

-<dt>encrypted_challenge_indicator</dt>

-<dd>(String.) Specifies the authentication indicator value that the KDC

+New in release 1.20.

+</dd>

+<dt>encrypted_challenge_indicator</dt><dd>(String.) Specifies the authentication indicator value that the KDC

asserts into tickets obtained using FAST encrypted challenge

-pre-authentication. New in 1.16.</dd>

-<dt>host_based_services</dt>

-<dd>(Whitespace- or comma-separated list.) Lists services which will

+pre-authentication. New in 1.16.

+</dd>

+<dt>host_based_services</dt><dd>(Whitespace- or comma-separated list.) Lists services which will

get host-based referral processing even if the server principal is

-not marked as host-based by the client.</dd>

-<dt>iprop_enable</dt>

-<dd>(Boolean value.) Specifies whether incremental database

-propagation is enabled. The default value is false.</dd>

-<dt>iprop_ulogsize</dt>

-<dd>(Integer.) Specifies the maximum number of log entries to be

+not marked as host-based by the client.

+</dd>

+<dt>iprop_enable</dt><dd>(Boolean value.) Specifies whether incremental database

+propagation is enabled. The default value is false.

+</dd>

+<dt>iprop_ulogsize</dt><dd>(Integer.) Specifies the maximum number of log entries to be

retained for incremental propagation. The default value is 1000.

Prior to release 1.11, the maximum value was 2500. New in release

-1.19.</dd>

-<dt>iprop_master_ulogsize</dt>

-<dd>The name for iprop_ulogsize prior to release 1.19. Its value is

-used as a fallback if iprop_ulogsize is not specified.</dd>

-<dt>iprop_replica_poll</dt>

-<dd>(Delta time string.) Specifies how often the replica KDC polls

-for new updates from the primary. The default value is <code class="docutils literal">2m</code>

-(that is, two minutes). New in release 1.17.</dd>

-<dt>iprop_slave_poll</dt>

-<dd>(Delta time string.) The name for iprop_replica_poll prior to

+1.19.

+</dd>

+<dt>iprop_master_ulogsize</dt><dd>The name for iprop_ulogsize prior to release 1.19. Its value is

+used as a fallback if iprop_ulogsize is not specified.

+</dd>

+<dt>iprop_replica_poll</dt><dd>(Delta time string.) Specifies how often the replica KDC polls

+for new updates from the primary. The default value is <code class="docutils literal notranslate">2m</code>

+(that is, two minutes). New in release 1.17.

+</dd>

+<dt>iprop_slave_poll</dt><dd>(Delta time string.) The name for iprop_replica_poll prior to

release 1.17. Its value is used as a fallback if

-iprop_replica_poll is not specified.</dd>

-<dt>iprop_listen</dt>

-<dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC

+iprop_replica_poll is not specified.

+</dd>

+<dt>iprop_listen</dt><dd>(Whitespace- or comma-separated list.) Specifies the iprop RPC

listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon.

Each entry may be an interface address, a port number, or an

address and port number separated by a colon. If the address

@@ -290,32 +279,32 @@ specified, the wildcard address is used. If kadmind fails to bind

to any of the specified addresses, it will fail to start. The

default (when iprop_enable is true) is to bind to the wildcard

address at the port specified in iprop_port. New in release

-1.15.</dd>

-<dt>iprop_port</dt>

-<dd>(Port number.) Specifies the port number to be used for

+1.15.

+</dd>

+<dt>iprop_port</dt><dd>(Port number.) Specifies the port number to be used for

incremental propagation. When iprop_enable is true, this

relation is required in the replica KDC configuration file, and

this relation or iprop_listen is required in the primary

configuration file, as there is no default port number. Port

numbers specified in iprop_listen entries will override this

-port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon.</dd>

-<dt>iprop_resync_timeout</dt>

-<dd>(Delta time string.) Specifies the amount of time to wait for a

+port number for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon.

+</dd>

+<dt>iprop_resync_timeout</dt><dd>(Delta time string.) Specifies the amount of time to wait for a

full propagation to complete. This is optional in configuration

files, and is used by replica KDCs only. The default value is 5

-minutes (<code class="docutils literal">5m</code>). New in release 1.11.</dd>

-<dt>iprop_logfile</dt>

-<dd>(File name.) Specifies where the update log file for the realm

+minutes (<code class="docutils literal notranslate">5m</code>). New in release 1.11.

+</dd>

+<dt>iprop_logfile</dt><dd>(File name.) Specifies where the update log file for the realm

database is to be stored. The default is to use the

database_name entry from the realms section of the krb5 config

-file, with <code class="docutils literal">.ulog</code> appended. (NOTE: If database_name isn’t

+file, with <code class="docutils literal notranslate">.ulog</code> appended. (NOTE: If database_name isn’t

specified in the realms section, perhaps because the LDAP database

back end is being used, or the file name is specified in the

[dbmodules] section, then the hard-coded default for

database_name is used. Determination of the iprop_logfile

-default value will not use values from the [dbmodules] section.)</dd>

-<dt>kadmind_listen</dt>

-<dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC

+default value will not use values from the [dbmodules] section.)

+</dd>

+<dt>kadmind_listen</dt><dd>(Whitespace- or comma-separated list.) Specifies the kadmin RPC

listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon.

Each entry may be an interface address, a port number, or an

address and port number separated by a colon. If the address

@@ -324,17 +313,17 @@ specified, the wildcard address is used. If kadmind fails to bind

to any of the specified addresses, it will fail to start. The

default is to bind to the wildcard address at the port specified

in kadmind_port, or the standard kadmin port (749). New in

-release 1.15.</dd>

-<dt>kadmind_port</dt>

-<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

+release 1.15.

+</dd>

+<dt>kadmind_port</dt><dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

daemon is to listen for this realm. Port numbers specified in

kadmind_listen entries will override this port number. The

-assigned port for kadmind is 749, which is used by default.</dd>

-<dt>key_stash_file</dt>

-<dd>(String.) Specifies the location where the master key has been

-stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/.k5.REALM</code>, where REALM is the Kerberos realm.</dd>

-<dt>kdc_listen</dt>

-<dd>(Whitespace- or comma-separated list.) Specifies the UDP

+assigned port for kadmind is 749, which is used by default.

+</dd>

+<dt>key_stash_file</dt><dd>(String.) Specifies the location where the master key has been

+stored (via kdb5_util stash). The default is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/.k5.REALM</code>, where REALM is the Kerberos realm.

+</dd>

+<dt>kdc_listen</dt><dd>(Whitespace- or comma-separated list.) Specifies the UDP

listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> daemon.

Each entry may be an interface address, a port number, or an

address and port number separated by a colon. If the address

@@ -343,33 +332,33 @@ specified, the wildcard address is used. If no port is specified,

the standard port (88) is used. If the KDC daemon fails to bind

to any of the specified addresses, it will fail to start. The

default is to bind to the wildcard address on the standard port.

-New in release 1.15.</dd>

-<dt>kdc_ports</dt>

-<dd>(Whitespace- or comma-separated list, deprecated.) Prior to

+New in release 1.15.

+</dd>

+<dt>kdc_ports</dt><dd>(Whitespace- or comma-separated list, deprecated.) Prior to

release 1.15, this relation lists the ports for the

<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> daemon to listen on for UDP requests. In

release 1.15 and later, it has the same meaning as kdc_listen

-if that relation is not defined.</dd>

-<dt>kdc_tcp_listen</dt>

-<dd>(Whitespace- or comma-separated list.) Specifies the TCP

+if that relation is not defined.

+</dd>

+<dt>kdc_tcp_listen</dt><dd>(Whitespace- or comma-separated list.) Specifies the TCP

listening addresses and/or ports for the <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> daemon.

Each entry may be an interface address, a port number, or an

address and port number separated by a colon. If the address

contains colons, enclose it in square brackets. If no address is

specified, the wildcard address is used. If no port is specified,

the standard port (88) is used. To disable listening on TCP, set

-this relation to the empty string with <code class="docutils literal">kdc_tcp_listen = ""</code>.

+this relation to the empty string with <code class="docutils literal notranslate">kdc_tcp_listen = ""</code>.

If the KDC daemon fails to bind to any of the specified addresses,

it will fail to start. The default is to bind to the wildcard

-address on the standard port. New in release 1.15.</dd>

-<dt>kdc_tcp_ports</dt>

-<dd>(Whitespace- or comma-separated list, deprecated.) Prior to

+address on the standard port. New in release 1.15.

+</dd>

+<dt>kdc_tcp_ports</dt><dd>(Whitespace- or comma-separated list, deprecated.) Prior to

release 1.15, this relation lists the ports for the

<a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> daemon to listen on for UDP requests. In

release 1.15 and later, it has the same meaning as

-kdc_tcp_listen if that relation is not defined.</dd>

-<dt>kpasswd_listen</dt>

-<dd>(Comma-separated list.) Specifies the kpasswd listening addresses

+kdc_tcp_listen if that relation is not defined.

+</dd>

+<dt>kpasswd_listen</dt><dd>(Comma-separated list.) Specifies the kpasswd listening addresses

and/or ports for the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon. Each entry may be

an interface address, a port number, or an address and port number

separated by a colon. If the address contains colons, enclose it

@@ -377,36 +366,36 @@ in square brackets. If no address is specified, the wildcard

address is used. If kadmind fails to bind to any of the specified

addresses, it will fail to start. The default is to bind to the

wildcard address at the port specified in kpasswd_port, or the

-standard kpasswd port (464). New in release 1.15.</dd>

-<dt>kpasswd_port</dt>

-<dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

+standard kpasswd port (464). New in release 1.15.

+</dd>

+<dt>kpasswd_port</dt><dd>(Port number.) Specifies the port on which the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

daemon is to listen for password change requests for this realm.

Port numbers specified in kpasswd_listen entries will override

this port number. The assigned port for password change requests

-is 464, which is used by default.</dd>

-<dt>master_key_name</dt>

-<dd>(String.) Specifies the name of the principal associated with the

-master key. The default is <code class="docutils literal">K/M</code>.</dd>

-<dt>master_key_type</dt>

-<dd>(Key type string.) Specifies the master key’s key type. The

-default value for this is <code class="docutils literal">aes256-cts-hmac-sha1-96</code>. For a list of all possible

-values, see <a class="reference internal" href="#encryption-types">Encryption types</a>.</dd>

-<dt>max_life</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Specifies the maximum time period for

+is 464, which is used by default.

+</dd>

+<dt>master_key_name</dt><dd>(String.) Specifies the name of the principal associated with the

+master key. The default is <code class="docutils literal notranslate">K/M</code>.

+</dd>

+<dt>master_key_type</dt><dd>(Key type string.) Specifies the master key’s key type. The

+default value for this is <code class="docutils literal notranslate">aes256-cts-hmac-sha1-96</code>. For a list of all possible

+values, see <a class="reference internal" href="#encryption-types">Encryption types</a>.

+</dd>

+<dt>max_life</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Specifies the maximum time period for

which a ticket may be valid in this realm. The default value is

-24 hours.</dd>

-<dt>max_renewable_life</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Specifies the maximum time period

+24 hours.

+</dd>

+<dt>max_renewable_life</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Specifies the maximum time period

during which a valid ticket may be renewed in this realm.

-The default value is 0.</dd>

-<dt>no_host_referral</dt>

-<dd>(Whitespace- or comma-separated list.) Lists services to block

+The default value is 0.

+</dd>

+<dt>no_host_referral</dt><dd>(Whitespace- or comma-separated list.) Lists services to block

from getting host-based referral processing, even if the client

marks the server principal as host-based or the service is also

-listed in host_based_services. <code class="docutils literal">no_host_referral = *</code> will

-disable referral processing altogether.</dd>

-<dt>reject_bad_transit</dt>

-<dd>(Boolean value.) If set to true, the KDC will check the list of

+listed in host_based_services. <code class="docutils literal notranslate">no_host_referral = *</code> will

+disable referral processing altogether.

+</dd>

+<dt>reject_bad_transit</dt><dd>(Boolean value.) If set to true, the KDC will check the list of

transited realms for cross-realm tickets against the transit path

computed from the realm names and the capaths section of its

<a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a> file; if the path in the ticket to be issued

@@ -421,90 +410,89 @@ request, this check is not performed at all. Having the

be rejected always.

This transit path checking and config file option currently apply

only to TGS requests.

-The default value is true.

+The default value is true.

</dd>

-<dt>restrict_anonymous_to_tgt</dt>

-<dd>(Boolean value.) If set to true, the KDC will reject ticket

+<dt>restrict_anonymous_to_tgt</dt><dd>(Boolean value.) If set to true, the KDC will reject ticket

requests from anonymous principals to service principals other

than the realm’s ticket-granting service. This option allows

anonymous PKINIT to be enabled for use as FAST armor tickets

without allowing anonymous authentication to services. The

-default value is false. New in release 1.9.</dd>

-<dt>spake_preauth_indicator</dt>

-<dd>(String.) Specifies an authentication indicator value that the

+default value is false. New in release 1.9.

+</dd>

+<dt>spake_preauth_indicator</dt><dd>(String.) Specifies an authentication indicator value that the

KDC asserts into tickets obtained using SPAKE pre-authentication.

The default is not to add any indicators. This option may be

-specified multiple times. New in release 1.17.</dd>

-<dt>supported_enctypes</dt>

-<dd>(List of key:salt strings.) Specifies the default key/salt

+specified multiple times. New in release 1.17.

+</dd>

+<dt>supported_enctypes</dt><dd>(List of key:salt strings.) Specifies the default key/salt

combinations of principals for this realm. Any principals created

through <a class="reference internal" href="../admin_commands/kadmin_local.html#kadmin-1">kadmin</a> will have keys of these types. The

-default value for this tag is <code class="docutils literal">aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal</code>. For lists of

-possible values, see <a class="reference internal" href="#keysalt-lists">Keysalt lists</a>.</dd>

+default value for this tag is <code class="docutils literal notranslate">aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal</code>. For lists of

+possible values, see <a class="reference internal" href="#keysalt-lists">Keysalt lists</a>.

+</dd>

</dl>

-</div>

-<div class="section" id="dbdefaults">

+</section>

+<section id="dbdefaults">

<h3>[dbdefaults]<a class="headerlink" href="#dbdefaults" title="Permalink to this headline">¶</a></h3>

The [dbdefaults] section specifies default values for some database

parameters, to be used if the [dbmodules] subsection does not contain

a relation for the tag. See the <a class="reference internal" href="#dbmodules">[dbmodules]</a> section for the

definitions of these relations.

-<li>ldap_kerberos_container_dn</li>

-<li>ldap_kdc_dn</li>

-<li>ldap_kdc_sasl_authcid</li>

-<li>ldap_kdc_sasl_authzid</li>

-<li>ldap_kdc_sasl_mech</li>

-<li>ldap_kdc_sasl_realm</li>

-<li>ldap_kadmind_dn</li>

-<li>ldap_kadmind_sasl_authcid</li>

-<li>ldap_kadmind_sasl_authzid</li>

-<li>ldap_kadmind_sasl_mech</li>

-<li>ldap_kadmind_sasl_realm</li>

-<li>ldap_service_password_file</li>

-<li>ldap_conns_per_server</li>

+<li>ldap_kerberos_container_dn</li>

+<li>ldap_kdc_dn</li>

+<li>ldap_kdc_sasl_authcid</li>

+<li>ldap_kdc_sasl_authzid</li>

+<li>ldap_kdc_sasl_mech</li>

+<li>ldap_kdc_sasl_realm</li>

+<li>ldap_kadmind_dn</li>

+<li>ldap_kadmind_sasl_authcid</li>

+<li>ldap_kadmind_sasl_authzid</li>

+<li>ldap_kadmind_sasl_mech</li>

+<li>ldap_kadmind_sasl_realm</li>

+<li>ldap_service_password_file</li>

+<li>ldap_conns_per_server</li>

</ul>

-</div>

-<div class="section" id="dbmodules">

+</section>

+<section id="dbmodules">

<h3>[dbmodules]<a class="headerlink" href="#dbmodules" title="Permalink to this headline">¶</a></h3>

The [dbmodules] section contains parameters used by the KDC database

library and database modules. Each tag in the [dbmodules] section is

the name of a Kerberos realm or a section name specified by a realm’s

database_module parameter. The following example shows how to

define one database parameter for the ATHENA.MIT.EDU realm:

-<div class="highlight-default"><div class="highlight"><pre>[dbmodules]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[dbmodules]

ATHENA.MIT.EDU = {

disable_last_success = true

}

</pre></div>

</div>

The following tags may be specified in a [dbmodules] subsection:

-<dl class="docutils">

-<dt>database_name</dt>

-<dd>This DB2-specific tag indicates the location of the database in

-the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/principal</code>.</dd>

-<dt>db_library</dt>

-<dd>This tag indicates the name of the loadable database module. The

-value should be <code class="docutils literal">db2</code> for the DB2 module, <code class="docutils literal">klmdb</code> for the LMDB

-module, or <code class="docutils literal">kldap</code> for the LDAP module.</dd>

-<dt>disable_last_success</dt>

-<dd>If set to <code class="docutils literal">true</code>, suppresses KDC updates to the “Last successful

+<dl class="simple">

+<dt>database_name</dt><dd>This DB2-specific tag indicates the location of the database in

+the filesystem. The default is <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/principal</code>.

+</dd>

+<dt>db_library</dt><dd>This tag indicates the name of the loadable database module. The

+value should be <code class="docutils literal notranslate">db2</code> for the DB2 module, <code class="docutils literal notranslate">klmdb</code> for the LMDB

+module, or <code class="docutils literal notranslate">kldap</code> for the LDAP module.

+</dd>

+<dt>disable_last_success</dt><dd>If set to <code class="docutils literal notranslate">true</code>, suppresses KDC updates to the “Last successful

authentication” field of principal entries requiring

preauthentication. Setting this flag may improve performance.

(Principal entries which do not require preauthentication never

update the “Last successful authentication” field.). First

-introduced in release 1.9.</dd>

-<dt>disable_lockout</dt>

-<dd>If set to <code class="docutils literal">true</code>, suppresses KDC updates to the “Last failed

+introduced in release 1.9.

+</dd>

+<dt>disable_lockout</dt><dd>If set to <code class="docutils literal notranslate">true</code>, suppresses KDC updates to the “Last failed

authentication” and “Failed password attempts” fields of principal

entries requiring preauthentication. Setting this flag may

improve performance, but also disables account lockout. First

-introduced in release 1.9.</dd>

-<dt>ldap_conns_per_server</dt>

-<dd>This LDAP-specific tag indicates the number of connections to be

-maintained per LDAP server.</dd>

-<dt>ldap_kdc_dn and ldap_kadmind_dn</dt>

-<dd>These LDAP-specific tags indicate the default DN for binding to

+introduced in release 1.9.

+</dd>

+<dt>ldap_conns_per_server</dt><dd>This LDAP-specific tag indicates the number of connections to be

+maintained per LDAP server.

+</dd>

+<dt>ldap_kdc_dn and ldap_kadmind_dn</dt><dd>These LDAP-specific tags indicate the default DN for binding to

the LDAP server. The <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> daemon uses

ldap_kdc_dn, while the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon and other

administrative programs use ldap_kadmind_dn. The kadmind DN

@@ -513,113 +501,113 @@ LDAP database. The KDC DN must have the same rights, unless

disable_lockout and disable_last_success are true, in

which case it only needs to have rights to read the Kerberos data.

These tags are ignored if a SASL mechanism is set with

-ldap_kdc_sasl_mech or ldap_kadmind_sasl_mech.</dd>

-<dt>ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech</dt>

-<dd>These LDAP-specific tags specify the SASL mechanism (such as

-<code class="docutils literal">EXTERNAL</code>) to use when binding to the LDAP server. New in

-release 1.13.</dd>

-<dt>ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid</dt>

-<dd>These LDAP-specific tags specify the SASL authentication identity

+ldap_kdc_sasl_mech or ldap_kadmind_sasl_mech.

+</dd>

+<dt>ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech</dt><dd>These LDAP-specific tags specify the SASL mechanism (such as

+<code class="docutils literal notranslate">EXTERNAL</code>) to use when binding to the LDAP server. New in

+release 1.13.

+</dd>

+<dt>ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid</dt><dd>These LDAP-specific tags specify the SASL authentication identity

to use when binding to the LDAP server. Not all SASL mechanisms

require an authentication identity. If the SASL mechanism

-requires a secret (such as the password for <code class="docutils literal">DIGEST-MD5</code>), these

+requires a secret (such as the password for <code class="docutils literal notranslate">DIGEST-MD5</code>), these

tags also determine the name within the

ldap_service_password_file where the secret is stashed. New

-in release 1.13.</dd>

-<dt>ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid</dt>

-<dd>These LDAP-specific tags specify the SASL authorization identity

+in release 1.13.

+</dd>

+<dt>ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid</dt><dd>These LDAP-specific tags specify the SASL authorization identity

to use when binding to the LDAP server. In most circumstances

-they do not need to be specified. New in release 1.13.</dd>

-<dt>ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm</dt>

-<dd>These LDAP-specific tags specify the SASL realm to use when

+they do not need to be specified. New in release 1.13.

+</dd>

+<dt>ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm</dt><dd>These LDAP-specific tags specify the SASL realm to use when

binding to the LDAP server. In most circumstances they do not

-need to be set. New in release 1.13.</dd>

-<dt>ldap_kerberos_container_dn</dt>

-<dd>This LDAP-specific tag indicates the DN of the container object

-where the realm objects will be located.</dd>

-<dt>ldap_servers</dt>

-<dd>This LDAP-specific tag indicates the list of LDAP servers that the

+need to be set. New in release 1.13.

+</dd>

+<dt>ldap_kerberos_container_dn</dt><dd>This LDAP-specific tag indicates the DN of the container object

+where the realm objects will be located.

+</dd>

+<dt>ldap_servers</dt><dd>This LDAP-specific tag indicates the list of LDAP servers that the

Kerberos servers can connect to. The list of LDAP servers is

whitespace-separated. The LDAP server is specified by a LDAP URI.

-It is recommended to use <code class="docutils literal">ldapi:</code> or <code class="docutils literal">ldaps:</code> URLs to connect

-to the LDAP server.</dd>

-<dt>ldap_service_password_file</dt>

-<dd>This LDAP-specific tag indicates the file containing the stashed

-passwords (created by <code class="docutils literal">kdb5_ldap_util stashsrvpw</code>) for the

+It is recommended to use <code class="docutils literal notranslate">ldapi:</code> or <code class="docutils literal notranslate">ldaps:</code> URLs to connect

+to the LDAP server.

+</dd>

+<dt>ldap_service_password_file</dt><dd>This LDAP-specific tag indicates the file containing the stashed

+passwords (created by <code class="docutils literal notranslate">kdb5_ldap_util stashsrvpw</code>) for the

ldap_kdc_dn and ldap_kadmind_dn objects, or for the

ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names

-for SASL authentication. This file must be kept secure.</dd>

-<dt>mapsize</dt>

-<dd>This LMDB-specific tag indicates the maximum size of the two

+for SASL authentication. This file must be kept secure.

+</dd>

+<dt>mapsize</dt><dd>This LMDB-specific tag indicates the maximum size of the two

database environments in megabytes. The default value is 128.

Increase this value to address “Environment mapsize limit reached”

-errors. New in release 1.17.</dd>

-<dt>max_readers</dt>

-<dd>This LMDB-specific tag indicates the maximum number of concurrent

+errors. New in release 1.17.

+</dd>

+<dt>max_readers</dt><dd>This LMDB-specific tag indicates the maximum number of concurrent

reading processes for the databases. The default value is 128.

-New in release 1.17.</dd>

-<dt>nosync</dt>

-<dd>This LMDB-specific tag can be set to improve the throughput of

+New in release 1.17.

+</dd>

+<dt>nosync</dt><dd>This LMDB-specific tag can be set to improve the throughput of

kadmind and other administrative agents, at the expense of

durability (recent database changes may not survive a power outage

or other sudden reboot). It does not affect the throughput of the

-KDC. The default value is false. New in release 1.17.</dd>

-<dt>unlockiter</dt>

-<dd>If set to <code class="docutils literal">true</code>, this DB2-specific tag causes iteration

+KDC. The default value is false. New in release 1.17.

+</dd>

+<dt>unlockiter</dt><dd>If set to <code class="docutils literal notranslate">true</code>, this DB2-specific tag causes iteration

operations to release the database lock while processing each

-principal. Setting this flag to <code class="docutils literal">true</code> can prevent extended

+principal. Setting this flag to <code class="docutils literal notranslate">true</code> can prevent extended

blocking of KDC or kadmin operations when dumps of large databases

-are in progress. First introduced in release 1.13.</dd>

+are in progress. First introduced in release 1.13.

+</dd>

</dl>

The following tag may be specified directly in the [dbmodules]

section to control where database modules are loaded from:

-<dl class="docutils">

-<dt>db_module_dir</dt>

-<dd>This tag controls where the plugin system looks for database

-modules. The value should be an absolute path.</dd>

+<dl class="simple">

+<dt>db_module_dir</dt><dd>This tag controls where the plugin system looks for database

+modules. The value should be an absolute path.

+</dd>

</dl>

-</div>

-<div class="section" id="logging">

+</section>

+<section id="logging">

<h3>[logging]<a class="headerlink" href="#logging" title="Permalink to this headline">¶</a></h3>

The [logging] section indicates how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> and

<a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> perform logging. It may contain the following

relations:

-<dl class="docutils">

-<dt>admin_server</dt>

-<dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> performs logging.</dd>

-<dt>kdc</dt>

-<dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> performs logging.</dd>

-<dt>default</dt>

-<dd>Specifies how either daemon performs logging in the absence of

-relations specific to the daemon.</dd>

-<dt>debug</dt>

-<dd>(Boolean value.) Specifies whether debugging messages are

+<dl class="simple">

+<dt>admin_server</dt><dd>Specifies how <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> performs logging.

+</dd>

+<dt>kdc</dt><dd>Specifies how <a class="reference internal" href="../admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a> performs logging.

+</dd>

+<dt>default</dt><dd>Specifies how either daemon performs logging in the absence of

+relations specific to the daemon.

+</dd>

+<dt>debug</dt><dd>(Boolean value.) Specifies whether debugging messages are

included in log outputs other than SYSLOG. Debugging messages are

always included in the system log output because syslog performs

its own priority filtering. The default value is false. New in

-release 1.15.</dd>

+release 1.15.

+</dd>

</dl>

Logging specifications may have the following forms:

-<dl class="docutils">

-<dt>FILE=filename or FILE:filename</dt>

-<dd>This value causes the daemon’s logging messages to go to the

-filename. If the <code class="docutils literal">=</code> form is used, the file is overwritten.

-If the <code class="docutils literal">:</code> form is used, the file is appended to.</dd>

-<dt>STDERR</dt>

-<dd>This value causes the daemon’s logging messages to go to its

-standard error stream.</dd>

-<dt>CONSOLE</dt>

-<dd>This value causes the daemon’s logging messages to go to the

-console, if the system supports it.</dd>

-<dt>DEVICE=<devicename></dt>

-<dd>This causes the daemon’s logging messages to go to the specified

-device.</dd>

-<dt>SYSLOG[:severity[:facility]]</dt>

-<dd>This causes the daemon’s logging messages to go to the system log.

+<dl>

+<dt>FILE=filename or FILE:filename</dt><dd>This value causes the daemon’s logging messages to go to the

+filename. If the <code class="docutils literal notranslate">=</code> form is used, the file is overwritten.

+If the <code class="docutils literal notranslate">:</code> form is used, the file is appended to.

+</dd>

+<dt>STDERR</dt><dd>This value causes the daemon’s logging messages to go to its

+standard error stream.

+</dd>

+<dt>CONSOLE</dt><dd>This value causes the daemon’s logging messages to go to the

+console, if the system supports it.

+</dd>

+<dt>DEVICE=<devicename></dt><dd>This causes the daemon’s logging messages to go to the specified

+device.

+</dd>

+<dt>SYSLOG[:severity[:facility]]</dt><dd>This causes the daemon’s logging messages to go to the system log.

For backward compatibility, a severity argument may be specified,

and must be specified in order to specify a facility. This

argument will be ignored.

-The facility argument specifies the facility under which the

+The facility argument specifies the facility under which the

messages are logged. This may be any of the following facilities

supported by the syslog(3) call minus the LOG_ prefix: KERN,

USER, MAIL, DAEMON, AUTH, LPR, NEWS,

@@ -630,9 +618,9 @@ facility is specified, the default is AUTH.

In the following example, the logging messages from the KDC will go to

the console and to the system log under the facility LOG_DAEMON, and

the logging messages from the administrative server will be appended

-to the file <code class="docutils literal">/var/adm/kadmin.log</code> and sent to the device

-<code class="docutils literal">/dev/tty04</code>.

-<div class="highlight-default"><div class="highlight"><pre>[logging]

+to the file <code class="docutils literal notranslate">/var/adm/kadmin.log</code> and sent to the device

+<code class="docutils literal notranslate">/dev/tty04</code>.

+<div class="highlight-default notranslate"><div class="highlight"><pre>[logging]

kdc = CONSOLE

kdc = SYSLOG:INFO:DAEMON

admin_server = FILE:/var/adm/kadmin.log

@@ -640,47 +628,47 @@ to the file <code class="docutils literal">/var/adm/kadmin.log

</pre></div>

</div>

If no logging specification is given, the default is to use syslog.

-To disable logging entirely, specify <code class="docutils literal">default = DEVICE=/dev/null</code>.

-</div>

-<div class="section" id="otp">

+To disable logging entirely, specify <code class="docutils literal notranslate">default = DEVICE=/dev/null</code>.

+</section>

+<section id="otp">

Each subsection of [otp] is the name of an OTP token type. The tags

within the subsection define the configuration required to forward a

One Time Password request to a RADIUS server.

For each token type, the following tags may be specified:

-<dl class="docutils">

-<dt>server</dt>

-<dd>This is the server to send the RADIUS request to. It can be a

+<dl class="simple">

+<dt>server</dt><dd>This is the server to send the RADIUS request to. It can be a

hostname with optional port, an ip address with optional port, or

a Unix domain socket address. The default is

-<dt>secret</dt>

-<dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code>)

+</dd>

+<dt>secret</dt><dd>This tag indicates a filename (which may be relative to <a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code>)

containing the secret used to encrypt the RADIUS packets. The

secret should appear in the first line of the file by itself;

leading and trailing whitespace on the line will be removed. If

the value of server is a Unix domain socket address, this tag

is optional, and an empty secret will be used if it is not

-specified. Otherwise, this tag is required.</dd>

-<dt>timeout</dt>

-<dd>An integer which specifies the time in seconds during which the

+specified. Otherwise, this tag is required.

+</dd>

+<dt>timeout</dt><dd>An integer which specifies the time in seconds during which the

KDC should attempt to contact the RADIUS server. This tag is the

total time across all retries and should be less than the time

-which an OTP value remains valid for. The default is 5 seconds.</dd>

-<dt>retries</dt>

-<dd>This tag specifies the number of retries to make to the RADIUS

-server. The default is 3 retries (4 tries).</dd>

-<dt>strip_realm</dt>

-<dd>If this tag is <code class="docutils literal">true</code>, the principal without the realm will be

+which an OTP value remains valid for. The default is 5 seconds.

+</dd>

+<dt>retries</dt><dd>This tag specifies the number of retries to make to the RADIUS

+server. The default is 3 retries (4 tries).

+</dd>

+<dt>strip_realm</dt><dd>If this tag is <code class="docutils literal notranslate">true</code>, the principal without the realm will be

passed to the RADIUS server. Otherwise, the realm will be

-included. The default value is <code class="docutils literal">true</code>.</dd>

-<dt>indicator</dt>

-<dd>This tag specifies an authentication indicator to be included in

+included. The default value is <code class="docutils literal notranslate">true</code>.

+</dd>

+<dt>indicator</dt><dd>This tag specifies an authentication indicator to be included in

the ticket if this token type is used to authenticate. This

-option may be specified multiple times. (New in release 1.14.)</dd>

+option may be specified multiple times. (New in release 1.14.)

+</dd>

</dl>

In the following example, requests are sent to a remote server via UDP:

-<div class="highlight-default"><div class="highlight"><pre>[otp]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[otp]

MyRemoteTokenType = {

server = radius.mydomain.com:1812

secret = SEmfiajf42$

@@ -690,39 +678,39 @@ option may be specified multiple times. (New in release 1.14.)</dd>

}

</pre></div>

</div>

-An implicit default token type named <code class="docutils literal">DEFAULT</code> is defined for when

+An implicit default token type named <code class="docutils literal notranslate">DEFAULT</code> is defined for when

the per-principal configuration does not specify a token type. Its

configuration is shown below. You may override this token type to

something applicable for your situation:

-<div class="highlight-default"><div class="highlight"><pre>[otp]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[otp]

DEFAULT = {

strip_realm = false

}

</pre></div>

</div>

-</div>

-<div class="section" id="pkinit-options">

+</section>

+<section id="pkinit-options">

<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>

-Note

-The following are pkinit-specific options. These values may

+Note

+The following are pkinit-specific options. These values may

be specified in [kdcdefaults] as global defaults, or within

a realm-specific subsection of [realms]. Also note that a

realm-specific value over-rides, does not add to, a generic

[kdcdefaults] specification. The search order is:

</div>

-<li>realm-specific subsection of [realms]:

-<div class="highlight-default"><div class="highlight"><pre>[realms]

+<li>realm-specific subsection of [realms]:

+<div class="highlight-default notranslate"><div class="highlight"><pre>[realms]

EXAMPLE.COM = {

pkinit_anchors = FILE:/usr/local/example.com.crt

}

</pre></div>

</div>

</li>

-<li>generic value in the [kdcdefaults] section:

-<div class="highlight-default"><div class="highlight"><pre>[kdcdefaults]

+<li>generic value in the [kdcdefaults] section:

+<div class="highlight-default notranslate"><div class="highlight"><pre>[kdcdefaults]

pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

</pre></div>

</div>

@@ -731,62 +719,59 @@ realm-specific value over-rides, does not add to, a generic

For information about the syntax of some of these options, see

<a class="reference internal" href="krb5_conf.html#pkinit-identity">Specifying PKINIT identity information</a> in

<a class="reference internal" href="krb5_conf.html#krb5-conf-5">krb5.conf</a>.

-<dl class="docutils">

-<dt>pkinit_anchors</dt>

-<dd>Specifies the location of trusted anchor (root) certificates which

+<dl>

+<dt>pkinit_anchors</dt><dd>Specifies the location of trusted anchor (root) certificates which

the KDC trusts to sign client certificates. This option is

required if pkinit is to be supported by the KDC. This option may

-be specified multiple times.</dd>

-<dt>pkinit_dh_min_bits</dt>

-<dd>Specifies the minimum number of bits the KDC is willing to accept

-for a client’s Diffie-Hellman key. The default is 2048.</dd>

-<dt>pkinit_allow_upn</dt>

-<dd>Specifies that the KDC is willing to accept client certificates

+be specified multiple times.

+</dd>

+<dt>pkinit_dh_min_bits</dt><dd>Specifies the minimum number of bits the KDC is willing to accept

+for a client’s Diffie-Hellman key. The default is 2048.

+</dd>

+<dt>pkinit_allow_upn</dt><dd>Specifies that the KDC is willing to accept client certificates

with the Microsoft UserPrincipalName (UPN) Subject Alternative

Name (SAN). This means the KDC accepts the binding of the UPN in

the certificate to the Kerberos principal name. The default value

is false.

-Without this option, the KDC will only accept certificates with

+Without this option, the KDC will only accept certificates with

the id-pkinit-san as defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>. There is currently

no option to disable SAN checking in the KDC.

</dd>

-<dt>pkinit_eku_checking</dt>

-<dd>This option specifies what Extended Key Usage (EKU) values the KDC

+<dt>pkinit_eku_checking</dt><dd>This option specifies what Extended Key Usage (EKU) values the KDC

is willing to accept in client certificates. The values

recognized in the kdc.conf file are:

-<dl class="last docutils">

-<dt>kpClientAuth</dt>

-<dd>This is the default value and specifies that client

+<dl class="simple">

+<dt>kpClientAuth</dt><dd>This is the default value and specifies that client

certificates must have the id-pkinit-KPClientAuth EKU as

-defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>.</dd>

-<dt>scLogin</dt>

-<dd>If scLogin is specified, client certificates with the

+defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>.

+</dd>

+<dt>scLogin</dt><dd>If scLogin is specified, client certificates with the

Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be

-accepted.</dd>

-<dt>none</dt>

-<dd>If none is specified, then client certificates will not be

+accepted.

+</dd>

+<dt>none</dt><dd>If none is specified, then client certificates will not be

checked to verify they have an acceptable EKU. The use of

-this option is not recommended.</dd>

+this option is not recommended.

+</dd>

</dl>

</dd>

-<dt>pkinit_identity</dt>

-<dd>Specifies the location of the KDC’s X.509 identity information.

-This option is required if pkinit is to be supported by the KDC.</dd>

-<dt>pkinit_indicator</dt>

-<dd>Specifies an authentication indicator to include in the ticket if

+<dt>pkinit_identity</dt><dd>Specifies the location of the KDC’s X.509 identity information.

+This option is required if pkinit is to be supported by the KDC.

+</dd>

+<dt>pkinit_indicator</dt><dd>Specifies an authentication indicator to include in the ticket if

pkinit is used to authenticate. This option may be specified

-multiple times. (New in release 1.14.)</dd>

-<dt>pkinit_pool</dt>

-<dd>Specifies the location of intermediate certificates which may be

+multiple times. (New in release 1.14.)

+</dd>

+<dt>pkinit_pool</dt><dd>Specifies the location of intermediate certificates which may be

used by the KDC to complete the trust chain between a client’s

certificate and a trusted anchor. This option may be specified

-multiple times.</dd>

-<dt>pkinit_revoke</dt>

-<dd>Specifies the location of Certificate Revocation List (CRL)

+multiple times.

+</dd>

+<dt>pkinit_revoke</dt><dd>Specifies the location of Certificate Revocation List (CRL)

information to be used by the KDC when verifying the validity of

-client certificates. This option may be specified multiple times.</dd>

-<dt>pkinit_require_crl_checking</dt>

-<dd>The default certificate verification process will always check the

+client certificates. This option may be specified multiple times.

+</dd>

+<dt>pkinit_require_crl_checking</dt><dd>The default certificate verification process will always check the

available revocation information to see if a certificate has been

revoked. If a match is found for the certificate in a CRL,

verification fails. If the certificate being verified is not

@@ -796,68 +781,68 @@ succeeds.

However, if pkinit_require_crl_checking is true and there is

no CRL information available for the issuing CA, then verification

fails.

-pkinit_require_crl_checking should be set to true if the

+pkinit_require_crl_checking should be set to true if the

policy is such that up-to-date CRLs must be present for every CA.

</dd>

-<dt>pkinit_require_freshness</dt>

-<dd>Specifies whether to require clients to include a freshness token

+<dt>pkinit_require_freshness</dt><dd>Specifies whether to require clients to include a freshness token

in PKINIT requests. The default value is false. (New in release

-1.17.)</dd>

+1.17.)

+</dd>

</dl>

-</div>

-<div class="section" id="encryption-types">

+</section>

+<section id="encryption-types">

<h2>Encryption types<a class="headerlink" href="#encryption-types" title="Permalink to this headline">¶</a></h2>

Any tag in the configuration files which requires a list of encryption

types can be set to some combination of the following strings.

Encryption types marked as “weak” and “deprecated” are available for

compatibility but not recommended for use.

-<table border="1" class="docutils">

+<table class="docutils align-default">

-<col width="30%" />

-<col width="70%" />

+<col style="width: 30%" />

+<col style="width: 70%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>des3-cbc-raw</td>

-<td>Triple DES cbc mode raw (weak)</td>

+<tbody>

+<tr class="row-odd"><td>des3-cbc-raw</td>

+<td>Triple DES cbc mode raw (weak)</td>

</tr>

-<tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td>

-<td>Triple DES cbc mode with HMAC/sha1 (deprecated)</td>

+<tr class="row-even"><td>des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd</td>

+<td>Triple DES cbc mode with HMAC/sha1 (deprecated)</td>

</tr>

-<tr class="row-odd"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>

-<td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td>

+<tr class="row-odd"><td>aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1</td>

+<td>AES-256 CTS mode with 96-bit SHA-1 HMAC</td>

</tr>

-<tr class="row-even"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>

-<td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td>

+<tr class="row-even"><td>aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1</td>

+<td>AES-128 CTS mode with 96-bit SHA-1 HMAC</td>

</tr>

-<tr class="row-odd"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>

-<td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td>

+<tr class="row-odd"><td>aes256-cts-hmac-sha384-192 aes256-sha2</td>

+<td>AES-256 CTS mode with 192-bit SHA-384 HMAC</td>

</tr>

-<tr class="row-even"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>

-<td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td>

+<tr class="row-even"><td>aes128-cts-hmac-sha256-128 aes128-sha2</td>

+<td>AES-128 CTS mode with 128-bit SHA-256 HMAC</td>

</tr>

-<tr class="row-odd"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>

-<td>RC4 with HMAC/MD5 (deprecated)</td>

+<tr class="row-odd"><td>arcfour-hmac rc4-hmac arcfour-hmac-md5</td>

+<td>RC4 with HMAC/MD5 (deprecated)</td>

</tr>

-<tr class="row-even"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>

-<td>Exportable RC4 with HMAC/MD5 (weak)</td>

+<tr class="row-even"><td>arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp</td>

+<td>Exportable RC4 with HMAC/MD5 (weak)</td>

</tr>

-<tr class="row-odd"><td>camellia256-cts-cmac camellia256-cts</td>

-<td>Camellia-256 CTS mode with CMAC</td>

+<tr class="row-odd"><td>camellia256-cts-cmac camellia256-cts</td>

+<td>Camellia-256 CTS mode with CMAC</td>

</tr>

-<tr class="row-even"><td>camellia128-cts-cmac camellia128-cts</td>

-<td>Camellia-128 CTS mode with CMAC</td>

+<tr class="row-even"><td>camellia128-cts-cmac camellia128-cts</td>

+<td>Camellia-128 CTS mode with CMAC</td>

</tr>

-<tr class="row-odd"><td>des3</td>

-<td>The triple DES family: des3-cbc-sha1</td>

+<tr class="row-odd"><td>des3</td>

+<td>The triple DES family: des3-cbc-sha1</td>

</tr>

-<tr class="row-even"><td>aes</td>

-<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td>

+<tr class="row-even"><td>aes</td>

+<td>The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128</td>

</tr>

-<tr class="row-odd"><td>rc4</td>

-<td>The RC4 family: arcfour-hmac</td>

+<tr class="row-odd"><td>rc4</td>

+<td>The RC4 family: arcfour-hmac</td>

</tr>

-<tr class="row-even"><td>camellia</td>

-<td>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</td>

+<tr class="row-even"><td>camellia</td>

+<td>The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac</td>

</tr>

</tbody>

</table>

@@ -866,8 +851,8 @@ types for the variable in question. Types or families can be removed

from the current list by prefixing them with a minus sign (“-“).

Types or families can be prefixed with a plus sign (“+”) for symmetry;

it has the same meaning as just listing the type or family. For

-example, “<code class="docutils literal">DEFAULT -rc4</code>” would be the default set of encryption

-types with RC4 types removed, and “<code class="docutils literal">des3 DEFAULT</code>” would be the

+example, “<code class="docutils literal notranslate">DEFAULT -rc4</code>” would be the default set of encryption

+types with RC4 types removed, and “<code class="docutils literal notranslate">des3 DEFAULT</code>” would be the

default set of encryption types with triple DES types moved to the

front.

While aes128-cts and aes256-cts are supported for all Kerberos

@@ -879,8 +864,8 @@ types in the KDC database.

release 1.15. Services running versions of krb5 without support for

these newer encryption types must not be given keys of these

encryption types in the KDC database.

-</div>

-<div class="section" id="keysalt-lists">

+</section>

+<section id="keysalt-lists">

<h2>Keysalt lists<a class="headerlink" href="#keysalt-lists" title="Permalink to this headline">¶</a></h2>

Kerberos keys for users are usually derived from passwords. Kerberos

commands and configuration parameters that affect generation of keys

@@ -888,7 +873,7 @@ take lists of enctype-salttype (“keysalt”) pairs, known as keysalt

lists. Each keysalt pair is an enctype name followed by a salttype

name, in the format enc:salt. Individual keysalt list members are

separated by comma (“,”) characters or space characters. For example:

-<div class="highlight-default"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal

+<div class="highlight-default notranslate"><div class="highlight"><pre>kadmin -e aes256-cts:normal,aes128-cts:normal

</pre></div>

</div>

would start up kadmin so that by default it would generate

@@ -898,31 +883,31 @@ encryption types, using a normal salt.

the same key, Kerberos 5 incorporates more information into the key

using something called a salt. The supported salt types are as

follows:

-<table border="1" class="docutils">

+<table class="docutils align-default">

-<col width="25%" />

-<col width="75%" />

+<col style="width: 25%" />

+<col style="width: 75%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>normal</td>

-<td>default for Kerberos Version 5</td>

+<tbody>

+<tr class="row-odd"><td>normal</td>

+<td>default for Kerberos Version 5</td>

</tr>

-<tr class="row-even"><td>norealm</td>

-<td>same as the default, without using realm information</td>

+<tr class="row-even"><td>norealm</td>

+<td>same as the default, without using realm information</td>

</tr>

-<tr class="row-odd"><td>onlyrealm</td>

-<td>uses only realm information as the salt</td>

+<tr class="row-odd"><td>onlyrealm</td>

+<td>uses only realm information as the salt</td>

</tr>

-<tr class="row-even"><td>special</td>

-<td>generate a random salt</td>

+<tr class="row-even"><td>special</td>

+<td>generate a random salt</td>

</tr>

</tbody>

</table>

-</div>

-<div class="section" id="sample-kdc-conf-file">

+</section>

+<section id="sample-kdc-conf-file">

<h2>Sample kdc.conf File<a class="headerlink" href="#sample-kdc-conf-file" title="Permalink to this headline">¶</a></h2>

Here’s an example of a kdc.conf file:

-<div class="highlight-default"><div class="highlight"><pre>[kdcdefaults]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[kdcdefaults]

kdc_listen = 88

kdc_tcp_listen = 88

[realms]

@@ -958,23 +943,25 @@ follows:

}

</pre></div>

</div>

-</div>

-<div class="section" id="files">

+</section>

+<section id="files">

<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>

-<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kdc.conf</code>

-</div>

-<div class="section" id="see-also">

+<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/kdc.conf</code>

+</section>

+<section id="see-also">

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

@@ -1054,6 +1041,7 @@ follows:

</form>

</div>

</div>

@@ -1061,8 +1049,8 @@ follows:

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

+ © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT.

</div>

diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html
index b35cf131805c..7c922675d149 100644
--- a/doc/html/admin/conf_files/krb5_conf.html
+++ b/doc/html/admin/conf_files/krb5_conf.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>krb5.conf — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />

+ <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>

+ <script src="../../_static/jquery.js"></script>

+ <script src="../../_static/underscore.js"></script>

+ <script src="../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,32 +52,32 @@

- <div class="section" id="krb5-conf">

+ <section id="krb5-conf">

The krb5.conf file contains Kerberos configuration information,

including the locations of KDCs and admin servers for the Kerberos

realms of interest, defaults for the current realm and for Kerberos

applications, and mappings of hostnames onto Kerberos realms.

Normally, you should install your krb5.conf file in the directory

-<code class="docutils literal">/etc</code>. You can override the default location by setting the

+<code class="docutils literal notranslate">/etc</code>. You can override the default location by setting the

environment variable KRB5_CONFIG. Multiple colon-separated

filenames may be specified in KRB5_CONFIG; all files which are

present will be read. Starting in release 1.14, directory names can

also be specified in KRB5_CONFIG; all files within the directory

whose names consist solely of alphanumeric characters, dashes, or

underscores will be read.

-<div class="section" id="structure">

+<section id="structure">

<h2>Structure<a class="headerlink" href="#structure" title="Permalink to this headline">¶</a></h2>

The krb5.conf file is set up in the style of a Windows INI file.

Lines beginning with ‘#’ or ‘;’ (possibly after initial whitespace)

are ignored as comments. Sections are headed by the section name, in

square brackets. Each section may contain zero or more relations, of

the form:

-<div class="highlight-default"><div class="highlight"><pre>foo = bar

+<div class="highlight-default notranslate"><div class="highlight"><pre>foo = bar

</pre></div>

</div>

or:

-<div class="highlight-default"><div class="highlight"><pre>fubar = {

+<div class="highlight-default notranslate"><div class="highlight"><pre>fubar = {

foo = bar

baz = quux

}

@@ -99,7 +90,7 @@ A subsection can be marked as final by placing a ‘*’ after either the

tag name or the closing brace.

The krb5.conf file can include other files using either of the

following directives at the beginning of a line:

-<div class="highlight-default"><div class="highlight"><pre>include FILENAME

+<div class="highlight-default notranslate"><div class="highlight"><pre>include FILENAME

includedir DIRNAME

</pre></div>

</div>

@@ -117,110 +108,108 @@ order.

from a loadable module, rather than the file itself, using the

following directive at the beginning of a line before any section

headers:

-<div class="highlight-default"><div class="highlight"><pre>module MODULEPATH:RESIDUAL

+<div class="highlight-default notranslate"><div class="highlight"><pre>module MODULEPATH:RESIDUAL

</pre></div>

</div>

MODULEPATH may be relative to the library path of the krb5

installation, or it may be an absolute path. RESIDUAL is provided

to the module at initialization time. If krb5.conf uses a module

directive, <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> should also use one if it exists.

-</div>

-<div class="section" id="sections">

+</section>

+<section id="sections">

<h2>Sections<a class="headerlink" href="#sections" title="Permalink to this headline">¶</a></h2>

The krb5.conf file may contain the following sections:

-<table border="1" class="docutils">

+<table class="docutils align-default">

-<col width="26%" />

-<col width="74%" />

+<col style="width: 26%" />

+<col style="width: 74%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td><a class="reference internal" href="#libdefaults">[libdefaults]</a></td>

-<td>Settings used by the Kerberos V5 library</td>

+<tbody>

+<tr class="row-odd"><td><a class="reference internal" href="#libdefaults">[libdefaults]</a></td>

+<td>Settings used by the Kerberos V5 library</td>

</tr>

-<tr class="row-even"><td><a class="reference internal" href="#realms">[realms]</a></td>

-<td>Realm-specific contact information and settings</td>

+<tr class="row-even"><td><a class="reference internal" href="#realms">[realms]</a></td>

+<td>Realm-specific contact information and settings</td>

</tr>

-<tr class="row-odd"><td><a class="reference internal" href="#domain-realm">[domain_realm]</a></td>

-<td>Maps server hostnames to Kerberos realms</td>

+<tr class="row-odd"><td><a class="reference internal" href="#domain-realm">[domain_realm]</a></td>

+<td>Maps server hostnames to Kerberos realms</td>

</tr>

-<tr class="row-even"><td><a class="reference internal" href="#capaths">[capaths]</a></td>

-<td>Authentication paths for non-hierarchical cross-realm</td>

+<tr class="row-even"><td><a class="reference internal" href="#capaths">[capaths]</a></td>

+<td>Authentication paths for non-hierarchical cross-realm</td>

</tr>

-<tr class="row-odd"><td><a class="reference internal" href="#appdefaults">[appdefaults]</a></td>

-<td>Settings used by some Kerberos V5 applications</td>

+<tr class="row-odd"><td><a class="reference internal" href="#appdefaults">[appdefaults]</a></td>

+<td>Settings used by some Kerberos V5 applications</td>

</tr>

-<tr class="row-even"><td><a class="reference internal" href="#plugins">[plugins]</a></td>

-<td>Controls plugin module registration</td>

+<tr class="row-even"><td><a class="reference internal" href="#plugins">[plugins]</a></td>

+<td>Controls plugin module registration</td>

</tr>

</tbody>

</table>

Additionally, krb5.conf may include any of the relations described in

<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>, but it is not a recommended practice.

-<div class="section" id="libdefaults">

+<section id="libdefaults">

<h3>[libdefaults]<a class="headerlink" href="#libdefaults" title="Permalink to this headline">¶</a></h3>

The libdefaults section may contain any of the following relations:

-<dl class="docutils">

-<dt>allow_des3</dt>

-<dd>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.

+<dl>

+<dt>allow_des3</dt><dd>Permit the KDC to issue tickets with des3-cbc-sha1 session keys.

In future releases, this flag will allow des3-cbc-sha1 to be used

at all. The default value for this tag is false. (Added in

-release 1.21.)</dd>

-<dt>allow_rc4</dt>

-<dd>Permit the KDC to issue tickets with arcfour-hmac session keys.

+release 1.21.)

+</dd>

+<dt>allow_rc4</dt><dd>Permit the KDC to issue tickets with arcfour-hmac session keys.

In future releases, this flag will allow arcfour-hmac to be used

at all. The default value for this tag is false. (Added in

-release 1.21.)</dd>

-<dt>allow_weak_crypto</dt>

-<dd>If this flag is set to false, then weak encryption types (as noted

+release 1.21.)

+</dd>

+<dt>allow_weak_crypto</dt><dd>If this flag is set to false, then weak encryption types (as noted

in <a class="reference internal" href="kdc_conf.html#encryption-types">Encryption types</a> in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>) will be filtered

out of the lists default_tgs_enctypes,

default_tkt_enctypes, and permitted_enctypes. The default

-value for this tag is false.</dd>

-<dt>canonicalize</dt>

-<dd>If this flag is set to true, initial ticket requests to the KDC

+value for this tag is false.

+</dd>

+<dt>canonicalize</dt><dd>If this flag is set to true, initial ticket requests to the KDC

will request canonicalization of the client principal name, and

answers with different client principals than the requested

-principal will be accepted. The default value is false.</dd>

-<dt>ccache_type</dt>

-<dd>This parameter determines the format of credential cache types

+principal will be accepted. The default value is false.

+</dd>

+<dt>ccache_type</dt><dd>This parameter determines the format of credential cache types

created by <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1">kinit</a> or other programs. The default value

is 4, which represents the most current format. Smaller values

can be used for compatibility with very old implementations of

-Kerberos which interact with credential caches on the same host.</dd>

-<dt>clockskew</dt>

-<dd>Sets the maximum allowable amount of clockskew in seconds that the

+Kerberos which interact with credential caches on the same host.

+</dd>

+<dt>clockskew</dt><dd>Sets the maximum allowable amount of clockskew in seconds that the

library will tolerate before assuming that a Kerberos message is

invalid. The default value is 300 seconds, or five minutes.

-The clockskew setting is also used when evaluating ticket start

+The clockskew setting is also used when evaluating ticket start

and expiration times. For example, tickets that have reached

their expiration time can still be used (and renewed if they are

renewable tickets) if they have been expired for a shorter

duration than the clockskew setting.

</dd>

-<dt>default_ccache_name</dt>

-<dd>This relation specifies the name of the default credential cache.

+<dt>default_ccache_name</dt><dd>This relation specifies the name of the default credential cache.

The default is <a class="reference internal" href="../../mitK5defaults.html#paths">DEFCCNAME</a>. This relation is subject to parameter

-expansion (see below). New in release 1.11.</dd>

-<dt>default_client_keytab_name</dt>

-<dd>This relation specifies the name of the default keytab for

+expansion (see below). New in release 1.11.

+</dd>

+<dt>default_client_keytab_name</dt><dd>This relation specifies the name of the default keytab for

obtaining client credentials. The default is <a class="reference internal" href="../../mitK5defaults.html#paths">DEFCKTNAME</a>. This

relation is subject to parameter expansion (see below).

-New in release 1.11.</dd>

-<dt>default_keytab_name</dt>

-<dd>This relation specifies the default keytab name to be used by

+New in release 1.11.

+</dd>

+<dt>default_keytab_name</dt><dd>This relation specifies the default keytab name to be used by

application servers such as sshd. The default is <a class="reference internal" href="../../mitK5defaults.html#paths">DEFKTNAME</a>. This

-relation is subject to parameter expansion (see below).</dd>

-<dt>default_rcache_name</dt>

-<dd>This relation specifies the name of the default replay cache.

-The default is <code class="docutils literal">dfl:</code>. This relation is subject to parameter

-expansion (see below). New in release 1.18.</dd>

-<dt>default_realm</dt>

-<dd>Identifies the default Kerberos realm for the client. Set its

+relation is subject to parameter expansion (see below).

+</dd>

+<dt>default_rcache_name</dt><dd>This relation specifies the name of the default replay cache.

+The default is <code class="docutils literal notranslate">dfl:</code>. This relation is subject to parameter

+expansion (see below). New in release 1.18.

+</dd>

+<dt>default_realm</dt><dd>Identifies the default Kerberos realm for the client. Set its

value to your Kerberos realm. If this value is not set, then a

realm must be specified with every Kerberos principal when

-invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1">kinit</a>.</dd>

-<dt>default_tgs_enctypes</dt>

-<dd>Identifies the supported list of session key encryption types that

+invoking programs such as <a class="reference internal" href="../../user/user_commands/kinit.html#kinit-1">kinit</a>.

+</dd>

+<dt>default_tgs_enctypes</dt><dd>Identifies the supported list of session key encryption types that

the client should request when making a TGS-REQ, in order of

preference from highest to lowest. The list may be delimited with

commas or whitespace. See <a class="reference internal" href="kdc_conf.html#encryption-types">Encryption types</a> in

@@ -228,42 +217,40 @@ commas or whitespace. See <a class="reference internal" href="kdc_conf.html#enc

Starting in release 1.18, the default value is the value of

permitted_enctypes. For previous releases or if

permitted_enctypes is not set, the default value is

-<code class="docutils literal">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.

-Do not set this unless required for specific backward

+<code class="docutils literal notranslate">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.

+Do not set this unless required for specific backward

compatibility purposes; stale values of this setting can prevent

clients from taking advantage of new stronger enctypes when the

libraries are upgraded.

</dd>

-<dt>default_tkt_enctypes</dt>

-<dd>Identifies the supported list of session key encryption types that

+<dt>default_tkt_enctypes</dt><dd>Identifies the supported list of session key encryption types that

the client should request when making an AS-REQ, in order of

preference from highest to lowest. The format is the same as for

default_tgs_enctypes. Starting in release 1.18, the default

value is the value of permitted_enctypes. For previous

releases or if permitted_enctypes is not set, the default

-value is <code class="docutils literal">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.

-Do not set this unless required for specific backward

+value is <code class="docutils literal notranslate">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.

+Do not set this unless required for specific backward

compatibility purposes; stale values of this setting can prevent

clients from taking advantage of new stronger enctypes when the

libraries are upgraded.

</dd>

-<dt>dns_canonicalize_hostname</dt>

-<dd>Indicate whether name lookups will be used to canonicalize

+<dt>dns_canonicalize_hostname</dt><dd>Indicate whether name lookups will be used to canonicalize

hostnames for use in service principal names. Setting this flag

to false can improve security by reducing reliance on DNS, but

means that short hostnames will not be canonicalized to

-fully-qualified hostnames. If this option is set to <code class="docutils literal">fallback</code> (new

+fully-qualified hostnames. If this option is set to <code class="docutils literal notranslate">fallback</code> (new

in release 1.18), DNS canonicalization will only be performed the

server hostname is not found with the original name when

-requesting credentials. The default value is true.</dd>

-<dt>dns_lookup_kdc</dt>

-<dd>Indicate whether DNS SRV records should be used to locate the KDCs

+requesting credentials. The default value is true.

+</dd>

+<dt>dns_lookup_kdc</dt><dd>Indicate whether DNS SRV records should be used to locate the KDCs

and other servers for a realm, if they are not listed in the

krb5.conf information for the realm. (Note that the admin_server

entry must be in the krb5.conf realm information in order to

contact kadmind, because the DNS implementation for kadmin is

incomplete.)

-Enabling this option does open up a type of denial-of-service

+Enabling this option does open up a type of denial-of-service

attack, if someone spoofs the DNS records and redirects you to

another server. However, it’s no worse than a denial of service,

because that fake KDC will be unable to decode anything you send

@@ -271,215 +258,212 @@ it (besides the initial ticket request, which has no encrypted

data), and anything the fake KDC sends will not be trusted without

verification using some secret that it won’t know.

</dd>

-<dt>dns_uri_lookup</dt>

-<dd>Indicate whether DNS URI records should be used to locate the KDCs

+<dt>dns_uri_lookup</dt><dd>Indicate whether DNS URI records should be used to locate the KDCs

and other servers for a realm, if they are not listed in the

krb5.conf information for the realm. SRV records are used as a

fallback if no URI records were found. The default value is true.

-New in release 1.15.</dd>

-<dt>enforce_ok_as_delegate</dt>

-<dd>If this flag to true, GSSAPI credential delegation will be

-disabled when the <code class="docutils literal">ok-as-delegate</code> flag is not set in the

-service ticket. If this flag is false, the <code class="docutils literal">ok-as-delegate</code>

+New in release 1.15.

+</dd>

+<dt>enforce_ok_as_delegate</dt><dd>If this flag to true, GSSAPI credential delegation will be

+disabled when the <code class="docutils literal notranslate">ok-as-delegate</code> flag is not set in the

+service ticket. If this flag is false, the <code class="docutils literal notranslate">ok-as-delegate</code>

ticket flag is only enforced when an application specifically

-requests enforcement. The default value is false.</dd>

-<dt>err_fmt</dt>

-<dd>This relation allows for custom error message formatting. If a

+requests enforcement. The default value is false.

+</dd>

+<dt>err_fmt</dt><dd>This relation allows for custom error message formatting. If a

value is set, error messages will be formatted by substituting a

-normal error message for %M and an error code for %C in the value.</dd>

-<dt>extra_addresses</dt>

-<dd>This allows a computer to use multiple local addresses, in order

+normal error message for %M and an error code for %C in the value.

+</dd>

+<dt>extra_addresses</dt><dd>This allows a computer to use multiple local addresses, in order

to allow Kerberos to work in a network that uses NATs while still

using address-restricted tickets. The addresses should be in a

comma-separated list. This option has no effect if

-noaddresses is true.</dd>

-<dt>forwardable</dt>

-<dd>If this flag is true, initial tickets will be forwardable by

-default, if allowed by the KDC. The default value is false.</dd>

-<dt>ignore_acceptor_hostname</dt>

-<dd>When accepting GSSAPI or krb5 security contexts for host-based

+noaddresses is true.

+</dd>

+<dt>forwardable</dt><dd>If this flag is true, initial tickets will be forwardable by

+default, if allowed by the KDC. The default value is false.

+</dd>

+<dt>ignore_acceptor_hostname</dt><dd>When accepting GSSAPI or krb5 security contexts for host-based

service principals, ignore any hostname passed by the calling

application, and allow clients to authenticate to any service

principal in the keytab matching the service name and realm name

(if given). This option can improve the administrative

flexibility of server applications on multihomed hosts, but could

compromise the security of virtual hosting environments. The

-default value is false. New in release 1.10.</dd>

-<dt>k5login_authoritative</dt>

-<dd>If this flag is true, principals must be listed in a local user’s

+default value is false. New in release 1.10.

+</dd>

+<dt>k5login_authoritative</dt><dd>If this flag is true, principals must be listed in a local user’s

k5login file to be granted login access, if a <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5">.k5login</a>

file exists. If this flag is false, a principal may still be

granted login access through other mechanisms even if a k5login

file exists but does not list the principal. The default value is

-true.</dd>

-<dt>k5login_directory</dt>

-<dd>If set, the library will look for a local user’s k5login file

+true.

+</dd>

+<dt>k5login_directory</dt><dd>If set, the library will look for a local user’s k5login file

within the named directory, with a filename corresponding to the

local username. If not set, the library will look for k5login

files in the user’s home directory, with the filename .k5login.

For security reasons, .k5login files must be owned by

-the local user or by root.</dd>

-<dt>kcm_mach_service</dt>

-<dd>On macOS only, determines the name of the bootstrap service used to

+the local user or by root.

+</dd>

+<dt>kcm_mach_service</dt><dd>On macOS only, determines the name of the bootstrap service used to

contact the KCM daemon for the KCM credential cache type. If the

-value is <code class="docutils literal">-</code>, Mach RPC will not be used to contact the KCM

-daemon. The default value is <code class="docutils literal">org.h5l.kcm</code>.</dd>

-<dt>kcm_socket</dt>

-<dd>Determines the path to the Unix domain socket used to access the

+value is <code class="docutils literal notranslate">-</code>, Mach RPC will not be used to contact the KCM

+daemon. The default value is <code class="docutils literal notranslate">org.h5l.kcm</code>.

+</dd>

+<dt>kcm_socket</dt><dd>Determines the path to the Unix domain socket used to access the

KCM daemon for the KCM credential cache type. If the value is

-<code class="docutils literal">-</code>, Unix domain sockets will not be used to contact the KCM

+<code class="docutils literal notranslate">-</code>, Unix domain sockets will not be used to contact the KCM

daemon. The default value is

-<code class="docutils literal">/var/run/.heim_org.h5l.kcm-socket</code>.</dd>

-<dt>kdc_default_options</dt>

-<dd>Default KDC options (Xored for multiple values) when requesting

+<code class="docutils literal notranslate">/var/run/.heim_org.h5l.kcm-socket</code>.

+</dd>

+<dt>kdc_default_options</dt><dd>Default KDC options (Xored for multiple values) when requesting

initial tickets. By default it is set to 0x00000010

-(KDC_OPT_RENEWABLE_OK).</dd>

-<dt>kdc_timesync</dt>

-<dd>Accepted values for this relation are 1 or 0. If it is nonzero,

+(KDC_OPT_RENEWABLE_OK).

+</dd>

+<dt>kdc_timesync</dt><dd>Accepted values for this relation are 1 or 0. If it is nonzero,

client machines will compute the difference between their time and

the time returned by the KDC in the timestamps in the tickets and

use this value to correct for an inaccurate system clock when

requesting service tickets or authenticating to services. This

corrective factor is only used by the Kerberos library; it is not

-used to change the system clock. The default value is 1.</dd>

-<dt>noaddresses</dt>

-<dd>If this flag is true, requests for initial tickets will not be

+used to change the system clock. The default value is 1.

+</dd>

+<dt>noaddresses</dt><dd>If this flag is true, requests for initial tickets will not be

made with address restrictions set, allowing the tickets to be

-used across NATs. The default value is true.</dd>

-<dt>permitted_enctypes</dt>

-<dd>Identifies the encryption types that servers will permit for

+used across NATs. The default value is true.

+</dd>

+<dt>permitted_enctypes</dt><dd>Identifies the encryption types that servers will permit for

session keys and for ticket and authenticator encryption, ordered

by preference from highest to lowest. Starting in release 1.18,

this tag also acts as the default value for

default_tgs_enctypes and default_tkt_enctypes. The

-default value for this tag is <code class="docutils literal">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.</dd>

-<dt>plugin_base_dir</dt>

-<dd>If set, determines the base directory where krb5 plugins are

-located. The default value is the <code class="docutils literal">krb5/plugins</code> subdirectory

+default value for this tag is <code class="docutils literal notranslate">aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac</code>.

+</dd>

+<dt>plugin_base_dir</dt><dd>If set, determines the base directory where krb5 plugins are

+located. The default value is the <code class="docutils literal notranslate">krb5/plugins</code> subdirectory

of the krb5 library directory. This relation is subject to

-parameter expansion (see below) in release 1.17 and later.</dd>

-<dt>preferred_preauth_types</dt>

-<dd>This allows you to set the preferred preauthentication types which

+parameter expansion (see below) in release 1.17 and later.

+</dd>

+<dt>preferred_preauth_types</dt><dd>This allows you to set the preferred preauthentication types which

the client will attempt before others which may be advertised by a

KDC. The default value for this setting is “17, 16, 15, 14”,

-which forces libkrb5 to attempt to use PKINIT if it is supported.</dd>

-<dt>proxiable</dt>

-<dd>If this flag is true, initial tickets will be proxiable by

-default, if allowed by the KDC. The default value is false.</dd>

-<dt>qualify_shortname</dt>

-<dd>If this string is set, it determines the domain suffix for

+which forces libkrb5 to attempt to use PKINIT if it is supported.

+</dd>

+<dt>proxiable</dt><dd>If this flag is true, initial tickets will be proxiable by

+default, if allowed by the KDC. The default value is false.

+</dd>

+<dt>qualify_shortname</dt><dd>If this string is set, it determines the domain suffix for

single-component hostnames when DNS canonicalization is not used

(either because dns_canonicalize_hostname is false or because

forward canonicalization failed). The default value is the first

search domain of the system’s DNS configuration. To disable

qualification of shortnames, set this relation to the empty string

-with <code class="docutils literal">qualify_shortname = ""</code>. (New in release 1.18.)</dd>

-<dt>rdns</dt>

-<dd>If this flag is true, reverse name lookup will be used in addition

+with <code class="docutils literal notranslate">qualify_shortname = ""</code>. (New in release 1.18.)

+</dd>

+<dt>rdns</dt><dd>If this flag is true, reverse name lookup will be used in addition

to forward name lookup to canonicalizing hostnames for use in

service principal names. If dns_canonicalize_hostname is set

-to false, this flag has no effect. The default value is true.</dd>

-<dt>realm_try_domains</dt>

-<dd>Indicate whether a host’s domain components should be used to

+to false, this flag has no effect. The default value is true.

+</dd>

+<dt>realm_try_domains</dt><dd>Indicate whether a host’s domain components should be used to

determine the Kerberos realm of the host. The value of this

variable is an integer: -1 means not to search, 0 means to try the

host’s domain itself, 1 means to also try the domain’s immediate

parent, and so forth. The library’s usual mechanism for locating

Kerberos realms is used to determine whether a domain is a valid

realm, which may involve consulting DNS if dns_lookup_kdc is

-set. The default is not to search domain components.</dd>

-<dt>renew_lifetime</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Sets the default renewable lifetime

-for initial ticket requests. The default value is 0.</dd>

-<dt>spake_preauth_groups</dt>

-<dd>A whitespace or comma-separated list of words which specifies the

+set. The default is not to search domain components.

+</dd>

+<dt>renew_lifetime</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Sets the default renewable lifetime

+for initial ticket requests. The default value is 0.

+</dd>

+<dt>spake_preauth_groups</dt><dd>A whitespace or comma-separated list of words which specifies the

groups allowed for SPAKE preauthentication. The possible values

are:

-<table border="1" class="docutils">

+<table class="docutils align-default">

-<col width="27%" />

-<col width="73%" />

+<col style="width: 27%" />

+<col style="width: 73%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>edwards25519</td>

-<td>Edwards25519 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html">RFC 7748</a>)</td>

+<tbody>

+<tr class="row-odd"><td>edwards25519</td>

+<td>Edwards25519 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc7748.html">RFC 7748</a>)</td>

</tr>

-<tr class="row-even"><td>P-256</td>

-<td>NIST P-256 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

+<tr class="row-even"><td>P-256</td>

+<td>NIST P-256 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

</tr>

-<tr class="row-odd"><td>P-384</td>

-<td>NIST P-384 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

+<tr class="row-odd"><td>P-384</td>

+<td>NIST P-384 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

</tr>

-<tr class="row-even"><td>P-521</td>

-<td>NIST P-521 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

+<tr class="row-even"><td>P-521</td>

+<td>NIST P-521 curve (<a class="rfc reference external" href="https://tools.ietf.org/html/rfc5480.html">RFC 5480</a>)</td>

</tr>

</tbody>

</table>

-The default value for the client is <code class="docutils literal">edwards25519</code>. The default

+The default value for the client is <code class="docutils literal notranslate">edwards25519</code>. The default

value for the KDC is empty. New in release 1.17.

</dd>

-<dt>ticket_lifetime</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Sets the default lifetime for initial

-ticket requests. The default value is 1 day.</dd>

-<dt>udp_preference_limit</dt>

-<dd>When sending a message to the KDC, the library will try using TCP

+<dt>ticket_lifetime</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#duration">Time duration</a> string.) Sets the default lifetime for initial

+ticket requests. The default value is 1 day.

+</dd>

+<dt>udp_preference_limit</dt><dd>When sending a message to the KDC, the library will try using TCP

before UDP if the size of the message is above

udp_preference_limit. If the message is smaller than

udp_preference_limit, then UDP will be tried before TCP.

Regardless of the size, both protocols will be tried if the first

-attempt fails.</dd>

-<dt>verify_ap_req_nofail</dt>

-<dd>If this flag is true, then an attempt to verify initial

+attempt fails.

+</dd>

+<dt>verify_ap_req_nofail</dt><dd>If this flag is true, then an attempt to verify initial

credentials will fail if the client machine does not have a

-keytab. The default value is false.</dd>

-<dt>client_aware_channel_bindings</dt>

-<dd>If this flag is true, then all application protocol authentication

+keytab. The default value is false.

+</dd>

+<dt>client_aware_channel_bindings</dt><dd>If this flag is true, then all application protocol authentication

requests will be flagged to indicate that the application supports

channel bindings when operating over a secure channel. The

-default value is false.</dd>

+default value is false.

+</dd>

</dl>

-</div>

-<div class="section" id="realms">

+</section>

+<section id="realms">

<h3>[realms]<a class="headerlink" href="#realms" title="Permalink to this headline">¶</a></h3>

Each tag in the [realms] section of the file is the name of a Kerberos

realm. The value of the tag is a subsection with relations that

define the properties of that particular realm. For each realm, the

following tags may be specified in the realm’s subsection:

-<dl class="docutils">

-<dt>admin_server</dt>

-<dd>Identifies the host where the administration server is running.

+<dl>

+<dt>admin_server</dt><dd>Identifies the host where the administration server is running.

Typically, this is the primary Kerberos server. This tag must be

given a value in order to communicate with the <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

-server for the realm.</dd>

-<dt>auth_to_local</dt>

-<dd>This tag allows you to set a general rule for mapping principal

+server for the realm.

+</dd>

+<dt>auth_to_local</dt><dd>This tag allows you to set a general rule for mapping principal

names to local user names. It will be used if there is not an

explicit mapping for the principal name that is being

translated. The possible values are:

-<dl class="docutils">

-<dt>RULE:exp</dt>

-<dd>The local name will be formulated from exp.

-The format for exp is [n:string](regexp)s/pattern/replacement/g.

+<dl>

+<dt>RULE:exp</dt><dd>The local name will be formulated from exp.

+The format for exp is [n:string](regexp)s/pattern/replacement/g.

The integer n indicates how many components the target

principal should have. If this matches, then a string will be

formed from string, substituting the realm of the principal

-for <code class="docutils literal">$0</code> and the n’th component of the principal for

-<code class="docutils literal">$n</code> (e.g., if the principal was <code class="docutils literal">johndoe/admin</code> then

-<code class="docutils literal">[2:$2$1foo]</code> would result in the string

-<code class="docutils literal">adminjohndoefoo</code>). If this string matches regexp, then

-the <code class="docutils literal">s//[g]</code> substitution command will be run over the

+for <code class="docutils literal notranslate">$0</code> and the n’th component of the principal for

+<code class="docutils literal notranslate">$n</code> (e.g., if the principal was <code class="docutils literal notranslate">johndoe/admin</code> then

+<code class="docutils literal notranslate">[2:$2$1foo]</code> would result in the string

+<code class="docutils literal notranslate">adminjohndoefoo</code>). If this string matches regexp, then

+the <code class="docutils literal notranslate">s//[g]</code> substitution command will be run over the

string. The optional g will cause the substitution to be

global over the string, instead of replacing only the first

match in the string.

</dd>

-<dt>DEFAULT</dt>

-<dd>The principal name will be used as the local user name. If

+<dt>DEFAULT</dt><dd>The principal name will be used as the local user name. If

the principal has more than one component or is not in the

default realm, this rule is not applicable and the conversion

-will fail.</dd>

+will fail.

+</dd>

</dl>

For example:

-<div class="highlight-default"><div class="highlight"><pre>[realms]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[realms]

ATHENA.MIT.EDU = {

auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/

auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//

@@ -488,34 +472,33 @@ will fail.</dd>

}

</pre></div>

</div>

-would result in any principal without <code class="docutils literal">root</code> or <code class="docutils literal">admin</code> as the

+would result in any principal without <code class="docutils literal notranslate">root</code> or <code class="docutils literal notranslate">admin</code> as the

second component to be translated with the default rule. A

-principal with a second component of <code class="docutils literal">admin</code> will become its

-first component. <code class="docutils literal">root</code> will be used as the local name for any

-principal with a second component of <code class="docutils literal">root</code>. The exception to

-these two rules are any principals <code class="docutils literal">johndoe/*</code>, which will

-always get the local name <code class="docutils literal">guest</code>.

+principal with a second component of <code class="docutils literal notranslate">admin</code> will become its

+first component. <code class="docutils literal notranslate">root</code> will be used as the local name for any

+principal with a second component of <code class="docutils literal notranslate">root</code>. The exception to

+these two rules are any principals <code class="docutils literal notranslate">johndoe/*</code>, which will

+always get the local name <code class="docutils literal notranslate">guest</code>.

</dd>

-<dt>auth_to_local_names</dt>

-<dd>This subsection allows you to set explicit mappings from principal

+<dt>auth_to_local_names</dt><dd>This subsection allows you to set explicit mappings from principal

names to local user names. The tag is the mapping name, and the

-value is the corresponding local user name.</dd>

-<dt>default_domain</dt>

-<dd>This tag specifies the domain used to expand hostnames when

+value is the corresponding local user name.

+</dd>

+<dt>default_domain</dt><dd>This tag specifies the domain used to expand hostnames when

translating Kerberos 4 service principals to Kerberos 5 principals

-(for example, when converting <code class="docutils literal">rcmd.hostname</code> to

-<code class="docutils literal">host/hostname.domain</code>).</dd>

-<dt>disable_encrypted_timestamp</dt>

-<dd>If this flag is true, the client will not perform encrypted

+(for example, when converting <code class="docutils literal notranslate">rcmd.hostname</code> to

+<code class="docutils literal notranslate">host/hostname.domain</code>).

+</dd>

+<dt>disable_encrypted_timestamp</dt><dd>If this flag is true, the client will not perform encrypted

timestamp preauthentication if requested by the KDC. Setting this

flag can help to prevent dictionary attacks by active attackers,

if the realm’s KDCs support SPAKE preauthentication or if initial

authentication always uses another mechanism or always uses FAST.

This flag persists across client referrals during initial

authentication. This flag does not prevent the KDC from offering

-encrypted timestamp. New in release 1.17.</dd>

-<dt>http_anchors</dt>

-<dd>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag

+encrypted timestamp. New in release 1.17.

+</dd>

+<dt>http_anchors</dt><dd>When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag

can be used to specify the location of the CA certificate which should be

trusted to issue the certificate for a proxy server. If left unspecified,

the system-wide default set of CA certificates is used.

@@ -528,70 +511,70 @@ the system-wide default set of CA certificates is used.

All files in the directory will be examined; if they contain certificates

(in PEM format), they will be used.

ENV: envvar

-envvar specifies the name of an environment variable which has been set

+envvar specifies the name of an environment variable which has been set

to a value conforming to one of the previous values. For example,

-<code class="docutils literal">ENV:X509_PROXY_CA</code>, where environment variable <code class="docutils literal">X509_PROXY_CA</code> has

-been set to <code class="docutils literal">FILE:/tmp/my_proxy.pem</code>.

+<code class="docutils literal notranslate">ENV:X509_PROXY_CA</code>, where environment variable <code class="docutils literal notranslate">X509_PROXY_CA</code> has

+been set to <code class="docutils literal notranslate">FILE:/tmp/my_proxy.pem</code>.

</dd>

-<dt>kdc</dt>

-<dd>The name or address of a host running a KDC for that realm. An

+<dt>kdc</dt><dd>The name or address of a host running a KDC for that realm. An

optional port number, separated from the hostname by a colon, may

be included. If the name or address contains colons (for example,

if it is an IPv6 address), enclose it in square brackets to

distinguish the colon from a port separator. For your computer to

be able to communicate with the KDC for each realm, this tag must

be given a value in each realm subsection in the configuration

-file, or there must be DNS SRV records specifying the KDCs.</dd>

-<dt>kpasswd_server</dt>

-<dd>Points to the server where all the password changes are performed.

+file, or there must be DNS SRV records specifying the KDCs.

+</dd>

+<dt>kpasswd_server</dt><dd>Points to the server where all the password changes are performed.

If there is no such entry, DNS will be queried (unless forbidden

by dns_lookup_kdc). Finally, port 464 on the admin_server

-host will be tried.</dd>

-<dt>master_kdc</dt>

-<dd>The name for primary_kdc prior to release 1.19. Its value is

-used as a fallback if primary_kdc is not specified.</dd>

-<dt>primary_kdc</dt>

-<dd>Identifies the primary KDC(s). Currently, this tag is used in only

+host will be tried.

+</dd>

+<dt>master_kdc</dt><dd>The name for primary_kdc prior to release 1.19. Its value is

+used as a fallback if primary_kdc is not specified.

+</dd>

+<dt>primary_kdc</dt><dd>Identifies the primary KDC(s). Currently, this tag is used in only

one case: If an attempt to get credentials fails because of an

invalid password, the client software will attempt to contact the

primary KDC, in case the user’s password has just been changed, and

the updated database has not been propagated to the replica

-servers yet. New in release 1.19.</dd>

-<dt>v4_instance_convert</dt>

-<dd>This subsection allows the administrator to configure exceptions

+servers yet. New in release 1.19.

+</dd>

+<dt>v4_instance_convert</dt><dd>This subsection allows the administrator to configure exceptions

to the default_domain mapping rule. It contains V4 instances

(the tag name) which should be translated to some specific

hostname (the tag value) as the second component in a Kerberos V5

-principal name.</dd>

-<dt>v4_realm</dt>

-<dd>This relation is used by the krb524 library routines when

+principal name.

+</dd>

+<dt>v4_realm</dt><dd>This relation is used by the krb524 library routines when

converting a V5 principal name to a V4 principal name. It is used

when the V4 realm name and the V5 realm name are not the same, but

still share the same principal names and passwords. The tag value

-is the Kerberos V4 realm name.</dd>

+is the Kerberos V4 realm name.

+</dd>

</dl>

-</div>

-<div class="section" id="domain-realm">

+</section>

+<section id="domain-realm">

<h3>[domain_realm]<a class="headerlink" href="#domain-realm" title="Permalink to this headline">¶</a></h3>

The [domain_realm] section provides a translation from hostnames to

Kerberos realms. Each tag is a domain name, providing the mapping for

that domain and all subdomains. If the tag begins with a period

-(<code class="docutils literal">.</code>) then it applies only to subdomains. The Kerberos realm may be

+(<code class="docutils literal notranslate">.</code>) then it applies only to subdomains. The Kerberos realm may be

identified either in the <a class="reference internal" href="#realms">realms</a> section or using DNS SRV records.

Tag names should be in lower case. For example:

-<div class="highlight-default"><div class="highlight"><pre>[domain_realm]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[domain_realm]

crash.mit.edu = TEST.ATHENA.MIT.EDU

.dev.mit.edu = TEST.ATHENA.MIT.EDU

mit.edu = ATHENA.MIT.EDU

</pre></div>

</div>

-maps the host with the name <code class="docutils literal">crash.mit.edu</code> into the

-<code class="docutils literal">TEST.ATHENA.MIT.EDU</code> realm. The second entry maps all hosts under the

-domain <code class="docutils literal">dev.mit.edu</code> into the <code class="docutils literal">TEST.ATHENA.MIT.EDU</code> realm, but not

-the host with the name <code class="docutils literal">dev.mit.edu</code>. That host is matched

-by the third entry, which maps the host <code class="docutils literal">mit.edu</code> and all hosts

-under the domain <code class="docutils literal">mit.edu</code> that do not match a preceding rule

-into the realm <code class="docutils literal">ATHENA.MIT.EDU</code>.

+maps the host with the name <code class="docutils literal notranslate">crash.mit.edu</code> into the

+<code class="docutils literal notranslate">TEST.ATHENA.MIT.EDU</code> realm. The second entry maps all hosts under the

+domain <code class="docutils literal notranslate">dev.mit.edu</code> into the <code class="docutils literal notranslate">TEST.ATHENA.MIT.EDU</code> realm, but not

+the host with the name <code class="docutils literal notranslate">dev.mit.edu</code>. That host is matched

+by the third entry, which maps the host <code class="docutils literal notranslate">mit.edu</code> and all hosts

+under the domain <code class="docutils literal notranslate">mit.edu</code> that do not match a preceding rule

+into the realm <code class="docutils literal notranslate">ATHENA.MIT.EDU</code>.

If no translation entry applies to a hostname used for a service

principal for a service ticket request, the library will try to get a

referral to the appropriate realm from the client realm’s KDC. If

@@ -599,8 +582,8 @@ that does not succeed, the host’s realm is considered to be the

hostname’s domain portion converted to uppercase, unless the

realm_try_domains setting in [libdefaults] causes a different

parent domain to be used.

-</div>

-<div class="section" id="capaths">

+</section>

+<section id="capaths">

<h3>[capaths]<a class="headerlink" href="#capaths" title="Permalink to this headline">¶</a></h3>

In order to perform direct (non-hierarchical) cross-realm

authentication, configuration is needed to determine the

@@ -621,12 +604,12 @@ need to be present. A client needs a tag for its local realm with

subtags for all the realms of servers it will need to authenticate to.

A server needs a tag for each realm of the clients it will serve, with

a subtag of the server realm.

-For example, <code class="docutils literal">ANL.GOV</code>, <code class="docutils literal">PNL.GOV</code>, and <code class="docutils literal">NERSC.GOV</code> all wish to

-use the <code class="docutils literal">ES.NET</code> realm as an intermediate realm. ANL has a sub

-realm of <code class="docutils literal">TEST.ANL.GOV</code> which will authenticate with <code class="docutils literal">NERSC.GOV</code>

-but not <code class="docutils literal">PNL.GOV</code>. The [capaths] section for <code class="docutils literal">ANL.GOV</code> systems

+For example, <code class="docutils literal notranslate">ANL.GOV</code>, <code class="docutils literal notranslate">PNL.GOV</code>, and <code class="docutils literal notranslate">NERSC.GOV</code> all wish to

+use the <code class="docutils literal notranslate">ES.NET</code> realm as an intermediate realm. ANL has a sub

+realm of <code class="docutils literal notranslate">TEST.ANL.GOV</code> which will authenticate with <code class="docutils literal notranslate">NERSC.GOV</code>

+but not <code class="docutils literal notranslate">PNL.GOV</code>. The [capaths] section for <code class="docutils literal notranslate">ANL.GOV</code> systems

would look like this:

-<div class="highlight-default"><div class="highlight"><pre>[capaths]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[capaths]

ANL.GOV = {

TEST.ANL.GOV = .

PNL.GOV = ES.NET

@@ -647,9 +630,9 @@ would look like this:

}

</pre></div>

</div>

-The [capaths] section of the configuration file used on <code class="docutils literal">NERSC.GOV</code>

+The [capaths] section of the configuration file used on <code class="docutils literal notranslate">NERSC.GOV</code>

systems would look like this:

-<div class="highlight-default"><div class="highlight"><pre>[capaths]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[capaths]

NERSC.GOV = {

ANL.GOV = ES.NET

TEST.ANL.GOV = ES.NET

@@ -675,14 +658,14 @@ systems would look like this:

When a subtag is used more than once within a tag, clients will use

the order of values to determine the path. The order of values is not

important to servers.

-</div>

-<div class="section" id="appdefaults">

+</section>

+<section id="appdefaults">

<h3>[appdefaults]<a class="headerlink" href="#appdefaults" title="Permalink to this headline">¶</a></h3>

Each tag in the [appdefaults] section names a Kerberos V5 application

or an option that is used by some Kerberos V5 application[s]. The

value of the tag defines the default behaviors for that application.

For example:

-<div class="highlight-default"><div class="highlight"><pre>[appdefaults]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[appdefaults]

telnet = {

ATHENA.MIT.EDU = {

option1 = false

@@ -702,21 +685,21 @@ value of the tag defines the default behaviors for that application.

order of decreasing precedence. In this example, if telnet is running

in the realm EXAMPLE.COM, it should, by default, have option1 and

option2 set to true. However, a telnet program in the realm

-<code class="docutils literal">ATHENA.MIT.EDU</code> should have <code class="docutils literal">option1</code> set to false and

-<code class="docutils literal">option2</code> set to true. Any other programs in ATHENA.MIT.EDU should

-have <code class="docutils literal">option2</code> set to false by default. Any programs running in

-other realms should have <code class="docutils literal">option2</code> set to true.

+<code class="docutils literal notranslate">ATHENA.MIT.EDU</code> should have <code class="docutils literal notranslate">option1</code> set to false and

+<code class="docutils literal notranslate">option2</code> set to true. Any other programs in ATHENA.MIT.EDU should

+have <code class="docutils literal notranslate">option2</code> set to false by default. Any programs running in

+other realms should have <code class="docutils literal notranslate">option2</code> set to true.

The list of specifiable options for each application may be found in

that application’s man pages. The application defaults specified here

are overridden by those specified in the <a class="reference internal" href="#realms">realms</a> section.

-</div>

-<div class="section" id="plugins">

+</section>

+<section id="plugins">

<h3>[plugins]<a class="headerlink" href="#plugins" title="Permalink to this headline">¶</a></h3>

-<li><a class="reference internal" href="#pwqual">pwqual</a> interface</li>

-<li><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</li>

-<li><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</li>

+<li><a class="reference internal" href="#pwqual">pwqual</a> interface</li>

+<li><a class="reference internal" href="#kadm5-hook">kadm5_hook</a> interface</li>

+<li><a class="reference internal" href="#clpreauth">clpreauth</a> and <a class="reference internal" href="#kdcpreauth">kdcpreauth</a> interfaces</li>

</ul>

</div></blockquote>

Tags in the [plugins] section can be used to register dynamic plugin

@@ -726,22 +709,22 @@ here.

New in release 1.9.

Each pluggable interface corresponds to a subsection of [plugins].

All subsections support the same tags:

-<dl class="docutils">

-<dt>disable</dt>

-<dd>This tag may have multiple values. If there are values for this

+<dl class="simple">

+<dt>disable</dt><dd>This tag may have multiple values. If there are values for this

tag, then the named modules will be disabled for the pluggable

-interface.</dd>

-<dt>enable_only</dt>

-<dd>This tag may have multiple values. If there are values for this

+interface.

+</dd>

+<dt>enable_only</dt><dd>This tag may have multiple values. If there are values for this

tag, then only the named modules will be enabled for the pluggable

-interface.</dd>

-<dt>module</dt>

-<dd>This tag may have multiple values. Each value is a string of the

-form <code class="docutils literal">modulename:pathname</code>, which causes the shared object

+interface.

+</dd>

+<dt>module</dt><dd>This tag may have multiple values. Each value is a string of the

+form <code class="docutils literal notranslate">modulename:pathname</code>, which causes the shared object

located at pathname to be registered as a dynamic module named

modulename for the pluggable interface. If pathname is not an

absolute path, it will be treated as relative to the

-plugin_base_dir value from <a class="reference internal" href="#libdefaults">[libdefaults]</a>.</dd>

+plugin_base_dir value from <a class="reference internal" href="#libdefaults">[libdefaults]</a>.

+</dd>

</dl>

For pluggable interfaces where module order matters, modules

registered with a module tag normally come first, in the order

@@ -750,159 +733,159 @@ are documented below. If enable_only tags are used, then the

order of those tags overrides the normal module order.

The following subsections are currently supported within the [plugins]

section:

-<div class="section" id="ccselect-interface">

+<section id="ccselect-interface">

<h4>ccselect interface<a class="headerlink" href="#ccselect-interface" title="Permalink to this headline">¶</a></h4>

The ccselect subsection controls modules for credential cache

selection within a cache collection. In addition to any registered

dynamic modules, the following built-in modules exist (and may be

disabled with the disable tag):

-<dl class="docutils">

-<dt>k5identity</dt>

-<dd>Uses a .k5identity file in the user’s home directory to select a

-client principal</dd>

-<dt>realm</dt>

-<dd>Uses the service realm to guess an appropriate cache from the

-collection</dd>

-<dt>hostname</dt>

-<dd>If the service principal is host-based, uses the service hostname

-to guess an appropriate cache from the collection</dd>

+<dl class="simple">

+<dt>k5identity</dt><dd>Uses a .k5identity file in the user’s home directory to select a

+client principal

+</dd>

+<dt>realm</dt><dd>Uses the service realm to guess an appropriate cache from the

+collection

+</dd>

+<dt>hostname</dt><dd>If the service principal is host-based, uses the service hostname

+to guess an appropriate cache from the collection

+</dd>

</dl>

-</div>

-<div class="section" id="pwqual-interface">

+</section>

+<section id="pwqual-interface">

<h4>pwqual interface<a class="headerlink" href="#pwqual-interface" title="Permalink to this headline">¶</a></h4>

The pwqual subsection controls modules for the password quality

interface, which is used to reject weak passwords when passwords are

changed. The following built-in modules exist for this interface:

-<dl class="docutils">

-<dt>dict</dt>

-<dd>Checks against the realm dictionary file</dd>

-<dt>empty</dt>

-<dd>Rejects empty passwords</dd>

-<dt>hesiod</dt>

-<dd>Checks against user information stored in Hesiod (only if Kerberos

-was built with Hesiod support)</dd>

-<dt>princ</dt>

-<dd>Checks against components of the principal name</dd>

+<dl class="simple">

+<dt>dict</dt><dd>Checks against the realm dictionary file

+</dd>

+<dt>empty</dt><dd>Rejects empty passwords

+</dd>

+<dt>hesiod</dt><dd>Checks against user information stored in Hesiod (only if Kerberos

+was built with Hesiod support)

+</dd>

+<dt>princ</dt><dd>Checks against components of the principal name

+</dd>

</dl>

-</div>

-<div class="section" id="kadm5-hook-interface">

+</section>

+<section id="kadm5-hook-interface">

<h4>kadm5_hook interface<a class="headerlink" href="#kadm5-hook-interface" title="Permalink to this headline">¶</a></h4>

The kadm5_hook interface provides plugins with information on

principal creation, modification, password changes and deletion. This

interface can be used to write a plugin to synchronize MIT Kerberos

with another database such as Active Directory. No plugins are built

in for this interface.

-</div>

-<div class="section" id="kadm5-auth-interface">

+</section>

+<section id="kadm5-auth-interface">

<h4>kadm5_auth interface<a class="headerlink" href="#kadm5-auth-interface" title="Permalink to this headline">¶</a></h4>

The kadm5_auth section (introduced in release 1.16) controls modules

for the kadmin authorization interface, which determines whether a

client principal is allowed to perform a kadmin operation. The

following built-in modules exist for this interface:

-<dl class="docutils">

-<dt>acl</dt>

-<dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5">kadm5.acl</a> file, and authorizes

-operations which are allowed according to the rules in the file.</dd>

-<dt>self</dt>

-<dd>This module authorizes self-service operations including password

+<dl class="simple">

+<dt>acl</dt><dd>This module reads the <a class="reference internal" href="kadm5_acl.html#kadm5-acl-5">kadm5.acl</a> file, and authorizes

+operations which are allowed according to the rules in the file.

+</dd>

+<dt>self</dt><dd>This module authorizes self-service operations including password

changes, creation of new random keys, fetching the client’s

principal record or string attributes, and fetching the policy

-record associated with the client principal.</dd>

+record associated with the client principal.

+</dd>

</dl>

-</div>

-<div class="section" id="clpreauth-and-kdcpreauth-interfaces">

+</section>

+<section id="clpreauth-and-kdcpreauth-interfaces">

<h4>clpreauth and kdcpreauth interfaces<a class="headerlink" href="#clpreauth-and-kdcpreauth-interfaces" title="Permalink to this headline">¶</a></h4>

The clpreauth and kdcpreauth interfaces allow plugin modules to

provide client and KDC preauthentication mechanisms. The following

built-in modules exist for these interfaces:

-<dl class="docutils">

-<dt>pkinit</dt>

-<dd>This module implements the PKINIT preauthentication mechanism.</dd>

-<dt>encrypted_challenge</dt>

-<dd>This module implements the encrypted challenge FAST factor.</dd>

-<dt>encrypted_timestamp</dt>

-<dd>This module implements the encrypted timestamp mechanism.</dd>

+<dl class="simple">

+<dt>pkinit</dt><dd>This module implements the PKINIT preauthentication mechanism.

+</dd>

+<dt>encrypted_challenge</dt><dd>This module implements the encrypted challenge FAST factor.

+</dd>

+<dt>encrypted_timestamp</dt><dd>This module implements the encrypted timestamp mechanism.

+</dd>

</dl>

-</div>

-<div class="section" id="hostrealm-interface">

+</section>

+<section id="hostrealm-interface">

<h4>hostrealm interface<a class="headerlink" href="#hostrealm-interface" title="Permalink to this headline">¶</a></h4>

The hostrealm section (introduced in release 1.12) controls modules

for the host-to-realm interface, which affects the local mapping of

hostnames to realm names and the choice of default realm. The following

built-in modules exist for this interface:

-<dl class="docutils">

-<dt>profile</dt>

-<dd>This module consults the [domain_realm] section of the profile for

+<dl class="simple">

+<dt>profile</dt><dd>This module consults the [domain_realm] section of the profile for

authoritative host-to-realm mappings, and the default_realm

-variable for the default realm.</dd>

-<dt>dns</dt>

-<dd>This module looks for DNS records for fallback host-to-realm

+variable for the default realm.

+</dd>

+<dt>dns</dt><dd>This module looks for DNS records for fallback host-to-realm

mappings and the default realm. It only operates if the

-dns_lookup_realm variable is set to true.</dd>

-<dt>domain</dt>

-<dd>This module applies heuristics for fallback host-to-realm

+dns_lookup_realm variable is set to true.

+</dd>

+<dt>domain</dt><dd>This module applies heuristics for fallback host-to-realm

mappings. It implements the realm_try_domains variable, and

uses the uppercased parent domain of the hostname if that does not

-produce a result.</dd>

+produce a result.

+</dd>

</dl>

-</div>

-<div class="section" id="localauth-interface">

+</section>

+<section id="localauth-interface">

<h4>localauth interface<a class="headerlink" href="#localauth-interface" title="Permalink to this headline">¶</a></h4>

The localauth section (introduced in release 1.12) controls modules

for the local authorization interface, which affects the relationship

between Kerberos principals and local system accounts. The following

built-in modules exist for this interface:

-<dl class="docutils">

-<dt>default</dt>

-<dd>This module implements the DEFAULT type for auth_to_local

-values.</dd>

-<dt>rule</dt>

-<dd>This module implements the RULE type for auth_to_local

-values.</dd>

-<dt>names</dt>

-<dd>This module looks for an auth_to_local_names mapping for the

-principal name.</dd>

-<dt>auth_to_local</dt>

-<dd>This module processes auth_to_local values in the default

+<dl class="simple">

+<dt>default</dt><dd>This module implements the DEFAULT type for auth_to_local

+values.

+</dd>

+<dt>rule</dt><dd>This module implements the RULE type for auth_to_local

+values.

+</dd>

+<dt>names</dt><dd>This module looks for an auth_to_local_names mapping for the

+principal name.

+</dd>

+<dt>auth_to_local</dt><dd>This module processes auth_to_local values in the default

realm’s section, and applies the default method if no

-auth_to_local values exist.</dd>

-<dt>k5login</dt>

-<dd>This module authorizes a principal to a local account according to

-the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5">.k5login</a> file.</dd>

-<dt>an2ln</dt>

-<dd>This module authorizes a principal to a local account if the

-principal name maps to the local account name.</dd>

+auth_to_local values exist.

+</dd>

+<dt>k5login</dt><dd>This module authorizes a principal to a local account according to

+the account’s <a class="reference internal" href="../../user/user_config/k5login.html#k5login-5">.k5login</a> file.

+</dd>

+<dt>an2ln</dt><dd>This module authorizes a principal to a local account if the

+principal name maps to the local account name.

+</dd>

</dl>

-</div>

-<div class="section" id="certauth-interface">

+</section>

+<section id="certauth-interface">

<h4>certauth interface<a class="headerlink" href="#certauth-interface" title="Permalink to this headline">¶</a></h4>

The certauth section (introduced in release 1.16) controls modules for

the certificate authorization interface, which determines whether a

certificate is allowed to preauthenticate a user via PKINIT. The

following built-in modules exist for this interface:

-<dl class="docutils">

-<dt>pkinit_san</dt>

-<dd>This module authorizes the certificate if it contains a PKINIT

+<dl class="simple">

+<dt>pkinit_san</dt><dd>This module authorizes the certificate if it contains a PKINIT

Subject Alternative Name for the requested client principal, or a

Microsoft UPN SAN matching the principal if pkinit_allow_upn

-is set to true for the realm.</dd>

-<dt>pkinit_eku</dt>

-<dd>This module rejects the certificate if it does not contain an

+is set to true for the realm.

+</dd>

+<dt>pkinit_eku</dt><dd>This module rejects the certificate if it does not contain an

Extended Key Usage attribute consistent with the

-pkinit_eku_checking value for the realm.</dd>

-<dt>dbmatch</dt>

-<dd>This module authorizes or rejects the certificate according to

+pkinit_eku_checking value for the realm.

+</dd>

+<dt>dbmatch</dt><dd>This module authorizes or rejects the certificate according to

whether it matches the pkinit_cert_match string attribute on

-the client principal, if that attribute is present.</dd>

+the client principal, if that attribute is present.

+</dd>

</dl>

-</div>

-<div class="section" id="pkinit-options">

+</section>

+<section id="pkinit-options">

<h2>PKINIT options<a class="headerlink" href="#pkinit-options" title="Permalink to this headline">¶</a></h2>

-Note

-The following are PKINIT-specific options. These values may

+Note

+The following are PKINIT-specific options. These values may

be specified in [libdefaults] as global defaults, or within

a realm-specific subsection of [libdefaults], or may be

specified as realm-specific values in the [realms] section.

@@ -910,95 +893,92 @@ A realm-specific value overrides, not adds to, a generic

[libdefaults] specification. The search order is:

</div>

-<li>realm-specific subsection of [libdefaults]:

-<div class="highlight-default"><div class="highlight"><pre>[libdefaults]

+<li>realm-specific subsection of [libdefaults]:

+<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]

EXAMPLE.COM = {

}

</pre></div>

</div>

</li>

-<li>realm-specific value in the [realms] section:

-<div class="highlight-default"><div class="highlight"><pre>[realms]

+<li>realm-specific value in the [realms] section:

+<div class="highlight-default notranslate"><div class="highlight"><pre>[realms]

OTHERREALM.ORG = {

pkinit_anchors = FILE:/usr/local/otherrealm.org.crt

}

</pre></div>

</div>

</li>

-<li>generic value in the [libdefaults] section:

-<div class="highlight-default"><div class="highlight"><pre>[libdefaults]

+<li>generic value in the [libdefaults] section:

+<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]

</pre></div>

</div>

</li>

</ol>

-<div class="section" id="specifying-pkinit-identity-information">

+<section id="specifying-pkinit-identity-information">

<h3>Specifying PKINIT identity information<a class="headerlink" href="#specifying-pkinit-identity-information" title="Permalink to this headline">¶</a></h3>

The syntax for specifying Public Key identity, trust, and revocation

information for PKINIT is as follows:

-<dl class="docutils">

-<dt>FILE:filename[,keyfilename]</dt>

-<dd>This option has context-specific behavior.

+<dl>

+<dt>FILE:filename[,keyfilename]</dt><dd>This option has context-specific behavior.

In pkinit_identity or pkinit_identities, filename

specifies the name of a PEM-format file containing the user’s

certificate. If keyfilename is not specified, the user’s

private key is expected to be in filename as well. Otherwise,

keyfilename is the name of the file containing the private key.

-In pkinit_anchors or pkinit_pool, filename is assumed to

+In pkinit_anchors or pkinit_pool, filename is assumed to

be the name of an OpenSSL-style ca-bundle file.

</dd>

-<dt>DIR:dirname</dt>

-<dd>This option has context-specific behavior.

+<dt>DIR:dirname</dt><dd>This option has context-specific behavior.

In pkinit_identity or pkinit_identities, dirname

-specifies a directory with files named <code class="docutils literal">*.crt</code> and <code class="docutils literal">*.key</code>

+specifies a directory with files named <code class="docutils literal notranslate">*.crt</code> and <code class="docutils literal notranslate">*.key</code>

where the first part of the file name is the same for matching

pairs of certificate and private key files. When a file with a

-name ending with <code class="docutils literal">.crt</code> is found, a matching file ending with

-<code class="docutils literal">.key</code> is assumed to contain the private key. If no such file

-is found, then the certificate in the <code class="docutils literal">.crt</code> is not used.

+name ending with <code class="docutils literal notranslate">.crt</code> is found, a matching file ending with

+<code class="docutils literal notranslate">.key</code> is assumed to contain the private key. If no such file

+is found, then the certificate in the <code class="docutils literal notranslate">.crt</code> is not used.

In pkinit_anchors or pkinit_pool, dirname is assumed to

be an OpenSSL-style hashed CA directory where each CA cert is

-stored in a file named <code class="docutils literal">hash-of-ca-cert.#</code>. This infrastructure

+stored in a file named <code class="docutils literal notranslate">hash-of-ca-cert.#</code>. This infrastructure

is encouraged, but all files in the directory will be examined and

if they contain certificates (in PEM format), they will be used.

-In pkinit_revoke, dirname is assumed to be an OpenSSL-style

+In pkinit_revoke, dirname is assumed to be an OpenSSL-style

hashed CA directory where each revocation list is stored in a file

-named <code class="docutils literal">hash-of-ca-cert.r#</code>. This infrastructure is encouraged,

+named <code class="docutils literal notranslate">hash-of-ca-cert.r#</code>. This infrastructure is encouraged,

but all files in the directory will be examined and if they

contain a revocation list (in PEM format), they will be used.

</dd>

-<dt>PKCS12:filename</dt>

-<dd>filename is the name of a PKCS #12 format file, containing the

-user’s certificate and private key.</dd>

-<dt>PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]</dt>

-<dd>All keyword/values are optional. modname specifies the location

+<dt>PKCS12:filename</dt><dd>filename is the name of a PKCS #12 format file, containing the

+user’s certificate and private key.

+</dd>

+<dt>PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]</dt><dd>All keyword/values are optional. modname specifies the location

of a library implementing PKCS #11. If a value is encountered

with no keyword, it is assumed to be the modname. If no

module-name is specified, the default is <a class="reference internal" href="../../mitK5defaults.html#paths">PKCS11_MODNAME</a>.

-<code class="docutils literal">slotid=</code> and/or <code class="docutils literal">token=</code> may be specified to force the use of

+<code class="docutils literal notranslate">slotid=</code> and/or <code class="docutils literal notranslate">token=</code> may be specified to force the use of

a particular smard card reader or token if there is more than one

-available. <code class="docutils literal">certid=</code> and/or <code class="docutils literal">certlabel=</code> may be specified to

+available. <code class="docutils literal notranslate">certid=</code> and/or <code class="docutils literal notranslate">certlabel=</code> may be specified to

force the selection of a particular certificate on the device.

See the pkinit_cert_match configuration option for more ways

-to select a particular certificate to use for PKINIT.</dd>

-<dt>ENV:envvar</dt>

-<dd>envvar specifies the name of an environment variable which has

+to select a particular certificate to use for PKINIT.

+</dd>

+<dt>ENV:envvar</dt><dd>envvar specifies the name of an environment variable which has

been set to a value conforming to one of the previous values. For

-example, <code class="docutils literal">ENV:X509_PROXY</code>, where environment variable

-<code class="docutils literal">X509_PROXY</code> has been set to <code class="docutils literal">FILE:/tmp/my_proxy.pem</code>.</dd>

+example, <code class="docutils literal notranslate">ENV:X509_PROXY</code>, where environment variable

+<code class="docutils literal notranslate">X509_PROXY</code> has been set to <code class="docutils literal notranslate">FILE:/tmp/my_proxy.pem</code>.

+</dd>

</dl>

-</div>

-<div class="section" id="pkinit-krb5-conf-options">

+</section>

+<section id="pkinit-krb5-conf-options">

<h3>PKINIT krb5.conf options<a class="headerlink" href="#pkinit-krb5-conf-options" title="Permalink to this headline">¶</a></h3>

-<dl class="docutils">

-<dt>pkinit_anchors</dt>

-<dd>Specifies the location of trusted anchor (root) certificates which

+<dl>

+<dt>pkinit_anchors</dt><dd>Specifies the location of trusted anchor (root) certificates which

the client trusts to sign KDC certificates. This option may be

specified multiple times. These values from the config file are

-not used if the user specifies X509_anchors on the command line.</dd>

-<dt>pkinit_cert_match</dt>

-<dd>Specifies matching rules that the client certificate must match

+not used if the user specifies X509_anchors on the command line.

+</dd>

+<dt>pkinit_cert_match</dt><dd>Specifies matching rules that the client certificate must match

before it is used to attempt PKINIT authentication. If a user has

multiple certificates available (on a smart card, or via other

media), there must be exactly one certificate chosen before

@@ -1011,15 +991,15 @@ string representations from the certificate Subject DN and Issuer

DN values.

The syntax of the matching rules is:

-<div>[relation-operator]component-rule …</div></blockquote>

+<div>[relation-operator]component-rule …

+</div></blockquote>

where:

-<dl class="docutils">

-<dt>relation-operator</dt>

-<dd>can be either <code class="docutils literal">&&</code>, meaning all component rules must match,

-or <code class="docutils literal">||</code>, meaning only one component rule must match. The

-default is <code class="docutils literal">&&</code>.</dd>

-<dt>component-rule</dt>

-<dd>can be one of the following. Note that there is no

+<dl>

+<dt>relation-operator</dt><dd>can be either <code class="docutils literal notranslate">&&</code>, meaning all component rules must match,

+or <code class="docutils literal notranslate">||</code>, meaning only one component rule must match. The

+default is <code class="docutils literal notranslate">&&</code>.

+</dd>

+<dt>component-rule</dt><dd>can be one of the following. Note that there is no

punctuation or whitespace between component rules.

@@ -1035,72 +1015,70 @@ required Extended Key Usage values. All values in the list

must be present in the certificate. Extended Key Usage values

can be:

-<li>pkinit</li>

-<li>msScLogin</li>

-<li>clientAuth</li>

-<li>emailProtection</li>

+<li>pkinit</li>

+<li>msScLogin</li>

+<li>clientAuth</li>

+<li>emailProtection</li>

</ul>

key-usage-list is a comma-separated list of required Key

Usage values. All values in the list must be present in the

certificate. Key Usage values can be:

-<ul class="last simple">

-<li>digitalSignature</li>

-<li>keyEncipherment</li>

+<ul class="simple">

+<li>digitalSignature</li>

+<li>keyEncipherment</li>

</ul>

</dd>

</dl>

Examples:

-<div class="last highlight-default"><div class="highlight"><pre>pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM

+<div class="highlight-default notranslate"><div class="highlight"><pre>pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM

pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*

pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature

</pre></div>

</div>

</dd>

-<dt>pkinit_eku_checking</dt>

-<dd>This option specifies what Extended Key Usage value the KDC

+<dt>pkinit_eku_checking</dt><dd>This option specifies what Extended Key Usage value the KDC

certificate presented to the client must contain. (Note that if

the KDC certificate has the pkinit SubjectAlternativeName encoded

as the Kerberos TGS name, EKU checking is not necessary since the

issuing CA has certified this as a KDC certificate.) The values

recognized in the krb5.conf file are:

-<dl class="last docutils">

-<dt>kpKDC</dt>

-<dd>This is the default value and specifies that the KDC must have

-the id-pkinit-KPKdc EKU as defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>.</dd>

-<dt>kpServerAuth</dt>

-<dd>If kpServerAuth is specified, a KDC certificate with the

+<dl class="simple">

+<dt>kpKDC</dt><dd>This is the default value and specifies that the KDC must have

+the id-pkinit-KPKdc EKU as defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>.

+</dd>

+<dt>kpServerAuth</dt><dd>If kpServerAuth is specified, a KDC certificate with the

id-kp-serverAuth EKU will be accepted. This key usage value

-is used in most commercially issued server certificates.</dd>

-<dt>none</dt>

-<dd>If none is specified, then the KDC certificate will not be

+is used in most commercially issued server certificates.

+</dd>

+<dt>none</dt><dd>If none is specified, then the KDC certificate will not be

checked to verify it has an acceptable EKU. The use of this

-option is not recommended.</dd>

+option is not recommended.

+</dd>

</dl>

</dd>

-<dt>pkinit_dh_min_bits</dt>

-<dd>Specifies the size of the Diffie-Hellman key the client will

+<dt>pkinit_dh_min_bits</dt><dd>Specifies the size of the Diffie-Hellman key the client will

attempt to use. The acceptable values are 1024, 2048, and 4096.

-The default is 2048.</dd>

-<dt>pkinit_identities</dt>

-<dd>Specifies the location(s) to be used to find the user’s X.509

+The default is 2048.

+</dd>

+<dt>pkinit_identities</dt><dd>Specifies the location(s) to be used to find the user’s X.509

identity information. If this option is specified multiple times,

each value is attempted in order until certificates are found.

Note that these values are not used if the user specifies

-X509_user_identity on the command line.</dd>

-<dt>pkinit_kdc_hostname</dt>

-<dd>The presence of this option indicates that the client is willing

+X509_user_identity on the command line.

+</dd>

+<dt>pkinit_kdc_hostname</dt><dd>The presence of this option indicates that the client is willing

to accept a KDC certificate with a dNSName SAN (Subject

Alternative Name) rather than requiring the id-pkinit-san as

defined in <a class="rfc reference external" href="https://tools.ietf.org/html/rfc4556.html">RFC 4556</a>. This option may be specified multiple

times. Its value should contain the acceptable hostname for the

-KDC (as contained in its certificate).</dd>

-<dt>pkinit_pool</dt>

-<dd>Specifies the location of intermediate certificates which may be

+KDC (as contained in its certificate).

+</dd>

+<dt>pkinit_pool</dt><dd>Specifies the location of intermediate certificates which may be

used by the client to complete the trust chain between a KDC

certificate and a trusted anchor. This option may be specified

-multiple times.</dd>

-<dt>pkinit_require_crl_checking</dt>

-<dd>The default certificate verification process will always check the

+multiple times.

+</dd>

+<dt>pkinit_require_crl_checking</dt><dd>The default certificate verification process will always check the

available revocation information to see if a certificate has been

revoked. If a match is found for the certificate in a CRL,

verification fails. If the certificate being verified is not

@@ -1110,85 +1088,85 @@ succeeds.

However, if pkinit_require_crl_checking is true and there is

no CRL information available for the issuing CA, then verification

fails.

-pkinit_require_crl_checking should be set to true if the

+pkinit_require_crl_checking should be set to true if the

policy is such that up-to-date CRLs must be present for every CA.

</dd>

-<dt>pkinit_revoke</dt>

-<dd>Specifies the location of Certificate Revocation List (CRL)

+<dt>pkinit_revoke</dt><dd>Specifies the location of Certificate Revocation List (CRL)

information to be used by the client when verifying the validity

of the KDC certificate presented. This option may be specified

-multiple times.</dd>

+multiple times.

+</dd>

</dl>

-</div>

-<div class="section" id="parameter-expansion">

+</section>

+<section id="parameter-expansion">

<h2>Parameter expansion<a class="headerlink" href="#parameter-expansion" title="Permalink to this headline">¶</a></h2>

Starting with release 1.11, several variables, such as

default_keytab_name, allow parameters to be expanded.

Valid parameters are:

-<div><table border="1" class="docutils">

+<div><table class="docutils align-default">

-<col width="25%" />

-<col width="75%" />

+<col style="width: 25%" />

+<col style="width: 75%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>%{TEMP}</td>

-<td>Temporary directory</td>

+<tbody>

+<tr class="row-odd"><td>%{TEMP}</td>

+<td>Temporary directory</td>

</tr>

-<tr class="row-even"><td>%{uid}</td>

-<td>Unix real UID or Windows SID</td>

+<tr class="row-even"><td>%{uid}</td>

+<td>Unix real UID or Windows SID</td>

</tr>

-<tr class="row-odd"><td>%{euid}</td>

-<td>Unix effective user ID or Windows SID</td>

+<tr class="row-odd"><td>%{euid}</td>

+<td>Unix effective user ID or Windows SID</td>

</tr>

-<tr class="row-even"><td>%{USERID}</td>

-<td>Same as %{uid}</td>

+<tr class="row-even"><td>%{USERID}</td>

+<td>Same as %{uid}</td>

</tr>

-<tr class="row-odd"><td>%{null}</td>

-<td>Empty string</td>

+<tr class="row-odd"><td>%{null}</td>

+<td>Empty string</td>

</tr>

-<tr class="row-even"><td>%{LIBDIR}</td>

-<td>Installation library directory</td>

+<tr class="row-even"><td>%{LIBDIR}</td>

+<td>Installation library directory</td>

</tr>

-<tr class="row-odd"><td>%{BINDIR}</td>

-<td>Installation binary directory</td>

+<tr class="row-odd"><td>%{BINDIR}</td>

+<td>Installation binary directory</td>

</tr>

-<tr class="row-even"><td>%{SBINDIR}</td>

-<td>Installation admin binary directory</td>

+<tr class="row-even"><td>%{SBINDIR}</td>

+<td>Installation admin binary directory</td>

</tr>

-<tr class="row-odd"><td>%{username}</td>

-<td>(Unix) Username of effective user ID</td>

+<tr class="row-odd"><td>%{username}</td>

+<td>(Unix) Username of effective user ID</td>

</tr>

-<tr class="row-even"><td>%{APPDATA}</td>

-<td>(Windows) Roaming application data for current user</td>

+<tr class="row-even"><td>%{APPDATA}</td>

+<td>(Windows) Roaming application data for current user</td>

</tr>

-<tr class="row-odd"><td>%{COMMON_APPDATA}</td>

-<td>(Windows) Application data for all users</td>

+<tr class="row-odd"><td>%{COMMON_APPDATA}</td>

+<td>(Windows) Application data for all users</td>

</tr>

-<tr class="row-even"><td>%{LOCAL_APPDATA}</td>

-<td>(Windows) Local application data for current user</td>

+<tr class="row-even"><td>%{LOCAL_APPDATA}</td>

+<td>(Windows) Local application data for current user</td>

</tr>

-<tr class="row-odd"><td>%{SYSTEM}</td>

-<td>(Windows) Windows system folder</td>

+<tr class="row-odd"><td>%{SYSTEM}</td>

+<td>(Windows) Windows system folder</td>

</tr>

-<tr class="row-even"><td>%{WINDOWS}</td>

-<td>(Windows) Windows folder</td>

+<tr class="row-even"><td>%{WINDOWS}</td>

+<td>(Windows) Windows folder</td>

</tr>

-<tr class="row-odd"><td>%{USERCONFIG}</td>

-<td>(Windows) Per-user MIT krb5 config file directory</td>

+<tr class="row-odd"><td>%{USERCONFIG}</td>

+<td>(Windows) Per-user MIT krb5 config file directory</td>

</tr>

-<tr class="row-even"><td>%{COMMONCONFIG}</td>

-<td>(Windows) Common MIT krb5 config file directory</td>

+<tr class="row-even"><td>%{COMMONCONFIG}</td>

+<td>(Windows) Common MIT krb5 config file directory</td>

</tr>

</tbody>

</table>

</div></blockquote>

-</div>

-<div class="section" id="sample-krb5-conf-file">

+</section>

+<section id="sample-krb5-conf-file">

<h2>Sample krb5.conf file<a class="headerlink" href="#sample-krb5-conf-file" title="Permalink to this headline">¶</a></h2>

Here is an example of a generic krb5.conf file:

-<div class="highlight-default"><div class="highlight"><pre>[libdefaults]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]

default_realm = ATHENA.MIT.EDU

dns_lookup_kdc = true

dns_lookup_realm = false

@@ -1219,23 +1197,25 @@ Valid parameters are:

}

</pre></div>

</div>

-</div>

-<div class="section" id="files">

+</section>

+<section id="files">

<h2>FILES<a class="headerlink" href="#files" title="Permalink to this headline">¶</a></h2>

-<code class="docutils literal">/etc/krb5.conf</code>

-</div>

-<div class="section" id="see-also">

+<code class="docutils literal notranslate">/etc/krb5.conf</code>

+</section>

+<section id="see-also">

syslog(3)

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

@@ -1328,6 +1308,7 @@ Valid parameters are:

</form>

</div>

</div>

@@ -1335,8 +1316,8 @@ Valid parameters are:

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

</div>