Diffstat (limited to 'doc/html/_sources/admin')
9 files changed, 150 insertions, 62 deletions
diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt index 2435b3c3611e..b4edc7924345 100644 --- a/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt +++ b/doc/html/_sources/admin/admin_commands/kadmin_local.rst.txt @@ -460,6 +460,24 @@ This command requires the **add** and **delete** privileges. Alias: **renprinc** +.. _add_alias: + +add_alias +~~~~~~~~~ + + **add_alias** *alias_princ* *target_princ* + +Create an alias *alias_princ* pointing to *target_princ*. Aliases may +be chained (that is, *target_princ* may itself be an alias) up to a +depth of 10. + +This command requires the **add** privilege for *alias_princ* and the +**modify** privilege for *target_princ*. + +(New in release 1.22.) + +Aliases: **alias** + .. _delete_principal: delete_principal @@ -467,8 +485,8 @@ delete_principal **delete_principal** [**-force**] *principal* -Deletes the specified *principal* from the database. This command -prompts for deletion, unless the **-force** option is given. +Deletes the specified *principal* or alias from the database. This +command prompts for deletion, unless the **-force** option is given. This command requires the **delete** privilege. diff --git a/doc/html/_sources/admin/admin_commands/kadmind.rst.txt b/doc/html/_sources/admin/admin_commands/kadmind.rst.txt index 7e1482635d0a..bc66890def3d 100644 --- a/doc/html/_sources/admin/admin_commands/kadmind.rst.txt +++ b/doc/html/_sources/admin/admin_commands/kadmind.rst.txt 
@@ -121,6 +121,14 @@ ENVIRONMENT See :ref:`kerberos(7)` for a description of Kerberos environment variables. +As of release 1.22, kadmind supports systemd socket activation via the +LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by +the caller must correspond to configured listener addresses (via the +**kadmind_listen** or **kpasswd_listen** variables or equivalents) or +they will be ignored. Any configured listener addresses that do not +correspond to caller-provided sockets will be ignored if socket +activation is used. + SEE ALSO -------- diff --git a/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt b/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt index 444c58bcd967..8147e9766eee 100644 --- a/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt +++ b/doc/html/_sources/admin/admin_commands/kdb5_util.rst.txt @@ -376,6 +376,14 @@ Options: Dump types: +**alias** + principal alias information + + **aliasname** + the name of the alias + **targetname** + the target of the alias + **keydata** principal encryption key information, including actual key data (which is still encrypted in the master key) diff --git a/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt b/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt index 631a0de84e50..97fbe5ed7d10 100644 --- a/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt +++ b/doc/html/_sources/admin/admin_commands/krb5kdc.rst.txt @@ -106,6 +106,13 @@ ENVIRONMENT See :ref:`kerberos(7)` for a description of Kerberos environment variables. +As of release 1.22, krb5kdc supports systemd socket activation via the +LISTEN_PID and LISTEN_FDS environment variables. Sockets provided by +the caller must correspond to configured listener addresses (via the +**kdc_listen** variable or equivalent) or they will be ignored. Any +configured listener addresses that do not correspond to +caller-provided sockets will be ignored if socket activation is used. + SEE ALSO -------- 
diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt b/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt index 74a0a2acef98..63bdb8d48c12 100644 --- a/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt +++ b/doc/html/_sources/admin/conf_files/kdc_conf.rst.txt @@ -289,14 +289,16 @@ The following tags may be specified in a [realms] subsection: **kadmind_listen** (Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If kadmind fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address at the port specified - in **kadmind_port**, or the standard kadmin port (749). New in - release 1.15. + Each entry may be an interface address, a port number, an address + and port number separated by a colon, or a UNIX domain socket + pathname. If the address contains colons, enclose it in square + brackets. If no address is specified, the wildcard address is + used. To disable listening for kadmin RPC connections, set this + relation to the empty string with ``kadmind_listen = ""``. If + kadmind fails to bind to any of the specified addresses, it will + fail to start. The default is to bind to the wildcard address at + the port specified in **kadmind_port**, or the standard kadmin + port (749). New in release 1.15. **kadmind_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` 
@@ -310,16 +312,18 @@ The following tags may be specified in a [realms] subsection: ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_listen** - (Whitespace- or comma-separated list.) Specifies the UDP - listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. If the KDC daemon fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address on the standard port. - New in release 1.15. + (Whitespace- or comma-separated list.) Specifies the listening + addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each + entry may be an interface address, a port number, an address and + port number separated by a colon, or a UNIX domain socket + pathname. If the address contains colons, enclose it in square + brackets. If no address is specified, the wildcard address is + used. If no port is specified, the standard port (88) is used. + To disable listening on UDP, set this relation to the empty string + with ``kdc_listen = ""``. If the KDC daemon fails to bind to any + of the specified addresses, it will fail to start. The default is + to bind to the wildcard address on the standard port. New in + release 1.15. **kdc_ports** (Whitespace- or comma-separated list, deprecated.) Prior to 
@@ -331,15 +335,10 @@ The following tags may be specified in a [realms] subsection: **kdc_tcp_listen** (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. To disable listening on TCP, set - this relation to the empty string with ``kdc_tcp_listen = ""``. - If the KDC daemon fails to bind to any of the specified addresses, - it will fail to start. The default is to bind to the wildcard - address on the standard port. New in release 1.15. + The syntax is identical to that of **kdc_listen**. To disable + listening on TCP, set this relation to the empty string with + ``kdc_tcp_listen = ""``. The default is to bind to the same + addresses and ports as for UDP. New in release 1.15. **kdc_tcp_ports** (Whitespace- or comma-separated list, deprecated.) Prior to 
@@ -349,15 +348,18 @@ The following tags may be specified in a [realms] subsection: **kdc_tcp_listen** if that relation is not defined. **kpasswd_listen** - (Comma-separated list.) Specifies the kpasswd listening addresses - and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be - an interface address, a port number, or an address and port number - separated by a colon. If the address contains colons, enclose it - in square brackets. If no address is specified, the wildcard - address is used. If kadmind fails to bind to any of the specified - addresses, it will fail to start. The default is to bind to the - wildcard address at the port specified in **kpasswd_port**, or the - standard kpasswd port (464). New in release 1.15. + (Comma-separated list.) Specifies the kpasswd listening + addresses and/or ports for the :ref:`kadmind(8)` daemon. Each + entry may be an interface address, a port number, an address and + port number separated by a colon, or a UNIX domain socket + pathname. If the address contains colons, enclose it in square + brackets. If no address is specified, the wildcard address is + used. To disable listening for kpasswd requests, set this + relation to the empty string with ``kpasswd_listen = ""``. If + kadmind fails to bind to any of the specified addresses, it will + fail to start. The default is to bind to the wildcard address at + the port specified in **kpasswd_port**, or the standard kpasswd + port (464). New in release 1.15. **kpasswd_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` 
@@ -768,8 +770,11 @@ For information about the syntax of some of these options, see be specified multiple times. **pkinit_dh_min_bits** - Specifies the minimum number of bits the KDC is willing to accept - for a client's Diffie-Hellman key. The default is 2048. + Specifies the minimum strength of Diffie-Hellman group the KDC is + willing to accept for key exchange. Valid values in order of + increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521. + The default is 2048. (P-256, P-384, and P-521 are new in release + 1.22.) **pkinit_allow_upn** Specifies that the KDC is willing to accept client certificates diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt b/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt index ecdf91750152..e0c7a633094e 100644 --- a/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt +++ b/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt @@ -35,12 +35,6 @@ or:: baz = quux } -Placing a '\*' after the closing bracket of a section name indicates -that the section is *final*, meaning that if the same section appears -within a later file specified in **KRB5_CONFIG**, it will be ignored. -A subsection can be marked as final by placing a '\*' after either the -tag name or the closing brace. - The krb5.conf file can include other files using either of the following directives at the beginning of a line:: 
@@ -58,6 +52,16 @@ section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order. +Placing a '\*' after the closing bracket of a section name indicates +that the section is *final*, meaning that if the same section appears +again later, it will be ignored. A subsection can be marked as final +by placing a '\*' after either the tag name or the closing brace. A +relation can be marked as final by placing a '\*' after the tag name. +Prior to release 1.22, only sections and subsections can be marked as +final, and the flag only causes values to be ignored if they appear in +later files specified in **KRB5_CONFIG**, not if they appear later +within the same file or an included file. + The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section @@ -221,6 +225,12 @@ The libdefaults section may contain any of the following relations: data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know. +**dns_lookup_realm** + Indicate whether DNS TXT records should be used to map hostnames + to realm names for hostnames not listed in the [domain_realm] + section, and to determine the default realm if **default_realm** + is not set. The default value is false. + **dns_uri_lookup** Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the 
@@ -362,6 +372,15 @@ The libdefaults section may contain any of the following relations: (:ref:`duration` string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. +**request_timeout** + (:ref:`duration` string.) Sets the maximum total time for KDC and + password change requests. This timeout does not affect the + intervals between requests, so setting a low timeout may result in + fewer requests being attempted and/or some servers not being + contacted. A value of 0 indicates no specific maximum, in which + case requests will time out if no server responds after several + tries. The default value is 0. (New in release 1.22.) + **spake_preauth_groups** A whitespace or comma-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values 
@@ -511,20 +530,21 @@ following tags may be specified in the realm's subsection: been set to ``FILE:/tmp/my_proxy.pem``. **kdc** - The name or address of a host running a KDC for that realm. An - optional port number, separated from the hostname by a colon, may - be included. If the name or address contains colons (for example, - if it is an IPv6 address), enclose it in square brackets to + The name or address of a host running a KDC for the realm, or a + UNIX domain socket path of a locally running KDC. An optional + port number, separated from the hostname by a colon, may be + included. If the name or address contains colons (for example, if + it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. **kpasswd_server** - Points to the server where all the password changes are performed. - If there is no such entry, DNS will be queried (unless forbidden - by **dns_lookup_kdc**). Finally, port 464 on the **admin_server** - host will be tried. + The location of the password change server for the realm, using + the same syntax as **kdc**. If there is no such entry, DNS will + be queried (unless forbidden by **dns_lookup_kdc**). Finally, + port 464 on the **admin_server** host will be tried. **master_kdc** The name for **primary_kdc** prior to release 1.19. Its value is 
@@ -538,6 +558,10 @@ following tags may be specified in the realm's subsection: the updated database has not been propagated to the replica servers yet. New in release 1.19. +**sitename** + Specifies the name of the host's site for the purpose of DNS-based + KDC discovery for this realm. New in release 1.22. + **v4_instance_convert** This subsection allows the administrator to configure exceptions to the **default_domain** mapping rule. It contains V4 instances @@ -1028,8 +1052,10 @@ information for PKINIT is as follows: a particular smard card reader or token if there is more than one available. ``certid=`` and/or ``certlabel=`` may be specified to force the selection of a particular certificate on the device. - See the **pkinit_cert_match** configuration option for more ways - to select a particular certificate to use for PKINIT. + Specifier values must not contain colon characters, as colons are + always treated as separators. See the **pkinit_cert_match** + configuration option for more ways to select a particular + certificate to use for PKINIT. **ENV:**\ *envvar* *envvar* specifies the name of an environment variable which has @@ -1128,9 +1154,10 @@ PKINIT krb5.conf options option is not recommended. **pkinit_dh_min_bits** - Specifies the size of the Diffie-Hellman key the client will - attempt to use. The acceptable values are 1024, 2048, and 4096. - The default is 2048. + Specifies the group of the Diffie-Hellman key the client will + attempt to use. The acceptable values are 1024, 2048, P-256, + 4096, P-384, and P-521. The default is 2048. (P-256, P-384, and + P-521 are new in release 1.22.) **pkinit_identities** Specifies the location(s) to be used to find the user's X.509 diff --git a/doc/html/_sources/admin/conf_ldap.rst.txt b/doc/html/_sources/admin/conf_ldap.rst.txt index 65542c1a4e42..908dfd1e7e09 100644 --- a/doc/html/_sources/admin/conf_ldap.rst.txt +++ b/doc/html/_sources/admin/conf_ldap.rst.txt 
@@ -112,9 +112,10 @@ Configuring Kerberos with OpenLDAP back-end details. With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no administrative utilities for -creating aliases, so it must be done by direct manipulation of the -LDAP entries. +entries. Beginning in release 1.22, aliases can be added with the +kadmin **add_alias** command, but it is also possible (in release 1.7 +or later) to provide aliases through direct manipulation of the LDAP +entries. An entry with aliases contains multiple values of the *krbPrincipalName* attribute. Since LDAP attribute values are not diff --git a/doc/html/_sources/admin/database.rst.txt b/doc/html/_sources/admin/database.rst.txt index 2fd07242a0f7..685ec272f4b0 100644 --- a/doc/html/_sources/admin/database.rst.txt +++ b/doc/html/_sources/admin/database.rst.txt @@ -93,6 +93,10 @@ To view the attributes of a principal, use the kadmin` To generate a listing of principals, use the kadmin **list_principals** command. +To give a principal additional names, use the kadmin **add_alias** +command to create aliases to the principal (new in release 1.22). +Aliases can be removed with the **delete_principal** command. + .. _policies: diff --git a/doc/html/_sources/admin/realm_config.rst.txt b/doc/html/_sources/admin/realm_config.rst.txt index 9f5ad5074650..32c5b9cf11ee 100644 --- a/doc/html/_sources/admin/realm_config.rst.txt +++ b/doc/html/_sources/admin/realm_config.rst.txt 
@@ -196,6 +196,13 @@ using the **kdc**, **master_kdc**, **admin_server**, and explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites. +Clients can be configured with the **sitename** realm variable (new in +release 1.22). If a site name is set, the client first attempts SRV +record lookups with ".*sitename*._sites" inserted after the service +and protocol name and before the Kerberos realm. Site-specific +records may indicate servers more proximal to the client, allowing for +faster access. + .. _kdc_discovery: @@ -244,6 +251,9 @@ URI lookups are enabled by default, and can be disabled by setting precedence over SRV lookups, falling back to SRV lookups if no URI records are found. +The **sitename** variable in the :ref:`realms` section of +:ref:`krb5.conf(5)` applies to URI lookups as well as SRV lookups. + .. _db_prop: |
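Review bot: the new add_alias entry in kadmin_local.rst closes with "Aliases: **alias**" while the neighbouring rename_principal entry uses the singular "Alias: **renprinc**"; use "Alias: **alias**" for consistency. The entry also leaves unstated what happens to existing aliases when their target is deleted, since the later delete_principal hunk only says it deletes "the specified *principal* or alias"; one sentence saying whether dependent aliases are removed or left dangling would help administrators auditing which names can still authenticate.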
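Review bot: the socket-activation paragraphs added to kadmind.rst and krb5kdc.rst say that unmatched caller sockets and unmatched configured listener addresses "will be ignored" but do not say whether the daemon logs this; an operator with a mistyped unit file would otherwise end up with a silently reduced set of listeners. State whether a warning is logged and whether starting with zero usable sockets is an error, since "it will fail to start" is the documented behaviour for a bind failure in the non-activated case.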
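Review bot: the kdc_conf.rst hunks for kadmind_listen, kdc_listen and kpasswd_listen add "a UNIX domain socket pathname" as an entry type but do not say how a pathname is told apart from a hostname (for example by a leading slash) or what owner and mode the socket file is created with; the latter decides which local users can reach the kadmin RPC and kpasswd services, so document it or point to where it is described. The kpasswd_listen entry also still opens with "(Comma-separated list.)" while the other two say "(Whitespace- or comma-separated list.)"; align them if the same parser is used.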
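Review bot: in the kdc_listen hunk the opening sentence drops "UDP" ("Specifies the listening addresses and/or ports"), yet the disable sentence still reads "To disable listening on UDP, set this relation to the empty string", and the kdc_tcp_listen hunk now says the default is "to bind to the same addresses and ports as for UDP". Say explicitly whether kdc_listen remains the UDP list (with a socket pathname entry applying only to stream transport) or has become transport-independent, and what the TCP default is when kdc_listen contains a socket pathname.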
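Review bot: both pkinit_dh_min_bits hunks keep 1024 as an accepted value, and the kdc_conf entry lists "1024, 2048, P-256, 4096, P-384, and P-521" as "in order of increasing strength" without noting that 1024-bit finite-field Diffie-Hellman is below current recommendations; a short clause to that effect would stop readers treating the list as equally safe choices. Since the relation now accepts curve names, it is also worth saying that the "min_bits" name is kept for compatibility, so readers do not look for a separate curve option.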
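Review bot: the kdc hunk in krb5_conf.rst adds "a UNIX domain socket path of a locally running KDC" but does not say whether a pathname may carry a port suffix or how the client distinguishes a path from a hostname, and kpasswd_server inherits the same syntax by reference ("using the same syntax as **kdc**"); an example line for each form would settle both questions.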
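Review bot: the sitename hunk in realm_config.rst describes the record name only in words (".*sitename*._sites" inserted after the service and protocol name and before the Kerberos realm); a concrete name such as _kerberos._udp.SITE._sites.EXAMPLE.COM, with SITE as a placeholder, would remove the ambiguity. It also says the client "first attempts" the site-specific lookup without stating that it falls back to the plain record when no site-specific records exist; make that fallback explicit.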
