table of contents
other versions
- wheezy 1.10.1+dfsg-5+deb7u7
- jessie 1.12.1+dfsg-19+deb8u2
- testing 1.15-1
- unstable 1.15-1
- experimental 1.15-2
KDC.CONF(5) | File Formats Manual | KDC.CONF(5) |
NAME¶
kdc.conf - Kerberos V5 KDC configuration fileDESCRIPTION¶
kdc.conf specifies per-realm configuration data to be used by the Kerberos V5 Authentication Service and Key Distribution Center (AS/KDC). This includes database, key and per-realm defaults. The kdc.conf file uses the same format as the krb5.conf file. For a basic description of the syntax, please refer to the krb5.conf description. The following sections are currently used in the kdc.conf file:- [kdcdefaults]
- Contains parameters which control the overall behaviour of the KDC.
- [realms]
- Contains subsections keyed by Kerberos realm names which describe per-realm KDC parameters.
KDCDEFAULTS SECTION¶
The following relations are defined in the [kdcdefaults] section:- kdc_ports
- This relation lists the ports which the Kerberos server should listen on, by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is usually port 88 and port 750.
- kdc_tcp_ports
- This relation lists the ports on which the Kerberos server
should listen for TCP connections by default. This list is a comma
separated list of integers. If this relation is not specified, the
compiled-in default is not to listen for TCP connections at all.
- v4_mode
- This string specifies how the KDC should respond to
Kerberos IV packets. Valid values for this relation are the same as the
valid arguments to the -4 flag to krb5kdc. If this relation
is not specified, the compiled-in default of none is used.
REALMS SECTION¶
Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm. For each realm, the following tags may be specified in the [realms] subsection:- acl_file
- This string specifies the location of the access
control list (acl) file that kadmin uses to determine which principals are
allowed which permissions on the database. The default value is
/etc/krb5kdc/kadm5.acl.
- admin_keytab
- This string Specifies the location of the keytab
file that kadmin uses to authenticate to the database. The default value
is /etc/krb5kdc/kadm5.keytab.
- database_name
- This string specifies the location of the Kerberos
database for this realm.
- default_principal_expiration
- This absolute time string specifies the default
expiration date of principals created in this realm.
- default_principal_flags
- This flag string specifies the default attributes of
principals created in this realm. The format for the string is a
comma-separated list of flags, with '+' before each flag to be enabled and
'-' before each flag to be disabled. The default is for postdateable,
forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets, and
service to be enabled, and all others to be disabled.
- postdateable
- Enabling this flag allows the principal to obtain postdateable tickets.
- forwardable
- Enabling this flag allows the principal to obtain forwardable tickets.
- tgt-based
- Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT.
- renewable
- Enabling this flag allows the principal to obtain renewable tickets.
- proxiable
- Enabling this flag allows the principal to obtain proxy tickets.
- dup-skey
- Enabling this flag allows the principal to obtain a session key for another user, permitting user-to-user authentication for this principal.
- allow-tickets
- Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm.
- preauth
- If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set.
- hwauth
- If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets.
- pwchange
- Enabling this flag forces a password change for this principal.
- service
- Enabling this flag allows the the KDC to issue service tickets for this principal.
- pwservice
- If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, the user has to get tickets for that principal to be able to change it without going through the normal password authentication.
- dict_file
- This string location of the dictionary file
containing strings that are not allowed as passwords. If this tag is not
set or if there is no policy assigned to the principal, then no check will
be done.
- kadmind_port
- This port number specifies the port on which the
kadmind daemon is to listen for this realm.
- kpasswd_port
- This port number specifies the port on which the
kadmind daemon is to listen for this realm.
- key_stash_file
- This string specifies the location where the master
key has been stored with kdb5_stash.
- kdc_ports
- This string specifies the list of ports that the KDC
is to listen to for this realm. By default, the value of kdc_ports
as specified in the [kdcdefaults] section is used.
- kdc_tcp_ports
- This string specifies the list of ports that the KDC
is to listen to for TCP requests for this realm. By default, the value of
kdc_tcp_ports as specified in the [kdcdefaults] section is
used.
- master_key_name
- This string specifies the name of the principal
associated with the master key. The default value is K/M.
- master_key_type
- This key type string represents the master key's key
type.
- max_life
- This delta time string specifies the maximum time
period that a ticket may be valid for in this realm.
- max_renewable_life
- This delta time string specifies the maximum time
period that a ticket may be renewed for in this realm.
- iprop_enable
- This boolean ("true" or "false")
specifies whether incremental database propagation is enabled. The default
is "false".
- iprop_master_ulogsize
- This numeric value specifies the maximum number of
log entries to be retained for incremental propagation. The maximum value
is 2500; default is 1000.
- iprop_slave_poll
- This delta time string specifies how often the slave
KDC polls for new updates from the master. Default is "2m" (that
is, two minutes).
- supported_enctypes
- list of key:salt strings that specifies the default
key/salt combinations of principals for this realm
- reject_bad_transit
- this boolean specifies whether or not the list of
transited realms for cross-realm tickets should be checked against the
transit path computed from the realm names and the [capaths] section of
its krb5.conf file