|
The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. This file must reside on all KDC servers. After you make any changes to the kdc.conf file, stop and restart
the krb5kdc daemon on the KDC for the changes to take effect.
The format of the kdc.conf consists of section headings in square brackets ([]). Each section contains zero or more configuration variables (called relations), of the form of:
|
relation = relation-value
|
or
|
relation-subsection = {
relation = relation-value
relation = relation-value
}
|
The kdc.conf file contains one of more of the following three sections:
-
kdcdefaults
- Contains default values for overall behavior of the KDC.
-
realms
- Contains subsections for Kerberos realms, where relation-subsection is the name of a realm. Each subsection contains relations that define KDC properties for that particular realm, including
where to find the Kerberos servers for that realm.
-
logging
- Contains relations that determine how Kerberos programs perform logging.
The kdcdefaults Section
|
The following relation can be defined in the [kdcdefaults] section:
-
kdc_ports
- This relation lists the ports on which the Kerberos server should listen by default. This list is a comma-separated list of integers. If this relation is not specified, the Kerberos server listens on port 750
and port 88.
|
The realms Section
|
This section contains subsections for Kerberos realms, where relation-subsection is the name of a realm. Each subsection contains relations that define KDC properties for that particular realm.
The following relations can be specified in each subsection:
-
acl_file
- (string) Location of the Kerberos V5 access control list (ACL) file that kadmin uses to determine the privileges allowed to each principal on the database. The default location is /etc/krb5/kadm5.acl.
-
admin_keytab
- (string) Location of the keytab file that kadmin uses to authenticate to the database. The default location is /etc/krb5/kadm5.keytab.
-
database_name
- (string) Location of the Kerberos database for this realm. The default location is /var/krb5/principal.db.
-
default_principal_expiration
- (absolute time string) The default expiration date of principals created in this realm. See the Time Format section in kinit(1) for the valid absolute time formats you can use for default_principal_expiration.
-
default_principal_flags
- (flag string) The default attributes of principals created in this realm.
-
dict_file
- (string) Location of the dictionary file containing strings that are not allowed as passwords. A principal with any password policy is not allowed to select a password in the dictionary. The default location is /var/krb5/kadm5.dict.
-
encryption_type
- (encryption type string) The encryption type used for this realm. The des-cbc-crc and des-cbc-md5 encryption types are supported at this time.
-
kadmind_port
- (port number) The port that the kadmind daemon is to listen on for this realm. The assigned port for kadmind is 749.
-
key_stash_file
- (string) Location where the master key has been stored (by kdb5_util stash). The default location is /var/krb5/.k5.realm, where realm
is the Kerberos realm.
-
kdc_ports
- (string) The list of ports that the KDC listens on for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used.
-
master_key_name
- (string) The name of the master key.
-
master_key_type
- (key type string) The master key's key type. Only des-cbc-crc is supported at this time.
-
max_life
- (delta time string) The maximum time period for which a ticket is valid in this realm. See the Time Format section in kinit(1) for the valid time duration formats you can use for max_life.
-
max_renewable_life
- (delta time string) The maximum time period during which a valid ticket can be renewed in this realm. See the Time Format section in kinit(1) for the valid time duration formats you can use for max_renewable_life.
-
supported_enctypes
- List of key/salt strings. The default key/salt combinations of principals for this realm. The key is separated from the salt by a period (.). Multiple key/salt strings can be used by separating each string with a space. The salt is additional information encoded within the key that tells what kind of key it is. Only the normal salt is supported at this time, for example, des-cbc-crc:normal.
|
The logging Section
|
This section indicates how Kerberos programs perform logging. The same relation can be repeated if you want to assign it multiple logging methods. The following relations can be defined in the [logging] section:
-
kdc
- Specifies how the KDC is to perform its logging. The default is FILE:/var/krb5/kdc.log.
-
admin_server
- Specifies how the administration server is to perform its logging. The default is FILE:/var/krb5/kadmin.log.
-
default
- Specifies how to perform logging in the absence of explicit specifications.
The [logging] relations can have the following values:
FILE:filename
or
-
FILE=filename
- This value causes the entity's logging messages to go to the specified file. If the `=' form is used, the file is overwritten. If the `:' form is used, the file is appended to.
-
STDERR
- This value sends the entity's logging messages to its standard error stream.
-
CONSOLE
- This value sends the entity's logging messages to the console, if the system supports it.
-
DEVICE=devicename
- This sends the entity's logging messages to the specified device.
-
SYSLOG[:severity[:facility]]
- This sends the entity's logging messages to the system log.
The severity argument specifies the default severity of system log messages. This default can be any of the following severities supported by the syslog(3C) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity.
The facility argument specifies the facility under which the messages are logged. This can be any of the following facilities supported by the syslog(3C) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH.
In the following example, the logging messages from the KDC go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; the logging messages from the administration server are appended to the /var/krb5/kadmin.log file and sent to the /dev/tty04 device.
|
[logging]
kdc = CONSOLE
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/export/logging/kadmin.log
admin_server = DEVICE=/dev/tty04
|
|
|