1 .\" Copyright 1995, 2008 by the Massachusetts Institute of Technology.
3 .\" Export of this software from the United States of America may
4 .\" require a specific license from the United States Government.
5 .\" It is the responsibility of any person or organization contemplating
6 .\" export to obtain such a license before exporting.
8 .\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
9 .\" distribute this software and its documentation for any purpose and
10 .\" without fee is hereby granted, provided that the above copyright
11 .\" notice appear in all copies and that both that copyright notice and
12 .\" this permission notice appear in supporting documentation, and that
13 .\" the name of M.I.T. not be used in advertising or publicity pertaining
14 .\" to distribution of the software without specific, written prior
15 .\" permission. Furthermore if you modify this software you must label
16 .\" your software as modified software and not distribute it in such a
17 .\" fashion that it might be confused with the original M.I.T. software.
18 .\" M.I.T. makes no representations about the suitability of
19 .\" this software for any purpose. It is provided "as is" without express
20 .\" or implied warranty.
24 kdc.conf \- Kerberos V5 KDC configuration file
27 specifies per-realm configuration data to be used by the Kerberos V5
28 Authentication Service and Key Distribution Center (AS/KDC). This
29 includes database, key and per-realm defaults.
33 file uses the same format as the
35 file. For a basic description of the syntax, please refer to the
39 The following sections are currently used in the
43 Contains parameters which control the overall behaviour of the KDC.
45 Contains subsections keyed by Kerberos realm names which describe per-realm
47 .SH KDCDEFAULTS SECTION
48 The following relations are defined in the
52 This relation lists the ports which the Kerberos server should listen
53 on, by default. This list is a comma separated list of integers. If
54 this relation is not specified, the compiled-in default is usually
57 This relation lists the ports on which the Kerberos server should
58 listen for TCP connections by default. This list is a comma separated
60 If this relation is not specified, the compiled-in default is not to
61 listen for TCP connections at all.
63 If you wish to change this (which we do not recommend, because the
64 current implementation has little protection against denial-of-service
65 attacks), the standard port number assigned for Kerberos TCP traffic
70 specifies how the KDC should respond to Kerberos IV packets. Valid
71 values for this relation are the same as the valid arguments to the
75 If this relation is not specified, the compiled-in default of
82 section of the file names a Kerberos realm. The value of the tag is a
83 subsection where the relations in that subsection define KDC parameters for
84 that particular realm.
86 For each realm, the following tags may be specified in the
93 specifies the location of the access control list (acl) file that
94 kadmin uses to determine which principals are allowed which permissions
95 on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
100 Specifies the location of the keytab file that kadmin uses to
101 authenticate to the database. The default value is
102 /usr/local/var/krb5kdc/kadm5.keytab.
107 specifies the location of the Kerberos database for this realm.
109 .IP default_principal_expiration
111 .B absolute time string
112 specifies the default expiration date of principals created in this realm.
114 .IP default_principal_flags
117 specifies the default attributes of principals created in this realm.
118 The format for the string is a comma-separated list of flags, with '+'
119 before each flag to be enabled and '-' before each flag to be
120 disabled. The default is for postdateable, forwardable, tgt-based,
121 renewable, proxiable, dup-skey, allow-tickets, and service to be
122 enabled, and all others to be disabled.
124 There are a number of possible flags:
128 Enabling this flag allows the principal to obtain postdateable tickets.
131 Enabling this flag allows the principal to obtain forwardable tickets.
134 Enabling this flag allows a principal to obtain tickets based on a
135 ticket-granting-ticket, rather than repeating the authentication
136 process that was used to obtain the TGT.
139 Enabling this flag allows the principal to obtain renewable tickets.
142 Enabling this flag allows the principal to obtain proxy tickets.
145 Enabling this flag allows the principal to obtain a session key for
146 another user, permitting user-to-user authentication for this principal.
149 Enabling this flag means that the KDC will issue tickets for this
150 principal. Disabling this flag essentially deactivates the principal
154 If this flag is enabled on a client principal, then that principal is
155 required to preauthenticate to the KDC before receiving any tickets.
156 On a service principal, enabling this flag means that service tickets
157 for this principal will only be issued to clients with a TGT that has
158 the preauthenticated ticket set.
161 If this flag is enabled, then the principal is required to
162 preauthenticate using a hardware device before receiving any tickets.
165 Enabling this flag forces a password change for this principal.
168 Enabling this flag allows the the KDC to issue service tickets for this
172 If this flag is enabled, it marks this principal as a password change
173 service. This should only be used in special cases, for example, if a
174 user's password has expired, the user has to get tickets for that
175 principal to be able to change it without going through the normal
176 password authentication.
182 location of the dictionary file containing strings that are not allowed
183 as passwords. If this tag is not set or if there is no policy assigned
184 to the principal, then no check will be done.
189 specifies the port on which the kadmind daemon is to listen for this
195 specifies the port on which the kadmind daemon is to listen for this
201 specifies the location where the master key has been stored with
207 specifies the list of ports that the KDC is to listen to for this realm.
208 By default, the value of
217 specifies the list of ports that the KDC is to listen to
218 for TCP requests for this realm. By default, the value of
227 specifies the name of the principal associated with the master key.
228 The default value is K/M.
233 represents the master key's key type.
238 specifies the maximum time period that a ticket may be valid for in
241 .IP max_renewable_life
244 specifies the maximum time period that a ticket may be renewed for in
250 ("true" or "false") specifies whether incremental database propagation
251 is enabled. The default is "false".
253 .IP iprop_master_ulogsize
256 specifies the maximum number of log entries to be retained for
257 incremental propagation. The maximum value is 2500; default is 1000.
262 specifies how often the slave KDC polls for new updates from the
263 master. Default is "2m" (that is, two minutes).
265 .IP supported_enctypes
266 list of key:salt strings that specifies the default key/salt
267 combinations of principals for this realm
269 .IP reject_bad_transit
272 specifies whether or not the list of transited realms for cross-realm
273 tickets should be checked against the transit path computed from the
274 realm names and the [capaths] section of its krb5.conf file
277 /usr/local/var/krb5kdc/kdc.conf
280 krb5.conf(5), krb5kdc(8)