The file consists of one or more sections, containing a number of bindings. The value of each binding can be either a string or a list of other bindings. The grammar looks like:
file:
/* empty */
sections
sections:
section sections
section
section:
'[' section_name ']' bindings
section_name:
STRING
bindings:
binding bindings
binding
binding:
name '=' STRING
name '=' '{' bindings '}'
name:
STRING
STRINGs consist of one or more non-whitespace characters.
STRINGs that are specified later in this man page use the following notation.
Currently recognised sections and bindings are:
[appdefaults]
The supported options are:
forwardable = boolean
proxiable = boolean
no-addresses = boolean
ticket_lifetime = time
renew_lifetime = time
encrypt = boolean
forward = boolean
[libdefaults]
default_realm = REALM
local hostname).
clockskew = time
kdc_timeout = time
v4_name_convert
v4_instance_resolve
capath = = next-hop-realm
capaths section below.
default_cc_name = ccname
%{uid} that expands to the current user id.
default_etypes = etypes ...
default_etypes_des = etypes ...
default_keytab_name = keytab
dns_lookup_kdc = boolean
dns_lookup_realm = boolean
kdc_timesync = boolean
max_retries = number
large_msg_size = number
ticket_lifetime = time
renew_lifetime = time
forwardable = boolean
proxiable = boolean
verify_ap_req_nofail = boolean
warn_pwexpire = time
http_proxy = proxy-spec
dns_proxy = proxy-spec
extra_addresses = address ...
time_format = string
date_format = string
log_utc = boolean
scan_interfaces = boolean
fcache_version = int
krb4_get_tickets = boolean
fcc-mit-ticketflags = boolean
TRUE makes it store the MIT way; this is the default for Heimdal 0.7.
[domain_realm]
domain = realm
The domain can be either the full name of a host or a trailing component; in the latter case the domain string should start with a period. The trailing component only matches hosts that are in the same domain, i.e. ``.example.com'' matches ``foo.example.com'', but not ``foo.test.example.com''.
The realm may be the token `dns_locate', in which case the actual realm will be determined using DNS (independently of the setting of the `dns_lookup_realm' option).
[realms]
=
kdc = [service/]host[:port]
The optional service specifies over what medium the kdc should be contacted. Possible services are ``udp'', ``tcp'', and ``http''. Http can also be written as ``http://''. Default service is ``udp'' and ``tcp''.
admin_server = host[:port]
kpasswd_server = host[:port]
krb524_server = host[:port]
v4_instance_convert
v4_name_convert
default_domain
tgs_require_subkey
[capaths]
= = hop-realm ...
[logging]
= destination
destination for logging.
See the krb5_openlog(3) manual page for a list of defined destinations.
[kdc]
database =
dbname = DATABASENAME
realm = REALM
realm stanza.
mkey_file = FILENAME
acl_file = PA FILENAME
log_file = FILENAME
max-request = SIZE
require-preauth = BOOL
ports = list of ports
addresses = list of interfaces
enable-kerberos4 = BOOL
v4-realm = REALM
enable-524 = BOOL
enable-http = BOOL
enable-kaserver = BOOL
check-ticket-addresses = BOOL
allow-null-ticket-addresses = BOOL
allow-anonymous = BOOL
encode_as_rep_as_tgs_rep = BOOL
kdc_warn_pwexpire = TIME
logging = Logging
use_2b = = BOOL
principal.
hdb-ldap-structural-object structural object
hdb-ldap-create-base creation dn
[kadmin]
require-preauth = BOOL
password_lifetime = time
default_keys = keytypes...
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
If etype is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are:
v5
v4
use_v4_salt = BOOL
default_keys = des3:pw-salt v4 and is only left for backwards compatibility.
[password-quality]
check_library = library-name
check_function = function-name
policy_libraries = library1 ... libraryN
policies = policy1 ... policyN
KRB5_CONFIG points to the configuration file to read.
/etc/krb5.conf
[libdefaults]
        default_realm = FOO.SE
[domain_realm]
        .foo.se = FOO.SE
        .bar.se = FOO.SE
[realms]
        FOO.SE = {
                kdc = kerberos.foo.se
                v4_name_convert = {
                        rcmd = host
                }
                v4_instance_convert = {
                        xyz = xyz.bar.se
                }
                default_domain = foo.se
        }
[logging]
        kdc = FILE:/var/heimdal/kdc.log
        kdc = SYSLOG:INFO
        default = SYSLOG:INFO:USER
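The grammar given at the top of this page, implemented as an added example (not Heimdal's own parser): a small Python reader that follows the section and binding rules, nests on '{' and '}', keeps repeated names such as the two kdc lines under [logging] in file order, and rejects unbalanced braces. Taking a value as the rest of the line rather than a single non-whitespace STRING is an assumption made to match how Heimdal's reader behaves, so a value like des3:pw-salt v4 survives; the input below is constructed from the example above.

```python
import re
SECTION_RE = re.compile(r"^\[([^\]\s]+)\]$")         # '[' section_name ']'
BINDING_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")   # name '=' value

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {name: [value, ...]}}. A repeated
    name keeps every value in file order; a value is the rest of the line (as
    Heimdal reads it) or, when the line ends in '{', the nested bindings."""
    sections = {}
    stack = []  # binding lists still open, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: '{{' not closed before section")
            stack = [sections.setdefault(m.group(1), {})]
        elif not stack:
            raise ValueError(f"line {lineno}: binding outside any section")
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif m := BINDING_RE.match(line):
            name, value = m.groups()
            target = stack[-1].setdefault(name, [])
            if value == "{":
                value = {}          # nested list of bindings
                stack.append(value)
            target.append(value)
        else:
            raise ValueError(f"line {lineno}: expected 'name = value'")
    if len(stack) > 1:
        raise ValueError("'{' still open at end of file")
    return sections

# Constructed input: the [realms] and [logging] parts of the page's example.
EXAMPLE = """\
[realms]
FOO.SE = {
    kdc = kerberos.foo.se
    v4_name_convert = {
        rcmd = host
    }
}
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
"""
```

Calling parse_krb5_conf(EXAMPLE) yields the two [logging] kdc destinations as a list and the [realms] FOO.SE bindings as a nested dictionary.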