| KRB5.CONF(5) | File Formats Manual | KRB5.CONF(5) | 
krb5.conf —
#include <krb5/krb5.h>
The krb5.conf file specifies several configuration parameters for the Kerberos 5 library, as well as for some programs.
The file consists of one or more sections, containing a number of bindings. The value of each binding can be either a string or a list of other bindings. The grammar looks like:
file:
	/* empty */
	sections
sections:
	section sections
	section
section:
	'[' section_name ']' bindings
section_name:
	STRING
bindings:
	binding bindings
	binding
binding:
	name '=' STRING
	name '=' '{' bindings '}'
name:
	STRING
STRINGs consist of one or more non-whitespace characters.
STRINGs that are specified later in this man page use the following notation.
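A small reader for the grammar above, added here as an example (it is not Heimdal's own parser). It keeps every occurrence of a repeated binding, which the example configuration later on this page relies on (several name_canon_rules and kdc lines), and rejects unbalanced braces. Assumptions: one binding per line, and lines beginning with # are comments.

```python
import re

_SECTION = re.compile(r"^\[(\S+)\]$")
_BINDING = re.compile(r"^(\S+)\s*=\s*(.*)$")

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {name: [value, ...]}}; values are
    strings or nested dicts, and a repeated name keeps every occurrence."""
    root, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # assumption: '#' comments
            continue
        m = _SECTION.match(line)
        if m and not stack:                      # '[' section_name ']'
            section = root.setdefault(m.group(1), {})
            continue
        if line == "}":                          # closes name = '{' bindings '}'
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _BINDING.match(line)
        if not m or section is None:
            raise ValueError("cannot parse line: %r" % raw)
        name, value = m.group(1), m.group(2).strip()
        target = stack[-1] if stack else section
        if value == "{":                         # name = '{' bindings '}'
            nested = {}
            target.setdefault(name, []).append(nested)
            stack.append(nested)
        else:                                    # name = STRING
            target.setdefault(name, []).append(value)
    if stack:
        raise ValueError("unterminated '{'")
    return root

# Constructed sample modelled on the example configuration on this page.
SAMPLE = """[libdefaults]
    name_canon_rules = as-is:realm=FOO.SE
    name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        kdc = tcp/kdc2.foo.se:88
    }
"""
```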
Currently recognised sections and bindings are:
[appdefaults]
    The supported options are:
    forwardable = boolean
    proxiable = boolean
    no-addresses = boolean
    ticket_lifetime = time
    renew_lifetime = time
    encrypt = boolean
    forward = boolean
    historical_anon_pkinit = boolean
        If true, the kinit(1) --anonymous command with no principal argument
        specified will request an anonymous pkinit ticket from the default
        realm. If a principal argument is specified, it is used as an explicit
        realm name for anonymous pkinit even without an @ prefix.
[libdefaults]
    default_realm = REALM
        krb5_get_host_realm(local hostname).
    allow_weak_crypto = boolean
    clockskew = time
    kdc_timeout = time
    capath = {
        = next-hop-realm
    }
        capaths section below.
    default_cc_type = cctype
    default_cc_name = ccname
        default_cc_type. The string can contain variables that are expanded at
        runtime. The only supported variable currently is %{uid}, which expands
        to the current user id.
    default_etypes = etypes ...
    default_as_etypes = etypes ...
    default_tgs_etypes = etypes ...
    default_etypes_des = etypes ...
    default_keytab_name = keytab
    dns_lookup_kdc = boolean
    dns_lookup_realm = boolean
    kdc_timesync = boolean
    max_retries = number
    large_msg_size = number
    ticket_lifetime = time
    renew_lifetime = time
    forwardable = boolean
    proxiable = boolean
    verify_ap_req_nofail = boolean
    warn_pwexpire = time
    http_proxy = proxy-spec
    dns_proxy = proxy-spec
    extra_addresses = address ...
    time_format = string
    date_format = string
    log_utc = boolean
    scan_interfaces = boolean
    fcache_version = int
    fcc-mit-ticketflags = boolean
        TRUE makes it store the MIT way; this is the default for Heimdal 0.7.
    check-rd-req-server
    k5login_directory = directory
    k5login_authoritative = boolean
    kuserok = rule ...
    kuserok = DENY
    kuserok = SIMPLE
    kuserok = SYSTEM-K5LOGIN[:directory]
    kuserok = USER-K5LOGIN
    aname2lname-text-db = filename
    fcache_strict_checking
    name_canon_rules = rules
        NOTE: Name canonicalization rules are an experimental feature.
The first token is a rule type, one of: as-is, qualify, or nss.
Any remaining tokens must be option tokens: use_fast (use FAST to protect TGS exchanges; currently not supported), use_dnssec (use DNSSEC to protect hostname lookups; currently not supported), ccache_only, use_referrals, no_referrals, lookup_realm, mindots=N, maxdots=N, order=N, domain= domain, realm= realm, match_domain= domain, and match_realm= realm.
When trying to obtain a service ticket for a host-based service principal name, name canonicalization rules are applied to that name in the order given, one by one, until one succeeds (a service ticket is obtained) or all fail. The same applies when acquiring GSS initiator credentials from a keytab, and when comparing a non-canonical GSS name to a canonical one.
For each rule the system checks that the hostname has at least mindots periods in it (if given), at most maxdots periods (if given), that the hostname ends in the given match_domain (if given), and that the realm of the principal matches the match_realm (if given).
As-is rules leave the hostname unmodified but may set a realm. Qualify rules qualify the hostname with the given domain and also may set the realm. The nss rule uses the system resolver to look up the host's canonical name and is usually not secure. Note that using the nss rule type implies having to have principal aliases in the HDB (though not necessarily in keytabs).
The empty realm denotes "ask the client's realm's TGS". The empty realm may be set as well as matched.
The order in which rules are applied is as follows: first all the rules with explicit order then all other rules in the order in which they appear. If any two rules have the same explicit order, their order of appearance in krb5.conf breaks the tie. Explicitly specifying order can be useful where tools read and write the configuration file without preserving parameter order.
Malformed rules are ignored.
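The rule processing described above, written out as an added Python example (not Heimdal's implementation): it parses the colon-separated rule strings, drops malformed ones, orders rules with an explicit order= ahead of the rest, applies the mindots/maxdots/match_domain/match_realm checks, and returns the (hostname, realm) candidates a service-ticket request would try in turn. Assumptions: a rule that sets no realm keeps the caller's realm, and an nss rule is applied only when a resolver callable is passed in, so the code runs offline.

```python
FLAGS = ("use_fast", "use_dnssec", "ccache_only", "use_referrals", "no_referrals", "lookup_realm")
INTS = ("mindots", "maxdots", "order")
STRS = ("domain", "realm", "match_domain", "match_realm")

def parse_rule(text):
    """Parse 'type:opt:key=value...'; return None for a malformed rule."""
    parts = text.split(":")
    rule = {"type": parts[0], "flags": set()}
    if rule["type"] not in ("as-is", "qualify", "nss"):
        return None
    for opt in parts[1:]:
        key, sep, val = opt.partition("=")
        if key in INTS and val.isdigit():
            rule[key] = int(val)
        elif key in STRS and sep:
            rule[key] = val                  # the empty realm is allowed
        elif key in FLAGS and not sep:
            rule["flags"].add(key)
        else:
            return None
    if rule["type"] == "qualify" and "domain" not in rule:
        return None                          # nothing to qualify with
    return rule

def ordered_rules(texts):
    """Rules with explicit order first (ties by appearance), then the rest."""
    parsed = [r for r in map(parse_rule, texts) if r is not None]
    explicit = sorted((r for r in parsed if "order" in r), key=lambda r: r["order"])
    return explicit + [r for r in parsed if "order" not in r]

def rule_matches(rule, hostname, realm):
    """The mindots/maxdots/match_domain/match_realm checks of one rule."""
    dots = hostname.count(".")
    return (rule.get("mindots", 0) <= dots <= rule.get("maxdots", dots)
            and hostname.endswith(rule.get("match_domain", ""))
            and realm == rule.get("match_realm", realm))

def candidates(texts, hostname, realm="", resolve=None):
    """Ordered (hostname, realm) pairs to try; nss applies only if resolve is given."""
    out = []
    for rule in ordered_rules(texts):
        if not rule_matches(rule, hostname, realm):
            continue
        new_realm = rule.get("realm", realm)  # assumption: keep realm if unset
        if rule["type"] == "as-is":
            out.append((hostname, new_realm))
        elif rule["type"] == "qualify":
            out.append((hostname + "." + rule["domain"], new_realm))
        elif resolve is not None:             # nss: needs the system resolver
            out.append((resolve(hostname), new_realm))
    return out
```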
    allow_hierarchical_capaths = boolean
[domain_realm]
    domain = realm
        The domain can be either the full name of a host or a trailing
        component; in the latter case the domain string should start with a
        period. The trailing component only matches hosts that are in the same
        domain, i.e. “.example.com” matches “foo.example.com”, but not
        “foo.test.example.com”.
        The realm may be the token `dns_locate', in which case the actual realm
        will be determined using DNS (independently of the setting of the
        `dns_lookup_realm' option).
[realms]
    = {
        kdc = [service/]host[:port]
            The optional service specifies over what medium the KDC should be
            contacted. Possible services are “udp”, “tcp”, and “http”. Http can
            also be written as “http://”. Default service is “udp” and “tcp”.
        admin_server = host[:port]
        kpasswd_server = host[:port]
        tgs_require_subkey
        auth_to_local_names = { }
        auth_to_local = HEIMDAL_DEFAULT
        auth_to_local = DEFAULT
        auth_to_local = DB:/path/to/db.txt
        auth_to_local = DB:/path/to/db
        auth_to_local = RULE:...
        auth_to_local = NONE
    }
[capaths]
    = {
        = hop-realm ...
    }
[logging]
    = destination
        destination for logging. See the krb5_openlog(3) manual page for a
        list of defined destinations.
[kdc]
    database = {
        dbname = [DATABASETYPE:]DATABASENAME
        realm = REALM
            realm stanza.
        mkey_file = FILENAME
        acl_file = PA FILENAME
        log_file = FILENAME
            ipropd-master for propagating changes to slaves. It is also used by
            kadmind and kadmin (when used with the -l option), and by all
            applications using libkadm5 with the local backend, for two-phase
            commit functionality. Slaves also use this. Setting this to
            /dev/null disables two-phase commit and incremental propagation.
            Use iprop-log to show the contents of this log file.
        log-max-size = number
    }
    max-request = SIZE
    require-preauth = BOOL
    ports = list of ports
    addresses = list of interfaces
    enable-http = BOOL
    tgt-use-strongest-session-key = BOOL
    svc-use-strongest-session-key = BOOL
    preauth-use-strongest-session-key = BOOL
    use-strongest-server-key = BOOL
    check-ticket-addresses = BOOL
    allow-null-ticket-addresses = BOOL
    allow-anonymous = BOOL
    historical_anon_realm = boolean
        If true, the client realm in anonymous pkinit AS replies will be the
        requested realm, rather than the RFC-conformant WELLKNOWN:ANONYMOUS
        realm. This can have a security impact on servers that expect to grant
        access to anonymous-but-authenticated-to-the-KDC users of the realm in
        question: they would also grant access to unauthenticated anonymous
        users. As such, it is not recommended to set this option to true.
    encode_as_rep_as_tgs_rep = BOOL
    kdc_warn_pwexpire = TIME
    logging = Logging
    hdb-ldap-structural-object structural object
    hdb-ldap-create-base creation dn
    enable-digest = BOOL
    digests_allowed = list of digests
        ntlm-v2.
    kx509_ca = file
    require_initial_kca_tickets = boolean
        kca_service service principal be INITIAL. This may be set on a
        per-realm basis as well as globally. Defaults to true for the global
        setting.
    kx509_include_pkinit_san = boolean
        id-pkinit-san certificate extension. This can be set on a per-realm
        basis as well as globally. Defaults to true for the global setting.
    kx509_template = file
    The kx509, kx509_template, kx509_include_pkinit_san, and
    require_initial_kca_tickets parameters may be set on a per-realm basis as
    well.
[kadmin]
    password_lifetime = time
    default_keys = keytypes...
        [(des|des3|etype):](pw-salt|afs3-salt)[:string]
        If etype is omitted it means everything, and if string is omitted it
        means the default salt string (for that principal and encryption
        type). Additional special values of keytypes are:
        v5
    default_key_rules = {
        = keytypes...
    }
    prune-key-history = BOOL
    use_v4_salt = BOOL
        default_keys = des3:pw-salt v4
        and is only left for backwards compatibility.
[password_quality]
    check_library = library-name
    check_function = function-name
    policy_libraries = library1 ... libraryN
    policies = policy1 ... policyN
KRB5_CONFIG points to the configuration file to read.
[libdefaults]
	default_realm = FOO.SE
	name_canon_rules = as-is:realm=FOO.SE
	name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
	name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
	name_canon_rules = nss
[domain_realm]
	.foo.se = FOO.SE
	.bar.se = FOO.SE
[realms]
	FOO.SE = {
		kdc = kerberos.foo.se
		default_domain = foo.se
	}
[logging]
	kdc = FILE:/var/heimdal/kdc.log
	kdc = SYSLOG:INFO
	default = SYSLOG:INFO:USER
[kadmin]
	default_key_rules = {
		*/ppp@* = arcfour-hmac-md5:pw-salt
	}
Since krb5.conf is read and parsed by the krb5 library, there are not many opportunities for programs to report parsing errors in any useful format. To help overcome this problem, there is a program verify_krb5_conf that reads krb5.conf and tries to emit useful diagnostics from parsing errors. Note that this program does not have any way of knowing what options are actually used and thus cannot warn about unknown or misspelled ones.
| May 4, 2005 | NetBSD 10.0 |