NAME
kdc.conf − Key Distribution Center (KDC) configuration file
SYNOPSIS
/etc/krb5/kdc.conf
DESCRIPTION
The kdc.conf file contains KDC configuration information, including defaults used when issuing Kerberos tickets. This file must reside on all KDC servers. After you make any changes to the kdc.conf file, stop and restart the krb5kdc daemon on the KDC for the changes to take effect.
The format of the kdc.conf consists of section headings in square brackets ([]). Each section contains zero or more configuration variables (called relations), of the form of:
relation
= relation-value
or
relation-subsection
= {
relation = relation-value
relation = relation-value
}
The
kdc.conf file contains one of more of the following
three sections:
kdcdefaults
Contains default values for overall behavior of the KDC.
realms
Contains subsections for Kerberos realms, where relation-subsection is the name of a realm. Each subsection contains relations that define KDC properties for that particular realm, including where to find the Kerberos servers for that realm.
logging
Contains relations that determine how Kerberos programs perform logging.
The
kdcdefaults Section
The following relation can be defined in the
[kdcdefaults] section:
kdc_ports
This relation lists the ports on which the Kerberos server should listen by default. This list is a comma-separated list of integers. If this relation is not specified, the Kerberos server listens on port 750 and port 88.
The
realms Section
This section contains subsections for Kerberos realms, where
relation-subsection is the name of a realm. Each
subsection contains relations that define KDC
properties for that particular realm.
The following
relations can be specified in each subsection:
acl_file
(string) Location of the Kerberos V5 access control list (ACL) file that kadmin uses to determine the privileges allowed to each principal on the database. The default location is /etc/krb5/kadm5.acl.
admin_keytab
(string) Location of the keytab file that kadmin uses to authenticate to the database. The default location is /etc/krb5/kadm5.keytab.
database_name
(string) Location of the Kerberos database for this realm. The default location is /var/krb5/principal.db.
default_principal_expiration
(absolute time string) The default expiration date of principals created in this realm. See the Time Format section in kinit(1) for the valid absolute time formats you can use for default_principal_expiration.
default_principal_flags
(flag string) The default attributes of principals created in this realm.
dict_file
(string) Location of the dictionary file containing strings that are not allowed as passwords. A principal with any password policy is not allowed to select a password in the dictionary. The default location is /var/krb5/kadm5.dict.
encryption_type
(encryption type string) The encryption type used for this realm. The des-cbc-crc and des-cbc-md5 encryption types are supported at this time.
kadmind_port
(port number) The port that the kadmind daemon is to listen on for this realm. The assigned port for kadmind is 749.
key_stash_file
(string) Location where the master key has been stored (by kdb5_util stash). The default location is /var/krb5/.k5.realm, where realm is the Kerberos realm.
kdc_ports
(string) The list of ports that the KDC listens on for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used.
master_key_name
(string) The name of the master key.
master_key_type
(key type string) The master key’s key type. Only des-cbc-crc is supported at this time.
max_life
(delta time string) The maximum time period for which a ticket is valid in this realm. See the Time Format section in kinit(1) for the valid time duration formats you can use for max_life.
max_renewable_life
(delta time string) The maximum time period during which a valid ticket can be renewed in this realm. See the Time Format section in kinit(1) for the valid time duration formats you can use for max_renewable_life.
supported_enctypes
List of key/salt strings. The default key/salt combinations of principals for this realm. The key is separated from the salt by a period (.). Multiple key/salt strings can be used by separating each string with a space. The salt is additional information encoded within the key that tells what kind of key it is. Only the normal salt is supported at this time, for example, des-cbc-crc:normal.
The
logging Section
This section indicates how Kerberos programs perform
logging. The same relation can be repeated if you want to
assign it multiple logging methods. The following relations
can be defined in the [logging] section:
kdc |
Specifies how the KDC is to perform its logging. The default is FILE:/var/krb5/kdc.log. |
admin_server
Specifies how the administration server is to perform its logging. The default is FILE:/var/krb5/kadmin.log.
default
Specifies how to perform logging in the absence of explicit specifications.
The [logging] relations can have the following values:
FILE:filename
or
FILE=filename
This value causes the entity’s logging messages to go to the specified file. If the ’=’ form is used, the file is overwritten. If the ’:’ form is used, the file is appended to.
STDERR
This value sends the entity’s logging messages to its standard error stream.
CONSOLE
This value sends the entity’s logging messages to the console, if the system supports it.
DEVICE=devicename
This sends the entity’s logging messages to the specified device.
SYSLOG[:severity[:facility]]
This sends the entity’s logging messages to the system log.
The severity argument specifies the default severity of system log messages. This default can be any of the following severities supported by the syslog(3C) call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. For example, a value of CRIT would specify LOG_CRIT severity.
The facility argument specifies the facility under which the messages are logged. This can be any of the following facilities supported by the syslog(3C) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and LOG_LOCAL0 through LOG_LOCAL7.
If no severity is specified, the default is ERR. If no facility is specified, the default is AUTH.
In the following example, the logging messages from the KDC go to the console and to the system log under the facility LOG_DAEMON with default severity of LOG_INFO; the logging messages from the administration server are appended to the /var/krb5/kadmin.log file and sent to the /dev/tty04 device.
[logging]
kdc = CONSOLE
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/export/logging/kadmin.log
admin_server = DEVICE=/dev/tty04
EXAMPLES
Example 1: Sample kdc.conf File
The following is an example of a kdc.conf file:
[kdcdefaults]
kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal
}
[logging]
kdc = FILE:/export/logging/kdc.log
admin_server = FILE:/export/logging/kadmin.log
FILES
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin/admin Principal.
/var/krb5/principal.db
Kerberos principal database.
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as passwords.
/var/krb5/kdc.log
KDC logging file.
/var/krb5/kadmin.log
Kerberos administration server logging file.
SEE ALSO
kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M), syslog(3C), kadm5.acl(4), SEAM(5)