The file consists of one or more sections, each containing a number of bindings. The value of each binding can be either a string or a list of other bindings. The grammar looks like:

    file:
            /* empty */
            sections

    sections:
            section sections
            section

    section:
            '[' section_name ']' bindings

    section_name:
            STRING

    bindings:
            binding bindings
            binding

    binding:
            name '=' STRING
            name '=' '{' bindings '}'

    name:
            STRING

A STRING consists of one or more non-whitespace characters. STRINGs that are specified later in this man page use the following notation.
Currently recognised sections and bindings are:

[appdefaults]
    The supported options are:
    forwardable = boolean
    proxiable = boolean
    no-addresses = boolean
    ticket_lifetime = time
    renew_lifetime = time
    encrypt = boolean
    forward = boolean
[libdefaults]
    default_realm = REALM
        local hostname).
    clockskew = time
    kdc_timeout = time
    v4_name_convert
    v4_instance_resolve
    capath = {
        = next-hop-realm
    }
        See the capaths section below.
    default_cc_name = ccname
        %{uid}, which expands to the current user id.
    default_etypes = etypes ...
    default_etypes_des = etypes ...
    default_keytab_name = keytab
    dns_lookup_kdc = boolean
    dns_lookup_realm = boolean
    kdc_timesync = boolean
    max_retries = number
    large_msg_size = number
    ticket_lifetime = time
    renew_lifetime = time
    forwardable = boolean
    proxiable = boolean
    verify_ap_req_nofail = boolean
    warn_pwexpire = time
    http_proxy = proxy-spec
    dns_proxy = proxy-spec
    extra_addresses = address ...
    time_format = string
    date_format = string
    log_utc = boolean
    scan_interfaces = boolean
    fcache_version = int
    krb4_get_tickets = boolean
    fcc-mit-ticketflags = boolean
        TRUE makes it store the MIT way; this is the default for Heimdal 0.7.
[domain_realm]
    domain = realm
        The domain can be either the full name of a host or a trailing component; in the latter case the domain string should start with a period. A trailing component only matches hosts that are in the same domain, i.e. ``.example.com'' matches ``foo.example.com'' but not ``foo.test.example.com''.
        The realm may be the token `dns_locate', in which case the actual realm will be determined using DNS (independently of the setting of the `dns_lookup_realm' option).
[realms]
    REALM = {
        kdc = [service/]host[:port]
            The optional service specifies over what medium the KDC should be contacted. Possible services are ``udp'', ``tcp'' and ``http''; ``http'' can also be written as ``http://''. The default services are ``udp'' and ``tcp''.
        admin_server = host[:port]
        kpasswd_server = host[:port]
        krb524_server = host[:port]
        v4_instance_convert
        v4_name_convert
        default_domain
        tgs_require_subkey
    }
[capaths]
    = {
        = hop-realm ...
    }
[logging]
    = destination
        destination for logging. See the krb5_openlog(3) manual page for a list of defined destinations.
[kdc]
    database = {
        dbname = DATABASENAME
        realm = REALM
            realm stanza.
        mkey_file = FILENAME
        acl_file = PA FILENAME
        log_file = FILENAME
    }
    max-request = SIZE
    require-preauth = BOOL
    ports = list of ports
    addresses = list of interfaces
    enable-kerberos4 = BOOL
    v4-realm = REALM
    enable-524 = BOOL
    enable-http = BOOL
    enable-kaserver = BOOL
    check-ticket-addresses = BOOL
    allow-null-ticket-addresses = BOOL
    allow-anonymous = BOOL
    encode_as_rep_as_tgs_rep = BOOL
    kdc_warn_pwexpire = TIME
    logging = Logging
    use_2b = {
        = BOOL
    }
        principal.
    hdb-ldap-structural-object = structural object
    hdb-ldap-create-base = creation dn
[kadmin]
    require-preauth = BOOL
    password_lifetime = time
    default_keys = keytypes...
        [(des|des3|etype):](pw-salt|afs3-salt)[:string]
        If etype is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are:
        v5
        v4
    use_v4_salt = BOOL
        default_keys = des3:pw-salt v4 and is only left for backwards compatibility.
[password-quality]
    check_library = library-name
    check_function = function-name
    policy_libraries = library1 ... libraryN
    policies = policy1 ... policyN

KRB5_CONFIG points to the configuration file to read.

/etc/krb5.conf
    [libdefaults]
        default_realm = FOO.SE
    [domain_realm]
        .foo.se = FOO.SE
        .bar.se = FOO.SE
    [realms]
        FOO.SE = {
            kdc = kerberos.foo.se
            v4_name_convert = {
                rcmd = host
            }
            v4_instance_convert = {
                xyz = xyz.bar.se
            }
            default_domain = foo.se
        }
    [logging]
        kdc = FILE:/var/heimdal/kdc.log
        kdc = SYSLOG:INFO
        default = SYSLOG:INFO:USER
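The grammar from the start of this page, implemented as a strict parser and run over a cut-down copy of the example above. This is an added illustration, not Heimdal's own parser; the sample input is constructed, and merging a repeated section name into the earlier one is an assumption the man page does not state.

```python
import re
_SECTION, _OPEN = re.compile(r"^\[(\S+)\]$"), re.compile(r"^(\S+)\s*=\s*\{$")
_BINDING = re.compile(r"^(\S+)\s*=\s*(\S+)$")  # name = STRING (no whitespace)
# Constructed input: a cut-down copy of the example configuration above.
SAMPLE = """
[libdefaults]
    default_realm = FOO.SE
[realms]
    FOO.SE = {
        kdc = kerberos.foo.se
        v4_name_convert = {
            rcmd = host
        }
    }
[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
"""
def parse_krb5_conf(text):
    """{section: [(name, value), ...]}; value is a STRING or a nested list."""
    sections, stack = {}, []  # stack: open binding lists, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not (line := raw.strip()):
            continue
        if m := _SECTION.match(line):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: '[' inside an open '{{'")
            stack = [sections.setdefault(m.group(1), [])]  # repeats merge (assumption)
        elif not stack:
            raise ValueError(f"line {lineno}: binding before any [section]")
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without a matching '{{'")
            stack.pop()
        elif m := _OPEN.match(line):
            stack.append(nested := [])  # name = { ... } opens a nested binding list
            stack[-2].append((m.group(1), nested))
        elif m := _BINDING.match(line):
            stack[-1].append((m.group(1), m.group(2)))  # order kept; kdc may repeat
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) > 1:
        raise ValueError("end of file inside an open '{'")
    return sections
def get_all(conf, section, *path):
    # Every STRING value at section/path, in file order ([] when absent).
    nodes = [conf.get(section, [])]
    for name in path:
        nodes = [v for node in nodes if isinstance(node, list) for n, v in node if n == name]
    return [v for v in nodes if isinstance(v, str)]
```

Note that a repeated name such as the two kdc lines under [logging] is returned as two values rather than silently overwritten, which is what you want when checking where a KDC actually logs.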