krb5.conf

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your krb5.conf file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG.

The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form:

     foo = bar
     

or

     fubar = {
             foo = bar
             baz = quux
     }
     

Placing a `*' at the end of a line indicates that this is the final value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag.

For example, if you have the following lines:

     foo = bar*
     foo = baz
     

then the second value of foo (baz) would never be read.

The krb5.conf file may contain any or all of the following sections:

libdefaults
Contains default values used by the Kerberos V5 library.
login
Contains default values used by the Kerberos V5 login program.
appdefaults
Contains default values that can be used by Kerberos V5 applications.
realms
Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.
domain_realm
Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name.
logging
Contains relations which determine how Kerberos programs are to perform logging.
capaths
Contains the authentication paths used with direct (nonhierarchical) cross-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms.

If you are not using DNS TXT records, you must specify the default_realm in the libdefaults section. If you are not using DNS SRV records, you must include the kdc tag for each realm in the realms section. To communicate with the kadmin server in each realm, the admin_server tag must be set in the realms section. If your domain name and realm name are not the same, you must provide a translation in domain_realm. It is also highly recommended that you create a [logging] stanza if the computer will be functioning as a KDC so that the KDC and kadmind will generate logging output.

An example krb5.conf file:

     [libdefaults]
         default_realm = ATHENA.MIT.EDU
     
     [realms]
         ATHENA.MIT.EDU = {
             kdc = kerberos.mit.edu
             kdc = kerberos-1.mit.edu
             kdc = kerberos-2.mit.edu
             admin_server = kerberos.mit.edu
         }
     
     [logging]
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log
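
The following Python example is an addition to this page, not code from MIT Kerberos. It parses the format described above, applying the trailing `*` final-value rule as this page states it, and then checks the requirements listed before the example file. The function names and the sample text are made up for the illustration, and treating lines that begin with `#` or `;` as comments is an assumption.

```python
# Constructed sample: a final ('*') default_realm and a realm with no admin_server.
SAMPLE = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU*
    default_realm = EXAMPLE.COM
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
    }
"""

def parse_krb5_conf(text):
    """Return {section: {tag: [values]}}; a subsection value is a nested dict."""
    conf, final, stack = {}, set(), []  # final: ids of value lists closed by '*'
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError(f"unclosed '{{' before {line}")
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("'}' without a matching '{'")
            stack.pop()
        elif line and line[0] not in "#;":  # assumed comment markers
            tag, sep, value = (p.strip() for p in line.partition("="))
            if not sep or not stack:
                raise ValueError(f"not a relation inside a section: {line!r}")
            values = stack[-1].setdefault(tag, [])
            if value == "{":
                values.append({})
                stack.append(values[-1])
            elif id(values) not in final:  # nothing after a final value is read
                if value.endswith("*"):
                    final.add(id(values))
                values.append(value.rstrip("* "))
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of input")
    return conf

def check_requirements(conf, is_kdc=False):
    """Rules from the text for a host that uses no DNS TXT or SRV records."""
    ok = conf.get("libdefaults", {}).get("default_realm")
    problems = [] if ok else ["libdefaults: default_realm is not set"]
    for realm, values in conf.get("realms", {}).items():
        tags = next((v for v in values if isinstance(v, dict)), {})
        problems += [f"realms: {realm} has no {t}"
                     for t in ("kdc", "admin_server") if not tags.get(t)]
    if is_kdc and "logging" not in conf:
        problems.append("no [logging] stanza on a KDC host")
    return problems
```

Calling `check_requirements(parse_krb5_conf(SAMPLE), is_kdc=True)` reports the missing admin_server and the missing [logging] stanza, and the parsed default_realm holds only ATHENA.MIT.EDU because the first value was marked final.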
     

 
 
© 1985-2006 by the Massachusetts Institute of Technology - Reproduced with permission.