. means new line

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11885 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2003-03-19 21:01:39 +00:00
parent ddb0a600d4
commit 4e82382d40


@@ -44,8 +44,10 @@ file specifies several configuration parameters for the Kerberos 5
library, as well as for some programs.
.Pp
The file consists of one or more sections, containing a number of
bindings. The value of each binding can be either a string or a list
of other bindings. The grammar looks like:
bindings.
The value of each binding can be either a string or a list of other
bindings.
The grammar looks like:
.Bd -literal -offset indent
file:
/* empty */
@@ -82,8 +84,8 @@ notation.
.It boolean
values can be either yes/true or no/false.
.It time
values can be a list of year, month, day, hour, min, second. Example:
1 month 2 days 30 min.
values can be a list of year, month, day, hour, min, second.
Example: 1 month 2 days 30 min.
.It etypes
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
des3-cbc-sha1.
@@ -96,7 +98,8 @@ Currently recognised sections and bindings are:
.It Li [appdefaults]
Specifies the default values to be used for Kerberos applications.
You can specify defaults per application, realm, or a combination of
these. The preference order is:
these.
The preference order is:
.Bl -enum -compact
.It
.Va application Va realm Va option
@@ -131,7 +134,8 @@ The default is the result of
.Fn krb5_get_host_realm "local hostname" .
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times. Default is 300 seconds (five minutes).
times.
Default is 300 seconds (five minutes).
.It Li kdc_timeout = Va time
Maximum time to wait for a reply from the kdc, default is 3 seconds.
.It v4_name_convert
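Review bot: the kdc_timeout entry on the context line "Maximum time to wait for a reply from the kdc, default is 3 seconds." still joins its default to the description with a comma, while this hunk gives the clockskew default its own sentence and line. Split it the same way ("Default is 3 seconds.") so the two adjacent entries follow the same one-sentence-per-line layout.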
@@ -185,12 +189,15 @@ When obtaining initial credentials, make the credentials proxiable.
This option is also valid in the [realms] section.
.It Li verify_ap_req_nofail = Va boolean
If enabled, failure to verify credentials against a local key is a
fatal error. The application has to be able to read the corresponding
service key for this to work. Some applications, like
fatal error.
The application has to be able to read the corresponding service key
for this to work.
Some applications, like
.Xr su 8 ,
enable this option unconditionally.
.It Li warn_pwexpire = Va time
How soon to warn for expiring password. Default is seven days.
How soon to warn for expiring password.
Default is seven days.
.It Li http_proxy = Va proxy-spec
A HTTP-proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
@@ -218,8 +225,8 @@ and other programs.
This option is also valid in the [realms] section.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm. Each
binding in this section looks like:
This is a list of mappings from DNS domain to Kerberos realm.
Each binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
@@ -234,7 +241,8 @@ of the `dns_lookup_realm' option).
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va [service/]host[:port]
Specifies a list of kdcs for this realm. If the optional
Specifies a list of kdcs for this realm.
If the optional
.Va port
is absent, the
default value for the
@@ -248,7 +256,8 @@ The kdcs will be used in the order that they are specified.
The optional
.Va service
specifies over what medium the kdc should be
contacted. Possible services are
contacted.
Possible services are
.Dq udp ,
.Dq tcp ,
and
@@ -267,8 +276,8 @@ Points to the server where all the password changes are performed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li krb524_server = Va host[:port]
Points to the server that does 524 conversions. If it is not
mentioned, the krb524 port on the kdcs will be tried.
Points to the server that does 524 conversions.
If it is not mentioned, the krb524 port on the kdcs will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
@@ -284,7 +293,8 @@ Specifies that
.Va entity
should use the specified
.Li destination
for logging. See the
for logging.
See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
@@ -304,8 +314,8 @@ will be used.
.It acl_file Li = PA FILENAME
Use this file for the ACL list of this database.
.It log_file Li = Pa FILENAME
Use this file as the log of changes performed to the database. This
file is used by
Use this file as the log of changes performed to the database.
This file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
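Review bot: the context line ".It acl_file Li = PA FILENAME" spells the macro as "PA", but mdoc macro names are case-sensitive, so it is not parsed as the "Pa" macro used by the next entry (".It log_file Li = Pa FILENAME") and appears as literal text instead. Since this hunk already touches the list, change it to "Pa" here as well.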
@@ -313,8 +323,8 @@ for propagating changes to slaves.
.It max-request = Va SIZE
Maximum size of a kdc request.
.It require-preauth = Va BOOL
If set pre-authentication is required. Since krb4 requests are not
pre-authenticated they will be rejected.
If set pre-authentication is required.
Since krb4 requests are not pre-authenticated they will be rejected.
.It ports = Va "list of ports"
List of ports the kdc should listen to.
.It addresses = Va "list of interfaces"
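Review bot: the rewritten require-preauth line "If set pre-authentication is required." is missing a comma after the conditional; since the line is being rewritten anyway, make it "If set, pre-authentication is required." The following sentence would read better with one too: "Since krb4 requests are not pre-authenticated, they will be rejected."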
@@ -365,7 +375,9 @@ syntax of this if something like:
.Pp
If
.Ar etype
is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keytypes are:
is omitted it means everything, and if string is omitted is means the
default string (for that principal).
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It v5
The kerberos 5 salt
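Review bot: the reflowed sentence carries over the typo "if string is omitted is means the default string"; it should read "it means", matching the first half of the sentence ("is omitted it means everything"). Fix it in the same change, since these lines are being rewritten.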
@@ -418,9 +430,10 @@ To help overcome this problem, there is a program
.Nm verify_krb5_conf
that reads
.Nm
and tries to emit useful diagnostics from parsing errors. Note that
this program does not have any way of knowing what options are
actually used and thus cannot warn about unknown or misspelled ones.
and tries to emit useful diagnostics from parsing errors.
Note that this program does not have any way of knowing what options
are actually used and thus cannot warn about unknown or misspelled
ones.
.Sh SEE ALSO
.Xr kinit 1 ,
.Xr krb5_425_conv_principal 3 ,