. means new line
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11885 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -44,8 +44,10 @@ file specifies several configuration parameters for the Kerberos 5
|
||||
library, as well as for some programs.
|
||||
.Pp
|
||||
The file consists of one or more sections, containing a number of
|
||||
bindings. The value of each binding can be either a string or a list
|
||||
of other bindings. The grammar looks like:
|
||||
bindings.
|
||||
The value of each binding can be either a string or a list of other
|
||||
bindings.
|
||||
The grammar looks like:
|
||||
.Bd -literal -offset indent
|
||||
file:
|
||||
/* empty */
|
||||
@@ -82,8 +84,8 @@ notation.
|
||||
.It boolean
|
||||
values can be either yes/true or no/false.
|
||||
.It time
|
||||
values can be a list of year, month, day, hour, min, second. Example:
|
||||
1 month 2 days 30 min.
|
||||
values can be a list of year, month, day, hour, min, second.
|
||||
Example: 1 month 2 days 30 min.
|
||||
.It etypes
|
||||
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
|
||||
des3-cbc-sha1.
|
||||
@@ -96,7 +98,8 @@ Currently recognised sections and bindings are:
|
||||
.It Li [appdefaults]
|
||||
Specifies the default values to be used for Kerberos applications.
|
||||
You can specify defaults per application, realm, or a combination of
|
||||
these. The preference order is:
|
||||
these.
|
||||
The preference order is:
|
||||
.Bl -enum -compact
|
||||
.It
|
||||
.Va application Va realm Va option
|
||||
@@ -131,7 +134,8 @@ The default is the result of
|
||||
.Fn krb5_get_host_realm "local hostname" .
|
||||
.It Li clockskew = Va time
|
||||
Maximum time differential (in seconds) allowed when comparing
|
||||
times. Default is 300 seconds (five minutes).
|
||||
times.
|
||||
Default is 300 seconds (five minutes).
|
||||
.It Li kdc_timeout = Va time
|
||||
Maximum time to wait for a reply from the kdc, default is 3 seconds.
|
||||
.It v4_name_convert
|
||||
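Review bot: The clockskew item is typed as `time` but its text says "(in seconds)", while the `time` type described earlier in this page accepts unit lists such as "1 month 2 days 30 min"; state which unit a bare number takes instead of implying that only seconds are accepted. The kdc_timeout line just below still joins two sentences with a comma ("..., default is 3 seconds."), so it should get the same one-sentence-per-line split as clockskew.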
@@ -185,12 +189,15 @@ When obtaining initial credentials, make the credentials proxiable.
|
||||
This option is also valid in the [realms] section.
|
||||
.It Li verify_ap_req_nofail = Va boolean
|
||||
If enabled, failure to verify credentials against a local key is a
|
||||
fatal error. The application has to be able to read the corresponding
|
||||
service key for this to work. Some applications, like
|
||||
fatal error.
|
||||
The application has to be able to read the corresponding service key
|
||||
for this to work.
|
||||
Some applications, like
|
||||
.Xr su 8 ,
|
||||
enable this option unconditionally.
|
||||
.It Li warn_pwexpire = Va time
|
||||
How soon to warn for expiring password. Default is seven days.
|
||||
How soon to warn for expiring password.
|
||||
Default is seven days.
|
||||
.It Li http_proxy = Va proxy-spec
|
||||
A HTTP-proxy to use when talking to the KDC via HTTP.
|
||||
.It Li dns_proxy = Va proxy-spec
|
||||
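Review bot: The verify_ap_req_nofail text says what happens when the option is enabled but not what the default is or what happens when it is off; since it decides whether a failed check against the local service key is fatal, add a sentence stating the default and the behaviour when disabled. Minor wording in the same hunk: "How soon to warn for expiring password" is awkward, and "A HTTP-proxy" should be "An HTTP proxy".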
@@ -218,8 +225,8 @@ and other programs.
|
||||
This option is also valid in the [realms] section.
|
||||
.El
|
||||
.It Li [domain_realm]
|
||||
This is a list of mappings from DNS domain to Kerberos realm. Each
|
||||
binding in this section looks like:
|
||||
This is a list of mappings from DNS domain to Kerberos realm.
|
||||
Each binding in this section looks like:
|
||||
.Pp
|
||||
.Dl domain = realm
|
||||
.Pp
|
||||
@@ -234,7 +241,8 @@ of the `dns_lookup_realm' option).
|
||||
.It Va REALM Li = {
|
||||
.Bl -tag -width "xxx" -offset indent
|
||||
.It Li kdc = Va [service/]host[:port]
|
||||
Specifies a list of kdcs for this realm. If the optional
|
||||
Specifies a list of kdcs for this realm.
|
||||
If the optional
|
||||
.Va port
|
||||
is absent, the
|
||||
default value for the
|
||||
@@ -248,7 +256,8 @@ The kdcs will be used in the order that they are specified.
|
||||
The optional
|
||||
.Va service
|
||||
specifies over what medium the kdc should be
|
||||
contacted. Possible services are
|
||||
contacted.
|
||||
Possible services are
|
||||
.Dq udp ,
|
||||
.Dq tcp ,
|
||||
and
|
||||
@@ -267,8 +276,8 @@ Points to the server where all the password changes are performed.
|
||||
If there is no such entry, the kpasswd port on the admin_server host
|
||||
will be tried.
|
||||
.It Li krb524_server = Va host[:port]
|
||||
Points to the server that does 524 conversions. If it is not
|
||||
mentioned, the krb524 port on the kdcs will be tried.
|
||||
Points to the server that does 524 conversions.
|
||||
If it is not mentioned, the krb524 port on the kdcs will be tried.
|
||||
.It Li v4_instance_convert
|
||||
.It Li v4_name_convert
|
||||
.It Li default_domain
|
||||
@@ -284,7 +293,8 @@ Specifies that
|
||||
.Va entity
|
||||
should use the specified
|
||||
.Li destination
|
||||
for logging. See the
|
||||
for logging.
|
||||
See the
|
||||
.Xr krb5_openlog 3
|
||||
manual page for a list of defined destinations.
|
||||
.El
|
||||
@@ -304,8 +314,8 @@ will be used.
|
||||
.It acl_file Li = PA FILENAME
|
||||
Use this file for the ACL list of this database.
|
||||
.It log_file Li = Pa FILENAME
|
||||
Use this file as the log of changes performed to the database. This
|
||||
file is used by
|
||||
Use this file as the log of changes performed to the database.
|
||||
This file is used by
|
||||
.Nm ipropd-master
|
||||
for propagating changes to slaves.
|
||||
.El
|
||||
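Review bot: In the acl_file item the macro is written `PA` in upper case; mdoc macro names are case-sensitive, so it should be `Pa` as in the log_file item below, otherwise PA is rendered as literal text instead of marking FILENAME as a path. While this hunk is open, "ACL list" can also be shortened to "ACL".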
@@ -313,8 +323,8 @@ for propagating changes to slaves.
|
||||
.It max-request = Va SIZE
|
||||
Maximum size of a kdc request.
|
||||
.It require-preauth = Va BOOL
|
||||
If set pre-authentication is required. Since krb4 requests are not
|
||||
pre-authenticated they will be rejected.
|
||||
If set pre-authentication is required.
|
||||
Since krb4 requests are not pre-authenticated they will be rejected.
|
||||
.It ports = Va "list of ports"
|
||||
List of ports the kdc should listen to.
|
||||
.It addresses = Va "list of interfaces"
|
||||
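Review bot: "If set pre-authentication is required." is ambiguous for a boolean, because a value of no is also "set"; write "If true, pre-authentication is required." The argument is named `BOOL` here while the types list earlier in the page calls the type `boolean`; use one name throughout.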
@@ -365,7 +375,9 @@ syntax of this if something like:
|
||||
.Pp
|
||||
If
|
||||
.Ar etype
|
||||
is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keytypes are:
|
||||
is omitted it means everything, and if string is omitted is means the
|
||||
default string (for that principal).
|
||||
Additional special values of keytypes are:
|
||||
.Bl -tag -width "xxx" -offset indent
|
||||
.It v5
|
||||
The kerberos 5 salt
|
||||
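Review bot: The re-wrapped sentence carries over the typo "if string is omitted is means"; it should read "if string is omitted it means the default string". In the same sentence `etype` is marked up with .Ar but string is plain text, so give string the same markup.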
@@ -418,9 +430,10 @@ To help overcome this problem, there is a program
|
||||
.Nm verify_krb5_conf
|
||||
that reads
|
||||
.Nm
|
||||
and tries to emit useful diagnostics from parsing errors. Note that
|
||||
this program does not have any way of knowing what options are
|
||||
actually used and thus cannot warn about unknown or misspelled ones.
|
||||
and tries to emit useful diagnostics from parsing errors.
|
||||
Note that this program does not have any way of knowing what options
|
||||
are actually used and thus cannot warn about unknown or misspelled
|
||||
ones.
|
||||
.Sh SEE ALSO
|
||||
.Xr kinit 1 ,
|
||||
.Xr krb5_425_conv_principal 3 ,
|
||||
|