diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 27c394406..ff8cbc62b 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -44,8 +44,10 @@ file specifies several configuration parameters for the Kerberos 5 library, as well as for some programs. .Pp The file consists of one or more sections, containing a number of -bindings. The value of each binding can be either a string or a list -of other bindings. The grammar looks like: +bindings. +The value of each binding can be either a string or a list of other +bindings. +The grammar looks like: .Bd -literal -offset indent file: /* empty */ @@ -82,8 +84,8 @@ notation. .It boolean values can be either yes/true or no/false. .It time -values can be a list of year, month, day, hour, min, second. Example: -1 month 2 days 30 min. +values can be a list of year, month, day, hour, min, second. +Example: 1 month 2 days 30 min. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1. @@ -96,7 +98,8 @@ Currently recognised sections and bindings are: .It Li [appdefaults] Specifies the default values to be used for Kerberos applications. You can specify defaults per application, realm, or a combination of -these. The preference order is: +these. +The preference order is: .Bl -enum -compact .It .Va application Va realm Va option @@ -131,7 +134,8 @@ The default is the result of .Fn krb5_get_host_realm "local hostname" . .It Li clockskew = Va time Maximum time differential (in seconds) allowed when comparing -times. Default is 300 seconds (five minutes). +times. +Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. .It v4_name_convert 
@@ -185,12 +189,15 @@ When obtaining initial credentials, make the credentials proxiable. This option is also valid in the [realms] section. .It Li verify_ap_req_nofail = Va boolean If enabled, failure to verify credentials against a local key is a -fatal error. The application has to be able to read the corresponding -service key for this to work. Some applications, like +fatal error. +The application has to be able to read the corresponding service key +for this to work. +Some applications, like .Xr su 8 , enable this option unconditionally. .It Li warn_pwexpire = Va time -How soon to warn for expiring password. Default is seven days. +How soon to warn for expiring password. +Default is seven days. .It Li http_proxy = Va proxy-spec A HTTP-proxy to use when talking to the KDC via HTTP. .It Li dns_proxy = Va proxy-spec @@ -218,8 +225,8 @@ and other programs. This option is also valid in the [realms] section. .El .It Li [domain_realm] -This is a list of mappings from DNS domain to Kerberos realm. Each -binding in this section looks like: +This is a list of mappings from DNS domain to Kerberos realm. +Each binding in this section looks like: .Pp .Dl domain = realm .Pp @@ -234,7 +241,8 @@ of the `dns_lookup_realm' option). .It Va REALM Li = { .Bl -tag -width "xxx" -offset indent .It Li kdc = Va [service/]host[:port] -Specifies a list of kdcs for this realm. If the optional +Specifies a list of kdcs for this realm. +If the optional .Va port is absent, the default value for the @@ -248,7 +256,8 @@ The kdcs will be used in the order that they are specified. The optional .Va service specifies over what medium the kdc should be -contacted. Possible services are +contacted. +Possible services are .Dq udp , .Dq tcp , and 
@@ -267,8 +276,8 @@ Points to the server where all the password changes are performed. If there is no such entry, the kpasswd port on the admin_server host will be tried. .It Li krb524_server = Va host[:port] -Points to the server that does 524 conversions. If it is not -mentioned, the krb524 port on the kdcs will be tried. +Points to the server that does 524 conversions. +If it is not mentioned, the krb524 port on the kdcs will be tried. .It Li v4_instance_convert .It Li v4_name_convert .It Li default_domain @@ -284,7 +293,8 @@ Specifies that .Va entity should use the specified .Li destination -for logging. See the +for logging. +See the .Xr krb5_openlog 3 manual page for a list of defined destinations. .El @@ -304,8 +314,8 @@ will be used. .It acl_file Li = PA FILENAME Use this file for the ACL list of this database. .It log_file Li = Pa FILENAME -Use this file as the log of changes performed to the database. This -file is used by +Use this file as the log of changes performed to the database. +This file is used by .Nm ipropd-master for propagating changes to slaves. .El @@ -313,8 +323,8 @@ for propagating changes to slaves. .It max-request = Va SIZE Maximum size of a kdc request. .It require-preauth = Va BOOL -If set pre-authentication is required. Since krb4 requests are not -pre-authenticated they will be rejected. +If set pre-authentication is required. +Since krb4 requests are not pre-authenticated they will be rejected. .It ports = Va "list of ports" List of ports the kdc should listen to. .It addresses = Va "list of interfaces" 
@@ -365,7 +375,9 @@ syntax of this if something like: .Pp If .Ar etype -is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keytypes are: +is omitted it means everything, and if string is omitted is means the +default string (for that principal). +Additional special values of keytypes are: .Bl -tag -width "xxx" -offset indent .It v5 The kerberos 5 salt @@ -418,9 +430,10 @@ To help overcome this problem, there is a program .Nm verify_krb5_conf that reads .Nm -and tries to emit useful diagnostics from parsing errors. Note that -this program does not have any way of knowing what options are -actually used and thus cannot warn about unknown or misspelled ones. +and tries to emit useful diagnostics from parsing errors. +Note that this program does not have any way of knowing what options +are actually used and thus cannot warn about unknown or misspelled +ones. .Sh SEE ALSO .Xr kinit 1 , .Xr krb5_425_conv_principal 3 ,
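Review bot: in the @@ -131,7 +134,8 @@ hunk, "clockskew = Va time" is documented as "(in seconds)", but the time type earlier on this page is described as a list of units ("1 month 2 days 30 min"), so the reader cannot tell whether a bare number is accepted and read as seconds. Since these lines are being re-wrapped anyway, either state that a value without a unit is taken as seconds or drop "(in seconds)" and leave only "Default is 300 seconds (five minutes)."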
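Review bot: in the @@ -185,12 +189,15 @@ hunk, the verify_ap_req_nofail entry still gives no default and does not say what happens when verification fails with the option off, unlike warn_pwexpire just below it, which now has its own "Default is seven days." line. This option decides whether an unverifiable credential is fatal, so the entry should state the default and the behaviour when it is disabled. In the same hunk's context, "A HTTP-proxy" should read "An HTTP proxy".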
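Review bot: in the @@ -304,8 +314,8 @@ hunk, the context line ".It acl_file Li = PA FILENAME" uses "PA" where the log_file entry right after it uses the ".Pa" macro form "Pa FILENAME". mdoc macro names are case-sensitive, so "PA" is printed as literal text instead of marking FILENAME as a path. This cleanup pass is a good place to change it to "Pa".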
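Review bot: in the @@ -365,7 +375,9 @@ hunk, the re-wrapped sentence keeps the typo "if string is omitted is means the default string"; it should read "it means". The context carried in the hunk header, "syntax of this if something like:", has the matching slip ("if" for "is") and could be fixed in the same commit.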