oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

document admin_server and kpasswd_server for realms

Browse Source 
document capath better


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9487 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
2001-01-19 04:53:24 +00:00
parent 6cce09faf2
commit 7fe46fddf5
1 changed files with 40 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
lib/krb5/krb5.conf.5
View File

@@ -46,7 +46,6 @@ name:
.Li STRINGs .Li STRINGs
consists of one or more non-white space characters. consists of one or more non-white space characters.
Currently recognised sections and bindings are: Currently recognised sections and bindings are:
.Bl -tag -width "xxx" -offset indent .Bl -tag -width "xxx" -offset indent
.It Li [libdefaults] .It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent .Bl -tag -width "xxx" -offset indent
@@ -65,7 +64,24 @@ Maximum time to wait for a reply from the kdc, default is 3 seconds.
These are decribed in the These are decribed in the
.Xr krb5_425_conv_principal 3 .Xr krb5_425_conv_principal 3
manual page. manual page.
.It Li capath = Va realm-routing-table .It Li capath = {
.Bl -tag -width "xxx" -offset indent
.It Va destination-realm Li = Va next-hop-realm
.It ...
.El
Normally, all requests to realms different from the one of the current
client are sent to this KDC to get cross-realm tickets.
If this KDC does not have a cross-realm key with the desired realm and
the hierarchical path to that realm does not work, a path can be
configured using this directive.
The text shown above instructs the KDC to try to obtain a cross-realm
ticket to
.Va next-hop-realm
when the desired realm is
.Va destination-realm .
This configuration should preferably be done on the KDC where it will
help all its clients but can also be done on the client itself.
.It Li }
.It Li default_etypes = Va etypes... .It Li default_etypes = Va etypes...
A list of default etypes to use. A list of default etypes to use.
.It Li default_etypes_des = Va etypes... .It Li default_etypes_des = Va etypes...
@@ -113,10 +129,18 @@ perid.
.It Va REALM Li = { .It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent .Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port] .It Li kdc = Va host[:port]
Specifies a kdc for this realm. If the optional port is absent, the Specifies a list of kdcs for this realm. If the optional port is absent, the
default value for the default value for the
.Dq kerberos/udp .Dq kerberos/udp
service will be used. service will be used.
The kdcs will be used in the order that they are specified.
.It Li admin_server = Va host[:port]
Specifies the admin server for this realm, where all the modifications
to the database are perfomed.
.It Li kpasswd_server = Va host[:port]
Points to the server where all the password changes are perfomed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
.It Li v4_instance_convert .It Li v4_instance_convert
.It Li v4_name_convert .It Li v4_name_convert
.It Li default_domain .It Li default_domain
@@ -253,6 +277,19 @@ points to the configuration file to read.
kdc = SYSLOG:INFO kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER default = SYSLOG:INFO:USER
.Ed .Ed
.Sh DIAGNOSTICS
Since
.Nm
is read and parsed by the krb5 library, there is not a lot of
opportunities for programs to report parsing errors in any useful
format.
To help overcome this problem, there is a program
.Nm verify_krb5_conf
that reads
.Nm
and tries to emit useful diagnostics from parsing errors. Note that
this program does not have any way of knowing what options are
actually used and thus cannot warn about unknown or misspelt ones.
.Sh SEE ALSO .Sh SEE ALSO
.Xr verify_krb5_conf 8 , .Xr verify_krb5_conf 8 ,
.Xr krb5_openlog 3 , .Xr krb5_openlog 3 ,