.\" $Id$ .\" .Dd April 11, 1999 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME .Nm /etc/krb5.conf .Nd Configuration file for Kerberos 5 .Sh DESCRIPTION The .Nm file specifies several configuration parameters for the Kerberos 5 library, as well as for some programs. .Pp The file consists of one or more sections, containing a number of bindings. The value of each binding can be either a string or a list of other bindings. The grammar looks like: .Bd -literal -offset indent file: /* empty */ sections sections: section sections section section: '[' section_name ']' bindings section_name: STRING bindings: binding bindings binding binding: name '=' STRING name '=' '{' bindings '}' name: STRING .Ed .Li STRINGs consists of one or more non-white space characters. Currently recognised sections and bindings are: .Bl -tag -width "xxx" -offset indent .It Li [libdefaults] .Bl -tag -width "xxx" -offset indent .It Li default_realm = Va REALM Default realm to use, this is also known as your .Dq local realm . The default is the result of .Fn krb5_get_host_realm "local hostname" . .It Li clockskew = Va time Maximum time differential (in seconds) allowed when comparing times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. .It v4_name_convert .It v4_instance_resolve These are decribed in the .Xr krb5_425_conv_principal 3 manual page. .It Li capath = Va realm-routing-table .It Li default_etypes = Va etypes... A list of default etypes to use. .It Li default_etypes_des = Va etypes... A list of default etypes to use when requesting a DES credential. .It Li default_keytab_name = Va keytab The keytab to use if none other is specified, default is .Dq FILE:/etc/krb5.keytab . .It Li kdc_timesync = Va boolean Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests. 
.It Li max_retries = Va number
The max number of times to try to contact each KDC.
.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
.It Li verify_ap_req_nofail = Va boolean
Enable to make a failure to verify obtained credentials non-fatal.
This can be useful if there is no keytab on a host.
.It Li warn_pwexpire = Va time
How soon to warn for expiring password.
Default is seven days.
.It Li http_proxy = Va proxy-spec
An HTTP proxy to use when talking to the KDC via HTTP.
.It Li dns_proxy = Va proxy-spec
Enable using DNS via HTTP.
.It Li extra_addresses = Va address...
A list of addresses to get tickets for along with all local addresses.
.It Li time_format = Va string
How to print time strings in logs, this string is passed to
.Xr strftime 3 .
.It Li log_utc = Va boolean
Write log-entries using UTC instead of your local time zone.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
Each binding in this section looks like:
.Pp
.Dl domain = realm
.Pp
The domain can be either a full name of a host or a trailing component,
in the latter case the domain-string should start with a period.
.It Li [realms]
.Bl -tag -width "xxx" -offset indent
.It Va REALM Li = {
.Bl -tag -width "xxx" -offset indent
.It Li kdc = Va host[:port]
Specifies a kdc for this realm.
If the optional port is absent, the default value for the
.Dq kerberos/udp
service will be used.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
See
.Xr krb5_425_conv_principal 3 .
.El
.It Li }
.El
.It Li [logging]
.Bl -tag -width "xxx" -offset indent
.It Va entity Li = Va destination
Specifies that
.Va entity
should use the specified
.Li destination
for logging.
See the
.Xr krb5_openlog 3
manual page for a list of defined destinations.
.El
.It Li [kdc]
.Bl -tag -width "xxx" -offset indent
.It database Li = {
.Bl -tag -width "xxx" -offset indent
.It dbname Li = Va DATABASENAME
use this database for this realm.
.It realm Li = Va REALM
specifies the realm that will be stored in this database.
.It mkey_file Li = Pa FILENAME
use this keytab file for the master key of this database.
If not specified
.Va DATABASENAME Ns .mkey
will be used.
.It acl_file Li = Pa FILENAME
use this file for the ACL list of this database.
.It log_file Li = Pa FILENAME
use this file as the log of changes performed to the database.
This file is used by
.Nm ipropd-master
for propagating changes to slaves.
.El
.It Li }
.It max-request = Va SIZE
Maximum size of a kdc request.
.It require-preauth = Va BOOL
If set pre-authentication is required.
Since krb4 requests are not pre-authenticated they will be rejected.
.It ports = Va "list of ports"
list of ports the kdc should listen to.
.It addresses = Va "list of interfaces"
list of addresses the kdc should bind to.
.It enable-kerberos4 = Va BOOL
turn on kerberos4 support.
.It v4-realm = Va REALM
to what realm v4 requests should be mapped.
.It enable-524 = Va BOOL
should the Kerberos 524 converting facility be turned on.
Default is same as
.Va enable-kerberos4 .
.It enable-http = Va BOOL
should the kdc answer kdc-requests over http.
.It enable-kaserver = Va BOOL
if this kdc should emulate the AFS kaserver.
.It check-ticket-addresses = Va BOOL
verify the addresses in the tickets used in tgs requests.
.\" XXX
.It allow-null-ticket-addresses = Va BOOL
allow address-less tickets.
.\" XXX
.It allow-anonymous = Va BOOL
if the kdc is allowed to hand out anonymous tickets.
.It encode_as_rep_as_tgs_rep = Va BOOL
encode as-rep as tgs-rep to be compatible with mistakes older DCE secd did.
.\" XXX
.It kdc_warn_pwexpire = Va TIME
the time before expiration that the user should be warned that her
password is about to expire.
.It logging = Va Logging
What type of logging the kdc should use, see also [logging]/kdc.
.El
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
.It default_keys = Va keytypes...
for each entry in
.Va default_keys
try to parse it as a sequence of
.Va etype:salttype:salt
syntax of this is something like:
.Pp
[(des|des3|etype):](pw-salt|afs3-salt)[:string]
.Pp
if
.Ar etype
is omitted it means everything, and if string is omitted it means the
default string (for that principal).
Additional special values of keytypes are:
.Bl -tag -width "xxx" -offset indent
.It v5
The kerberos 5 salt
.Va pw-salt
.It v4
The kerberos 4 type
.Va des:pw-salt:
.El
.It use_v4_salt = Va BOOL
When true, this is the same as
.Pp
.Va default_keys = Va des3:pw-salt Va v4
.Pp
and is only left for backwards compatibility.
.El
.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
.Sh EXAMPLE
.Bd -literal -offset indent
[libdefaults]
	default_realm = FOO.SE
[domain_realm]
	.foo.se = FOO.SE
	.bar.se = FOO.SE
[realms]
	FOO.SE = {
		kdc = kerberos.foo.se
		v4_name_convert = {
			rcmd = host
		}
		v4_instance_convert = {
			xyz = xyz.bar.se
		}
		default_domain = foo.se
	}
[logging]
	kdc = FILE:/var/heimdal/kdc.log
	kdc = SYSLOG:INFO
	default = SYSLOG:INFO:USER
.Ed
.Sh SEE ALSO
.Xr verify_krb5_conf 8 ,
.Xr krb5_openlog 3 ,
.Xr krb5_425_conv_principal 3 ,
.Xr strftime 3
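A parser for the grammar given under DESCRIPTION, as an added example that is not part of Heimdal: it returns nested dicts and collects a name bound more than once in one scope (several kdc = lines, as in the EXAMPLE) into a list. It assumes that a line starting with '#' is a comment, that the opening brace of a nested binding list sits on the "name = {" line, and that the closing brace stands alone on its line, as in the EXAMPLE above.

```python
import re
SECTION_RE = re.compile(r"^\[(\S+)\]$")

def parse_krb5_conf(text):
    """Parse '[section]' blocks of 'name = STRING' / 'name = { ... }' bindings
    into nested dicts; a name bound twice in one scope collects into a list."""
    sections, stack = {}, []                  # stack: open scopes, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' begins a comment
            continue
        m = SECTION_RE.match(line)
        if m:
            if len(stack) > 1:
                raise ValueError(f"unterminated '{{' before {line}")
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"binding outside any section: {line!r}")
        name, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not name:
            raise ValueError(f"malformed binding: {line!r}")
        scope = stack[-1]
        if value == "{":                      # nested binding list follows
            scope[name] = child = {}
            stack.append(child)
        elif name in scope:                   # repeated name, e.g. several kdc =
            prev = scope[name]
            scope[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            scope[name] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' at end of file")
    return sections

SAMPLE = """# constructed sample config, not the page's EXAMPLE; this line is skipped
[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test
        kdc = kdc2.example.test:88
        v4_name_convert = {
            rcmd = host
        }
    }
"""
```

Errors such as a brace left open are raised as ValueError, so a malformed file is not silently read as a shorter one.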
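A resolver for the [domain_realm] lookup described above, as an added example that is not Heimdal's code: a binding name without a leading period must equal the host name exactly, and one with a leading period matches any host whose name ends in that trailing component. It assumes the full name is tried first and then each ".suffix" from longest to shortest, that names compare case-insensitively, and that default_realm is the fallback; DOMAIN_REALM and demo are constructed for the example.

```python
def domain_realm_lookup(domain_realm, hostname, default_realm=None):
    """Resolve hostname to a realm using [domain_realm] bindings (a dict).
    A name without a leading period must equal the host name exactly; a name
    with a leading period matches any host whose name ends in that component.
    Assumptions: the full name is tried first, then each '.suffix' from longest
    to shortest; names compare case-insensitively; default_realm is the fallback."""
    table = {name.lower(): realm for name, realm in domain_realm.items()}
    candidate = hostname.rstrip(".").lower()
    while candidate:
        if candidate in table:
            return table[candidate]
        dot = candidate.find(".", 1)          # next trailing component, period kept
        candidate = candidate[dot:] if dot != -1 else ""
    return default_realm

# Constructed mapping: 'bar.se' has no leading period, so it matches only that
# exact host, and '.foo.se' does not match the bare host 'foo.se'.
DOMAIN_REALM = {".foo.se": "FOO.SE", "bar.se": "BAR.SE", "kdc.foo.se": "ADMIN.FOO.SE"}

def demo():
    """Resolve a few constructed host names against DOMAIN_REALM."""
    return [domain_realm_lookup(DOMAIN_REALM, h, "DEFAULT.SE")
            for h in ("www.foo.se", "KDC.foo.se.", "bar.se", "www.bar.se", "foo.se")]
```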
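A review of the [kdc] bindings documented above, as an added example that is not part of Heimdal: it takes a parsed [kdc] section as a dict of binding to string and reports settings that relax a check, using only what this page states (enable-524 follows enable-kerberos4 when unset; krb4 requests are not pre-authenticated, so enabling kerberos4 together with require-preauth means v4 requests are rejected). It assumes a BOOL binding is true when spelled "true" or "yes", makes no assumption about defaults the page does not state, and the WEAK_KDC and HARDENED_KDC sections are constructed.

```python
def is_true(value):
    """Assumption: a BOOL binding is true when spelled 'true' or 'yes'."""
    return str(value).strip().lower() in ("true", "yes")

def review_kdc(kdc):
    """Findings for a [kdc] section given as {binding: value}, based only on
    what this page states each binding does. Unset bindings are not assumed."""
    findings = []
    v4 = is_true(kdc.get("enable-kerberos4", "false"))
    # enable-524 takes the value of enable-kerberos4 when it is not set explicitly.
    if is_true(kdc.get("enable-524", kdc.get("enable-kerberos4", "false"))):
        findings.append("524 converting facility is on (follows enable-kerberos4 when unset)")
    if "require-preauth" in kdc and not is_true(kdc["require-preauth"]):
        findings.append("require-preauth is off: requests need no pre-authentication")
    elif v4 and is_true(kdc.get("require-preauth", "")):
        findings.append("enable-kerberos4 with require-preauth: v4 requests will be rejected")
    if v4:
        findings.append("kerberos4 support is on: v4 requests are not pre-authenticated")
    if is_true(kdc.get("allow-anonymous", "false")):
        findings.append("allow-anonymous: the kdc may hand out anonymous tickets")
    if "check-ticket-addresses" in kdc and not is_true(kdc["check-ticket-addresses"]):
        findings.append("check-ticket-addresses is off: tgs requests skip address checks")
    if is_true(kdc.get("allow-null-ticket-addresses", "false")):
        findings.append("allow-null-ticket-addresses: address-less tickets are accepted")
    return findings

# Constructed [kdc] sections: the first relaxes several checks, the second keeps them.
WEAK_KDC = {"enable-kerberos4": "true", "require-preauth": "false",
            "allow-anonymous": "yes", "check-ticket-addresses": "false"}
HARDENED_KDC = {"enable-kerberos4": "false", "require-preauth": "true",
                "allow-anonymous": "false", "check-ticket-addresses": "true",
                "allow-null-ticket-addresses": "false"}
```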