64a0ea3ad4
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2662 ec53bebd-3082-4978-b11e-865c3cabbd6b
182 lines
4.4 KiB
Groff
182 lines
4.4 KiB
Groff
.\" $Id$
|
|
.\"
|
|
.Dd July 27, 1997
|
|
.Dt KRB5.CONF 5
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm /etc/krb5.conf
|
|
.Nd
|
|
Configuration file for Kerberos 5
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
file specifies several configuration parameters for the Kerberos 5
|
|
library, as well as for some programs.
|
|
.Pp
|
|
The file consists of one or more sections, containing a number of
|
|
bindings. The value of each binding can be either a string or a list
|
|
of other bindings. The grammar looks like:
|
|
.Bd -literal -offset indent
|
|
file:
|
|
/* empty */
|
|
sections
|
|
|
|
sections:
|
|
section sections
|
|
section
|
|
|
|
section:
|
|
'[' section_name ']' bindings
|
|
|
|
section_name:
|
|
STRING
|
|
|
|
bindings:
|
|
binding bindings
|
|
binding
|
|
|
|
binding:
|
|
name '=' STRING
|
|
name '=' '{' bindings '}'
|
|
|
|
name:
|
|
STRING
|
|
|
|
.Ed
|
|
.Li STRINGs
|
|
consists of one or more non-white space characters.
|
|
Currently recognised sections and bindings are:
|
|
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Li [libdefaults]
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Li default_realm = Va REALM
|
|
Default realm to use, this is also known as your
|
|
.Dq local realm .
|
|
The default is the result of
|
|
.Fn krb5_get_host_realm "local hostname" .
|
|
.It Li clockskew = Va time
|
|
Maximum time differential (in seconds) allowed when comparing
|
|
times. Default is 300 seconds (five minutes).
|
|
.It Li kdc_timeout = Va time
|
|
Maximum time to wait for a reply from the kdc, default is 3 seconds.
|
|
.El
|
|
.It Li [domain_realm]
|
|
This is a list of mappings from DNS domain to Kerberos realm. Each
|
|
binding in this section looks like:
|
|
.Pp
|
|
.Dl domain = realm
|
|
.Pp
|
|
The domain can be either a full name of a host or a trailing
|
|
component, in the latter case the domain-string should start with a
|
|
perid.
|
|
.It Li [realms]
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Va REALM Li = {
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Li kdc = Va host[:port]
|
|
Specifies a kdc for this realm. If the optional port is absent, the
|
|
default value for the
|
|
.Dq kerberos/udp
|
|
service will be used.
|
|
.It Li v4_instance_convert = {
|
|
This specifies a list of version 4 instance to version 5 component
|
|
conversions that should be made when converting a version 4 principal
|
|
to a version 5 ditto. Since version 4 host instances only contains the
|
|
first part of the domain name, this section is sometimes
|
|
necessary. See also
|
|
.Li default_domain .
|
|
.It }
|
|
.It Li v4_name_convert = {
|
|
Similar to
|
|
.Li v4_instance_convert ,
|
|
but converts the version 4 name, rather than the instance. Before
|
|
someone thinks up something better you will (to use version 4 support)
|
|
have to have a binding looking like:
|
|
.Pp
|
|
.Dl rcmd = host
|
|
.Pp
|
|
here.
|
|
.It }
|
|
.It Li default_domain = Va domain
|
|
The default domain to use when converting version 4 instances to
|
|
version 5 principals.
|
|
.El
|
|
.It Li }
|
|
.El
|
|
.It Li [logging]
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Va entity Li = Va destination
|
|
Specifies that
|
|
.Va entity
|
|
should use the specified
|
|
.Li destination
|
|
for logging. The currently defined destinations are:
|
|
.Bl -tag -width "xxx" -offset indent
|
|
.It Li STDERR
|
|
This logs to the programs stderr.
|
|
.It Li FILE: Ns Pa /file
|
|
.It Li FILE= Ns Pa /file
|
|
Log to the specified file. The form using a colon appends to the file,
|
|
the form with an equal truncates the file. The truncating form keeps
|
|
the file open, while the appending form closes it after each log
|
|
message (which makes it possible to rotate logs).
|
|
.It Li DEVICE= Ns Pa /device
|
|
This logs to the specified device, at present this is the same as
|
|
.Li FILE:/device .
|
|
.It Li CONSOLE
|
|
Log to the console, this is the same as
|
|
.Li DEVICE=/dev/console .
|
|
.It Li SYSLOG Ns Op :priority Ns Op :facility
|
|
Send messages to the syslog system, using priority, and facility. To
|
|
get the name for one of these, you take the name of the macro passed
|
|
to
|
|
.Xr syslog 3 ,
|
|
and remove the leading
|
|
.Li LOG_
|
|
.No ( Li LOG_NOTICE
|
|
becomes
|
|
.Li NOTICE ) .
|
|
The default values (as well as the values used for unrecognised
|
|
values), are
|
|
.Li ERR ,
|
|
and
|
|
.Li AUTH ,
|
|
respectively. See
|
|
.Xr syslog 3
|
|
for a list of priorities and facilities.
|
|
.Pp
|
|
The entity specifies which program should use the specified logging
|
|
destination. If no entity is found for a program, the
|
|
.Li default
|
|
entity will be used. If that is not present either no logging will
|
|
happen.
|
|
.El
|
|
.El
|
|
.El
|
|
.Sh EXAMPLE
|
|
.Bd -literal -offset indent
|
|
[lib_defaults]
|
|
default_domain = FOO.SE
|
|
[domain_realm]
|
|
.foo.se = FOO.SE
|
|
.bar.se = FOO.SE
|
|
[realms]
|
|
FOO.SE = {
|
|
kdc = kerberos.foo.se
|
|
v4_name_convert = {
|
|
rcmd = host
|
|
}
|
|
v4_instance_convert = {
|
|
xyz = xyz.bar.se
|
|
}
|
|
default_domain = foo.se
|
|
}
|
|
[logging]
|
|
kdc = FILE:/var/heimdal/kdc.log
|
|
kdc = SYSLOG:INFO
|
|
default = SYSLOG:INFO:USER
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr Source tm
|