This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your [{$pagename}] file in the directory /etc. You can override the default location by setting the environment variable KRB5_CONFIG.
We recommend that you use a [{$pagename}] as provided by your [Kerberos] team or the Minimal [{$pagename}] to get started.
!! Format
The [{$pagename}] file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations.
Placing a `*' at the end of a line indicates that this is the final value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag.
For example, if you have the following lines:
{{{
foo = bar*
foo = baz
}}}
then the second value of foo (baz) would never be read.
!! What does [{$pagename}] Control?
The file consists of several stanzas, each of which controls certain aspects of the installation:
* [[libdefaults] - Contains default values used by the Kerberos V5 library.
* [[login] - Contains default values used by the Kerberos V5 login program.
* [[appdefaults] - Contains default values that can be used by Kerberos V5 applications.
* [[realms] - Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.
* [[domain_realm] - Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name.
* [[logging] - Contains relations which determine how Kerberos programs are to perform logging.
* [[capaths] - Contains the authentication paths used with direct (nonhierarchical) cross-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms.
!! [Example] Minimal [{$pagename}]
A minimal /etc/krb5.conf file looks as follows (make sure the port and host name match!):
{{{
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = example.net:60088
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
}}}
!! [Example] of a Typical [{$pagename}] for Microsoft Active Directory
An [Example] YOURDOMAIN [{$pagename}] that may help others:
{{{
##### /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
YOURDOMAIN.NET = {
default_domain = yourdomain.net
}
[domain_realm]
.yourdomain.net = YOURDOMAIN.NET
yourdomain.net = YOURDOMAIN.NET
}}}
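As an added example (not part of the original page or of any Kerberos distribution), the following Python code parses the format described above, honoring the `*` final-value marker as this page describes it, and flags the DES and RC4 enctypes listed in the Active Directory example, which are deprecated for Kerberos (RFC 6649, RFC 8429). The function names, the "section/tag" scope keys and the sample text are assumptions made for the illustration.

```python
import re

WEAK_ENCTYPE = re.compile(r"^(des|arcfour|rc4)", re.I)  # DES, 3DES, RC4 (RFC 6649, RFC 8429)
ENCTYPE_TAGS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    """Return {scope: {tag: [values]}}; a subsection's scope is "section/tag"."""
    conf, final, section, scope = {}, set(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "]" in line:
            section = scope = line[1:line.index("]")]
        elif line.startswith("}"):
            scope = section
        elif line and line[0] not in "#;" and "=" in line and scope:
            tag, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                scope = f"{section}/{tag}"
            elif (scope, tag) not in final:
                if value.endswith("*"):  # final value: ignore later ones for this tag
                    value = value[:-1].rstrip()
                    final.add((scope, tag))
                conf.setdefault(scope, {}).setdefault(tag, []).append(value)
    return conf

def weak_enctypes(conf):
    """Return {tag: [deprecated enctypes]} for the enctype lists in [libdefaults]."""
    findings = {}
    for tag in ENCTYPE_TAGS:
        names = re.split(r"[\s,]+", " ".join(conf.get("libdefaults", {}).get(tag, [])))
        weak = [name for name in names if WEAK_ENCTYPE.match(name)]
        if weak:
            findings[tag] = weak
    return findings

# Constructed sample, modeled on the Active Directory example above.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
foo = bar*
foo = baz
[realms]
YOURDOMAIN.NET = {
default_domain = yourdomain.net
}
"""

if __name__ == "__main__":
    print(weak_enctypes(parse_krb5_conf(SAMPLE)))
```

To audit a real file, pass its contents to `parse_krb5_conf` instead of `SAMPLE`; an empty result from `weak_enctypes` means none of the three enctype lists names a DES or RC4 type.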
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]