Member "krb5-1.18/doc/pdf/admin.tex" (12 Feb 2020, 623146 Bytes) of package /linux/misc/krb5-1.18.tar.gz:



    1 %% Generated by Sphinx.
    2 \def\sphinxdocclass{report}
    3 \documentclass[letterpaper,10pt,english]{sphinxmanual}
    4 \ifdefined\pdfpxdimen
    5    \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
    6 \fi \sphinxpxdimen=.75bp\relax
    7 
    8 \usepackage[utf8]{inputenc}
    9 \ifdefined\DeclareUnicodeCharacter
   10  \ifdefined\DeclareUnicodeCharacterAsOptional
   11   \DeclareUnicodeCharacter{"00A0}{\nobreakspace}
   12   \DeclareUnicodeCharacter{"2500}{\sphinxunichar{2500}}
   13   \DeclareUnicodeCharacter{"2502}{\sphinxunichar{2502}}
   14   \DeclareUnicodeCharacter{"2514}{\sphinxunichar{2514}}
   15   \DeclareUnicodeCharacter{"251C}{\sphinxunichar{251C}}
   16   \DeclareUnicodeCharacter{"2572}{\textbackslash}
   17  \else
   18   \DeclareUnicodeCharacter{00A0}{\nobreakspace}
   19   \DeclareUnicodeCharacter{2500}{\sphinxunichar{2500}}
   20   \DeclareUnicodeCharacter{2502}{\sphinxunichar{2502}}
   21   \DeclareUnicodeCharacter{2514}{\sphinxunichar{2514}}
   22   \DeclareUnicodeCharacter{251C}{\sphinxunichar{251C}}
   23   \DeclareUnicodeCharacter{2572}{\textbackslash}
   24  \fi
   25 \fi
   26 \usepackage{cmap}
   27 \usepackage[T1]{fontenc}
   28 \usepackage{amsmath,amssymb,amstext}
   29 \usepackage{babel}
   30 \usepackage{times}
   31 \usepackage[Bjarne]{fncychap}
   32 \usepackage[dontkeepoldnames]{sphinx}
   33 
   34 \usepackage{geometry}
   35 
   36 % Include hyperref last.
   37 \usepackage{hyperref}
   38 % Fix anchor placement for figures with captions.
   39 \usepackage{hypcap}% it must be loaded after hyperref.
   40 % Set up styles of URL: it should be placed after hyperref.
   41 \urlstyle{same}
   42 
   43 \addto\captionsenglish{\renewcommand{\figurename}{Fig.}}
   44 \addto\captionsenglish{\renewcommand{\tablename}{Table}}
   45 \addto\captionsenglish{\renewcommand{\literalblockname}{Listing}}
   46 
   47 \addto\captionsenglish{\renewcommand{\literalblockcontinuedname}{continued from previous page}}
   48 \addto\captionsenglish{\renewcommand{\literalblockcontinuesname}{continues on next page}}
   49 
   50 \addto\extrasenglish{\def\pageautorefname{page}}
   51 
   52 \setcounter{tocdepth}{0}
   53 
   54 
   55 
   56 \title{Kerberos Administration Guide}
   57 \date{ }
   58 \release{1.18}
   59 \author{MIT}
   60 \newcommand{\sphinxlogo}{\vbox{}}
   61 \renewcommand{\releasename}{Release}
   62 \makeindex
   63 
   64 \begin{document}
   65 
   66 \maketitle
   67 \sphinxtableofcontents
   68 \phantomsection\label{\detokenize{admin/index::doc}}
   69 
   70 
   71 
   72 \chapter{Installation guide}
   73 \label{\detokenize{admin/install:for-administrators}}\label{\detokenize{admin/install::doc}}\label{\detokenize{admin/install:installation-guide}}
   74 
   75 \section{Contents}
   76 \label{\detokenize{admin/install:contents}}
   77 
   78 \subsection{Installing KDCs}
   79 \label{\detokenize{admin/install_kdc:installing-kdcs}}\label{\detokenize{admin/install_kdc::doc}}
   80 When setting up Kerberos in a production environment, it is best to
   81 have multiple replica KDCs alongside a master KDC to ensure the
   82 continued availability of the Kerberized services.  Each KDC contains
   83 a copy of the Kerberos database.  The master KDC contains the writable
   84 copy of the realm database, which it replicates to the replica KDCs at
   85 regular intervals.  All database changes (such as password changes)
   86 are made on the master KDC.  Replica KDCs provide Kerberos
   87 ticket-granting services, but not database administration, when the
   88 master KDC is unavailable.  MIT recommends that you install all of
   89 your KDCs to be able to function as either the master or one of the
   90 replicas.  This will enable you to easily switch your master KDC with
   91 one of the replicas if necessary (see {\hyperref[\detokenize{admin/install_kdc:switch-master-replica}]{\sphinxcrossref{\DUrole{std,std-ref}{Switching master and replica KDCs}}}}).
   92 This installation procedure is based on that recommendation.
   93 
   94 \begin{sphinxadmonition}{warning}{Warning:}\begin{itemize}
   95 \item {} 
   96 The Kerberos system relies on the availability of correct time
   97 information.  Ensure that the master and all replica KDCs have
   98 properly synchronized clocks.
   99 
  100 \item {} 
  101 It is best to install and run KDCs on secured and dedicated
  102 hardware with limited access.  If your KDC is also a file
  103 server, FTP server, Web server, or even just a client machine,
  104 someone who obtained root access through a security hole in any
  105 of those areas could potentially gain access to the Kerberos
  106 database.
  107 
  108 \end{itemize}
  109 \end{sphinxadmonition}
  110 
  111 
  112 \subsubsection{Install and configure the master KDC}
  113 \label{\detokenize{admin/install_kdc:install-and-configure-the-master-kdc}}
  114 Install Kerberos either from the OS-provided packages or from the
  115 source (see \DUrole{xref,std,std-ref}{do\_build}).
  116 
  117 \begin{sphinxadmonition}{note}{Note:}
  118 For the purpose of this document we will use the following
  119 names:
  120 
  121 \fvset{hllines={, ,}}%
  122 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  123 \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}    \PYG{o}{\PYGZhy{}} \PYG{n}{master} \PYG{n}{KDC}
  124 \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}  \PYG{o}{\PYGZhy{}} \PYG{n}{replica} \PYG{n}{KDC}
  125 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}      \PYG{o}{\PYGZhy{}} \PYG{n}{realm} \PYG{n}{name}
  126 \PYG{o}{.}\PYG{n}{k5}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}  \PYG{o}{\PYGZhy{}} \PYG{n}{stash} \PYG{n}{file}
  127 \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}         \PYG{o}{\PYGZhy{}} \PYG{n}{admin} \PYG{n}{principal}
  128 \end{sphinxVerbatim}
  129 
  130 See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default names and locations
  131 of the files relevant to this topic.  Adjust the names and
  132 paths to your system environment.
  133 \end{sphinxadmonition}
  134 
  135 
  136 \subsubsection{Edit KDC configuration files}
  137 \label{\detokenize{admin/install_kdc:edit-kdc-configuration-files}}
  138 Modify the configuration files, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} and
  139 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, to reflect the correct information (such as
  140 domain-realm mappings and Kerberos server names) for your realm.
  141 (See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the recommended default locations for
  142 these files).
  143 
  144 Most of the tags in the configuration have default values that will
  145 work well for most sites.  There are some tags in the
  146 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file whose values must be specified, and this
  147 section will explain those.
  148 
  149 If the locations of these configuration files differ from the
  150 defaults, set the \sphinxstylestrong{KRB5\_CONFIG} and \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment
  151 variables to point to krb5.conf and kdc.conf respectively.  For
  152 example:
  153 
  154 \fvset{hllines={, ,}}%
  155 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  156 \PYG{n}{export} \PYG{n}{KRB5\PYGZus{}CONFIG}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{conf}
  157 \PYG{n}{export} \PYG{n}{KRB5\PYGZus{}KDC\PYGZus{}PROFILE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{conf}
  158 \end{sphinxVerbatim}
  159 
  160 
  161 \paragraph{krb5.conf}
  162 \label{\detokenize{admin/install_kdc:krb5-conf}}
  163 If you are not using DNS TXT records (see {\hyperref[\detokenize{admin/realm_config:mapping-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Mapping hostnames onto Kerberos realms}}}}),
  164 you must specify the \sphinxstylestrong{default\_realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
  165 section.  If you are not using DNS URI or SRV records (see
  166 {\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}} and {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), you must include the
  167 \sphinxstylestrong{kdc} tag for each \sphinxstyleemphasis{realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section.  To
  168 communicate with the kadmin server in each realm, the \sphinxstylestrong{admin\_server}
  169 tag must be set in the
  170 {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section.
  171 
  172 An example krb5.conf file:
  173 
  174 \fvset{hllines={, ,}}%
  175 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  176 \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
  177     \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  178 
  179 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
  180     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
  181         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  182         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  183         \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  184     \PYG{p}{\PYGZcb{}}
  185 \end{sphinxVerbatim}
  186 
  187 
  188 \paragraph{kdc.conf}
  189 \label{\detokenize{admin/install_kdc:kdc-conf}}
  190 The kdc.conf file can be used to control the listening ports of the
  191 KDC and kadmind, as well as realm-specific defaults, the database type
  192 and location, and logging.
  193 
  194 An example kdc.conf file:
  195 
  196 \fvset{hllines={, ,}}%
  197 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  198 \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
  199     \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
  200     \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
  201 
  202 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
  203     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
  204         \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749}
  205         \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
  206         \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
  207         \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}
  208         \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}
  209         \PYG{c+c1}{\PYGZsh{} If the default location does not suit your setup,}
  210         \PYG{c+c1}{\PYGZsh{} explicitly configure the following values:}
  211         \PYG{c+c1}{\PYGZsh{}    database\PYGZus{}name = /var/krb5kdc/principal}
  212         \PYG{c+c1}{\PYGZsh{}    key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU}
  213         \PYG{c+c1}{\PYGZsh{}    acl\PYGZus{}file = /var/krb5kdc/kadm5.acl}
  214     \PYG{p}{\PYGZcb{}}
  215 
  216 \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
  217     \PYG{c+c1}{\PYGZsh{} By default, the KDC and kadmind will log output using}
  218     \PYG{c+c1}{\PYGZsh{} syslog.  You can instead send log output to files like this:}
  219     \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log}
  220     \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
  221     \PYG{n}{default} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5lib}\PYG{o}{.}\PYG{n}{log}
  222 \end{sphinxVerbatim}
  223 
  224 Replace \sphinxcode{ATHENA.MIT.EDU} and \sphinxcode{kerberos.mit.edu} with the name of
  225 your Kerberos realm and server respectively.
  226 
  227 \begin{sphinxadmonition}{note}{Note:}
  228 You must have write permission on the target directories
  229 (which must already exist) used by \sphinxstylestrong{database\_name},
  230 \sphinxstylestrong{key\_stash\_file}, and \sphinxstylestrong{acl\_file}.
  231 \end{sphinxadmonition}
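
Added example (not from the krb5 documentation or code): a shell pre-flight check for the \sphinxcode{krb5.conf} tags this section says must be set and for the write-permission note above, run against a constructed copy of the example configuration; the function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the krb5 documentation: a pre-flight check for
# the krb5.conf tags this page says must be set (default_realm, kdc,
# admin_server) and for the kdc.conf note that the directories used by
# database_name, key_stash_file and acl_file must exist and be writable.
# The helper names and the sample configuration below are constructed.

# Print every value of tag $2 in profile-style file $1 ("tag = value" lines,
# comment lines starting with # skipped).  Simplified: ignores section nesting.
conf_value() {
    awk -v tag="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key == tag) {
                val = substr(line, n + 1); sub(/^[ \t]+/, "", val)
                print val
            }
        }' "$1"
}

# $1 = krb5.conf, $2 = kdc.conf, $3 = default KDC state directory
# (LOCALSTATEDIR/krb5kdc), used when a path tag is absent or commented out.
# Prints one line per problem and returns 1 if any were found.
kdc_preflight() {
    rc=0
    for tag in default_realm kdc admin_server; do
        if [ -z "$(conf_value "$1" "$tag")" ]; then
            echo "missing: $tag in $1"; rc=1
        fi
    done
    for tag in database_name key_stash_file acl_file; do
        path=$(conf_value "$2" "$tag" | head -n 1)
        if [ -n "$path" ]; then dir=$(dirname "$path"); else dir=$3; fi
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "not a writable directory: $dir (for $tag)"; rc=1
        fi
    done
    return $rc
}

# Build a scratch copy of this page's example configuration under a temporary
# directory (constructed sample input) and run the pre-flight check on it.
# $1 = "good", or "bad" to point acl_file at a directory that does not exist.
demo_preflight() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/krb5kdc"
    cat > "$tmp/krb5.conf" <<EOF
[libdefaults]
    default_realm = ATHENA.MIT.EDU

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }
EOF
    if [ "$1" = bad ]; then acldir="$tmp/does-not-exist"; else acldir="$tmp/krb5kdc"; fi
    cat > "$tmp/kdc.conf" <<EOF
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88

[realms]
    ATHENA.MIT.EDU = {
        kadmind_port = 749
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        database_name = $tmp/krb5kdc/principal
        key_stash_file = $tmp/krb5kdc/.k5.ATHENA.MIT.EDU
        acl_file = $acldir/kadm5.acl
    }
EOF
    if kdc_preflight "$tmp/krb5.conf" "$tmp/kdc.conf" "$tmp/krb5kdc"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# When run directly, check the page's example configuration.
demo_preflight good && echo "pre-flight check passed"
```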
  232 
  233 
  234 \subsubsection{Create the KDC database}
  235 \label{\detokenize{admin/install_kdc:create-the-kdc-database}}\label{\detokenize{admin/install_kdc:create-db}}
  236 You will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command on the master KDC to
  237 create the Kerberos database and the optional \DUrole{xref,std,std-ref}{stash\_definition}.
  238 
  239 \begin{sphinxadmonition}{note}{Note:}
  240 If you choose not to install a stash file, the KDC will
  241 prompt you for the master key each time it starts up.  This
  242 means that the KDC will not be able to start automatically,
  243 such as after a system reboot.
  244 \end{sphinxadmonition}
  245 
  246 {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} will prompt you for the master password for the
  247 Kerberos database.  This password can be any string.  A good password
  248 is one you can remember, but that no one else can guess.  Examples of
  249 bad passwords are words that can be found in a dictionary, any common
  250 or popular name, especially a famous person (or cartoon character),
  251 your username in any form (e.g., forward, backward, repeated twice,
  252 etc.), and any of the sample passwords that appear in this manual.
  253 One example of a password which might be good if it did not appear in
  254 this manual is “MITiys4K5!”, which represents the sentence “MIT is
  255 your source for Kerberos 5!”  (It’s the first letter of each word,
  256 substituting the numeral “4” for the word “for”, and includes the
  257 punctuation mark at the end.)
  258 
  259 The following is an example of how to create a Kerberos database and
  260 stash file on the master KDC, using the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command.
  261 Replace \sphinxcode{ATHENA.MIT.EDU} with the name of your Kerberos realm:
  262 
  263 \fvset{hllines={, ,}}%
  264 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  265 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{s}
  266 
  267 \PYG{n}{Initializing} \PYG{n}{database} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{/usr/local/var/krb5kdc/principal}\PYG{l+s+s1}{\PYGZsq{}} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}\PYG{p}{,}
  268 \PYG{n}{master} \PYG{n}{key} \PYG{n}{name} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{K/M@ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}
  269 \PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.}
  270 \PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.}
  271 \PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{master} \PYG{n}{password}\PYG{o}{.}
  272 \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.}
  273 \PYG{n}{shell}\PYG{o}{\PYGZpc{}}
  274 \end{sphinxVerbatim}
  275 
  276 This will create five files in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc} (or at the locations specified
  277 in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}):
  278 \begin{itemize}
  279 \item {} 
  280 two Kerberos database files, \sphinxcode{principal}, and \sphinxcode{principal.ok}
  281 
  282 \item {} 
  283 the Kerberos administrative database file, \sphinxcode{principal.kadm5}
  284 
  285 \item {} 
  286 the administrative database lock file, \sphinxcode{principal.kadm5.lock}
  287 
  288 \item {} 
  289 the stash file, in this example \sphinxcode{.k5.ATHENA.MIT.EDU}.  If you do
  290 not want a stash file, run the above command without the \sphinxstylestrong{-s}
  291 option.
  292 
  293 \end{itemize}
  294 
  295 For more information on administering the Kerberos database, see
  296 {\hyperref[\detokenize{admin/database:db-operations}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the Kerberos database}}}}.
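
Added example (not from the krb5 documentation or code): a shell check that the five files listed above exist after \sphinxcode{kdb5\_util create -s}, and that the database and stash files are readable by their owner only; the function names and the scratch directory are constructed.

```sh
#!/bin/sh
# Added example, not part of the krb5 documentation: after "kdb5_util create
# -r REALM -s", confirm that the five files listed above exist in the KDC
# state directory and that the key material (the database files and the
# stash file holding the master key) is readable only by its owner.
# Function names are constructed; the scratch directory is sample input.

# Print the names of the expected files missing from directory $1 for realm $2.
missing_kdb_files() {
    for f in principal principal.ok principal.kadm5 principal.kadm5.lock ".k5.$2"; do
        [ -e "$1/$f" ] || echo "$f"
    done
}

# Return 0 if file $1 grants no permission bits to group or others
# (mode 0600 or stricter), judged from the ls -l permission string.
owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Report missing files and over-permissive key material in state directory $1
# for realm $2.  Returns 0 only when everything is present and private.
check_kdc_state() {
    rc=0
    for f in $(missing_kdb_files "$1" "$2"); do
        echo "missing: $1/$f"; rc=1
    done
    for f in principal principal.kadm5 ".k5.$2"; do
        if [ -e "$1/$f" ] && ! owner_only "$1/$f"; then
            echo "too permissive: $1/$f (expected mode 0600)"; rc=1
        fi
    done
    return $rc
}

# Build a scratch state directory shaped like the output of
# "kdb5_util create -r ATHENA.MIT.EDU -s" (constructed, empty placeholder
# files) and run the check on it.  $1 = "good", or "bad" to simulate a
# deleted lock file and a world-readable stash file.
demo_kdc_state() {
    tmp=$(mktemp -d)
    for f in principal principal.ok principal.kadm5 principal.kadm5.lock .k5.ATHENA.MIT.EDU; do
        : > "$tmp/$f"
        chmod 600 "$tmp/$f"
    done
    if [ "$1" = bad ]; then
        rm -f "$tmp/principal.kadm5.lock"
        chmod 644 "$tmp/.k5.ATHENA.MIT.EDU"
    fi
    if check_kdc_state "$tmp" ATHENA.MIT.EDU; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# When run directly, exercise the check on the scratch directory.
demo_kdc_state good && echo "KDC state directory looks sane"
```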
  297 
  298 
  299 \subsubsection{Add administrators to the ACL file}
  300 \label{\detokenize{admin/install_kdc:add-administrators-to-the-acl-file}}\label{\detokenize{admin/install_kdc:admin-acl}}
  301 Next, you need to create an Access Control List (ACL) file and put the
  302 Kerberos principal of at least one of the administrators into it.
  303 This file is used by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon to control which
  304 principals may view and make privileged modifications to the Kerberos
  305 database files.  The ACL filename is determined by the \sphinxstylestrong{acl\_file}
  306 variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}.
  307 
  308 For more information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}.
  309 
  310 
  311 \subsubsection{Add administrators to the Kerberos database}
  312 \label{\detokenize{admin/install_kdc:add-administrators-to-the-kerberos-database}}\label{\detokenize{admin/install_kdc:addadmin-kdb}}
  313 Next you need to add administrative principals (i.e., principals who
  314 are allowed to administer the Kerberos database) to the Kerberos database.
  315 You \sphinxstyleemphasis{must} add at least one principal now to allow communication
  316 between the Kerberos administration daemon kadmind and the kadmin
  317 program over the network for further administration.  To do this, use
  318 the kadmin.local utility on the master KDC.  kadmin.local is designed
  319 to be run on the master KDC host without using Kerberos authentication
  320 to an admin server; instead, it must have read and write access to the
  321 Kerberos database on the local filesystem.
  322 
  323 The administrative principals you create should be the ones you added
  324 to the ACL file (see {\hyperref[\detokenize{admin/install_kdc:admin-acl}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the ACL file}}}}).
  325 
  326 In the following example, the administrative principal \sphinxcode{admin/admin}
  327 is created:
  328 
  329 \fvset{hllines={, ,}}%
  330 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  331 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}
  332 
  333 \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  334 
  335 \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;}
  336 \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}\PYG{o}{.}
  337 \PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Enter} \PYG{n}{a} \PYG{n}{password}\PYG{o}{.}
  338 \PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.}
  339 \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
  340 \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:}
  341 \end{sphinxVerbatim}
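
Added example (not from the krb5 documentation or code): a shell cross-check between \sphinxcode{kadm5.acl} and the list of existing principals, so that every administrator the ACL names was actually created as described above; the function names and both sample files are constructed.

```sh
#!/bin/sh
# Added example, not part of the krb5 documentation: cross-check kadm5.acl
# against the principals that exist in the database, since the page says the
# administrators you create should be the ones listed in the ACL.  An ACL
# entry for a principal that was never created grants nothing, and an
# administrator without a database entry cannot authenticate to kadmind.
# Function names and both sample files are constructed.

# Print the principal field (first column) of each kadm5.acl entry,
# skipping blank lines and comment lines starting with #.
acl_principals() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Compare ACL file $1 with principal list $2 (one principal per line, as
# "kadmin.local -q listprincs" prints them).  Prints "missing: P" for ACL
# principals absent from the list and "wildcard: P" for entries that cannot
# be matched against a single database entry.
acl_unmatched() {
    acl_principals "$1" | while read -r p; do
        case $p in
            *\**) echo "wildcard: $p" ;;
            *)    grep -qxF -e "$p" "$2" || echo "missing: $p" ;;
        esac
    done
}

# Return 0 when no ACL principal is missing from the database list $2.
acl_consistent() {
    ! acl_unmatched "$1" "$2" | grep -q '^missing:'
}

# Constructed sample data: an ACL with a full-rights admin, a wildcard
# entry and an administrator nobody created, plus a principal list like the
# one the database holds right after the "addprinc admin/admin" step above.
demo_acl_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/kadm5.acl" <<'EOF'
# kadm5.acl: principal  permissions
admin/admin@ATHENA.MIT.EDU    *
*/root@ATHENA.MIT.EDU         x
backup/admin@ATHENA.MIT.EDU   i
EOF
    cat > "$tmp/princs.txt" <<'EOF'
K/M@ATHENA.MIT.EDU
admin/admin@ATHENA.MIT.EDU
kadmin/admin@ATHENA.MIT.EDU
kadmin/changepw@ATHENA.MIT.EDU
EOF
    acl_unmatched "$tmp/kadm5.acl" "$tmp/princs.txt"
    rm -rf "$tmp"
}

# When run directly, print the two findings for the sample data.
demo_acl_check
```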
  342 
  343 
  344 \subsubsection{Start the Kerberos daemons on the master KDC}
  345 \label{\detokenize{admin/install_kdc:start-the-kerberos-daemons-on-the-master-kdc}}\label{\detokenize{admin/install_kdc:start-kdc-daemons}}
  346 At this point, you are ready to start the Kerberos KDC
  347 ({\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}) and administrative daemons on the Master KDC.  To
  348 do so, type:
  349 
  350 \fvset{hllines={, ,}}%
  351 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  352 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc}
  353 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind}
  354 \end{sphinxVerbatim}
  355 
  356 Each server daemon will fork and run in the background.
  357 
  358 \begin{sphinxadmonition}{note}{Note:}
  359 Assuming you want these daemons to start up automatically at
  360 boot time, you can add them to the KDC’s \sphinxcode{/etc/rc} or
  361 \sphinxcode{/etc/inittab} file.  You need to have a
  362 \DUrole{xref,std,std-ref}{stash\_definition} in order to do this.
  363 \end{sphinxadmonition}
  364 
  365 You can verify that they started properly by checking for their
  366 startup messages in the logging locations you defined in
  367 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} (see {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}).  For example:
  368 
  369 \fvset{hllines={, ,}}%
  370 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  371 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log}
  372 \PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{beeblebrox} \PYG{n}{krb5kdc}\PYG{p}{[}\PYG{l+m+mi}{3187}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{commencing} \PYG{n}{operation}
  373 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
  374 \PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{52} \PYG{n}{beeblebrox} \PYG{n}{kadmind}\PYG{p}{[}\PYG{l+m+mi}{3189}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{starting}
  375 \end{sphinxVerbatim}
  376 
  377 Any errors the daemons encounter while starting will also be listed in
  378 the logging output.
  379 
  380 As an additional verification, check if \DUrole{xref,std,std-ref}{kinit(1)} succeeds
  381 against the principals that you created in the previous step
  382 ({\hyperref[\detokenize{admin/install_kdc:addadmin-kdb}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the Kerberos database}}}}).  Run:
  383 
  384 \fvset{hllines={, ,}}%
  385 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  386 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
  387 \end{sphinxVerbatim}
  388 
  389 
  390 \subsubsection{Install the replica KDCs}
  391 \label{\detokenize{admin/install_kdc:install-the-replica-kdcs}}
  392 You are now ready to start configuring the replica KDCs.
  393 
  394 \begin{sphinxadmonition}{note}{Note:}
  395 Assuming you are setting the KDCs up so that you can easily
  396 switch the master KDC with one of the replicas, you should
  397 perform each of these steps on the master KDC as well as the
  398 replica KDCs, unless these instructions specify otherwise.
  399 \end{sphinxadmonition}
  400 
  401 
  402 \paragraph{Create host keytabs for replica KDCs}
  403 \label{\detokenize{admin/install_kdc:create-host-keytabs-for-replica-kdcs}}\label{\detokenize{admin/install_kdc:replica-host-key}}
  404 Each KDC needs a \sphinxcode{host} key in the Kerberos database.  These keys
  405 are used for mutual authentication when propagating the database dump
  406 file from the master KDC to the secondary KDC servers.
  407 
  408 On the master KDC, connect to the administrative interface and create the
  409 host principal for each of the KDCs’ \sphinxcode{host} services.  For example,
  410 if the master KDC were called \sphinxcode{kerberos.mit.edu}, and you had a
  411 replica KDC named \sphinxcode{kerberos-1.mit.edu}, you would type the
  412 following:
  413 
  414 \fvset{hllines={, ,}}%
  415 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  416 \PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}
  417 \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  418 \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}
  419 \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
  420 
  421 \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  422 \PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}
  423 \PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
  424 \end{sphinxVerbatim}
  425 
  426 It is not strictly necessary to have the master KDC server in the
  427 Kerberos database, but it can be handy if you want to be able to swap
  428 the master KDC with one of the replicas.
  429 
  430 Next, extract \sphinxcode{host} random keys for all participating KDCs and
  431 store them in each host’s default keytab file.  Ideally, you should
  432 extract each keytab locally on its own KDC.  If this is not feasible,
  433 you should use an encrypted session to send them across the network.
  434 To extract a keytab directly on a replica KDC called
  435 \sphinxcode{kerberos-1.mit.edu}, you would execute the following command:
  436 
  437 \fvset{hllines={, ,}}%
  438 \begin{sphinxVerbatim}[commandchars=\\\{\}]
  439 \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
  440 \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
  441     \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
  442 \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
  443     \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
  444 \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{arcfour}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

If you are instead extracting a keytab for the replica KDC called
\sphinxcode{kerberos-1.mit.edu} on the master KDC, you should use a dedicated
temporary keytab file for that machine’s keytab:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

The file \sphinxcode{/tmp/kerberos-1.keytab} can then be installed as
\sphinxcode{/etc/krb5.keytab} on the host \sphinxcode{kerberos-1.mit.edu}.


\paragraph{Configure replica KDCs}
\label{\detokenize{admin/install_kdc:configure-replica-kdcs}}
Database propagation copies the contents of the master’s database, but
does not propagate configuration files, stash files, or the kadm5 ACL
file.  The following files must be copied by hand to each replica (see
{\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default locations for these files):
\begin{itemize}
\item {}
krb5.conf

\item {}
kdc.conf

\item {}
kadm5.acl

\item {}
master key stash file

\end{itemize}

Move the copied files into their appropriate directories, exactly as
on the master KDC.  kadm5.acl is only needed to allow a replica to
swap with the master KDC.
The database is propagated from the master KDC to the replica KDCs via
the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} daemon.  You must explicitly specify the
principals that are allowed to supply database dump updates to the
replica machine.  Create a file named kpropd.acl in the KDC state
directory containing the \sphinxcode{host} principals for each of the
KDCs:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
If you expect that the master and replica KDCs will be
switched at some point of time, list the host principals
from all participating KDC servers in kpropd.acl files on
all of the KDCs.  Otherwise, you only need to list the
master KDC’s host principal in the kpropd.acl files of the
replica KDCs.
\end{sphinxadmonition}

Then, add the following line to \sphinxcode{/etc/inetd.conf} on each KDC
(adjust the path to kpropd):

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5\PYGZus{}prop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd}
\end{sphinxVerbatim}

You also need to add the following line to \sphinxcode{/etc/services} on each
KDC, if it is not already present (assuming that the default port is
used):

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5\PYGZus{}prop}       \PYG{l+m+mi}{754}\PYG{o}{/}\PYG{n}{tcp}               \PYG{c+c1}{\PYGZsh{} Kerberos replica propagation}
\end{sphinxVerbatim}

Restart the inetd daemon.

Alternatively, start {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} as a stand-alone daemon.  This is
required when incremental propagation is enabled.

Now that the replica KDC is able to accept database propagation,
you’ll need to propagate the database from the master server.

NOTE: Do not start the replica KDC yet; you still do not have a copy
of the master’s database.


\paragraph{Propagate the database to each replica KDC}
\label{\detokenize{admin/install_kdc:kprop-to-replicas}}\label{\detokenize{admin/install_kdc:propagate-the-database-to-each-replica-kdc}}
First, create a dump file of the database on the master KDC, as
follows:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans}
\end{sphinxVerbatim}

Then, manually propagate the database to each replica KDC, as in the
following example:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kprop} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}

\PYG{n}{Database} \PYG{n}{propagation} \PYG{n}{to} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{p}{:} \PYG{n}{SUCCEEDED}
\end{sphinxVerbatim}

You will need a script to dump and propagate the database.  The
following is an example of a Bourne shell script that will do this.

\begin{sphinxadmonition}{note}{Note:}
Remember that you need to replace \sphinxcode{/usr/local/var/krb5kdc}
with the name of the KDC state directory.
\end{sphinxadmonition}

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZsh{}!/bin/sh
\PYGZsh{} Dump the KDC database and push the dump to each replica KDC.
\PYGZsh{} Replace /usr/local/var/krb5kdc with your KDC state directory.

\PYGZsh{} No spaces around the = sign: the shell would otherwise try to run kdclist as a command.
kdclist=\PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{}

\PYGZsh{} The dump file holds every principal key; stop if it cannot be written.
kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/replica\PYGZus{}datatrans || exit 1

for kdc in \PYGZdl{}kdclist
do
    kprop \PYGZhy{}f /usr/local/var/krb5kdc/replica\PYGZus{}datatrans \PYGZdl{}kdc
done
\end{sphinxVerbatim}

You will need to set up a cron job to run this script at the intervals
you decided on earlier (see {\hyperref[\detokenize{admin/realm_config:db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Database propagation}}}}).

Now that the replica KDC has a copy of the Kerberos database, you can
start the krb5kdc daemon:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc}
\end{sphinxVerbatim}

As with the master KDC, you will probably want to add this command to
the KDCs’ \sphinxcode{/etc/rc} or \sphinxcode{/etc/inittab} files, so they will start
the krb5kdc daemon automatically at boot time.


\subparagraph{Propagation failed?}
\label{\detokenize{admin/install_kdc:propagation-failed}}
You may encounter the following error messages.  For a more detailed
discussion of possible causes and solutions, follow the error link to
the {\hyperref[\detokenize{admin/troubleshoot:troubleshoot}]{\sphinxcrossref{\DUrole{std,std-ref}{Troubleshooting}}}} section.
\begin{enumerate}
\item {}
{\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}}

\item {}
{\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}}

\item {}
{\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}}

\end{enumerate}


\subsubsection{Add Kerberos principals to the database}
\label{\detokenize{admin/install_kdc:add-kerberos-principals-to-the-database}}
Once your KDCs are set up and running, you are ready to use
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to load principals for your users, hosts, and other
services into the Kerberos database.  This procedure is described
fully in {\hyperref[\detokenize{admin/database:add-mod-del-princs}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding, modifying and deleting principals}}}}.

You may occasionally want to use one of your replica KDCs as the
master.  This might happen if you are upgrading the master KDC, or if
your master KDC has a disk crash.  See the following section for the
instructions.


\subsubsection{Switching master and replica KDCs}
\label{\detokenize{admin/install_kdc:switch-master-replica}}\label{\detokenize{admin/install_kdc:switching-master-and-replica-kdcs}}
You may occasionally want to use one of your replica KDCs as the
master.  This might happen if you are upgrading the master KDC, or if
your master KDC has a disk crash.

Assuming you have configured all of your KDCs to be able to function
as either the master KDC or a replica KDC (as this document
recommends), all you need to do to make the changeover is:

If the master KDC is still running, do the following on the \sphinxstyleemphasis{old}
master KDC:
\begin{enumerate}
\item {}
Kill the kadmind process.

\item {}
Disable the cron job that propagates the database.

\item {}
Run your database propagation script manually, to ensure that the
replicas all have the latest copy of the database (see
{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}).

\end{enumerate}

On the \sphinxstyleemphasis{new} master KDC:
\begin{enumerate}
\item {}
Start the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon (see {\hyperref[\detokenize{admin/install_kdc:start-kdc-daemons}]{\sphinxcrossref{\DUrole{std,std-ref}{Start the Kerberos daemons on the master KDC}}}}).

\item {}
Set up the cron job to propagate the database (see
{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}).

\item {}
Switch the CNAMEs of the old and new master KDCs.  If you can’t do
this, you’ll need to change the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file on every
client machine in your Kerberos realm.

\end{enumerate}


\subsubsection{Incremental database propagation}
\label{\detokenize{admin/install_kdc:incremental-database-propagation}}
If you expect your Kerberos database to become large, you may wish to
set up incremental propagation to replica KDCs.  See
{\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} for details.


\subsection{Installing and configuring UNIX client machines}
\label{\detokenize{admin/install_clients:installing-and-configuring-unix-client-machines}}\label{\detokenize{admin/install_clients::doc}}
The Kerberized client programs include \DUrole{xref,std,std-ref}{kinit(1)},
\DUrole{xref,std,std-ref}{klist(1)}, \DUrole{xref,std,std-ref}{kdestroy(1)}, and \DUrole{xref,std,std-ref}{kpasswd(1)}.  All of
these programs are in the directory {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{BINDIR}}}}.

You can often integrate Kerberos with the login system on client
machines, typically through the use of PAM.  The details vary by
operating system, and should be covered in your operating system’s
documentation.  If you do this, you will need to make sure your users
know to use their Kerberos passwords when they log in.

You will also need to educate your users to use the ticket management
programs kinit, klist, and kdestroy.  If you do not have Kerberos
password changing integrated into the native password program (again,
typically through PAM), you will need to educate users to use kpasswd
in place of its non-Kerberos counterpart, passwd.


\subsubsection{Client machine configuration files}
\label{\detokenize{admin/install_clients:client-machine-configuration-files}}
Each machine running Kerberos should have a {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file.
At a minimum, it should define a \sphinxstylestrong{default\_realm} setting in
{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.  If you are not using DNS SRV records
({\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}}) or URI records ({\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), it must
also contain a {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section containing information for your
realm’s KDCs.

Consider setting \sphinxstylestrong{rdns} to false in order to reduce your dependence
on precisely correct DNS information for service hostnames.  Turning
this flag off means that service hostnames will be canonicalized
through forward name resolution (which adds your domain name to
unqualified hostnames, and resolves CNAME records in DNS), but not
through reverse address lookup.  The default value of this flag is
true for historical reasons only.
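
The difference between the two settings, as an added Python simulation that is not part of the krb5 documentation or library: DNS is replaced by constructed tables (the default domain, CNAME, A and PTR entries are all made up), the forward steps follow the description above, and a PTR record from the address's reverse zone only reaches the service principal when rdns is true.

```python
# Constructed DNS data, not real records.  The forward zone is published by
# the hostname's owner; the reverse zone belongs to whoever controls the
# address block, which is the dependence that rdns = false removes.
DEFAULT_DOMAIN = "mit.edu"                          # assumed search domain
CNAME = {"mail.mit.edu": "trillium.mit.edu"}        # alias -> canonical name
A_RECORDS = {"trillium.mit.edu": "192.0.2.10"}      # name -> address
PTR = {"192.0.2.10": "other-host.example.test"}     # address -> reverse name


def canonicalize(host, rdns, cname=CNAME, a_records=A_RECORDS, ptr=PTR):
    """Hostname krb5 would place in host/<name> under the given rdns setting."""
    name = host.lower()                 # krb5 lowercases the hostname
    if "." not in name:                 # unqualified: add the default domain
        name = "%s.%s" % (name, DEFAULT_DOMAIN)
    seen = set()
    while name in cname:                # forward resolution follows CNAMEs
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = cname[name]
    if name not in a_records:
        raise LookupError("no address record for %s" % name)
    if rdns:
        # rdns = true: the reverse lookup of the address replaces the name,
        # so the reverse zone's owner decides which service key is requested.
        # Without a PTR record the forward name is kept.
        name = ptr.get(a_records[name], name)
    return name


def service_principal(host, realm, rdns, service="host"):
    """Service principal the client will request a ticket for."""
    return "%s/%s@%s" % (service, canonicalize(host, rdns), realm)
```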

If you anticipate users frequently logging into remote hosts
(e.g., using ssh) using forwardable credentials, consider setting
\sphinxstylestrong{forwardable} to true so that users obtain forwardable tickets by
default.  Otherwise users will need to use \sphinxcode{kinit -f} to get
forwardable tickets.

Consider adjusting the \sphinxstylestrong{ticket\_lifetime} setting to match the likely
length of sessions for your users.  For instance, if most of your
users will be logging in for an eight-hour workday, you could set the
default to ten hours so that tickets obtained in the morning expire
shortly after the end of the workday.  Users can still manually
request longer tickets when necessary, up to the maximum allowed by
each user’s principal record on the KDC.

If a client host may access services in different realms, it may be
useful to define a {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} mapping so that clients know
which hosts belong to which realms.  However, if your clients and KDC
are running release 1.7 or later, it is also reasonable to leave this
section out on client machines and just define it in the KDC’s
krb5.conf.


\subsection{UNIX Application Servers}
\label{\detokenize{admin/install_appl_srv:unix-application-servers}}\label{\detokenize{admin/install_appl_srv::doc}}
An application server is a host that provides one or more services
over the network.  Application servers can be “secure” or “insecure.”
A “secure” host is set up to require authentication from every client
connecting to it.  An “insecure” host will still provide Kerberos
authentication, but will also allow unauthenticated clients to
connect.

If you have Kerberos V5 installed on all of your client machines, MIT
recommends that you make your hosts secure, to take advantage of the
security that Kerberos authentication affords.  However, if you have
some clients that do not have Kerberos V5 installed, you can run an
insecure server, and still take advantage of Kerberos V5’s single
sign-on capability.


\subsubsection{The keytab file}
\label{\detokenize{admin/install_appl_srv:the-keytab-file}}\label{\detokenize{admin/install_appl_srv:keytab-file}}
All Kerberos server machines need a keytab file to authenticate to the
KDC.  By default on UNIX-like systems this file is named {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}.
The keytab file is a local copy of the host’s key.  The keytab file
is a potential point of entry for a break-in, and if compromised,
would allow unrestricted access to its host.  The keytab file should
be readable only by root, and should exist only on the machine’s local
disk.  The file should not be part of any backup of the machine,
unless access to the backup data is secured as tightly as access to
the machine’s root password.

In order to generate a keytab for a host, the host must have a
principal in the Kerberos database.  The procedure for adding hosts to
the database is described fully in {\hyperref[\detokenize{admin/database:add-mod-del-princs}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding, modifying and deleting principals}}}}.  (See
{\hyperref[\detokenize{admin/install_kdc:replica-host-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Create host keytabs for replica KDCs}}}} for a brief description.)  The keytab is
generated by running {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and issuing the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:ktadd}]{\sphinxcrossref{\DUrole{std,std-ref}{ktadd}}}}
command.

For example, to generate a keytab file to allow the host
\sphinxcode{trillium.mit.edu} to authenticate for the services host, ftp, and
pop, the administrator \sphinxcode{joeadmin} would issue the command (on
\sphinxcode{trillium.mit.edu}):

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{trillium}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{quit}
\PYG{n}{trillium}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

If you generate the keytab file on another host, you need to get a
copy of the keytab file onto the destination host (\sphinxcode{trillium}, in
the above example) without sending it unencrypted over the network.


\subsubsection{Some advice about secure hosts}
\label{\detokenize{admin/install_appl_srv:some-advice-about-secure-hosts}}
Kerberos V5 can protect your host from certain types of break-ins, but
it is possible to install Kerberos V5 and still leave your host
vulnerable to attack.  Obviously an installation guide is not the
place to try to include an exhaustive list of countermeasures for
every possible attack, but it is worth noting some of the larger holes
and how to close them.

We recommend that backups of secure machines exclude the ke—ytab file
({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}).  If this is not possible, the backups should at least be
done locally, rather than over a network, and the backup tapes should
be physically secured.

The keytab file and any programs run by root, including the Kerberos
V5 binaries, should be kept on local disk.  The keytab file should be
readable only by root.


\section{Additional references}
\label{\detokenize{admin/install:additional-references}}\begin{enumerate}
\item {}
Debian: \sphinxhref{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5}

\item {}
Solaris: \sphinxhref{https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service}

\end{enumerate}


\chapter{Configuration Files}
\label{\detokenize{admin/conf_files/index:configuration-files}}\label{\detokenize{admin/conf_files/index::doc}}
Kerberos uses configuration files to allow administrators to specify
settings on a per-machine basis.  {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to all
applications using the Kerberos library, on clients and servers.
For KDC-specific applications, additional settings can be specified in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the two files are merged into a configuration profile
used by applications accessing the KDC database directly.  {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}
is also used only on the KDC; it controls permissions for modifying the
KDC database.


\section{Contents}
\label{\detokenize{admin/conf_files/index:contents}}

\subsection{krb5.conf}
\label{\detokenize{admin/conf_files/krb5_conf::doc}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}}
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
\sphinxcode{/etc}.  You can override the default location by setting the
environment variable \sphinxstylestrong{KRB5\_CONFIG}.  Multiple colon-separated
filenames may be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files which are
present will be read.  Starting in release 1.14, directory names can
also be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.


\subsubsection{Structure}
\label{\detokenize{admin/conf_files/krb5_conf:structure}}
The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with ‘\#’ or ‘;’ (possibly after initial whitespace)
are ignored as comments.  Sections are headed by the section name, in
square brackets.  Each section may contain zero or more relations, of
the form:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar}
\end{sphinxVerbatim}

or:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{fubar} \PYG{o}{=} \PYG{p}{\PYGZob{}}
    \PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar}
    \PYG{n}{baz} \PYG{o}{=} \PYG{n}{quux}
\PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

Placing a ‘*’ after the closing bracket of a section name indicates
that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears
within a later file specified in \sphinxstylestrong{KRB5\_CONFIG}, it will be ignored.
A subsection can be marked as final by placing a ‘*’ after either the
tag name or the closing brace.
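
The following Python parser is an added example, not part of the krb5 documentation or of the library's own profile code. It reads the structure described above (section headers, relations, nested subsections, comment lines and the ‘*’ final marker) from two constructed sample files and merges them in KRB5\_CONFIG order, so that a section or subsection marked final in the earlier file hides the same one in the later file; the treatment of non-final duplicates (the later file's relations are simply appended) is the example's own simplification.

```python
FILE_A = """# constructed sample: the first file named in KRB5_CONFIG
[libdefaults]
    default_realm = ATHENA.MIT.EDU
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
    }*
[domain_realm]*
    .mit.edu = ATHENA.MIT.EDU
"""
FILE_B = """; constructed sample: a later file that tries to extend the first one
[libdefaults]
    ticket_lifetime = 10h
[realms]
    ATHENA.MIT.EDU = {
        kdc = kdc2.example.test
    }
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""


def parse_profile(text):
    """Parse one file into {section: {"__final__": bool, tag: [values]}}."""
    # A value is a string or, for "tag = { ... }", a nested dict of that shape.
    profile, chunks = {}, []          # chunks: (name, final flag, body lines)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):              # "[name]" or "[name]*"
            name, _, rest = stripped[1:].partition("]")
            chunks.append((name.strip(), rest.strip() == "*", []))
        elif stripped and stripped[0] not in "#;":   # skip blanks, comments
            if not chunks:
                raise ValueError("relation before first section header")
            chunks[-1][2].append(stripped)
    for name, final, body in chunks:
        section = profile.setdefault(name, {"__final__": False})
        section["__final__"] = section["__final__"] or final
        _parse_body(body, 0, section, nested=False)
    return profile


def _parse_body(body, pos, section, nested):
    """Parse relations from body[pos:] into section; return the next index."""
    while pos < len(body):
        line = body[pos]
        pos += 1
        if line.startswith("}"):                  # end of a subsection
            if not nested:
                raise ValueError("closing brace outside a subsection")
            section["__final__"] |= line.endswith("*")    # "}*" => final
            return pos
        tag, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not tag:
            raise ValueError("malformed relation: %r" % line)
        if value == "{":
            # "tag* = {" also marks the subsection as final
            sub = {"__final__": tag.endswith("*")}
            pos = _parse_body(body, pos, sub, nested=True)
            section.setdefault(tag.rstrip("* "), []).append(sub)
        else:
            section.setdefault(tag, []).append(value)
    if nested:
        raise ValueError("subsection not closed")
    return pos


def merge_profiles(profiles):
    """Combine parsed files in KRB5_CONFIG order (earliest first)."""
    # A final section or subsection from an earlier file hides the same one
    # in later files; other duplicates are appended (example simplification).
    merged = {}
    for profile in profiles:
        for name, section in profile.items():
            target = merged.setdefault(name, {"__final__": False})
            if target["__final__"]:
                continue                          # closed by an earlier file
            target["__final__"] = section["__final__"]
            for tag, values in section.items():
                if tag == "__final__":
                    continue
                existing = target.setdefault(tag, [])
                for value in values:
                    if isinstance(value, dict) and any(
                            isinstance(e, dict) and e["__final__"] for e in existing):
                        continue                  # a final subsection wins
                    existing.append(value)
    return merged


def get_values(profile, section, *path):
    """String values at a tag path, e.g. ("realms", "X", "kdc"); [] if absent."""
    nodes = [profile.get(section, {})]
    for key in path:
        nodes = [v for n in nodes if isinstance(n, dict) for v in n.get(key, [])]
    return [v for v in nodes if isinstance(v, str)]
```

With the two sample files merged, the later file adds EXAMPLE.COM and ticket\_lifetime but cannot add a KDC to the final ATHENA.MIT.EDU subsection or a mapping to the final [domain\_realm] section.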

The krb5.conf file can include other files using either of the
following directives at the beginning of a line:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{include} \PYG{n}{FILENAME}
\PYG{n}{includedir} \PYG{n}{DIRNAME}
\end{sphinxVerbatim}

\sphinxstyleemphasis{FILENAME} or \sphinxstyleemphasis{DIRNAME} should be an absolute path. The named file or
directory must exist and be readable.  Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores.  Starting in release
1.15, files with names ending in “.conf” are also included, unless the
name begins with “.”.  Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header.  Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.

The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:

\fvset{hllines={, ,}}%
\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{module} \PYG{n}{MODULEPATH}\PYG{p}{:}\PYG{n}{RESIDUAL}
\end{sphinxVerbatim}

\sphinxstyleemphasis{MODULEPATH} may be relative to the library path of the krb5
installation, or it may be an absolute path.  \sphinxstyleemphasis{RESIDUAL} is provided
to the module at initialization time.  If krb5.conf uses a module
directive, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} should also use one if it exists.


\subsubsection{Sections}
\label{\detokenize{admin/conf_files/krb5_conf:sections}}
The krb5.conf file may contain the following sections:


\begin{savenotes}\sphinxattablestart
\centering
\begin{tabulary}{\linewidth}[t]{|T|T|}
\hline

{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
&
Settings used by the Kerberos V5 library
\\
\hline
{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}}
&
Realm-specific contact information and settings
\\
\hline
{\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}}
&
Maps server hostnames to Kerberos realms
\\
\hline
{\hyperref[\detokenize{admin/conf_files/krb5_conf:capaths}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}capaths{]}}}}}
&
Authentication paths for non-hierarchical cross-realm
\\
\hline
{\hyperref[\detokenize{admin/conf_files/krb5_conf:appdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}appdefaults{]}}}}}
&
Settings used by some Kerberos V5 applications
\\
\hline
{\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}}
&
Controls plugin module registration
\\
\hline
\end{tabulary}
\par
\sphinxattableend\end{savenotes}

Additionally, krb5.conf may include any of the relations described in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but it is not a recommended practice.


\paragraph{{[}libdefaults{]}}
\label{\detokenize{admin/conf_files/krb5_conf:libdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id1}}
The libdefaults section may contain any of the following relations:
\begin{description}
\item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode
If this flag is set to false, then weak encryption types (as noted
in {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}) will be filtered
out of the lists \sphinxstylestrong{default\_tgs\_enctypes},
\sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{permitted\_enctypes}.  The default
value for this tag is false.

\item[{\sphinxstylestrong{canonicalize}}] \leavevmode
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted.  The default value is false.

\item[{\sphinxstylestrong{ccache\_type}}] \leavevmode
This parameter determines the format of credential cache types
created by \DUrole{xref,std,std-ref}{kinit(1)} or other programs.  The default value
is 4, which represents the most current format.  Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.

\item[{\sphinxstylestrong{clockskew}}] \leavevmode
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid.  The default value is 300 seconds, or five minutes.

The clockskew setting is also used when evaluating ticket start
and expiration times.  For example, tickets that have reached
their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the \sphinxstylestrong{clockskew} setting.

\item[{\sphinxstylestrong{default\_ccache\_name}}] \leavevmode
This relation specifies the name of the default credential cache.
The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCCNAME}}}}.  This relation is subject to parameter
expansion (see below).  New in release 1.11.

\item[{\sphinxstylestrong{default\_client\_keytab\_name}}] \leavevmode
This relation specifies the name of the default keytab for
obtaining client credentials.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}.  This
relation is subject to parameter expansion (see below).
New in release 1.11.

\item[{\sphinxstylestrong{default\_keytab\_name}}] \leavevmode
This relation specifies the default keytab name to be used by
application servers such as sshd.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}.  This
relation is subject to parameter expansion (see below).

\item[{\sphinxstylestrong{default\_rcache\_name}}] \leavevmode
This relation specifies the name of the default replay cache.
The default is \sphinxcode{dfl:}.  This relation is subject to parameter
 1027 expansion (see below).  New in release 1.18.
 1028 
 1029 \item[{\sphinxstylestrong{default\_realm}}] \leavevmode
 1030 Identifies the default Kerberos realm for the client.  Set its
 1031 value to your Kerberos realm.  If this value is not set, then a
 1032 realm must be specified with every Kerberos principal when
 1033 invoking programs such as \DUrole{xref,std,std-ref}{kinit(1)}.
 1034 
 1035 \item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode
 1036 Identifies the supported list of session key encryption types that
 1037 the client should request when making a TGS-REQ, in order of
 1038 preference from highest to lowest.  The list may be delimited with
 1039 commas or whitespace.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in
 1040 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values for this tag.
 1041 Starting in release 1.18, the default value is the value of
 1042 \sphinxstylestrong{permitted\_enctypes}.  For previous releases or if
 1043 \sphinxstylestrong{permitted\_enctypes} is not set, the default value is
 1044 \sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}.
 1045 
 1046 Do not set this unless required for specific backward
 1047 compatibility purposes; stale values of this setting can prevent
 1048 clients from taking advantage of new stronger enctypes when the
 1049 libraries are upgraded.
 1050 
 1051 \item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode
 1052 Identifies the supported list of session key encryption types that
 1053 the client should request when making an AS-REQ, in order of
 1054 preference from highest to lowest.  The format is the same as for
 1055 default\_tgs\_enctypes.  Starting in release 1.18, the default
 1056 value is the value of \sphinxstylestrong{permitted\_enctypes}.  For previous
 1057 releases or if \sphinxstylestrong{permitted\_enctypes} is not set, the default
 1058 value is \sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}.
 1059 
 1060 Do not set this unless required for specific backward
 1061 compatibility purposes; stale values of this setting can prevent
 1062 clients from taking advantage of new stronger enctypes when the
 1063 libraries are upgraded.
 1064 
 1065 \item[{\sphinxstylestrong{dns\_canonicalize\_hostname}}] \leavevmode
 1066 Indicate whether name lookups will be used to canonicalize
 1067 hostnames for use in service principal names.  Setting this flag
 1068 to false can improve security by reducing reliance on DNS, but
 1069 means that short hostnames will not be canonicalized to
 1070 fully-qualified hostnames.  The default value is true.
 1071 
  1072 If this option is set to \sphinxcode{fallback} (new in release 1.18), DNS
  1073 canonicalization will only be performed if the server hostname is not
  1074 found with the original name when requesting credentials.
 1075 
 1076 \item[{\sphinxstylestrong{dns\_lookup\_kdc}}] \leavevmode
 1077 Indicate whether DNS SRV records should be used to locate the KDCs
 1078 and other servers for a realm, if they are not listed in the
 1079 krb5.conf information for the realm.  (Note that the admin\_server
 1080 entry must be in the krb5.conf realm information in order to
 1081 contact kadmind, because the DNS implementation for kadmin is
 1082 incomplete.)
 1083 
 1084 Enabling this option does open up a type of denial-of-service
 1085 attack, if someone spoofs the DNS records and redirects you to
 1086 another server.  However, it’s no worse than a denial of service,
 1087 because that fake KDC will be unable to decode anything you send
 1088 it (besides the initial ticket request, which has no encrypted
 1089 data), and anything the fake KDC sends will not be trusted without
 1090 verification using some secret that it won’t know.
 1091 
 1092 \item[{\sphinxstylestrong{dns\_uri\_lookup}}] \leavevmode
 1093 Indicate whether DNS URI records should be used to locate the KDCs
 1094 and other servers for a realm, if they are not listed in the
 1095 krb5.conf information for the realm.  SRV records are used as a
 1096 fallback if no URI records were found.  The default value is true.
 1097 New in release 1.15.
 1098 
 1099 \item[{\sphinxstylestrong{enforce\_ok\_as\_delegate}}] \leavevmode
  1100 If this flag is set to true, GSSAPI credential delegation will be
 1101 disabled when the \sphinxcode{ok-as-delegate} flag is not set in the
 1102 service ticket.  If this flag is false, the \sphinxcode{ok-as-delegate}
 1103 ticket flag is only enforced when an application specifically
 1104 requests enforcement.  The default value is false.
 1105 
 1106 \item[{\sphinxstylestrong{err\_fmt}}] \leavevmode
 1107 This relation allows for custom error message formatting.  If a
 1108 value is set, error messages will be formatted by substituting a
 1109 normal error message for \%M and an error code for \%C in the value.
 1110 
 1111 \item[{\sphinxstylestrong{extra\_addresses}}] \leavevmode
 1112 This allows a computer to use multiple local addresses, in order
 1113 to allow Kerberos to work in a network that uses NATs while still
 1114 using address-restricted tickets.  The addresses should be in a
 1115 comma-separated list.  This option has no effect if
 1116 \sphinxstylestrong{noaddresses} is true.
 1117 
 1118 \item[{\sphinxstylestrong{forwardable}}] \leavevmode
 1119 If this flag is true, initial tickets will be forwardable by
 1120 default, if allowed by the KDC.  The default value is false.
 1121 
 1122 \item[{\sphinxstylestrong{ignore\_acceptor\_hostname}}] \leavevmode
 1123 When accepting GSSAPI or krb5 security contexts for host-based
 1124 service principals, ignore any hostname passed by the calling
 1125 application, and allow clients to authenticate to any service
 1126 principal in the keytab matching the service name and realm name
 1127 (if given).  This option can improve the administrative
 1128 flexibility of server applications on multihomed hosts, but could
 1129 compromise the security of virtual hosting environments.  The
 1130 default value is false.  New in release 1.10.
 1131 
 1132 \item[{\sphinxstylestrong{k5login\_authoritative}}] \leavevmode
 1133 If this flag is true, principals must be listed in a local user’s
 1134 k5login file to be granted login access, if a \DUrole{xref,std,std-ref}{.k5login(5)}
 1135 file exists.  If this flag is false, a principal may still be
 1136 granted login access through other mechanisms even if a k5login
 1137 file exists but does not list the principal.  The default value is
 1138 true.
 1139 
 1140 \item[{\sphinxstylestrong{k5login\_directory}}] \leavevmode
 1141 If set, the library will look for a local user’s k5login file
 1142 within the named directory, with a filename corresponding to the
 1143 local username.  If not set, the library will look for k5login
 1144 files in the user’s home directory, with the filename .k5login.
 1145 For security reasons, .k5login files must be owned by
 1146 the local user or by root.
 1147 
 1148 \item[{\sphinxstylestrong{kcm\_mach\_service}}] \leavevmode
 1149 On macOS only, determines the name of the bootstrap service used to
 1150 contact the KCM daemon for the KCM credential cache type.  If the
 1151 value is \sphinxcode{-}, Mach RPC will not be used to contact the KCM
 1152 daemon.  The default value is \sphinxcode{org.h5l.kcm}.
 1153 
 1154 \item[{\sphinxstylestrong{kcm\_socket}}] \leavevmode
 1155 Determines the path to the Unix domain socket used to access the
 1156 KCM daemon for the KCM credential cache type.  If the value is
 1157 \sphinxcode{-}, Unix domain sockets will not be used to contact the KCM
 1158 daemon.  The default value is
 1159 \sphinxcode{/var/run/.heim\_org.h5l.kcm-socket}.
 1160 
 1161 \item[{\sphinxstylestrong{kdc\_default\_options}}] \leavevmode
 1162 Default KDC options (Xored for multiple values) when requesting
 1163 initial tickets.  By default it is set to 0x00000010
 1164 (KDC\_OPT\_RENEWABLE\_OK).
 1165 
 1166 \item[{\sphinxstylestrong{kdc\_timesync}}] \leavevmode
 1167 Accepted values for this relation are 1 or 0.  If it is nonzero,
 1168 client machines will compute the difference between their time and
 1169 the time returned by the KDC in the timestamps in the tickets and
 1170 use this value to correct for an inaccurate system clock when
 1171 requesting service tickets or authenticating to services.  This
 1172 corrective factor is only used by the Kerberos library; it is not
 1173 used to change the system clock.  The default value is 1.
 1174 
 1175 \item[{\sphinxstylestrong{noaddresses}}] \leavevmode
 1176 If this flag is true, requests for initial tickets will not be
 1177 made with address restrictions set, allowing the tickets to be
 1178 used across NATs.  The default value is true.
 1179 
 1180 \item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode
 1181 Identifies the encryption types that servers will permit for
 1182 session keys and for ticket and authenticator encryption, ordered
 1183 by preference from highest to lowest.  Starting in release 1.18,
 1184 this tag also acts as the default value for
 1185 \sphinxstylestrong{default\_tgs\_enctypes} and \sphinxstylestrong{default\_tkt\_enctypes}.  The
 1186 default value for this tag is \sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}.
 1187 
 1188 \item[{\sphinxstylestrong{plugin\_base\_dir}}] \leavevmode
 1189 If set, determines the base directory where krb5 plugins are
 1190 located.  The default value is the \sphinxcode{krb5/plugins} subdirectory
 1191 of the krb5 library directory.  This relation is subject to
 1192 parameter expansion (see below) in release 1.17 and later.
 1193 
 1194 \item[{\sphinxstylestrong{preferred\_preauth\_types}}] \leavevmode
 1195 This allows you to set the preferred preauthentication types which
 1196 the client will attempt before others which may be advertised by a
 1197 KDC.  The default value for this setting is “17, 16, 15, 14”,
 1198 which forces libkrb5 to attempt to use PKINIT if it is supported.
 1199 
 1200 \item[{\sphinxstylestrong{proxiable}}] \leavevmode
 1201 If this flag is true, initial tickets will be proxiable by
 1202 default, if allowed by the KDC.  The default value is false.
 1203 
 1204 \item[{\sphinxstylestrong{qualify\_shortname}}] \leavevmode
 1205 If this string is set, it determines the domain suffix for
 1206 single-component hostnames when DNS canonicalization is not used
 1207 (either because \sphinxstylestrong{dns\_canonicalize\_hostname} is false or because
 1208 forward canonicalization failed).  The default value is the first
 1209 search domain of the system’s DNS configuration.  To disable
 1210 qualification of shortnames, set this relation to the empty string
 1211 with \sphinxcode{qualify\_shortname = ""}.  (New in release 1.18.)
 1212 
 1213 \item[{\sphinxstylestrong{rdns}}] \leavevmode
 1214 If this flag is true, reverse name lookup will be used in addition
  1215 to forward name lookup to canonicalize hostnames for use in
 1216 service principal names.  If \sphinxstylestrong{dns\_canonicalize\_hostname} is set
 1217 to false, this flag has no effect.  The default value is true.
 1218 
 1219 \item[{\sphinxstylestrong{realm\_try\_domains}}] \leavevmode
 1220 Indicate whether a host’s domain components should be used to
 1221 determine the Kerberos realm of the host.  The value of this
 1222 variable is an integer: -1 means not to search, 0 means to try the
 1223 host’s domain itself, 1 means to also try the domain’s immediate
 1224 parent, and so forth.  The library’s usual mechanism for locating
 1225 Kerberos realms is used to determine whether a domain is a valid
 1226 realm, which may involve consulting DNS if \sphinxstylestrong{dns\_lookup\_kdc} is
 1227 set.  The default is not to search domain components.
 1228 
 1229 \item[{\sphinxstylestrong{renew\_lifetime}}] \leavevmode
 1230 (\DUrole{xref,std,std-ref}{duration} string.)  Sets the default renewable lifetime
 1231 for initial ticket requests.  The default value is 0.
 1232 
 1233 \item[{\sphinxstylestrong{spake\_preauth\_groups}}] \leavevmode
 1234 A whitespace or comma-separated list of words which specifies the
 1235 groups allowed for SPAKE preauthentication.  The possible values
 1236 are:
 1237 
 1238 
 1239 \begin{savenotes}\sphinxattablestart
 1240 \centering
 1241 \begin{tabulary}{\linewidth}[t]{|T|T|}
 1242 \hline
 1243 
 1244 edwards25519
 1245 &
 1246 Edwards25519 curve (\index{RFC!RFC 7748}\sphinxhref{https://tools.ietf.org/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}})
 1247 \\
 1248 \hline
 1249 P-256
 1250 &
 1251 NIST P-256 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
 1252 \\
 1253 \hline
 1254 P-384
 1255 &
 1256 NIST P-384 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
 1257 \\
 1258 \hline
 1259 P-521
 1260 &
 1261 NIST P-521 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
 1262 \\
 1263 \hline
 1264 \end{tabulary}
 1265 \par
 1266 \sphinxattableend\end{savenotes}
 1267 
 1268 The default value for the client is \sphinxcode{edwards25519}.  The default
 1269 value for the KDC is empty.  New in release 1.17.
 1270 
 1271 \item[{\sphinxstylestrong{ticket\_lifetime}}] \leavevmode
 1272 (\DUrole{xref,std,std-ref}{duration} string.)  Sets the default lifetime for initial
 1273 ticket requests.  The default value is 1 day.
 1274 
 1275 \item[{\sphinxstylestrong{udp\_preference\_limit}}] \leavevmode
 1276 When sending a message to the KDC, the library will try using TCP
 1277 before UDP if the size of the message is above
 1278 \sphinxstylestrong{udp\_preference\_limit}.  If the message is smaller than
 1279 \sphinxstylestrong{udp\_preference\_limit}, then UDP will be tried before TCP.
 1280 Regardless of the size, both protocols will be tried if the first
 1281 attempt fails.
 1282 
 1283 \item[{\sphinxstylestrong{verify\_ap\_req\_nofail}}] \leavevmode
 1284 If this flag is true, then an attempt to verify initial
 1285 credentials will fail if the client machine does not have a
 1286 keytab.  The default value is false.
 1287 
 1288 \end{description}
 1289 
 1290 
 1291 \paragraph{{[}realms{]}}
 1292 \label{\detokenize{admin/conf_files/krb5_conf:id2}}\label{\detokenize{admin/conf_files/krb5_conf:realms}}
 1293 Each tag in the {[}realms{]} section of the file is the name of a Kerberos
 1294 realm.  The value of the tag is a subsection with relations that
 1295 define the properties of that particular realm.  For each realm, the
 1296 following tags may be specified in the realm’s subsection:
 1297 \begin{description}
 1298 \item[{\sphinxstylestrong{admin\_server}}] \leavevmode
 1299 Identifies the host where the administration server is running.
 1300 Typically, this is the master Kerberos server.  This tag must be
 1301 given a value in order to communicate with the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
 1302 server for the realm.
 1303 
 1304 \item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode
 1305 This tag allows you to set a general rule for mapping principal
 1306 names to local user names.  It will be used if there is not an
 1307 explicit mapping for the principal name that is being
 1308 translated. The possible values are:
 1309 \begin{description}
 1310 \item[{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}}] \leavevmode
 1311 The local name will be formulated from \sphinxstyleemphasis{exp}.
 1312 
 1313 The format for \sphinxstyleemphasis{exp} is \sphinxstylestrong{{[}}\sphinxstyleemphasis{n}\sphinxstylestrong{:}\sphinxstyleemphasis{string}\sphinxstylestrong{{]}(}\sphinxstyleemphasis{regexp}\sphinxstylestrong{)s/}\sphinxstyleemphasis{pattern}\sphinxstylestrong{/}\sphinxstyleemphasis{replacement}\sphinxstylestrong{/g}.
 1314 The integer \sphinxstyleemphasis{n} indicates how many components the target
 1315 principal should have.  If this matches, then a string will be
 1316 formed from \sphinxstyleemphasis{string}, substituting the realm of the principal
 1317 for \sphinxcode{\$0} and the \sphinxstyleemphasis{n}’th component of the principal for
 1318 \sphinxcode{\$n} (e.g., if the principal was \sphinxcode{johndoe/admin} then
 1319 \sphinxcode{{[}2:\$2\$1foo{]}} would result in the string
 1320 \sphinxcode{adminjohndoefoo}).  If this string matches \sphinxstyleemphasis{regexp}, then
 1321 the \sphinxcode{s//{[}g{]}} substitution command will be run over the
 1322 string.  The optional \sphinxstylestrong{g} will cause the substitution to be
 1323 global over the \sphinxstyleemphasis{string}, instead of replacing only the first
 1324 match in the \sphinxstyleemphasis{string}.
 1325 
 1326 \item[{\sphinxstylestrong{DEFAULT}}] \leavevmode
 1327 The principal name will be used as the local user name.  If
 1328 the principal has more than one component or is not in the
 1329 default realm, this rule is not applicable and the conversion
 1330 will fail.
 1331 
 1332 \end{description}
 1333 
 1334 For example:
 1335 
 1336 \fvset{hllines={, ,}}%
 1337 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1338 [realms]
 1339     ATHENA.MIT.EDU = \PYGZob{}
 1340         auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/
 1341         auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}//
  1342         auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;root\PYGZdl{})s/\PYGZca{}.*\PYGZdl{}/root/
 1343         auth\PYGZus{}to\PYGZus{}local = DEFAULT
 1344     \PYGZcb{}
 1345 \end{sphinxVerbatim}
 1346 
  1347 would result in any principal without \sphinxcode{root} or \sphinxcode{admin} as the
  1348 second component being translated with the default rule.  A
  1349 principal with a second component of \sphinxcode{admin} will become its
  1350 first component.  \sphinxcode{root} will be used as the local name for any
  1351 principal with a second component of \sphinxcode{root}.  The exception to
  1352 these two rules is any principal \sphinxcode{johndoe/*}, which will
  1353 always get the local name \sphinxcode{guest}.
 1354 
 1355 \item[{\sphinxstylestrong{auth\_to\_local\_names}}] \leavevmode
 1356 This subsection allows you to set explicit mappings from principal
 1357 names to local user names.  The tag is the mapping name, and the
 1358 value is the corresponding local user name.
 1359 
 1360 \item[{\sphinxstylestrong{default\_domain}}] \leavevmode
 1361 This tag specifies the domain used to expand hostnames when
 1362 translating Kerberos 4 service principals to Kerberos 5 principals
 1363 (for example, when converting \sphinxcode{rcmd.hostname} to
 1364 \sphinxcode{host/hostname.domain}).
 1365 
 1366 \item[{\sphinxstylestrong{disable\_encrypted\_timestamp}}] \leavevmode
 1367 If this flag is true, the client will not perform encrypted
 1368 timestamp preauthentication if requested by the KDC.  Setting this
 1369 flag can help to prevent dictionary attacks by active attackers,
 1370 if the realm’s KDCs support SPAKE preauthentication or if initial
 1371 authentication always uses another mechanism or always uses FAST.
 1372 This flag persists across client referrals during initial
 1373 authentication.  This flag does not prevent the KDC from offering
 1374 encrypted timestamp.  New in release 1.17.
 1375 
 1376 \item[{\sphinxstylestrong{http\_anchors}}] \leavevmode
 1377 When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
 1378 can be used to specify the location of the CA certificate which should be
 1379 trusted to issue the certificate for a proxy server.  If left unspecified,
 1380 the system-wide default set of CA certificates is used.
 1381 
 1382 The syntax for values is similar to that of values for the
 1383 \sphinxstylestrong{pkinit\_anchors} tag:
 1384 
  1385 \sphinxstylestrong{FILE:} \sphinxstyleemphasis{filename}
  1386 
  1387 \sphinxstyleemphasis{filename} is assumed to be the name of an OpenSSL-style ca-bundle file.
 1388 
 1389 \sphinxstylestrong{DIR:} \sphinxstyleemphasis{dirname}
 1390 
  1391 \sphinxstyleemphasis{dirname} is assumed to be a directory which contains CA certificates.
 1392 All files in the directory will be examined; if they contain certificates
 1393 (in PEM format), they will be used.
 1394 
 1395 \sphinxstylestrong{ENV:} \sphinxstyleemphasis{envvar}
 1396 
 1397 \sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set
 1398 to a value conforming to one of the previous values.  For example,
 1399 \sphinxcode{ENV:X509\_PROXY\_CA}, where environment variable \sphinxcode{X509\_PROXY\_CA} has
 1400 been set to \sphinxcode{FILE:/tmp/my\_proxy.pem}.
 1401 
 1402 \item[{\sphinxstylestrong{kdc}}] \leavevmode
 1403 The name or address of a host running a KDC for that realm.  An
 1404 optional port number, separated from the hostname by a colon, may
 1405 be included.  If the name or address contains colons (for example,
 1406 if it is an IPv6 address), enclose it in square brackets to
 1407 distinguish the colon from a port separator.  For your computer to
 1408 be able to communicate with the KDC for each realm, this tag must
 1409 be given a value in each realm subsection in the configuration
 1410 file, or there must be DNS SRV records specifying the KDCs.
 1411 
 1412 \item[{\sphinxstylestrong{kpasswd\_server}}] \leavevmode
 1413 Points to the server where all the password changes are performed.
 1414 If there is no such entry, DNS will be queried (unless forbidden
 1415 by \sphinxstylestrong{dns\_lookup\_kdc}).  Finally, port 464 on the \sphinxstylestrong{admin\_server}
 1416 host will be tried.
 1417 
 1418 \item[{\sphinxstylestrong{master\_kdc}}] \leavevmode
 1419 Identifies the master KDC(s).  Currently, this tag is used in only
 1420 one case: If an attempt to get credentials fails because of an
 1421 invalid password, the client software will attempt to contact the
 1422 master KDC, in case the user’s password has just been changed, and
 1423 the updated database has not been propagated to the replica
 1424 servers yet.
 1425 
 1426 \item[{\sphinxstylestrong{v4\_instance\_convert}}] \leavevmode
 1427 This subsection allows the administrator to configure exceptions
 1428 to the \sphinxstylestrong{default\_domain} mapping rule.  It contains V4 instances
 1429 (the tag name) which should be translated to some specific
 1430 hostname (the tag value) as the second component in a Kerberos V5
 1431 principal name.
 1432 
 1433 \item[{\sphinxstylestrong{v4\_realm}}] \leavevmode
 1434 This relation is used by the krb524 library routines when
 1435 converting a V5 principal name to a V4 principal name.  It is used
 1436 when the V4 realm name and the V5 realm name are not the same, but
 1437 still share the same principal names and passwords. The tag value
 1438 is the Kerberos V4 realm name.
 1439 
 1440 \end{description}
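As an added example (not code from krb5 itself), the following Python evaluates a realm's \sphinxstylestrong{auth\_to\_local} values with the RULE:\sphinxstyleemphasis{exp} and DEFAULT semantics described above, against a rule set constructed from the ATHENA.MIT.EDU example (its root rule selects \sphinxcode{\$1;\$2} so that the \sphinxcode{;root} regexp has a component separator to match). It assumes that the regexp must match the whole selection string, and it does not handle backslash-quoted \sphinxcode{/} or \sphinxcode{@} in principal names or an escaped \sphinxcode{/} inside the s// command.

```python
"""Evaluate krb5.conf auth_to_local values (RULE:exp and DEFAULT) for a principal."""
import re
from typing import List, Optional

# Constructed rule set for this example, following the ATHENA.MIT.EDU stanza above.
EXAMPLE_REALM = "ATHENA.MIT.EDU"
EXAMPLE_RULES = [
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$1;$2](^.*;root$)s/^.*$/root/",
    "DEFAULT",
]

class RuleError(ValueError):
    """A malformed auth_to_local value."""

class Rule:
    def __init__(self, ncomp, selection, regexp, pattern, replacement, global_sub):
        self.ncomp = ncomp              # n: components the principal must have
        self.selection = selection      # string: $0 is the realm, $n the n'th component
        self.regexp = regexp            # (regexp): the rule applies only if this matches
        self.pattern = pattern          # s/pattern/replacement/: run on the selection
        self.replacement = replacement
        self.global_sub = global_sub    # trailing g: replace every match, not just the first

def parse_rule(exp: str) -> Rule:
    """Parse exp from RULE:exp.  An escaped '/' inside s// is not supported here."""
    close = exp.find("]")
    if not exp.startswith("[") or close < 0 or ":" not in exp[1:close]:
        raise RuleError("rule must start with [n:string]: " + exp)
    n_str, _, selection = exp[1:close].partition(":")
    if not n_str.isdigit():
        raise RuleError("component count is not an integer: " + exp)
    rest, regexp = exp[close + 1:], None
    if rest.startswith("("):
        depth = 0  # the regexp may itself contain (unescaped) parentheses
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                regexp, rest = rest[1:i], rest[i + 1:]
                break
        else:
            raise RuleError("unbalanced parentheses in " + exp)
    pattern, replacement, global_sub = None, None, False
    if rest:
        parts = rest.split("/")  # ['s', pattern, replacement, '' or 'g']
        if len(parts) != 4 or parts[0] != "s" or parts[3] not in ("", "g"):
            raise RuleError("bad substitution command in " + exp)
        pattern, replacement, global_sub = parts[1], parts[2], parts[3] == "g"
    return Rule(int(n_str), selection, regexp, pattern, replacement, global_sub)

def _split_principal(principal: str, default_realm: str):
    """Split name@REALM into components and realm (no backslash quoting handled)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), (realm or default_realm)

def selection_string(rule: Rule, principal: str, default_realm: str) -> Optional[str]:
    """Form the string from the rule's selection, or None if n does not match."""
    components, realm = _split_principal(principal, default_realm)
    if len(components) != rule.ncomp:
        return None

    def expand(m):
        idx = int(m.group(1))
        if idx > len(components):
            raise RuleError("$%d exceeds the component count in %s" % (idx, rule.selection))
        return realm if idx == 0 else components[idx - 1]

    return re.sub(r"\$(\d+)", expand, rule.selection)

def apply_rule(rule: Rule, principal: str, default_realm: str) -> Optional[str]:
    """Return the local name this rule yields, or None if the rule does not apply."""
    selected = selection_string(rule, principal, default_realm)
    if selected is None:
        return None
    # Assumption for this example: the regexp has to match the whole selection string.
    if rule.regexp is not None and re.fullmatch(rule.regexp, selected) is None:
        return None
    if rule.pattern is not None:
        count = 0 if rule.global_sub else 1  # count=0 replaces every match
        selected = re.sub(rule.pattern, rule.replacement, selected, count=count)
    return selected

def principal_to_local(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """Try each auth_to_local value in order; None means the conversion fails."""
    for value in rules:
        if value == "DEFAULT":
            components, realm = _split_principal(principal, default_realm)
            if len(components) == 1 and realm == default_realm:
                return components[0]
        elif value.startswith("RULE:"):
            local = apply_rule(parse_rule(value[len("RULE:"):]), principal, default_realm)
            if local is not None:
                return local
        else:
            raise RuleError("unsupported auth_to_local value: " + value)
    return None
```

Running \sphinxcode{principal\_to\_local("carol/foo", EXAMPLE\_RULES, EXAMPLE\_REALM)} returns None, which shows the point made for DEFAULT above: a two-component principal that no RULE matches is not translated at all.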
 1441 
 1442 
 1443 \paragraph{{[}domain\_realm{]}}
 1444 \label{\detokenize{admin/conf_files/krb5_conf:id3}}\label{\detokenize{admin/conf_files/krb5_conf:domain-realm}}
 1445 The {[}domain\_realm{]} section provides a translation from a domain name
 1446 or hostname to a Kerberos realm name.  The tag name can be a host name
 1447 or domain name, where domain names are indicated by a prefix of a
 1448 period (\sphinxcode{.}).  The value of the relation is the Kerberos realm name
 1449 for that particular host or domain.  A host name relation implicitly
 1450 provides the corresponding domain name relation, unless an explicit domain
 1451 name relation is provided.  The Kerberos realm may be
 1452 identified either in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section or using DNS SRV records.
 1453 Host names and domain names should be in lower case.  For example:
 1454 
 1455 \fvset{hllines={, ,}}%
 1456 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1457 \PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]}
 1458     \PYG{n}{crash}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
 1459     \PYG{o}{.}\PYG{n}{dev}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
 1460     \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
 1461 \end{sphinxVerbatim}
 1462 
 1463 maps the host with the name \sphinxcode{crash.mit.edu} into the
 1464 \sphinxcode{TEST.ATHENA.MIT.EDU} realm.  The second entry maps all hosts under the
 1465 domain \sphinxcode{dev.mit.edu} into the \sphinxcode{TEST.ATHENA.MIT.EDU} realm, but not
 1466 the host with the name \sphinxcode{dev.mit.edu}.  That host is matched
 1467 by the third entry, which maps the host \sphinxcode{mit.edu} and all hosts
 1468 under the domain \sphinxcode{mit.edu} that do not match a preceding rule
 1469 into the realm \sphinxcode{ATHENA.MIT.EDU}.
 1470 
 1471 If no translation entry applies to a hostname used for a service
 1472 principal for a service ticket request, the library will try to get a
 1473 referral to the appropriate realm from the client realm’s KDC.  If
 1474 that does not succeed, the host’s realm is considered to be the
 1475 hostname’s domain portion converted to uppercase, unless the
 1476 \sphinxstylestrong{realm\_try\_domains} setting in {[}libdefaults{]} causes a different
 1477 parent domain to be used.
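As an added example that is not part of the krb5 documentation, the following Python resolves a hostname to a realm with the {[}domain\_realm{]} lookup order described above (an exact host relation first, then explicit and implicit domain relations from the longest suffix down), followed by the \sphinxstylestrong{realm\_try\_domains} search and the uppercased-domain last resort. The KDC referral step is skipped because it needs a live KDC; the mapping is constructed from the example above, and the \sphinxcode{known\_realms} set stands in for the library's realm-locating mechanism.

```python
"""Map a hostname to a Kerberos realm with krb5.conf [domain_realm] semantics."""
from typing import Dict, Iterable, Optional, Tuple

# Constructed from the [domain_realm] example above.
EXAMPLE_DOMAIN_REALM = {
    "crash.mit.edu": "TEST.ATHENA.MIT.EDU",
    ".dev.mit.edu": "TEST.ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
}


def lookup_realm(hostname: str, domain_realm: Dict[str, str],
                 known_realms: Iterable[str] = (), realm_try_domains: int = -1
                 ) -> Tuple[Optional[str], str]:
    """Return (realm, how); how names the lookup step that produced the realm.

    Order: exact host relation; then, from the longest suffix down, an explicit
    domain relation (".dom") or the one implied by a host relation ("dom"); then
    the realm_try_domains search; then the last resort.  The KDC referral step
    described above is skipped because it needs a live KDC.
    """
    host = hostname.lower().rstrip(".")          # relations are in lower case
    mapping = {tag.lower(): realm for tag, realm in domain_realm.items()}
    if host in mapping:
        return mapping[host], "host"
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        if "." + domain in mapping:              # explicit domain relation wins
            return mapping["." + domain], "domain"
        if domain in mapping:                    # implied by the parent's host relation
            return mapping[domain], "implicit"
    if len(labels) < 2:
        return None, "none"                      # a bare short name has no domain part
    # realm_try_domains: -1 = no search, 0 = the host's own domain, 1 = also its parent, ...
    known = {r.upper() for r in known_realms}   # stands in for the [realms]/DNS lookup
    if realm_try_domains >= 0:
        for i in range(1, min(2 + realm_try_domains, len(labels))):
            candidate = ".".join(labels[i:]).upper()
            if candidate in known:
                return candidate, "try_domains"
    # Last resort from the text above: the domain portion converted to upper case.
    return ".".join(labels[1:]).upper(), "default"
```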
 1478 
 1479 
 1480 \paragraph{{[}capaths{]}}
 1481 \label{\detokenize{admin/conf_files/krb5_conf:id4}}\label{\detokenize{admin/conf_files/krb5_conf:capaths}}
 1482 In order to perform direct (non-hierarchical) cross-realm
 1483 authentication, configuration is needed to determine the
 1484 authentication paths between realms.
 1485 
 1486 A client will use this section to find the authentication path between
 1487 its realm and the realm of the server.  The server will use this
 1488 section to verify the authentication path used by the client, by
 1489 checking the transited field of the received ticket.
 1490 
 1491 There is a tag for each participating client realm, and each tag has
 1492 subtags for each of the server realms.  The value of the subtags is an
 1493 intermediate realm which may participate in the cross-realm
  1494 authentication.  The subtags may be repeated if there is more than one
 1495 intermediate realm.  A value of “.” means that the two realms share
 1496 keys directly, and no intermediate realms should be allowed to
 1497 participate.
 1498 
 1499 Only those entries which will be needed on the client or the server
 1500 need to be present.  A client needs a tag for its local realm with
 1501 subtags for all the realms of servers it will need to authenticate to.
 1502 A server needs a tag for each realm of the clients it will serve, with
 1503 a subtag of the server realm.
 1504 
 1505 For example, \sphinxcode{ANL.GOV}, \sphinxcode{PNL.GOV}, and \sphinxcode{NERSC.GOV} all wish to
 1506 use the \sphinxcode{ES.NET} realm as an intermediate realm.  ANL has a sub
 1507 realm of \sphinxcode{TEST.ANL.GOV} which will authenticate with \sphinxcode{NERSC.GOV}
 1508 but not \sphinxcode{PNL.GOV}.  The {[}capaths{]} section for \sphinxcode{ANL.GOV} systems
 1509 would look like this:
 1510 
 1511 \fvset{hllines={, ,}}%
 1512 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1513 \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
 1514     \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1515         \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
 1516         \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1517         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1518         \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.}
 1519     \PYG{p}{\PYGZcb{}}
 1520     \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1521         \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
 1522     \PYG{p}{\PYGZcb{}}
 1523     \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1524         \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1525     \PYG{p}{\PYGZcb{}}
 1526     \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1527         \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1528     \PYG{p}{\PYGZcb{}}
 1529     \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1530         \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
 1531     \PYG{p}{\PYGZcb{}}
 1532 \end{sphinxVerbatim}
 1533 
 1534 The {[}capaths{]} section of the configuration file used on \sphinxcode{NERSC.GOV}
 1535 systems would look like this:
 1536 
 1537 \fvset{hllines={, ,}}%
 1538 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1539 \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
 1540     \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1541         \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1542         \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1543         \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV}
 1544         \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1545         \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.}
 1546     \PYG{p}{\PYGZcb{}}
 1547     \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1548         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1549     \PYG{p}{\PYGZcb{}}
 1550     \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1551         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1552     \PYG{p}{\PYGZcb{}}
 1553     \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1554         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
 1555     \PYG{p}{\PYGZcb{}}
 1556     \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1557         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV}
 1558         \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
 1559     \PYG{p}{\PYGZcb{}}
 1560 \end{sphinxVerbatim}
 1561 
 1562 When a subtag is used more than once within a tag, clients will use
 1563 the order of values to determine the path.  The order of values is not
 1564 important to servers.
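
As an added example (not part of the krb5 documentation or its source code), the Python below models how a client turns the \sphinxcode{NERSC.GOV} {[}capaths{]} stanza above into an ordered realm path, and how the order-independent check on the server side differs. The dictionary layout, the function names and the \sphinxcode{server\_accepts} simplification are this example's own, built from the stanza shown above.

```python
from typing import Dict, List, Optional

# Layout assumed by this example: {client_realm: {server_realm: [values in file order]}}
Capaths = Dict[str, Dict[str, List[str]]]

# Constructed from the NERSC.GOV stanza above; a subtag repeated within a tag
# becomes one list element per value, keeping the order written in krb5.conf.
NERSC_CAPATHS: Capaths = {
    "NERSC.GOV": {
        "ANL.GOV": ["ES.NET"],
        "TEST.ANL.GOV": ["ES.NET", "ANL.GOV"],
        "PNL.GOV": ["ES.NET"],
        "ES.NET": ["."],
    },
    "ANL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "PNL.GOV": {"NERSC.GOV": ["ES.NET"]},
    "ES.NET": {"NERSC.GOV": ["."]},
    "TEST.ANL.GOV": {"NERSC.GOV": ["ANL.GOV", "ES.NET"]},
}


def client_path(capaths: Capaths, client: str, server: str) -> Optional[List[str]]:
    """Intermediate realms, in traversal order, from `client` to `server`.

    Returns [] for a direct cross-realm key ('.'), and None when [capaths]
    has no entry for the pair (krb5 then falls back to its hierarchical
    default, which this example does not model).
    """
    if client == server:
        return []
    values = capaths.get(client, {}).get(server)
    if not values:
        return None
    # '.' marks a direct trust relationship and contributes no hop.
    return [realm for realm in values if realm != "."]


def full_chain(capaths: Capaths, client: str, server: str) -> Optional[List[str]]:
    """Sequence of realms the client obtains cross-realm TGTs through,
    e.g. NERSC.GOV -> ES.NET -> ANL.GOV -> TEST.ANL.GOV."""
    hops = client_path(capaths, client, server)
    if hops is None:
        return None
    return [client] + hops + [server]


def server_accepts(capaths: Capaths, client: str, server: str,
                   transited: List[str]) -> bool:
    """Order-independent server-side view: every realm recorded in the ticket's
    transited list must be one of the intermediates configured for this
    client/server pair. Simplified model: it does not implement krb5's
    transited-field encoding or the hierarchical default."""
    configured = client_path(capaths, client, server)
    if configured is None:
        return False
    return set(transited) <= set(configured)
```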
 1565 
 1566 
 1567 \paragraph{{[}appdefaults{]}}
 1568 \label{\detokenize{admin/conf_files/krb5_conf:id5}}\label{\detokenize{admin/conf_files/krb5_conf:appdefaults}}
 1569 Each tag in the {[}appdefaults{]} section names a Kerberos V5 application
 1570 or an option that is used by some Kerberos V5 application{[}s{]}.  The
 1571 value of the tag defines the default behaviors for that application.
 1572 
 1573 For example:
 1574 
 1575 \fvset{hllines={, ,}}%
 1576 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1577 \PYG{p}{[}\PYG{n}{appdefaults}\PYG{p}{]}
 1578     \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1579         \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1580             \PYG{n}{option1} \PYG{o}{=} \PYG{n}{false}
 1581         \PYG{p}{\PYGZcb{}}
 1582     \PYG{p}{\PYGZcb{}}
 1583     \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1584         \PYG{n}{option1} \PYG{o}{=} \PYG{n}{true}
 1585         \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true}
 1586     \PYG{p}{\PYGZcb{}}
 1587     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1588         \PYG{n}{option2} \PYG{o}{=} \PYG{n}{false}
 1589     \PYG{p}{\PYGZcb{}}
 1590     \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true}
 1591 \end{sphinxVerbatim}
 1592 
 1593 The above four ways of specifying the value of an option are shown in
 1594 order of decreasing precedence. In this example, if telnet is running
 1595 in the realm EXAMPLE.COM, it should, by default, have option1 and
 1596 option2 set to true.  However, a telnet program in the realm
 1597 \sphinxcode{ATHENA.MIT.EDU} should have \sphinxcode{option1} set to false and
 1598 \sphinxcode{option2} set to true.  Any other programs in ATHENA.MIT.EDU should
 1599 have \sphinxcode{option2} set to false by default.  Any programs running in
 1600 other realms should have \sphinxcode{option2} set to true.
 1601 
 1602 The list of specifiable options for each application may be found in
 1603 that application’s man pages.  The application defaults specified here
 1604 are overridden by those specified in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section.
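
As an added example (not part of the krb5 documentation or its source code), the Python below resolves an option through the four {[}appdefaults{]} forms in the precedence order just described, using a nested-dictionary model of the telnet example above. The dictionary layout, the function names and the simplified boolean parsing are this example's own; krb5's profile library is not used.

```python
from typing import Any, Dict, Optional

# Constructed to mirror the [appdefaults] example above: realm subsections
# nest inside the application subsection, bare tags sit at the top level.
APPDEFAULTS: Dict[str, Any] = {
    "telnet": {
        "ATHENA.MIT.EDU": {"option1": "false"},
        "option1": "true",
        "option2": "true",
    },
    "ATHENA.MIT.EDU": {"option2": "false"},
    "option2": "true",
}


def _leaf(section: Dict[str, Any], *keys: str) -> Optional[str]:
    """Walk nested dicts along `keys`; return the string value found there,
    or None if a key is missing or the walk ends on a subsection."""
    node: Any = section
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def appdefault(appdefaults: Dict[str, Any], app: str, realm: str,
               option: str, default: Optional[str]) -> Optional[str]:
    """Look up `option` for `app` running in `realm`, trying the four forms
    in decreasing precedence, as the documentation orders them:
      1. app = { realm = { option = value } }
      2. app = { option = value }
      3. realm = { option = value }
      4. option = value
    """
    for keys in ((app, realm, option), (app, option), (realm, option), (option,)):
        value = _leaf(appdefaults, *keys)
        if value is not None:
            return value
    return default


def appdefault_boolean(appdefaults: Dict[str, Any], app: str, realm: str,
                       option: str, default: bool) -> bool:
    """Boolean view of appdefault(); the accepted spellings of 'true' are a
    simplification chosen for this example."""
    value = appdefault(appdefaults, app, realm, option, None)
    if value is None:
        return default
    return value.strip().lower() in ("y", "yes", "true", "t", "1", "on")
```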
 1605 
 1606 
 1607 \paragraph{{[}plugins{]}}
 1608 \label{\detokenize{admin/conf_files/krb5_conf:id6}}\label{\detokenize{admin/conf_files/krb5_conf:plugins}}\begin{itemize}
 1609 \item {} 
 1610 {\hyperref[\detokenize{admin/conf_files/krb5_conf:pwqual}]{\sphinxcrossref{pwqual}}} interface
 1611 
 1612 \item {} 
 1613 {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-hook}]{\sphinxcrossref{kadm5\_hook}}} interface
 1614 
 1615 \item {} 
 1616 {\hyperref[\detokenize{admin/conf_files/krb5_conf:clpreauth}]{\sphinxcrossref{clpreauth}}} and {\hyperref[\detokenize{admin/conf_files/krb5_conf:kdcpreauth}]{\sphinxcrossref{kdcpreauth}}} interfaces
 1617 
 1618 \end{itemize}
 1619 
 1620 Tags in the {[}plugins{]} section can be used to register dynamic plugin
 1621 modules and to turn modules on and off.  Not every krb5 pluggable
 1622 interface uses the {[}plugins{]} section; the ones that do are documented
 1623 here.
 1624 
 1625 New in release 1.9.
 1626 
 1627 Each pluggable interface corresponds to a subsection of {[}plugins{]}.
 1628 All subsections support the same tags:
 1629 \begin{description}
 1630 \item[{\sphinxstylestrong{disable}}] \leavevmode
 1631 This tag may have multiple values. If there are values for this
 1632 tag, then the named modules will be disabled for the pluggable
 1633 interface.
 1634 
 1635 \item[{\sphinxstylestrong{enable\_only}}] \leavevmode
 1636 This tag may have multiple values. If there are values for this
 1637 tag, then only the named modules will be enabled for the pluggable
 1638 interface.
 1639 
 1640 \item[{\sphinxstylestrong{module}}] \leavevmode
 1641 This tag may have multiple values.  Each value is a string of the
 1642 form \sphinxcode{modulename:pathname}, which causes the shared object
 1643 located at \sphinxstyleemphasis{pathname} to be registered as a dynamic module named
 1644 \sphinxstyleemphasis{modulename} for the pluggable interface.  If \sphinxstyleemphasis{pathname} is not an
 1645 absolute path, it will be treated as relative to the
 1646 \sphinxstylestrong{plugin\_base\_dir} value from {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.
 1647 
 1648 \end{description}
 1649 
 1650 For pluggable interfaces where module order matters, modules
 1651 registered with a \sphinxstylestrong{module} tag normally come first, in the order
 1652 they are registered, followed by built-in modules in the order they
 1653 are documented below.  If \sphinxstylestrong{enable\_only} tags are used, then the
 1654 order of those tags overrides the normal module order.
 1655 
 1656 The following subsections are currently supported within the {[}plugins{]}
 1657 section:
 1658 
 1659 
 1660 \subparagraph{ccselect interface}
 1661 \label{\detokenize{admin/conf_files/krb5_conf:ccselect}}\label{\detokenize{admin/conf_files/krb5_conf:ccselect-interface}}
 1662 The ccselect subsection controls modules for credential cache
 1663 selection within a cache collection.  In addition to any registered
 1664 dynamic modules, the following built-in modules exist (and may be
 1665 disabled with the disable tag):
 1666 \begin{description}
 1667 \item[{\sphinxstylestrong{k5identity}}] \leavevmode
 1668 Uses a .k5identity file in the user’s home directory to select a
 1669 client principal
 1670 
 1671 \item[{\sphinxstylestrong{realm}}] \leavevmode
 1672 Uses the service realm to guess an appropriate cache from the
 1673 collection
 1674 
 1675 \item[{\sphinxstylestrong{hostname}}] \leavevmode
 1676 If the service principal is host-based, uses the service hostname
 1677 to guess an appropriate cache from the collection
 1678 
 1679 \end{description}
 1680 
 1681 
 1682 \subparagraph{pwqual interface}
 1683 \label{\detokenize{admin/conf_files/krb5_conf:pwqual-interface}}\label{\detokenize{admin/conf_files/krb5_conf:pwqual}}
 1684 The pwqual subsection controls modules for the password quality
 1685 interface, which is used to reject weak passwords when passwords are
 1686 changed.  The following built-in modules exist for this interface:
 1687 \begin{description}
 1688 \item[{\sphinxstylestrong{dict}}] \leavevmode
 1689 Checks against the realm dictionary file
 1690 
 1691 \item[{\sphinxstylestrong{empty}}] \leavevmode
 1692 Rejects empty passwords
 1693 
 1694 \item[{\sphinxstylestrong{hesiod}}] \leavevmode
 1695 Checks against user information stored in Hesiod (only if Kerberos
 1696 was built with Hesiod support)
 1697 
 1698 \item[{\sphinxstylestrong{princ}}] \leavevmode
 1699 Checks against components of the principal name
 1700 
 1701 \end{description}
 1702 
 1703 
 1704 \subparagraph{kadm5\_hook interface}
 1705 \label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook}}
 1706 The kadm5\_hook interface provides plugins with information on
 1707 principal creation, modification, password changes and deletion.  This
 1708 interface can be used to write a plugin to synchronize MIT Kerberos
 1709 with another database such as Active Directory.  No plugins are built
 1710 in for this interface.
 1711 
 1712 
 1713 \subparagraph{kadm5\_auth interface}
 1714 \label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth}}
 1715 The kadm5\_auth section (introduced in release 1.16) controls modules
 1716 for the kadmin authorization interface, which determines whether a
 1717 client principal is allowed to perform a kadmin operation.  The
 1718 following built-in modules exist for this interface:
 1719 \begin{description}
 1720 \item[{\sphinxstylestrong{acl}}] \leavevmode
 1721 This module reads the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file, and authorizes
 1722 operations which are allowed according to the rules in the file.
 1723 
 1724 \item[{\sphinxstylestrong{self}}] \leavevmode
 1725 This module authorizes self-service operations including password
 1726 changes, creation of new random keys, fetching the client’s
 1727 principal record or string attributes, and fetching the policy
 1728 record associated with the client principal.
 1729 
 1730 \end{description}
 1731 \phantomsection\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}}
 1732 
 1733 \subparagraph{clpreauth and kdcpreauth interfaces}
 1734 \label{\detokenize{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}}\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}}\label{\detokenize{admin/conf_files/krb5_conf:kdcpreauth}}
 1735 The clpreauth and kdcpreauth interfaces allow plugin modules to
 1736 provide client and KDC preauthentication mechanisms.  The following
 1737 built-in modules exist for these interfaces:
 1738 \begin{description}
 1739 \item[{\sphinxstylestrong{pkinit}}] \leavevmode
 1740 This module implements the PKINIT preauthentication mechanism.
 1741 
 1742 \item[{\sphinxstylestrong{encrypted\_challenge}}] \leavevmode
 1743 This module implements the encrypted challenge FAST factor.
 1744 
 1745 \item[{\sphinxstylestrong{encrypted\_timestamp}}] \leavevmode
 1746 This module implements the encrypted timestamp mechanism.
 1747 
 1748 \end{description}
 1749 
 1750 
 1751 \subparagraph{hostrealm interface}
 1752 \label{\detokenize{admin/conf_files/krb5_conf:hostrealm-interface}}\label{\detokenize{admin/conf_files/krb5_conf:hostrealm}}
 1753 The hostrealm section (introduced in release 1.12) controls modules
 1754 for the host-to-realm interface, which affects the local mapping of
 1755 hostnames to realm names and the choice of default realm.  The following
 1756 built-in modules exist for this interface:
 1757 \begin{description}
 1758 \item[{\sphinxstylestrong{profile}}] \leavevmode
 1759 This module consults the {[}domain\_realm{]} section of the profile for
 1760 authoritative host-to-realm mappings, and the \sphinxstylestrong{default\_realm}
 1761 variable for the default realm.
 1762 
 1763 \item[{\sphinxstylestrong{dns}}] \leavevmode
 1764 This module looks for DNS records for fallback host-to-realm
 1765 mappings and the default realm.  It only operates if the
 1766 \sphinxstylestrong{dns\_lookup\_realm} variable is set to true.
 1767 
 1768 \item[{\sphinxstylestrong{domain}}] \leavevmode
 1769 This module applies heuristics for fallback host-to-realm
 1770 mappings.  It implements the \sphinxstylestrong{realm\_try\_domains} variable, and
 1771 uses the uppercased parent domain of the hostname if that does not
 1772 produce a result.
 1773 
 1774 \end{description}
 1775 
 1776 
 1777 \subparagraph{localauth interface}
 1778 \label{\detokenize{admin/conf_files/krb5_conf:localauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:localauth}}
 1779 The localauth section (introduced in release 1.12) controls modules
 1780 for the local authorization interface, which affects the relationship
 1781 between Kerberos principals and local system accounts.  The following
 1782 built-in modules exist for this interface:
 1783 \begin{description}
 1784 \item[{\sphinxstylestrong{default}}] \leavevmode
 1785 This module implements the \sphinxstylestrong{DEFAULT} type for \sphinxstylestrong{auth\_to\_local}
 1786 values.
 1787 
 1788 \item[{\sphinxstylestrong{rule}}] \leavevmode
 1789 This module implements the \sphinxstylestrong{RULE} type for \sphinxstylestrong{auth\_to\_local}
 1790 values.
 1791 
 1792 \item[{\sphinxstylestrong{names}}] \leavevmode
 1793 This module looks for an \sphinxstylestrong{auth\_to\_local\_names} mapping for the
 1794 principal name.
 1795 
 1796 \item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode
 1797 This module processes \sphinxstylestrong{auth\_to\_local} values in the default
 1798 realm’s section, and applies the default method if no
 1799 \sphinxstylestrong{auth\_to\_local} values exist.
 1800 
 1801 \item[{\sphinxstylestrong{k5login}}] \leavevmode
 1802 This module authorizes a principal to a local account according to
 1803 the account’s \DUrole{xref,std,std-ref}{.k5login(5)} file.
 1804 
 1805 \item[{\sphinxstylestrong{an2ln}}] \leavevmode
 1806 This module authorizes a principal to a local account if the
 1807 principal name maps to the local account name.
 1808 
 1809 \end{description}
 1810 
 1811 
 1812 \subparagraph{certauth interface}
 1813 \label{\detokenize{admin/conf_files/krb5_conf:certauth}}\label{\detokenize{admin/conf_files/krb5_conf:certauth-interface}}
 1814 The certauth section (introduced in release 1.16) controls modules for
 1815 the certificate authorization interface, which determines whether a
 1816 certificate is allowed to preauthenticate a user via PKINIT.  The
 1817 following built-in modules exist for this interface:
 1818 \begin{description}
 1819 \item[{\sphinxstylestrong{pkinit\_san}}] \leavevmode
 1820 This module authorizes the certificate if it contains a PKINIT
 1821 Subject Alternative Name for the requested client principal, or a
 1822 Microsoft UPN SAN matching the principal if \sphinxstylestrong{pkinit\_allow\_upn}
 1823 is set to true for the realm.
 1824 
 1825 \item[{\sphinxstylestrong{pkinit\_eku}}] \leavevmode
 1826 This module rejects the certificate if it does not contain an
 1827 Extended Key Usage attribute consistent with the
 1828 \sphinxstylestrong{pkinit\_eku\_checking} value for the realm.
 1829 
 1830 \item[{\sphinxstylestrong{dbmatch}}] \leavevmode
 1831 This module authorizes or rejects the certificate according to
 1832 whether it matches the \sphinxstylestrong{pkinit\_cert\_match} string attribute on
 1833 the client principal, if that attribute is present.
 1834 
 1835 \end{description}
 1836 
 1837 
 1838 \subsubsection{PKINIT options}
 1839 \label{\detokenize{admin/conf_files/krb5_conf:pkinit-options}}
 1840 \begin{sphinxadmonition}{note}{Note:}
 1841 The following are PKINIT-specific options.  These values may
 1842 be specified in {[}libdefaults{]} as global defaults, or within
 1843 a realm-specific subsection of {[}libdefaults{]}, or may be
 1844 specified as realm-specific values in the {[}realms{]} section.
 1845 A realm-specific value overrides, not adds to, a generic
 1846 {[}libdefaults{]} specification.  The search order is:
 1847 \end{sphinxadmonition}
 1848 \begin{enumerate}
 1849 \item {} 
 1850 realm-specific subsection of {[}libdefaults{]}:
 1851 
 1852 \fvset{hllines={, ,}}%
 1853 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1854 \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
 1855     \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1856         \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt}
 1857     \PYG{p}{\PYGZcb{}}
 1858 \end{sphinxVerbatim}
 1859 
 1860 \item {} 
 1861 realm-specific value in the {[}realms{]} section:
 1862 
 1863 \fvset{hllines={, ,}}%
 1864 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1865 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
 1866     \PYG{n}{OTHERREALM}\PYG{o}{.}\PYG{n}{ORG} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 1867         \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{otherrealm}\PYG{o}{.}\PYG{n}{org}\PYG{o}{.}\PYG{n}{crt}
 1868     \PYG{p}{\PYGZcb{}}
 1869 \end{sphinxVerbatim}
 1870 
 1871 \item {} 
 1872 generic value in the {[}libdefaults{]} section:
 1873 
 1874 \fvset{hllines={, ,}}%
 1875 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 1876 \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
 1877     \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/}
 1878 \end{sphinxVerbatim}
 1879 
 1880 \end{enumerate}
 1881 
 1882 
 1883 \paragraph{Specifying PKINIT identity information}
 1884 \label{\detokenize{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}}\label{\detokenize{admin/conf_files/krb5_conf:pkinit-identity}}
 1885 The syntax for specifying Public Key identity, trust, and revocation
 1886 information for PKINIT is as follows:
 1887 \begin{description}
 1888 \item[{\sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}{[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}}] \leavevmode
 1889 This option has context-specific behavior.
 1890 
 1891 In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{filename}
 1892 specifies the name of a PEM-format file containing the user’s
 1893 certificate.  If \sphinxstyleemphasis{keyfilename} is not specified, the user’s
 1894 private key is expected to be in \sphinxstyleemphasis{filename} as well.  Otherwise,
 1895 \sphinxstyleemphasis{keyfilename} is the name of the file containing the private key.
 1896 
 1897 In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{filename} is assumed to
 1898 be the name of an OpenSSL-style ca-bundle file.
 1899 
 1900 \item[{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}}] \leavevmode
 1901 This option has context-specific behavior.
 1902 
 1903 In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{dirname}
 1904 specifies a directory with files named \sphinxcode{*.crt} and \sphinxcode{*.key}
 1905 where the first part of the file name is the same for matching
 1906 pairs of certificate and private key files.  When a file with a
 1907 name ending with \sphinxcode{.crt} is found, a matching file ending with
 1908 \sphinxcode{.key} is assumed to contain the private key.  If no such file
 1909 is found, then the certificate in the \sphinxcode{.crt} is not used.
 1910 
 1911 In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{dirname} is assumed to
 1912 be an OpenSSL-style hashed CA directory where each CA cert is
 1913 stored in a file named \sphinxcode{hash-of-ca-cert.\#}.  This infrastructure
 1914 is encouraged, but all files in the directory will be examined and
 1915 if they contain certificates (in PEM format), they will be used.
 1916 
 1917 In \sphinxstylestrong{pkinit\_revoke}, \sphinxstyleemphasis{dirname} is assumed to be an OpenSSL-style
 1918 hashed CA directory where each revocation list is stored in a file
 1919 named \sphinxcode{hash-of-ca-cert.r\#}.  This infrastructure is encouraged,
 1920 but all files in the directory will be examined and if they
 1921 contain a revocation list (in PEM format), they will be used.
 1922 
 1923 \item[{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis{filename}}] \leavevmode
 1924 \sphinxstyleemphasis{filename} is the name of a PKCS \#12 format file, containing the
 1925 user’s certificate and private key.
 1926 
 1927 \item[{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot-id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token-label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert-id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert-label}{]}}] \leavevmode
 1928 All keyword/values are optional.  \sphinxstyleemphasis{modname} specifies the location
 1929 of a library implementing PKCS \#11.  If a value is encountered
 1930 with no keyword, it is assumed to be the \sphinxstyleemphasis{modname}.  If no
 1931 module-name is specified, the default is \sphinxcode{opensc-pkcs11.so}.
 1932 \sphinxcode{slotid=} and/or \sphinxcode{token=} may be specified to force the use of
 1933 a particular smart card reader or token if there is more than one
 1934 available.  \sphinxcode{certid=} and/or \sphinxcode{certlabel=} may be specified to
 1935 force the selection of a particular certificate on the device.
 1936 See the \sphinxstylestrong{pkinit\_cert\_match} configuration option for more ways
 1937 to select a particular certificate to use for PKINIT.
 1938 
 1939 \item[{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}}] \leavevmode
 1940 \sphinxstyleemphasis{envvar} specifies the name of an environment variable which has
 1941 been set to a value conforming to one of the previous values.  For
 1942 example, \sphinxcode{ENV:X509\_PROXY}, where environment variable
 1943 \sphinxcode{X509\_PROXY} has been set to \sphinxcode{FILE:/tmp/my\_proxy.pem}.
 1944 
 1945 \end{description}
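
As an added example (not part of the krb5 documentation or its source code), the Python below parses the identity specifier syntax described above (\sphinxstylestrong{FILE:}, \sphinxstylestrong{DIR:}, \sphinxstylestrong{PKCS12:}, \sphinxstylestrong{PKCS11:} and \sphinxstylestrong{ENV:}) and applies the first-valid-value rule that \sphinxstylestrong{pkinit\_identities} uses. The \sphinxcode{Identity} class, the function names and the sample paths are this example's own; the environment is passed in as a mapping so the code runs offline, and "valid" here means only that a specifier parses and any named environment variable is set, whereas krb5 additionally has to load the identity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional

PKCS11_DEFAULT_MODULE = "opensc-pkcs11.so"   # default named in the text
PKCS11_KEYWORDS = ("module_name", "slotid", "token", "certid", "certlabel")


@dataclass
class Identity:
    kind: str                                  # "FILE", "DIR", "PKCS12" or "PKCS11"
    params: Dict[str, str] = field(default_factory=dict)


def parse_identity(spec: str, env: Mapping[str, str], depth: int = 0) -> Identity:
    """Parse one pkinit_identity / pkinit_identities style value."""
    if ":" not in spec:
        raise ValueError("missing TYPE: prefix in %r" % spec)
    kind, rest = spec.split(":", 1)
    if kind == "ENV":
        if depth > 0:                          # assumption: ENV: may not chain to ENV:
            raise ValueError("ENV: may not refer to another ENV: value")
        if rest not in env:
            raise ValueError("environment variable %s is not set" % rest)
        return parse_identity(env[rest], env, depth + 1)
    if kind == "FILE":
        certfile, _, keyfile = rest.partition(",")
        if not certfile:
            raise ValueError("FILE: needs a filename")
        # Without keyfilename the private key is expected in the same file.
        return Identity("FILE", {"cert": certfile, "key": keyfile or certfile})
    if kind in ("DIR", "PKCS12"):
        if not rest:
            raise ValueError("%s: needs a path" % kind)
        return Identity(kind, {"path": rest})
    if kind == "PKCS11":
        params = {"module_name": PKCS11_DEFAULT_MODULE}
        for item in filter(None, rest.split(":")):
            key, sep, value = item.partition("=")
            if not sep:                        # a bare value is the module name
                key, value = "module_name", item
            if key not in PKCS11_KEYWORDS:
                raise ValueError("unknown PKCS11 keyword %r" % key)
            params[key] = value
        return Identity("PKCS11", params)
    raise ValueError("unknown identity type %r" % kind)


def first_valid_identity(values: List[str], env: Mapping[str, str]) -> Optional[Identity]:
    """pkinit_identities semantics: when the option appears several times,
    the first value that is usable wins, so 'ENV:X509_USER_IDENTITY' followed
    by a fixed default falls back to the default when the variable is unset."""
    for spec in values:
        try:
            return parse_identity(spec, env)
        except ValueError:
            continue
    return None


# Constructed sample configuration: an ENV: indirection followed by a fixed default.
SAMPLE_IDENTITIES = ["ENV:X509_USER_IDENTITY", "DIR:/home/alice/pkinit"]
```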
 1946 
 1947 
 1948 \paragraph{PKINIT krb5.conf options}
 1949 \label{\detokenize{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}}\begin{description}
 1950 \item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode
 1951 Specifies the location of trusted anchor (root) certificates which
 1952 the client trusts to sign KDC certificates.  This option may be
 1953 specified multiple times.  These values from the config file are
 1954 not used if the user specifies X509\_anchors on the command line.
 1955 
 1956 \item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode
 1957 Specifies matching rules that the client certificate must match
 1958 before it is used to attempt PKINIT authentication.  If a user has
 1959 multiple certificates available (on a smart card, or via other
 1960 media), there must be exactly one certificate chosen before
 1961 attempting PKINIT authentication.  This option may be specified
 1962 multiple times.  All the available certificates are checked
 1963 against each rule in order until there is a match of exactly one
 1964 certificate.
 1965 
 1966 The Subject and Issuer comparison strings are the \index{RFC!RFC 2253}\sphinxhref{https://tools.ietf.org/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}}
 1967 string representations from the certificate Subject DN and Issuer
 1968 DN values.
 1969 
 1970 The syntax of the matching rules is:
 1971 \begin{quote}
 1972 
 1973 {[}\sphinxstyleemphasis{relation-operator}{]}\sphinxstyleemphasis{component-rule}
 1974 \end{quote}
 1975 
 1976 where:
 1977 \begin{description}
 1978 \item[{\sphinxstyleemphasis{relation-operator}}] \leavevmode
 1979 can be either \sphinxcode{\&\&}, meaning all component rules must match,
 1980 or \sphinxcode{\textbar{}\textbar{}}, meaning only one component rule must match.  The
 1981 default is \sphinxcode{\&\&}.
 1982 
 1983 \item[{\sphinxstyleemphasis{component-rule}}] \leavevmode
 1984 can be one of the following.  Note that there is no
 1985 punctuation or whitespace between component rules.
 1986 \begin{quote}
 1987 
 1988 \begin{DUlineblock}{0em}
 1989 \item[] \sphinxstylestrong{\textless{}SUBJECT\textgreater{}}\sphinxstyleemphasis{regular-expression}
 1990 \item[] \sphinxstylestrong{\textless{}ISSUER\textgreater{}}\sphinxstyleemphasis{regular-expression}
 1991 \item[] \sphinxstylestrong{\textless{}SAN\textgreater{}}\sphinxstyleemphasis{regular-expression}
 1992 \item[] \sphinxstylestrong{\textless{}EKU\textgreater{}}\sphinxstyleemphasis{extended-key-usage-list}
 1993 \item[] \sphinxstylestrong{\textless{}KU\textgreater{}}\sphinxstyleemphasis{key-usage-list}
 1994 \end{DUlineblock}
 1995 \end{quote}
 1996 
 1997 \sphinxstyleemphasis{extended-key-usage-list} is a comma-separated list of
 1998 required Extended Key Usage values.  All values in the list
 1999 must be present in the certificate.  Extended Key Usage values
 2000 can be:
 2001 \begin{itemize}
 2002 \item {} 
 2003 pkinit
 2004 
 2005 \item {} 
 2006 msScLogin
 2007 
 2008 \item {} 
 2009 clientAuth
 2010 
 2011 \item {} 
 2012 emailProtection
 2013 
 2014 \end{itemize}
 2015 
 2016 \sphinxstyleemphasis{key-usage-list} is a comma-separated list of required Key
 2017 Usage values.  All values in the list must be present in the
 2018 certificate.  Key Usage values can be:
 2019 \begin{itemize}
 2020 \item {} 
 2021 digitalSignature
 2022 
 2023 \item {} 
 2024 keyEncipherment
 2025 
 2026 \end{itemize}
 2027 
 2028 \end{description}
 2029 
 2030 Examples:
 2031 
 2032 \fvset{hllines={, ,}}%
 2033 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 2034 \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\textbar{}}\PYG{o}{\textbar{}}\PYG{o}{\PYGZlt{}}\PYG{n}{SUBJECT}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}\PYG{o}{\PYGZlt{}}\PYG{n}{SAN}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
 2035 \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZam{}}\PYG{o}{\PYGZam{}}\PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{ISSUER}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}
 2036 \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{KU}\PYG{o}{\PYGZgt{}}\PYG{n}{digitalSignature}
 2037 \end{sphinxVerbatim}
 2038 
 2039 \item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode
 2040 This option specifies what Extended Key Usage value the KDC
 2041 certificate presented to the client must contain.  (Note that if
 2042 the KDC certificate has the pkinit SubjectAlternativeName encoded
 2043 as the Kerberos TGS name, EKU checking is not necessary since the
 2044 issuing CA has certified this as a KDC certificate.)  The values
 2045 recognized in the krb5.conf file are:
 2046 \begin{description}
 2047 \item[{\sphinxstylestrong{kpKDC}}] \leavevmode
 2048 This is the default value and specifies that the KDC must have
 2049 the id-pkinit-KPKdc EKU as defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.
 2050 
 2051 \item[{\sphinxstylestrong{kpServerAuth}}] \leavevmode
 2052 If \sphinxstylestrong{kpServerAuth} is specified, a KDC certificate with the
 2053 id-kp-serverAuth EKU will be accepted.  This key usage value
 2054 is used in most commercially issued server certificates.
 2055 
 2056 \item[{\sphinxstylestrong{none}}] \leavevmode
 2057 If \sphinxstylestrong{none} is specified, then the KDC certificate will not be
 2058 checked to verify it has an acceptable EKU.  The use of this
 2059 option is not recommended.
 2060 
 2061 \end{description}
 2062 
 2063 \item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode
 2064 Specifies the size of the Diffie-Hellman key the client will
 2065 attempt to use.  The acceptable values are 1024, 2048, and 4096.
 2066 The default is 2048.
 2067 
 2068 \item[{\sphinxstylestrong{pkinit\_identities}}] \leavevmode
 2069 Specifies the location(s) to be used to find the user’s X.509
 2070 identity information.  If this option is specified multiple times,
 2071 the first valid value is used; this can be used to specify an
 2072 environment variable (with \sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}) followed by a
 2073 default value.  Note that these values are not used if the user
 2074 specifies \sphinxstylestrong{X509\_user\_identity} on the command line.
 2075 
 2076 \item[{\sphinxstylestrong{pkinit\_kdc\_hostname}}] \leavevmode
 2077 The presence of this option indicates that the client is willing
 2078 to accept a KDC certificate with a dNSName SAN (Subject
 2079 Alternative Name) rather than requiring the id-pkinit-san as
 2080 defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.  This option may be specified multiple
 2081 times.  Its value should contain the acceptable hostname for the
 2082 KDC (as contained in its certificate).
 2083 
 2084 \item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode
 2085 Specifies the location of intermediate certificates which may be
 2086 used by the client to complete the trust chain between a KDC
 2087 certificate and a trusted anchor.  This option may be specified
 2088 multiple times.
 2089 
 2090 \item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode
 2091 The default certificate verification process will always check the
 2092 available revocation information to see if a certificate has been
 2093 revoked.  If a match is found for the certificate in a CRL,
 2094 verification fails.  If the certificate being verified is not
 2095 listed in a CRL, or there is no CRL present for its issuing CA,
 2096 and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification
 2097 succeeds.
 2098 
 2099 However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is
 2100 no CRL information available for the issuing CA, then verification
 2101 fails.
 2102 
 2103 \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the
 2104 policy is such that up-to-date CRLs must be present for every CA.
 2105 
 2106 \item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode
 2107 Specifies the location of Certificate Revocation List (CRL)
 2108 information to be used by the client when verifying the validity
 2109 of the KDC certificate presented.  This option may be specified
 2110 multiple times.
 2111 
 2112 \end{description}
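
As an added example (not part of the krb5 documentation or its source code), the Python below models \sphinxstylestrong{pkinit\_cert\_match} evaluation: it parses the optional relation prefix and the SUBJECT, ISSUER, SAN, EKU and KU component rules described above, then applies the exactly-one-certificate selection to constructed sample certificates using the three example rules from the text. Regular expressions are searched rather than anchored, a SAN rule is tested against each SAN string, and the \sphinxcode{Cert} model and function names are this example's own rather than krb5's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Cert:
    label: str
    subject: str                                     # RFC 2253 string form
    issuer: str                                      # RFC 2253 string form
    sans: List[str] = field(default_factory=list)    # PKINIT / UPN SAN strings
    eku: Set[str] = field(default_factory=set)       # e.g. {"pkinit", "clientAuth"}
    ku: Set[str] = field(default_factory=set)        # e.g. {"digitalSignature"}


_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a pkinit_cert_match value into (relation, [(kind, argument), ...]).
    Component rules follow each other with no separator, so the text between
    one <KIND> marker and the next is that component's argument."""
    rule = rule.strip()
    relation = "&&"                                  # documented default
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    parts = list(_COMPONENT.finditer(rule))
    if not parts or parts[0].start() != 0:
        raise ValueError("rule must consist of <KIND>value components: %r" % rule)
    components = []
    for i, m in enumerate(parts):
        end = parts[i + 1].start() if i + 1 < len(parts) else len(rule)
        components.append((m.group(1), rule[m.end():end]))
    return relation, components


def _component_matches(kind: str, arg: str, cert: Cert) -> bool:
    if kind == "SUBJECT":
        return re.search(arg, cert.subject) is not None
    if kind == "ISSUER":
        return re.search(arg, cert.issuer) is not None
    if kind == "SAN":
        return any(re.search(arg, san) for san in cert.sans)
    # <EKU> and <KU>: every value in the comma-separated list must be present.
    required = {v.strip() for v in arg.split(",") if v.strip()}
    return required <= (cert.eku if kind == "EKU" else cert.ku)


def rule_matches(rule: str, cert: Cert) -> bool:
    relation, components = parse_rule(rule)
    results = [_component_matches(kind, arg, cert) for kind, arg in components]
    return all(results) if relation == "&&" else any(results)


def select_certificate(rules: List[str], certs: List[Cert]) -> Optional[Cert]:
    """Try the rules in order; the first rule matched by exactly one
    certificate selects it. Zero or several matches move on to the next rule,
    and None means no rule produced a unique choice."""
    for rule in rules:
        matched = [c for c in certs if rule_matches(rule, c)]
        if len(matched) == 1:
            return matched[0]
    return None


# Constructed sample certificates (not real identities).
CERTS = [
    Cert("smartcard-logon", "CN=alice,OU=DoE Staff,O=Example",
         "CN=DoE Issuing CA,O=Example", sans=["alice@EXAMPLE.COM"],
         eku={"msScLogin", "clientAuth"}, ku={"digitalSignature"}),
    Cert("email", "CN=alice,OU=DoE Staff,O=Example",
         "CN=DoE Issuing CA,O=Example", sans=["alice@example.com"],
         eku={"emailProtection"}, ku={"digitalSignature", "keyEncipherment"}),
    Cert("other-realm", "CN=bob,O=Other", "CN=Other CA,O=Other",
         sans=["bob@OTHERREALM.ORG"], eku={"pkinit", "clientAuth"},
         ku={"digitalSignature"}),
]

# The three example rules from the documentation, in file order.
DOC_RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]
```

With the sample set above, the first rule matches two certificates and is skipped, and the second rule narrows the choice to the smart card logon certificate.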
 2113 
 2114 
 2115 \subsubsection{Parameter expansion}
 2116 \label{\detokenize{admin/conf_files/krb5_conf:id7}}\label{\detokenize{admin/conf_files/krb5_conf:parameter-expansion}}
 2117 Starting with release 1.11, several variables, such as
 2118 \sphinxstylestrong{default\_keytab\_name}, allow parameters to be expanded.
 2119 Valid parameters are:
 2120 \begin{quote}
 2121 
 2122 
 2123 \begin{savenotes}\sphinxattablestart
 2124 \centering
 2125 \begin{tabulary}{\linewidth}[t]{|T|T|}
 2126 \hline
 2127 
 2128 \%\{TEMP\}
 2129 &
 2130 Temporary directory
 2131 \\
 2132 \hline
 2133 \%\{uid\}
 2134 &
 2135 Unix real UID or Windows SID
 2136 \\
 2137 \hline
 2138 \%\{euid\}
 2139 &
 2140 Unix effective user ID or Windows SID
 2141 \\
 2142 \hline
 2143 \%\{USERID\}
 2144 &
 2145 Same as \%\{uid\}
 2146 \\
 2147 \hline
 2148 \%\{null\}
 2149 &
 2150 Empty string
 2151 \\
 2152 \hline
 2153 \%\{LIBDIR\}
 2154 &
 2155 Installation library directory
 2156 \\
 2157 \hline
 2158 \%\{BINDIR\}
 2159 &
 2160 Installation binary directory
 2161 \\
 2162 \hline
 2163 \%\{SBINDIR\}
 2164 &
 2165 Installation admin binary directory
 2166 \\
 2167 \hline
 2168 \%\{username\}
 2169 &
 2170 (Unix) Username of effective user ID
 2171 \\
 2172 \hline
 2173 \%\{APPDATA\}
 2174 &
 2175 (Windows) Roaming application data for current user
 2176 \\
 2177 \hline
 2178 \%\{COMMON\_APPDATA\}
 2179 &
 2180 (Windows) Application data for all users
 2181 \\
 2182 \hline
 2183 \%\{LOCAL\_APPDATA\}
 2184 &
 2185 (Windows) Local application data for current user
 2186 \\
 2187 \hline
 2188 \%\{SYSTEM\}
 2189 &
 2190 (Windows) Windows system folder
 2191 \\
 2192 \hline
 2193 \%\{WINDOWS\}
 2194 &
 2195 (Windows) Windows folder
 2196 \\
 2197 \hline
 2198 \%\{USERCONFIG\}
 2199 &
 2200 (Windows) Per-user MIT krb5 config file directory
 2201 \\
 2202 \hline
 2203 \%\{COMMONCONFIG\}
 2204 &
 2205 (Windows) Common MIT krb5 config file directory
 2206 \\
 2207 \hline
 2208 \end{tabulary}
 2209 \par
 2210 \sphinxattableend\end{savenotes}
 2211 \end{quote}
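As an added example, not code from the krb5 project, the following Python implements the expansion rules in the table above: each \%\{name\} reference is replaced from a parameter table, the Unix parameters are collected from the running process, and the install directories (\%\{LIBDIR\}, \%\{BINDIR\}, \%\{SBINDIR\}) are constructed placeholders rather than real configure-time values. Rejecting an unknown parameter name with an error is this example's choice; the page does not describe how the library itself treats one.

```python
import os
import re
import tempfile
from typing import Dict, Mapping

# A parameter reference looks like %{name}.  An empty name is treated as
# unknown rather than silently expanding to nothing.
_PARAM_RE = re.compile(r"%\{([^}]*)\}")

# Constructed install-time directories (placeholders for this example).
# A real build substitutes its own configure-time values here.
INSTALL_DIRS = {
    "LIBDIR": "/usr/local/lib",
    "BINDIR": "/usr/local/bin",
    "SBINDIR": "/usr/local/sbin",
}


def unix_parameters() -> Dict[str, str]:
    """Build the Unix parameter table from the calling process.

    %{uid} is the real UID, %{euid} and %{username} come from the
    effective UID, %{USERID} is documented as the same as %{uid}, and
    %{null} is the empty string.  The Windows-only parameters (APPDATA,
    SYSTEM, WINDOWS, ...) do not exist on Unix and are omitted.
    """
    uid, euid = os.getuid(), os.geteuid()
    try:
        import pwd
        username = pwd.getpwuid(euid).pw_name
    except (ImportError, KeyError):
        username = str(euid)
    params = {
        "TEMP": tempfile.gettempdir(),
        "uid": str(uid),
        "euid": str(euid),
        "USERID": str(uid),
        "null": "",
        "username": username,
    }
    params.update(INSTALL_DIRS)
    return params


def expand(value: str, params: Mapping[str, str]) -> str:
    """Expand every %{name} in value using params.

    An unknown name raises ValueError.  Failing closed is this example's
    choice: a keytab or cache name with a half-expanded parameter would
    otherwise point at a path nobody intended.
    """
    def repl(match):
        name = match.group(1)
        if name not in params:
            raise ValueError(f"unknown parameter %{{{name}}} in {value!r}")
        return params[name]
    return _PARAM_RE.sub(repl, value)


if __name__ == "__main__":
    print(expand("FILE:%{TEMP}/krb5cc_%{uid}", unix_parameters()))
```

Applied to a credential cache or keytab name such as \sphinxcode{FILE:\%\{TEMP\}/krb5cc\_\%\{uid\}}, the result is a per-user path; \%\{USERID\} and \%\{uid\} expand identically, as the table states.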
 2212 
 2213 
 2214 \subsubsection{Sample krb5.conf file}
 2215 \label{\detokenize{admin/conf_files/krb5_conf:sample-krb5-conf-file}}
 2216 Here is an example of a generic krb5.conf file:
 2217 
 2218 \fvset{hllines={, ,}}%
 2219 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 2220 \PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
 2221     \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
 2222     \PYG{n}{dns\PYGZus{}lookup\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{true}
 2223     \PYG{n}{dns\PYGZus{}lookup\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false}
 2224 
 2225 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
 2226     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2227         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 2228         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 2229         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{2.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 2230         \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 2231         \PYG{n}{master\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 2232     \PYG{p}{\PYGZcb{}}
 2233     \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2234         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 2235         \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 2236         \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 2237     \PYG{p}{\PYGZcb{}}
 2238 
 2239 \PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]}
 2240     \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
 2241 
 2242 \PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
 2243     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2244            \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{o}{.}
 2245     \PYG{p}{\PYGZcb{}}
 2246     \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2247            \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{o}{.}
 2248     \PYG{p}{\PYGZcb{}}
 2249 \end{sphinxVerbatim}
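The sample above is in the profile format shared by krb5.conf and kdc.conf: bracketed section headers, \sphinxcode{tag = value} relations, and subsections opened with \sphinxcode{\{} and closed by a line containing only \sphinxcode{\}}. The Python parser below is an added example, not code from the krb5 project; it embeds a constructed copy of the sample file and keeps repeated tags (the several \sphinxcode{kdc} relations) as ordered lists, which a lookup helper then uses to return a realm's KDCs. By assumption, a quoted value loses only its surrounding quotes and no other escaping is handled.

```python
from typing import Dict, List, Optional, Union

# A section maps each tag to the list of values given for it, in file
# order; a value is a string or a nested subsection (another dict).
Section = Dict[str, List[Union[str, "Section"]]]

# Constructed copy of the sample krb5.conf shown above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
    }
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        kdc = kerberos-1.example.com
        admin_server = kerberos.example.com
    }

[domain_realm]
    mit.edu = ATHENA.MIT.EDU

[capaths]
    ATHENA.MIT.EDU = {
           EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
           ATHENA.MIT.EDU = .
    }
"""


def _unquote(value: str) -> str:
    # "" (or any "..." value) is taken literally with the quotes removed;
    # escape sequences inside the quotes are not interpreted (assumption).
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_profile(text: str) -> Dict[str, Section]:
    """Parse krb5.conf/kdc.conf text into {section: {tag: [values]}}.

    Tags may repeat (several kdc relations), so every tag maps to a
    list.  A relation whose value is '{' opens a subsection that ends at
    a line containing only '}'.  Lines starting with # or ; are comments.
    Malformed input raises ValueError naming the line.
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    stack: List[Section] = []          # currently open subsections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError(f"line {lineno}: section header inside a subsection")
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: relation before any section header")
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' with no open subsection")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"line {lineno}: expected 'tag = value'")
        target = stack[-1] if stack else current
        values = target.setdefault(tag.strip(), [])
        if value.strip() == "{":
            sub: Section = {}
            values.append(sub)
            stack.append(sub)
        else:
            values.append(_unquote(value.strip()))
    if stack:
        raise ValueError("end of file inside an unterminated subsection")
    return sections


def kdcs_for_realm(profile: Dict[str, Section], realm: str) -> List[str]:
    """Return the kdc relations of a realm, in the order listed."""
    hosts: List[str] = []
    for value in profile.get("realms", {}).get(realm, []):
        if isinstance(value, dict):
            hosts.extend(v for v in value.get("kdc", []) if isinstance(v, str))
    return hosts
```

Keeping every tag as a list matters for relations that are documented as repeatable (\sphinxcode{kdc}, or \sphinxstylestrong{pkinit\_revoke} above); a parser that kept only the last value would silently drop fallback KDCs.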
 2250 
 2251 
 2252 \subsubsection{FILES}
 2253 \label{\detokenize{admin/conf_files/krb5_conf:files}}
 2254 \sphinxcode{/etc/krb5.conf}
 2255 
 2256 
 2257 \subsubsection{SEE ALSO}
 2258 \label{\detokenize{admin/conf_files/krb5_conf:see-also}}
 2259 syslog(3)
 2260 
 2261 
 2262 \subsection{kdc.conf}
 2263 \label{\detokenize{admin/conf_files/kdc_conf:kdc-conf}}\label{\detokenize{admin/conf_files/kdc_conf::doc}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}}
 2264 The kdc.conf file supplements {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} for programs which
 2265 are typically only used on a KDC, such as the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and
 2266 {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemons and the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program.
 2267 Relations documented here may also be specified in krb5.conf; for the
 2268 KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
 2269 single configuration profile.
 2270 
 2271 Normally, the kdc.conf file is found in the KDC state directory,
 2272 {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}.  You can override the default location by setting the
 2273 environment variable \sphinxstylestrong{KRB5\_KDC\_PROFILE}.
 2274 
 2275 Please note that you need to restart the KDC daemon for any configuration
 2276 changes to take effect.
 2277 
 2278 
 2279 \subsubsection{Structure}
 2280 \label{\detokenize{admin/conf_files/kdc_conf:structure}}
 2281 The kdc.conf file is set up in the same format as the
 2282 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file.
 2283 
 2284 
 2285 \subsubsection{Sections}
 2286 \label{\detokenize{admin/conf_files/kdc_conf:sections}}
 2287 The kdc.conf file may contain the following sections:
 2288 
 2289 
 2290 \begin{savenotes}\sphinxattablestart
 2291 \centering
 2292 \begin{tabulary}{\linewidth}[t]{|T|T|}
 2293 \hline
 2294 
 2295 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}}
 2296 &
 2297 Default values for KDC behavior
 2298 \\
 2299 \hline
 2300 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}}
 2301 &
 2302 Realm-specific database configuration and settings
 2303 \\
 2304 \hline
 2305 {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}}
 2306 &
 2307 Default database settings
 2308 \\
 2309 \hline
 2310 {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}}
 2311 &
 2312 Per-database settings
 2313 \\
 2314 \hline
 2315 {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}
 2316 &
 2317 Controls how Kerberos daemons perform logging
 2318 \\
 2319 \hline
 2320 \end{tabulary}
 2321 \par
 2322 \sphinxattableend\end{savenotes}
 2323 
 2324 
 2325 \paragraph{{[}kdcdefaults{]}}
 2326 \label{\detokenize{admin/conf_files/kdc_conf:kdcdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id1}}
 2327 Some relations in the {[}kdcdefaults{]} section specify default values for
 2328 realm variables, to be used if the {[}realms{]} subsection does not
 2329 contain a relation for the tag.  See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for
 2330 the definitions of these relations.
 2331 \begin{itemize}
 2332 \item {} 
 2333 \sphinxstylestrong{host\_based\_services}
 2334 
 2335 \item {} 
 2336 \sphinxstylestrong{kdc\_listen}
 2337 
 2338 \item {} 
 2339 \sphinxstylestrong{kdc\_ports}
 2340 
 2341 \item {} 
 2342 \sphinxstylestrong{kdc\_tcp\_listen}
 2343 
 2344 \item {} 
 2345 \sphinxstylestrong{kdc\_tcp\_ports}
 2346 
 2347 \item {} 
 2348 \sphinxstylestrong{no\_host\_referral}
 2349 
 2350 \item {} 
 2351 \sphinxstylestrong{restrict\_anonymous\_to\_tgt}
 2352 
 2353 \end{itemize}
 2354 
 2355 The following {[}kdcdefaults{]} variables have no per-realm equivalent:
 2356 \begin{description}
 2357 \item[{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}}] \leavevmode
 2358 Specifies the maximum packet size that can be sent over UDP.  The
 2359 default value is 4096 bytes.
 2360 
 2361 \item[{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}}] \leavevmode
 2362 (Integer.)  Sets the length of the listen queue for the KDC
 2363 daemon.  The value may be limited by OS settings.  The default
 2364 value is 5.
 2365 
 2366 \item[{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}}] \leavevmode
 2367 (String.)  Specifies the group for a SPAKE optimistic challenge.
 2368 See the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
 2369 for possible values.  The default is not to issue an optimistic
 2370 challenge.  (New in release 1.17.)
 2371 
 2372 \end{description}
 2373 
 2374 
 2375 \paragraph{{[}realms{]}}
 2376 \label{\detokenize{admin/conf_files/kdc_conf:realms}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-realms}}
 2377 Each tag in the {[}realms{]} section is the name of a Kerberos realm.  The
 2378 value of the tag is a subsection where the relations define KDC
 2379 parameters for that particular realm.  The following example shows how
 2380 to define one parameter for the ATHENA.MIT.EDU realm:
 2381 
 2382 \fvset{hllines={, ,}}%
 2383 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 2384 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
 2385     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2386         \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
 2387     \PYG{p}{\PYGZcb{}}
 2388 \end{sphinxVerbatim}
 2389 
 2390 The following tags may be specified in a {[}realms{]} subsection:
 2391 \begin{description}
 2392 \item[{\sphinxstylestrong{acl\_file}}] \leavevmode
 2393 (String.)  Location of the access control list file that
 2394 {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} uses to determine which principals are allowed
 2395 which permissions on the Kerberos database.  To operate without an
 2396 ACL file, set this relation to the empty string with \sphinxcode{acl\_file =
 2397 ""}.  The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}.  For more
 2398 information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}.
 2399 
 2400 \item[{\sphinxstylestrong{database\_module}}] \leavevmode
 2401 (String.)  This relation indicates the name of the configuration
 2402 section under {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} for database-specific parameters
 2403 used by the loadable database library.  The default value is the
 2404 realm name.  If this configuration section does not exist, default
 2405 values will be used for all database parameters.
 2406 
 2407 \item[{\sphinxstylestrong{database\_name}}] \leavevmode
 2408 (String, deprecated.)  This relation specifies the location of the
 2409 Kerberos database for this realm, if the DB2 module is being used
 2410 and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} configuration section does not specify a
 2411 database name.  The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/principal}.
 2412 
 2413 \item[{\sphinxstylestrong{default\_principal\_expiration}}] \leavevmode
 2414 (\DUrole{xref,std,std-ref}{abstime} string.)  Specifies the default expiration date of
 2415 principals created in this realm.  The default value is 0, which
 2416 means no expiration date.
 2417 
 2418 \item[{\sphinxstylestrong{default\_principal\_flags}}] \leavevmode
 2419 (Flag string.)  Specifies the default attributes of principals
 2420 created in this realm.  The format for this string is a
 2421 comma-separated list of flags, with ‘+’ before each flag that
 2422 should be enabled and ‘-’ before each flag that should be
 2423 disabled.  The \sphinxstylestrong{postdateable}, \sphinxstylestrong{forwardable}, \sphinxstylestrong{tgt-based},
 2424 \sphinxstylestrong{renewable}, \sphinxstylestrong{proxiable}, \sphinxstylestrong{dup-skey}, \sphinxstylestrong{allow-tickets}, and
 2425 \sphinxstylestrong{service} flags default to enabled.
 2426 
 2427 There are a number of possible flags:
 2428 \begin{description}
 2429 \item[{\sphinxstylestrong{allow-tickets}}] \leavevmode
 2430 Enabling this flag means that the KDC will issue tickets for
 2431 this principal.  Disabling this flag essentially deactivates
 2432 the principal within this realm.
 2433 
 2434 \item[{\sphinxstylestrong{dup-skey}}] \leavevmode
 2435 Enabling this flag allows the KDC to issue user-to-user
 2436 service tickets for this principal.
 2437 
 2438 \item[{\sphinxstylestrong{forwardable}}] \leavevmode
 2439 Enabling this flag allows the principal to obtain forwardable
 2440 tickets.
 2441 
 2442 \item[{\sphinxstylestrong{hwauth}}] \leavevmode
 2443 If this flag is enabled, then the principal is required to
 2444 preauthenticate using a hardware device before receiving any
 2445 tickets.
 2446 
 2447 \item[{\sphinxstylestrong{no-auth-data-required}}] \leavevmode
 2448 Enabling this flag prevents PAC or AD-SIGNEDPATH data from
 2449 being added to service tickets for the principal.
 2450 
 2451 \item[{\sphinxstylestrong{ok-as-delegate}}] \leavevmode
 2452 If this flag is enabled, it hints the client that credentials
 2453 can and should be delegated when authenticating to the
 2454 service.
 2455 
 2456 \item[{\sphinxstylestrong{ok-to-auth-as-delegate}}] \leavevmode
 2457 Enabling this flag allows the principal to use S4USelf tickets.
 2458 
 2459 \item[{\sphinxstylestrong{postdateable}}] \leavevmode
 2460 Enabling this flag allows the principal to obtain postdateable
 2461 tickets.
 2462 
 2463 \item[{\sphinxstylestrong{preauth}}] \leavevmode
 2464 If this flag is enabled on a client principal, then that
 2465 principal is required to preauthenticate to the KDC before
 2466 receiving any tickets.  On a service principal, enabling this
 2467 flag means that service tickets for this principal will only
 2468 be issued to clients with a TGT that has the preauthenticated
 2469 bit set.
 2470 
 2471 \item[{\sphinxstylestrong{proxiable}}] \leavevmode
 2472 Enabling this flag allows the principal to obtain proxy
 2473 tickets.
 2474 
 2475 \item[{\sphinxstylestrong{pwchange}}] \leavevmode
 2476 Enabling this flag forces a password change for this
 2477 principal.
 2478 
 2479 \item[{\sphinxstylestrong{pwservice}}] \leavevmode
 2480 If this flag is enabled, it marks this principal as a password
 2481 change service.  This should only be used in special cases,
 2482 for example, if a user’s password has expired, then the user
 2483 has to get tickets for that principal without going through
 2484 the normal password authentication in order to be able to
 2485 change the password.
 2486 
 2487 \item[{\sphinxstylestrong{renewable}}] \leavevmode
 2488 Enabling this flag allows the principal to obtain renewable
 2489 tickets.
 2490 
 2491 \item[{\sphinxstylestrong{service}}] \leavevmode
 2492 Enabling this flag allows the KDC to issue service tickets
 2493 for this principal.  In release 1.17 and later, user-to-user
 2494 service tickets are still allowed if the \sphinxstylestrong{dup-skey} flag is
 2495 set.
 2496 
 2497 \item[{\sphinxstylestrong{tgt-based}}] \leavevmode
 2498 Enabling this flag allows a principal to obtain tickets based
 2499 on a ticket-granting-ticket, rather than repeating the
 2500 authentication process that was used to obtain the TGT.
 2501 
 2502 \end{description}
 2503 
 2504 \item[{\sphinxstylestrong{dict\_file}}] \leavevmode
 2505 (String.)  Location of the dictionary file containing strings that
 2506 are not allowed as passwords.  The file should contain one string
 2507 per line, with no additional whitespace.  If none is specified or
 2508 if there is no policy assigned to the principal, no dictionary
 2509 checks of passwords will be performed.
 2510 
 2511 \item[{\sphinxstylestrong{encrypted\_challenge\_indicator}}] \leavevmode
 2512 (String.)  Specifies the authentication indicator value that the KDC
 2513 asserts into tickets obtained using FAST encrypted challenge
 2514 pre-authentication.  New in 1.16.
 2515 
 2516 \item[{\sphinxstylestrong{host\_based\_services}}] \leavevmode
 2517 (Whitespace- or comma-separated list.)  Lists services which will
 2518 get host-based referral processing even if the server principal is
 2519 not marked as host-based by the client.
 2520 
 2521 \item[{\sphinxstylestrong{iprop\_enable}}] \leavevmode
 2522 (Boolean value.)  Specifies whether incremental database
 2523 propagation is enabled.  The default value is false.
 2524 
 2525 \item[{\sphinxstylestrong{iprop\_master\_ulogsize}}] \leavevmode
 2526 (Integer.)  Specifies the maximum number of log entries to be
 2527 retained for incremental propagation.  The default value is 1000.
 2528 Prior to release 1.11, the maximum value was 2500.
 2529 
 2530 \item[{\sphinxstylestrong{iprop\_replica\_poll}}] \leavevmode
 2531 (Delta time string.)  Specifies how often the replica KDC polls
 2532 for new updates from the master.  The default value is \sphinxcode{2m}
 2533 (that is, two minutes).  New in release 1.17.
 2534 
 2535 \item[{\sphinxstylestrong{iprop\_slave\_poll}}] \leavevmode
 2536 (Delta time string.)  The name for \sphinxstylestrong{iprop\_replica\_poll} prior to
 2537 release 1.17.  Its value is used as a fallback if
 2538 \sphinxstylestrong{iprop\_replica\_poll} is not specified.
 2539 
 2540 \item[{\sphinxstylestrong{iprop\_listen}}] \leavevmode
 2541 (Whitespace- or comma-separated list.)  Specifies the iprop RPC
 2542 listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.
 2543 Each entry may be an interface address, a port number, or an
 2544 address and port number separated by a colon.  If the address
 2545 contains colons, enclose it in square brackets.  If no address is
 2546 specified, the wildcard address is used.  If kadmind fails to bind
 2547 to any of the specified addresses, it will fail to start.  The
 2548 default (when \sphinxstylestrong{iprop\_enable} is true) is to bind to the wildcard
 2549 address at the port specified in \sphinxstylestrong{iprop\_port}.  New in release
 2550 1.15.
 2551 
 2552 \item[{\sphinxstylestrong{iprop\_port}}] \leavevmode
 2553 (Port number.)  Specifies the port number to be used for
 2554 incremental propagation.  When \sphinxstylestrong{iprop\_enable} is true, this
 2555 relation is required in the replica KDC configuration file, and
 2556 this relation or \sphinxstylestrong{iprop\_listen} is required in the master
 2557 configuration file, as there is no default port number.  Port
 2558 numbers specified in \sphinxstylestrong{iprop\_listen} entries will override this
 2559 port number for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.
 2560 
 2561 \item[{\sphinxstylestrong{iprop\_resync\_timeout}}] \leavevmode
 2562 (Delta time string.)  Specifies the amount of time to wait for a
 2563 full propagation to complete.  This is optional in configuration
 2564 files, and is used by replica KDCs only.  The default value is 5
 2565 minutes (\sphinxcode{5m}).  New in release 1.11.
 2566 
 2567 \item[{\sphinxstylestrong{iprop\_logfile}}] \leavevmode
 2568 (File name.)  Specifies where the update log file for the realm
 2569 database is to be stored.  The default is to use the
 2570 \sphinxstylestrong{database\_name} entry from the realms section of the krb5 config
 2571 file, with \sphinxcode{.ulog} appended.  (NOTE: If \sphinxstylestrong{database\_name} isn’t
 2572 specified in the realms section, perhaps because the LDAP database
 2573 back end is being used, or the file name is specified in the
 2574 {[}dbmodules{]} section, then the hard-coded default for
 2575 \sphinxstylestrong{database\_name} is used.  Determination of the \sphinxstylestrong{iprop\_logfile}
 2576 default value will not use values from the {[}dbmodules{]} section.)
 2577 
 2578 \item[{\sphinxstylestrong{kadmind\_listen}}] \leavevmode
 2579 (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
 2580 listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.
 2581 Each entry may be an interface address, a port number, or an
 2582 address and port number separated by a colon.  If the address
 2583 contains colons, enclose it in square brackets.  If no address is
 2584 specified, the wildcard address is used.  If kadmind fails to bind
 2585 to any of the specified addresses, it will fail to start.  The
 2586 default is to bind to the wildcard address at the port specified
 2587 in \sphinxstylestrong{kadmind\_port}, or the standard kadmin port (749).  New in
 2588 release 1.15.
 2589 
 2590 \item[{\sphinxstylestrong{kadmind\_port}}] \leavevmode
 2591 (Port number.)  Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
 2592 daemon is to listen for this realm.  Port numbers specified in
 2593 \sphinxstylestrong{kadmind\_listen} entries will override this port number.  The
 2594 assigned port for kadmind is 749, which is used by default.
 2595 
 2596 \item[{\sphinxstylestrong{key\_stash\_file}}] \leavevmode
 2597 (String.)  Specifies the location where the master key has been
 2598 stored (via kdb5\_util stash).  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/.k5.REALM}, where \sphinxstyleemphasis{REALM} is the Kerberos realm.
 2599 
 2600 \item[{\sphinxstylestrong{kdc\_listen}}] \leavevmode
 2601 (Whitespace- or comma-separated list.)  Specifies the UDP
 2602 listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon.
 2603 Each entry may be an interface address, a port number, or an
 2604 address and port number separated by a colon.  If the address
 2605 contains colons, enclose it in square brackets.  If no address is
 2606 specified, the wildcard address is used.  If no port is specified,
 2607 the standard port (88) is used.  If the KDC daemon fails to bind
 2608 to any of the specified addresses, it will fail to start.  The
 2609 default is to bind to the wildcard address on the standard port.
 2610 New in release 1.15.
 2611 
 2612 \item[{\sphinxstylestrong{kdc\_ports}}] \leavevmode
 2613 (Whitespace- or comma-separated list, deprecated.)  Prior to
 2614 release 1.15, this relation lists the ports for the
 2615 {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests.  In
 2616 release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_listen}
 2617 if that relation is not defined.
 2618 
 2619 \item[{\sphinxstylestrong{kdc\_tcp\_listen}}] \leavevmode
 2620 (Whitespace- or comma-separated list.)  Specifies the TCP
 2621 listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon.
 2622 Each entry may be an interface address, a port number, or an
 2623 address and port number separated by a colon.  If the address
 2624 contains colons, enclose it in square brackets.  If no address is
 2625 specified, the wildcard address is used.  If no port is specified,
 2626 the standard port (88) is used.  To disable listening on TCP, set
 2627 this relation to the empty string with \sphinxcode{kdc\_tcp\_listen = ""}.
 2628 If the KDC daemon fails to bind to any of the specified addresses,
 2629 it will fail to start.  The default is to bind to the wildcard
 2630 address on the standard port.  New in release 1.15.
 2631 
 2632 \item[{\sphinxstylestrong{kdc\_tcp\_ports}}] \leavevmode
 2633 (Whitespace- or comma-separated list, deprecated.)  Prior to
 2634 release 1.15, this relation lists the ports for the
 2635 {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests.  In
 2636 release 1.15 and later, it has the same meaning as
 2637 \sphinxstylestrong{kdc\_tcp\_listen} if that relation is not defined.
 2638 
 2639 \item[{\sphinxstylestrong{kpasswd\_listen}}] \leavevmode
 2640 (Comma-separated list.)  Specifies the kpasswd listening addresses
 2641 and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.  Each entry may be
 2642 an interface address, a port number, or an address and port number
 2643 separated by a colon.  If the address contains colons, enclose it
 2644 in square brackets.  If no address is specified, the wildcard
 2645 address is used.  If kadmind fails to bind to any of the specified
 2646 addresses, it will fail to start.  The default is to bind to the
 2647 wildcard address at the port specified in \sphinxstylestrong{kpasswd\_port}, or the
 2648 standard kpasswd port (464).  New in release 1.15.
 2649 
 2650 \item[{\sphinxstylestrong{kpasswd\_port}}] \leavevmode
 2651 (Port number.)  Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
 2652 daemon is to listen for password change requests for this realm.
 2653 Port numbers specified in \sphinxstylestrong{kpasswd\_listen} entries will override
 2654 this port number.  The assigned port for password change requests
 2655 is 464, which is used by default.
 2656 
 2657 \item[{\sphinxstylestrong{master\_key\_name}}] \leavevmode
 2658 (String.)  Specifies the name of the principal associated with the
 2659 master key.  The default is \sphinxcode{K/M}.
 2660 
 2661 \item[{\sphinxstylestrong{master\_key\_type}}] \leavevmode
 2662 (Key type string.)  Specifies the master key’s key type.  The
 2663 default value for this is \sphinxcode{aes256-cts-hmac-sha1-96}.  For a list of all possible
 2664 values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}.
 2665 
 2666 \item[{\sphinxstylestrong{max\_life}}] \leavevmode
 2667 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies the maximum time period for
 2668 which a ticket may be valid in this realm.  The default value is
 2669 24 hours.
 2670 
 2671 \item[{\sphinxstylestrong{max\_renewable\_life}}] \leavevmode
 2672 (\DUrole{xref,std,std-ref}{duration} string.)  Specifies the maximum time period
 2673 during which a valid ticket may be renewed in this realm.
 2674 The default value is 0.
 2675 
 2676 \item[{\sphinxstylestrong{no\_host\_referral}}] \leavevmode
 2677 (Whitespace- or comma-separated list.)  Lists services to block
 2678 from getting host-based referral processing, even if the client
 2679 marks the server principal as host-based or the service is also
 2680 listed in \sphinxstylestrong{host\_based\_services}.  \sphinxcode{no\_host\_referral = *} will
 2681 disable referral processing altogether.
 2682 
 2683 \item[{\sphinxstylestrong{reject\_bad\_transit}}] \leavevmode
 2684 (Boolean value.)  If set to true, the KDC will check the list of
 2685 transited realms for cross-realm tickets against the transit path
 2686 computed from the realm names and the capaths section of its
 2687 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file; if the path in the ticket to be issued
 2688 contains any realms not in the computed path, the ticket will not
 2689 be issued, and an error will be returned to the client instead.
 2690 If this value is set to false, such tickets will be issued
 2691 anyway, and it will be left up to the application server to
 2692 validate the realm transit path.
 2693 
 2694 If the disable-transited-check flag is set in the incoming
 2695 request, this check is not performed at all.  When
 2696 \sphinxstylestrong{reject\_bad\_transit} is set, such ticket requests are
 2697 always rejected.
 2698 
 2699 This transit path checking and config file option currently apply
 2700 only to TGS requests.
 2701 
 2702 The default value is true.
 2703 
 2704 \item[{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}}] \leavevmode
 2705 (Boolean value.)  If set to true, the KDC will reject ticket
 2706 requests from anonymous principals to service principals other
 2707 than the realm’s ticket-granting service.  This option allows
 2708 anonymous PKINIT to be enabled for use as FAST armor tickets
 2709 without allowing anonymous authentication to services.  The
 2710 default value is false.  New in release 1.9.
 2711 
 2712 \item[{\sphinxstylestrong{spake\_preauth\_indicator}}] \leavevmode
 2713 (String.)  Specifies an authentication indicator value that the
 2714 KDC asserts into tickets obtained using SPAKE pre-authentication.
 2715 The default is not to add any indicators.  This option may be
 2716 specified multiple times.  New in release 1.17.
 2717 
 2718 \item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode
 2719 (List of \sphinxstyleemphasis{key}:\sphinxstyleemphasis{salt} strings.)  Specifies the default key/salt
 2720 combinations of principals for this realm.  Any principals created
 2721 through {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} will have keys of these types.  The
 2722 default value for this tag is \sphinxcode{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal}.  For lists of
 2723 possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}}.
 2724 
 2725 \end{description}
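As an added example, not code from the krb5 project, the following Python parses a \sphinxstylestrong{default\_principal\_flags} string in the format described above and returns the resulting set of enabled flags, starting from the flags the page lists as enabled by default (that the string is applied on top of those defaults is an assumption). An item without a leading \sphinxcode{+} or \sphinxcode{-}, or a flag name not listed above, is rejected rather than guessed at.

```python
from typing import FrozenSet, Iterable

# Every flag named in the default_principal_flags description above.
KNOWN_FLAGS: FrozenSet[str] = frozenset({
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
})

# Flags the page says are enabled when nothing is configured.
DEFAULT_ENABLED: FrozenSet[str] = frozenset({
    "postdateable", "forwardable", "tgt-based", "renewable",
    "proxiable", "dup-skey", "allow-tickets", "service",
})


def parse_default_principal_flags(spec: str,
                                  base: FrozenSet[str] = DEFAULT_ENABLED) -> FrozenSet[str]:
    """Apply a flag string such as "+preauth,-forwardable" to base.

    Each comma-separated item must start with '+' (enable) or '-'
    (disable).  A missing sign or an unknown flag name raises ValueError;
    a mistyped flag that silently did nothing would leave a principal
    weaker than the administrator intended.
    """
    enabled = set(base)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:].strip()
        if sign not in "+-":
            raise ValueError(f"flag {item!r} must start with '+' or '-'")
        if name not in KNOWN_FLAGS:
            raise ValueError(f"unknown principal flag {name!r}")
        if sign == "+":
            enabled.add(name)
        else:
            enabled.discard(name)
    return frozenset(enabled)


def flags_to_spec(enabled: Iterable[str]) -> str:
    """Render a flag set as a spec that states every known flag explicitly."""
    enabled = set(enabled)
    return ",".join(("+" if f in enabled else "-") + f for f in sorted(KNOWN_FLAGS))


def is_active_principal(enabled: FrozenSet[str]) -> bool:
    """Disabling allow-tickets deactivates the principal, as the page says."""
    return "allow-tickets" in enabled
```

\sphinxcode{flags\_to\_spec} is useful when writing a kdc.conf that must not depend on the built-in defaults: the spec it produces yields the same flag set whether it is applied on top of the defaults or on top of an empty set.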
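Several relations above (\sphinxstylestrong{iprop\_listen}, \sphinxstylestrong{kadmind\_listen}, \sphinxstylestrong{kdc\_listen}, \sphinxstylestrong{kdc\_tcp\_listen}, \sphinxstylestrong{kpasswd\_listen}) share one entry syntax: an address, a port, \sphinxcode{address:port}, or an address containing colons enclosed in square brackets, with the wildcard address and the relation's standard port filled in when omitted. The Python below is an added example, not krb5's own parser; it accepts only numeric IP literals (an assumption, since the page does not say how host names are treated) and returns no listeners for the empty-string value that the page says disables TCP listening.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Listener(NamedTuple):
    address: Optional[str]   # None means the wildcard address
    port: int


# Entries are whitespace- or comma-separated.
_SPLIT_RE = re.compile(r"[\s,]+")

# Standard ports named on this page, for use as the default_port argument.
KDC_PORT = 88
KADMIN_PORT = 749
KPASSWD_PORT = 464


def _port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def _address(text: str) -> str:
    # Only numeric IPv4/IPv6 literals are accepted in this example.
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        raise ValueError(f"bad address {text!r}") from None


def parse_listen_entry(entry: str, default_port: int) -> Listener:
    """Parse one entry: port, address, address:port, [v6] or [v6]:port."""
    if entry.startswith("["):
        end = entry.find("]")
        if end < 0:
            raise ValueError(f"missing ']' in {entry!r}")
        addr, rest = entry[1:end], entry[end + 1:]
        if rest == "":
            return Listener(_address(addr), default_port)
        if rest.startswith(":"):
            return Listener(_address(addr), _port(rest[1:]))
        raise ValueError(f"unexpected text after ']' in {entry!r}")
    if entry.isdigit():
        return Listener(None, _port(entry))
    colons = entry.count(":")
    if colons == 0:
        return Listener(_address(entry), default_port)
    if colons == 1:
        addr, port = entry.split(":")
        return Listener(_address(addr), _port(port))
    # An unbracketed IPv6 literal is ambiguous between address and port.
    raise ValueError(f"{entry!r}: an address containing colons must be in square brackets")


def parse_listen(value: str, default_port: int) -> List[Listener]:
    """Parse a whole *_listen value into a list of listeners.

    The empty string (written as "" in the file) yields no listeners,
    which is how the page says TCP listening is disabled.
    """
    value = value.strip()
    if value in ("", '""'):
        return []
    return [parse_listen_entry(e, default_port)
            for e in _SPLIT_RE.split(value) if e]
```

Because the daemons refuse to start when any entry cannot be bound, a configuration check that runs this parser before a restart catches the common mistakes (an IPv6 address without brackets, a port outside 1 to 65535) while the old daemon is still serving.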
 2726 
 2727 
 2728 \paragraph{{[}dbdefaults{]}}
 2729 \label{\detokenize{admin/conf_files/kdc_conf:id2}}\label{\detokenize{admin/conf_files/kdc_conf:dbdefaults}}
 2730 The {[}dbdefaults{]} section specifies default values for some database
 2731 parameters, to be used if the {[}dbmodules{]} subsection does not contain
 2732 a relation for the tag.  See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} section for the
 2733 definitions of these relations.
 2734 \begin{itemize}
 2735 \item {} 
 2736 \sphinxstylestrong{ldap\_kerberos\_container\_dn}
 2737 
 2738 \item {} 
 2739 \sphinxstylestrong{ldap\_kdc\_dn}
 2740 
 2741 \item {} 
 2742 \sphinxstylestrong{ldap\_kdc\_sasl\_authcid}
 2743 
 2744 \item {} 
 2745 \sphinxstylestrong{ldap\_kdc\_sasl\_authzid}
 2746 
 2747 \item {} 
 2748 \sphinxstylestrong{ldap\_kdc\_sasl\_mech}
 2749 
 2750 \item {} 
 2751 \sphinxstylestrong{ldap\_kdc\_sasl\_realm}
 2752 
 2753 \item {} 
 2754 \sphinxstylestrong{ldap\_kadmind\_dn}
 2755 
 2756 \item {} 
 2757 \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}
 2758 
 2759 \item {} 
 2760 \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}
 2761 
 2762 \item {} 
 2763 \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}
 2764 
 2765 \item {} 
 2766 \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}
 2767 
 2768 \item {} 
 2769 \sphinxstylestrong{ldap\_service\_password\_file}
 2770 
 2771 \item {} 
 2772 \sphinxstylestrong{ldap\_conns\_per\_server}
 2773 
 2774 \end{itemize}
 2775 
 2776 
 2777 \paragraph{{[}dbmodules{]}}
 2778 \label{\detokenize{admin/conf_files/kdc_conf:dbmodules}}\label{\detokenize{admin/conf_files/kdc_conf:id3}}
 2779 The {[}dbmodules{]} section contains parameters used by the KDC database
 2780 library and database modules.  Each tag in the {[}dbmodules{]} section is
 2781 the name of a Kerberos realm or a section name specified by a realm’s
 2782 \sphinxstylestrong{database\_module} parameter.  The following example shows how to
 2783 define one database parameter for the ATHENA.MIT.EDU realm:
 2784 
 2785 \fvset{hllines={, ,}}%
 2786 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 2787 \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
 2788     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 2789         \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true}
 2790     \PYG{p}{\PYGZcb{}}
 2791 \end{sphinxVerbatim}
 2792 
 2793 The following tags may be specified in a {[}dbmodules{]} subsection:
 2794 \begin{description}
 2795 \item[{\sphinxstylestrong{database\_name}}] \leavevmode
 2796 This DB2-specific tag indicates the location of the database in
 2797 the filesystem.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/principal}.
 2798 
 2799 \item[{\sphinxstylestrong{db\_library}}] \leavevmode
 2800 This tag indicates the name of the loadable database module.  The
 2801 value should be \sphinxcode{db2} for the DB2 module, \sphinxcode{klmdb} for the LMDB
 2802 module, or \sphinxcode{kldap} for the LDAP module.
 2803 
 2804 \item[{\sphinxstylestrong{disable\_last\_success}}] \leavevmode
 2805 If set to \sphinxcode{true}, suppresses KDC updates to the “Last successful
 2806 authentication” field of principal entries requiring
 2807 preauthentication.  Setting this flag may improve performance.
 2808 (Principal entries which do not require preauthentication never
 2809 update the “Last successful authentication” field.)  First
 2810 introduced in release 1.9.
 2811 
 2812 \item[{\sphinxstylestrong{disable\_lockout}}] \leavevmode
 2813 If set to \sphinxcode{true}, suppresses KDC updates to the “Last failed
 2814 authentication” and “Failed password attempts” fields of principal
 2815 entries requiring preauthentication.  Setting this flag may
 2816 improve performance, but also disables account lockout.  First
 2817 introduced in release 1.9.
 2818 
 2819 \item[{\sphinxstylestrong{ldap\_conns\_per\_server}}] \leavevmode
 2820 This LDAP-specific tag indicates the number of connections to be
 2821 maintained per LDAP server.
 2822 
 2823 \item[{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}}] \leavevmode
 2824 These LDAP-specific tags indicate the default DN for binding to
 2825 the LDAP server.  The {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon uses
 2826 \sphinxstylestrong{ldap\_kdc\_dn}, while the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon and other
 2827 administrative programs use \sphinxstylestrong{ldap\_kadmind\_dn}.  The kadmind DN
 2828 must have the rights to read and write the Kerberos data in the
 2829 LDAP database.  The KDC DN must have the same rights, unless
 2830 \sphinxstylestrong{disable\_lockout} and \sphinxstylestrong{disable\_last\_success} are true, in
 2831 which case it only needs to have rights to read the Kerberos data.
 2832 These tags are ignored if a SASL mechanism is set with
 2833 \sphinxstylestrong{ldap\_kdc\_sasl\_mech} or \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}.
 2834 
 2835 \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}}] \leavevmode
 2836 These LDAP-specific tags specify the SASL mechanism (such as
 2837 \sphinxcode{EXTERNAL}) to use when binding to the LDAP server.  New in
 2838 release 1.13.
 2839 
 2840 \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}}] \leavevmode
 2841 These LDAP-specific tags specify the SASL authentication identity
 2842 to use when binding to the LDAP server.  Not all SASL mechanisms
 2843 require an authentication identity.  If the SASL mechanism
 2844 requires a secret (such as the password for \sphinxcode{DIGEST-MD5}), these
 2845 tags also determine the name within the
 2846 \sphinxstylestrong{ldap\_service\_password\_file} where the secret is stashed.  New
 2847 in release 1.13.
 2848 
 2849 \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}}] \leavevmode
 2850 These LDAP-specific tags specify the SASL authorization identity
 2851 to use when binding to the LDAP server.  In most circumstances
 2852 they do not need to be specified.  New in release 1.13.
 2853 
 2854 \item[{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}}] \leavevmode
 2855 These LDAP-specific tags specify the SASL realm to use when
 2856 binding to the LDAP server.  In most circumstances they do not
 2857 need to be set.  New in release 1.13.
 2858 
 2859 \item[{\sphinxstylestrong{ldap\_kerberos\_container\_dn}}] \leavevmode
 2860 This LDAP-specific tag indicates the DN of the container object
 2861 where the realm objects will be located.
 2862 
 2863 \item[{\sphinxstylestrong{ldap\_servers}}] \leavevmode
 2864 This LDAP-specific tag indicates the list of LDAP servers that the
 2865 Kerberos servers can connect to.  The list of LDAP servers is
 2866 whitespace-separated.  Each LDAP server is specified by an LDAP URI.
 2867 It is recommended to use \sphinxcode{ldapi:} or \sphinxcode{ldaps:} URLs to connect
 2868 to the LDAP server: over a plain \sphinxcode{ldap:} URL the bind credentials
 2869 and the principal key material cross the network without TLS protection.
 2869 
 2870 \item[{\sphinxstylestrong{ldap\_service\_password\_file}}] \leavevmode
 2871 This LDAP-specific tag indicates the file containing the stashed
 2872 passwords (created by \sphinxcode{kdb5\_ldap\_util stashsrvpw}) for the
 2873 \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} objects, or for the
 2874 \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} names
 2875 for SASL authentication.  This file must be kept secure: it holds the
 2876 credentials that grant read (and, for kadmind, write) access to every
 2877 principal's keys, so it should be readable only by the accounts that
 2878 run krb5kdc and kadmind.
 2876 
 2877 \item[{\sphinxstylestrong{mapsize}}] \leavevmode
 2878 This LMDB-specific tag indicates the maximum size of the two
 2879 database environments in megabytes.  The default value is 128.
 2880 Increase this value to address “Environment mapsize limit reached”
 2881 errors.  New in release 1.17.
 2882 
 2883 \item[{\sphinxstylestrong{max\_readers}}] \leavevmode
 2884 This LMDB-specific tag indicates the maximum number of concurrent
 2885 reading processes for the databases.  The default value is 128.
 2886 New in release 1.17.
 2887 
 2888 \item[{\sphinxstylestrong{nosync}}] \leavevmode
 2889 This LMDB-specific tag can be set to improve the throughput of
 2890 kadmind and other administrative agents, at the expense of
 2891 durability (recent database changes may not survive a power outage
 2892 or other sudden reboot).  It does not affect the throughput of the
 2893 KDC.  The default value is false.  New in release 1.17.
 2894 
 2895 \item[{\sphinxstylestrong{unlockiter}}] \leavevmode
 2896 If set to \sphinxcode{true}, this DB2-specific tag causes iteration
 2897 operations to release the database lock while processing each
 2898 principal.  Setting this flag to \sphinxcode{true} can prevent extended
 2899 blocking of KDC or kadmin operations when dumps of large databases
 2900 are in progress.  First introduced in release 1.13.
 2901 
 2902 \end{description}
 2903 
 2904 The following tag may be specified directly in the {[}dbmodules{]}
 2905 section to control where database modules are loaded from:
 2906 \begin{description}
 2907 \item[{\sphinxstylestrong{db\_module\_dir}}] \leavevmode
 2908 This tag controls where the plugin system looks for database
 2909 modules.  The value should be an absolute path.
 2910 
 2911 \end{description}
 2912 
 2913 
 2914 \paragraph{{[}logging{]}}
 2915 \label{\detokenize{admin/conf_files/kdc_conf:id4}}\label{\detokenize{admin/conf_files/kdc_conf:logging}}
 2916 The {[}logging{]} section indicates how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and
 2917 {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} perform logging.  It may contain the following
 2918 relations:
 2919 \begin{description}
 2920 \item[{\sphinxstylestrong{admin\_server}}] \leavevmode
 2921 Specifies how {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} performs logging.
 2922 
 2923 \item[{\sphinxstylestrong{kdc}}] \leavevmode
 2924 Specifies how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} performs logging.
 2925 
 2926 \item[{\sphinxstylestrong{default}}] \leavevmode
 2927 Specifies how either daemon performs logging in the absence of
 2928 relations specific to the daemon.
 2929 
 2930 \item[{\sphinxstylestrong{debug}}] \leavevmode
 2931 (Boolean value.)  Specifies whether debugging messages are
 2932 included in log outputs other than SYSLOG.  Debugging messages are
 2933 always included in the system log output because syslog performs
 2934 its own priority filtering.  The default value is false.  New in
 2935 release 1.15.
 2936 
 2937 \end{description}
 2938 
 2939 Logging specifications may have the following forms:
 2940 \begin{description}
 2941 \item[{\sphinxstylestrong{FILE=}\sphinxstyleemphasis{\textless{}filename\textgreater{}} or \sphinxstylestrong{FILE:}\sphinxstyleemphasis{\textless{}filename\textgreater{}}}] \leavevmode
 2942 This value causes the daemon’s logging messages to go to the
 2943 \sphinxstyleemphasis{\textless{}filename\textgreater{}}.  If the \sphinxcode{=} form is used, the file is overwritten
 2944 each time the daemon starts, discarding the previous log.  If the
 2945 \sphinxcode{:} form is used, the file is appended to, which is the usual
 2946 choice when the log must survive daemon restarts.
 2945 
 2946 \item[{\sphinxstylestrong{STDERR}}] \leavevmode
 2947 This value causes the daemon’s logging messages to go to its
 2948 standard error stream.
 2949 
 2950 \item[{\sphinxstylestrong{CONSOLE}}] \leavevmode
 2951 This value causes the daemon’s logging messages to go to the
 2952 console, if the system supports it.
 2953 
 2954 \item[{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}}] \leavevmode
 2955 This causes the daemon’s logging messages to go to the specified
 2956 device.
 2957 
 2958 \item[{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}}] \leavevmode
 2959 This causes the daemon’s logging messages to go to the system log.
 2960 
 2961 For backward compatibility, a severity argument may be specified,
 2962 and must be specified in order to specify a facility.  This
 2963 argument will be ignored.
 2964 
 2965 The facility argument specifies the facility under which the
 2966 messages are logged.  This may be any of the following facilities
 2967 supported by the syslog(3) call minus the LOG\_ prefix: \sphinxstylestrong{KERN},
 2968 \sphinxstylestrong{USER}, \sphinxstylestrong{MAIL}, \sphinxstylestrong{DAEMON}, \sphinxstylestrong{AUTH}, \sphinxstylestrong{LPR}, \sphinxstylestrong{NEWS},
 2969 \sphinxstylestrong{UUCP}, \sphinxstylestrong{CRON}, and \sphinxstylestrong{LOCAL0} through \sphinxstylestrong{LOCAL7}.  If no
 2970 facility is specified, the default is \sphinxstylestrong{AUTH}.
 2971 
 2972 \end{description}
 2973 
 2974 In the following example, the logging messages from the KDC will go to
 2975 the console and to the system log under the facility LOG\_DAEMON, and
 2976 the logging messages from the administrative server will be appended
 2977 to the file \sphinxcode{/var/adm/kadmin.log} and sent to the device
 2978 \sphinxcode{/dev/tty04}.
 2979 
 2980 \fvset{hllines={, ,}}%
 2981 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 2982 \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
 2983     \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{CONSOLE}
 2984     \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{SYSLOG}\PYG{p}{:}\PYG{n}{INFO}\PYG{p}{:}\PYG{n}{DAEMON}
 2985     \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{adm}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
 2986     \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{DEVICE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{tty04}
 2987 \end{sphinxVerbatim}
 2988 
 2989 If no logging specification is given, the default is to use syslog.
 2990 To disable logging entirely, specify \sphinxcode{default = DEVICE=/dev/null}.
 2991 
 2992 
 2993 \paragraph{{[}otp{]}}
 2994 \label{\detokenize{admin/conf_files/kdc_conf:otp}}\label{\detokenize{admin/conf_files/kdc_conf:id5}}
 2995 Each subsection of {[}otp{]} is the name of an OTP token type.  The tags
 2996 within the subsection define the configuration required to forward a
 2997 One Time Password request to a RADIUS server.
 2998 
 2999 For each token type, the following tags may be specified:
 3000 \begin{description}
 3001 \item[{\sphinxstylestrong{server}}] \leavevmode
 3002 This is the server to send the RADIUS request to.  It can be a
 3003 hostname with optional port, an IP address with optional port, or
 3004 a Unix domain socket address.  The default is
 3005 {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/\textless{}name\textgreater{}.socket}.
 3006 
 3007 \item[{\sphinxstylestrong{secret}}] \leavevmode
 3008 This tag indicates a filename (which may be relative to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc})
 3009 containing the secret used to encrypt the RADIUS packets.  The
 3010 secret should appear in the first line of the file by itself;
 3011 leading and trailing whitespace on the line will be removed.  If
 3012 the value of \sphinxstylestrong{server} is a Unix domain socket address, this tag
 3013 is optional, and an empty secret will be used if it is not
 3014 specified.  Otherwise, this tag is required.
 3015 
 3016 \item[{\sphinxstylestrong{timeout}}] \leavevmode
 3017 An integer which specifies the time in seconds during which the
 3018 KDC should attempt to contact the RADIUS server.  This tag is the
 3019 total time across all retries and should be less than the time for
 3020 which an OTP value remains valid.  The default is 5 seconds.
 3021 
 3022 \item[{\sphinxstylestrong{retries}}] \leavevmode
 3023 This tag specifies the number of retries to make to the RADIUS
 3024 server.  The default is 3 retries (4 tries).
 3025 
 3026 \item[{\sphinxstylestrong{strip\_realm}}] \leavevmode
 3027 If this tag is \sphinxcode{true}, the principal without the realm will be
 3028 passed to the RADIUS server.  Otherwise, the realm will be
 3029 included.  The default value is \sphinxcode{true}.
 3030 
 3031 \item[{\sphinxstylestrong{indicator}}] \leavevmode
 3032 This tag specifies an authentication indicator to be included in
 3033 the ticket if this token type is used to authenticate.  This
 3034 option may be specified multiple times.  (New in release 1.14.)
 3035 
 3036 \end{description}
 3037 
 3038 In the following example, requests are sent to a remote server via UDP:
 3039 
 3040 \fvset{hllines={, ,}}%
 3041 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3042 [otp]
 3043     MyRemoteTokenType = \PYGZob{}
 3044         server = radius.mydomain.com:1812
 3045         secret = SEmfiajf42\PYGZdl{}
 3046         timeout = 15
 3047         retries = 5
 3048         strip\PYGZus{}realm = true
 3049     \PYGZcb{}
 3050 \end{sphinxVerbatim}
 3051 
 3052 An implicit default token type named \sphinxcode{DEFAULT} is defined for when
 3053 the per-principal configuration does not specify a token type.  Its
 3054 configuration is shown below.  You may override this token type to
 3055 something applicable for your situation:
 3056 
 3057 \fvset{hllines={, ,}}%
 3058 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3059 \PYG{p}{[}\PYG{n}{otp}\PYG{p}{]}
 3060     \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 3061         \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false}
 3062     \PYG{p}{\PYGZcb{}}
 3063 \end{sphinxVerbatim}
 3064 
 3065 
 3066 \subsubsection{PKINIT options}
 3067 \label{\detokenize{admin/conf_files/kdc_conf:pkinit-options}}
 3068 \begin{sphinxadmonition}{note}{Note:}
 3069 The following are pkinit-specific options.  These values may
 3070 be specified in {[}kdcdefaults{]} as global defaults, or within
 3071 a realm-specific subsection of {[}realms{]}.  Also note that a
 3072 realm-specific value overrides, rather than adds to, a generic
 3073 {[}kdcdefaults{]} specification.  The search order is:
 3074 \end{sphinxadmonition}
 3075 \begin{enumerate}
 3076 \item {} 
 3077 realm-specific subsection of {[}realms{]}:
 3078 
 3079 \fvset{hllines={, ,}}%
 3080 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3081 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
 3082     \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 3083         \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt}
 3084     \PYG{p}{\PYGZcb{}}
 3085 \end{sphinxVerbatim}
 3086 
 3087 \item {} 
 3088 generic value in the {[}kdcdefaults{]} section:
 3089 
 3090 \fvset{hllines={, ,}}%
 3091 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3092 \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
 3093     \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/}
 3094 \end{sphinxVerbatim}
 3095 
 3096 \end{enumerate}
 3097 
 3098 For information about the syntax of some of these options, see
 3099 {\hyperref[\detokenize{admin/conf_files/krb5_conf:pkinit-identity}]{\sphinxcrossref{\DUrole{std,std-ref}{Specifying PKINIT identity information}}}} in
 3100 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.
 3101 \begin{description}
 3102 \item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode
 3103 Specifies the location of trusted anchor (root) certificates which
 3104 the KDC trusts to sign client certificates.  This option is
 3105 required if pkinit is to be supported by the KDC.  This option may
 3106 be specified multiple times.
 3107 
 3108 \item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode
 3109 Specifies the minimum number of bits the KDC is willing to accept
 3110 for a client’s Diffie-Hellman key.  The default is 2048.
 3111 
 3112 \item[{\sphinxstylestrong{pkinit\_allow\_upn}}] \leavevmode
 3113 Specifies that the KDC is willing to accept client certificates
 3114 with the Microsoft UserPrincipalName (UPN) Subject Alternative
 3115 Name (SAN).  This means the KDC accepts the binding of the UPN in
 3116 the certificate to the Kerberos principal name.  The default value
 3117 is false.
 3118 
 3119 Without this option, the KDC will only accept certificates with
 3120 the id-pkinit-san as defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.  There is currently
 3121 no option to disable SAN checking in the KDC.
 3122 
 3123 \item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode
 3124 This option specifies what Extended Key Usage (EKU) values the KDC
 3125 is willing to accept in client certificates.  The values
 3126 recognized in the kdc.conf file are:
 3127 \begin{description}
 3128 \item[{\sphinxstylestrong{kpClientAuth}}] \leavevmode
 3129 This is the default value and specifies that client
 3130 certificates must have the id-pkinit-KPClientAuth EKU as
 3131 defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.
 3132 
 3133 \item[{\sphinxstylestrong{scLogin}}] \leavevmode
 3134 If scLogin is specified, client certificates with the
 3135 Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
 3136 accepted.
 3137 
 3138 \item[{\sphinxstylestrong{none}}] \leavevmode
 3139 If none is specified, then client certificates will not be
 3140 checked to verify they have an acceptable EKU.  The use of
 3141 this option is not recommended.
 3142 
 3143 \end{description}
 3144 
 3145 \item[{\sphinxstylestrong{pkinit\_identity}}] \leavevmode
 3146 Specifies the location of the KDC’s X.509 identity information.
 3147 This option is required if pkinit is to be supported by the KDC.
 3148 
 3149 \item[{\sphinxstylestrong{pkinit\_indicator}}] \leavevmode
 3150 Specifies an authentication indicator to include in the ticket if
 3151 pkinit is used to authenticate.  This option may be specified
 3152 multiple times.  (New in release 1.14.)
 3153 
 3154 \item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode
 3155 Specifies the location of intermediate certificates which may be
 3156 used by the KDC to complete the trust chain between a client’s
 3157 certificate and a trusted anchor.  This option may be specified
 3158 multiple times.
 3159 
 3160 \item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode
 3161 Specifies the location of Certificate Revocation List (CRL)
 3162 information to be used by the KDC when verifying the validity of
 3163 client certificates.  This option may be specified multiple times.
 3164 
 3165 \item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode
 3166 The default certificate verification process will always check the
 3167 available revocation information to see if a certificate has been
 3168 revoked.  If a match is found for the certificate in a CRL,
 3169 verification fails.  If the certificate being verified is not
 3170 listed in a CRL, or there is no CRL present for its issuing CA,
 3171 and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification
 3172 succeeds.
 3173 
 3174 However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is
 3175 no CRL information available for the issuing CA, then verification
 3176 fails.
 3177 
 3178 \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the
 3179 policy is such that up-to-date CRLs must be present for every CA.
 3180 
 3181 \item[{\sphinxstylestrong{pkinit\_require\_freshness}}] \leavevmode
 3182 Specifies whether to require clients to include a freshness token
 3183 in PKINIT requests.  The default value is false.  (New in release
 3184 1.17.)
 3185 
 3186 \end{description}
 3187 
 3188 
 3189 \subsubsection{Encryption types}
 3190 \label{\detokenize{admin/conf_files/kdc_conf:id6}}\label{\detokenize{admin/conf_files/kdc_conf:encryption-types}}
 3191 Any tag in the configuration files which requires a list of encryption
 3192 types can be set to some combination of the following strings.
 3193 Encryption types marked as “weak” are available for compatibility but
 3194 not recommended for use.
 3195 
 3196 
 3197 \begin{savenotes}\sphinxattablestart
 3198 \centering
 3199 \begin{tabulary}{\linewidth}[t]{|T|T|}
 3200 \hline
 3201 
 3202 des3-cbc-raw
 3203 &
 3204 Triple DES cbc mode raw (weak)
 3205 \\
 3206 \hline
 3207 des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd
 3208 &
 3209 Triple DES cbc mode with HMAC/sha1
 3210 \\
 3211 \hline
 3212 aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1
 3213 &
 3214 AES-256 CTS mode with 96-bit SHA-1 HMAC
 3215 \\
 3216 \hline
 3217 aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1
 3218 &
 3219 AES-128 CTS mode with 96-bit SHA-1 HMAC
 3220 \\
 3221 \hline
 3222 aes256-cts-hmac-sha384-192 aes256-sha2
 3223 &
 3224 AES-256 CTS mode with 192-bit SHA-384 HMAC
 3225 \\
 3226 \hline
 3227 aes128-cts-hmac-sha256-128 aes128-sha2
 3228 &
 3229 AES-128 CTS mode with 128-bit SHA-256 HMAC
 3230 \\
 3231 \hline
 3232 arcfour-hmac rc4-hmac arcfour-hmac-md5
 3233 &
 3234 RC4 with HMAC/MD5
 3235 \\
 3236 \hline
 3237 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
 3238 &
 3239 Exportable RC4 with HMAC/MD5 (weak)
 3240 \\
 3241 \hline
 3242 camellia256-cts-cmac camellia256-cts
 3243 &
 3244 Camellia-256 CTS mode with CMAC
 3245 \\
 3246 \hline
 3247 camellia128-cts-cmac camellia128-cts
 3248 &
 3249 Camellia-128 CTS mode with CMAC
 3250 \\
 3251 \hline
 3252 des3
 3253 &
 3254 The triple DES family: des3-cbc-sha1
 3255 \\
 3256 \hline
 3257 aes
 3258 &
 3259 The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
 3260 \\
 3261 \hline
 3262 rc4
 3263 &
 3264 The RC4 family: arcfour-hmac
 3265 \\
 3266 \hline
 3267 camellia
 3268 &
 3269 The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
 3270 \\
 3271 \hline
 3272 \end{tabulary}
 3273 \par
 3274 \sphinxattableend\end{savenotes}
 3275 
 3276 The string \sphinxstylestrong{DEFAULT} can be used to refer to the default set of
 3277 types for the variable in question.  Types or families can be removed
 3278 from the current list by prefixing them with a minus sign (“-”).
 3279 Types or families can be prefixed with a plus sign (“+”) for symmetry;
 3280 it has the same meaning as just listing the type or family.  For
 3281 example, “\sphinxcode{DEFAULT -rc4}” would be the default set of encryption
 3282 types with RC4 types removed, and “\sphinxcode{des3 DEFAULT}” would be the
 3283 default set of encryption types with triple DES types moved to the
 3284 front.
 3285 
 3286 While \sphinxstylestrong{aes128-cts} and \sphinxstylestrong{aes256-cts} are supported for all Kerberos
 3287 operations, they are not supported by very old versions of our GSSAPI
 3288 implementation (krb5-1.3.1 and earlier).  Services running versions of
 3289 krb5 without AES support must not be given keys of these encryption
 3290 types in the KDC database.
 3291 
 3292 The \sphinxstylestrong{aes128-sha2} and \sphinxstylestrong{aes256-sha2} encryption types are new in
 3293 release 1.15.  Services running versions of krb5 without support for
 3294 these newer encryption types must not be given keys of these
 3295 encryption types in the KDC database.
 3296 
 3297 
 3298 \subsubsection{Keysalt lists}
 3299 \label{\detokenize{admin/conf_files/kdc_conf:id7}}\label{\detokenize{admin/conf_files/kdc_conf:keysalt-lists}}
 3300 Kerberos keys for users are usually derived from passwords.  Kerberos
 3301 commands and configuration parameters that affect generation of keys
 3302 take lists of enctype-salttype (“keysalt”) pairs, known as \sphinxstyleemphasis{keysalt
 3303 lists}.  Each keysalt pair is an enctype name followed by a salttype
 3304 name, in the format \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt}.  Individual keysalt list members are
 3305 separated by comma (“,”) characters or space characters.  For example:
 3306 
 3307 \fvset{hllines={, ,}}%
 3308 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3309 \PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}
 3310 \end{sphinxVerbatim}
 3311 
 3312 would start up kadmin so that by default it would generate
 3313 password-derived keys for the \sphinxstylestrong{aes256-cts} and \sphinxstylestrong{aes128-cts}
 3314 encryption types, using a \sphinxstylestrong{normal} salt.
 3315 
 3316 To ensure that people who happen to pick the same password do not have
 3317 the same key, Kerberos 5 incorporates more information into the key
 3318 using something called a salt.  The supported salt types are as
 3319 follows:
 3320 
 3321 
 3322 \begin{savenotes}\sphinxattablestart
 3323 \centering
 3324 \begin{tabulary}{\linewidth}[t]{|T|T|}
 3325 \hline
 3326 
 3327 normal
 3328 &
 3329 default for Kerberos Version 5
 3330 \\
 3331 \hline
 3332 norealm
 3333 &
 3334 same as the default, without using realm information
 3335 \\
 3336 \hline
 3337 onlyrealm
 3338 &
 3339 uses only realm information as the salt
 3340 \\
 3341 \hline
 3342 special
 3343 &
 3344 generate a random salt
 3345 \\
 3346 \hline
 3347 \end{tabulary}
 3348 \par
 3349 \sphinxattableend\end{savenotes}
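
As an added example (not MIT krb5 code and not part of this manual), the
following resolves an encryption-type list the way the rules above describe,
left to right with \sphinxcode{DEFAULT}, family names, aliases, \sphinxcode{-}
removal and \sphinxcode{+} addition, and parses a keysalt list into
(enctype, salttype) pairs.  The alias, family and weak tables are transcribed
from the encryption-type table above; the \sphinxcode{DEFAULT} set differs
per configuration tag, so the caller supplies it, and the one used under
the usage block at the bottom is constructed for illustration rather than
the KDC's real default.

```python
# Resolve krb5 encryption-type lists and keysalt lists.  Added example,
# not MIT krb5 code.  The alias, family and weak tables are transcribed
# from the "Encryption types" table; the DEFAULT set differs per tag, so
# the caller passes it in (the one under __main__ is constructed).

# (canonical name, aliases) rows of the table.
_ENCTYPE_TABLE = [
    ("des3-cbc-raw", []),
    ("des3-cbc-sha1", ["des3-hmac-sha1", "des3-cbc-sha1-kd"]),
    ("aes256-cts-hmac-sha1-96", ["aes256-cts", "aes256-sha1"]),
    ("aes128-cts-hmac-sha1-96", ["aes128-cts", "aes128-sha1"]),
    ("aes256-cts-hmac-sha384-192", ["aes256-sha2"]),
    ("aes128-cts-hmac-sha256-128", ["aes128-sha2"]),
    ("arcfour-hmac", ["rc4-hmac", "arcfour-hmac-md5"]),
    ("arcfour-hmac-exp", ["rc4-hmac-exp", "arcfour-hmac-md5-exp"]),
    ("camellia256-cts-cmac", ["camellia256-cts"]),
    ("camellia128-cts-cmac", ["camellia128-cts"]),
]
CANONICAL = {name: canon for canon, aliases in _ENCTYPE_TABLE
             for name in [canon] + aliases}
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
WEAK = {"des3-cbc-raw", "arcfour-hmac-exp"}      # the table's "(weak)" rows
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}


def expand(token, default):
    """Map DEFAULT, a family name, a type or an alias to canonical enctypes."""
    if token == "DEFAULT":
        return list(default)
    if token in FAMILIES:
        return list(FAMILIES[token])
    if token in CANONICAL:
        return [CANONICAL[token]]
    raise ValueError(f"unknown encryption type {token!r}")


def resolve_enctypes(spec, default):
    """Apply a list left to right: '-x' removes, 'x' or '+x' appends once."""
    result = []
    for token in spec.replace(",", " ").split():
        if token.startswith("-"):
            for enc in expand(token[1:], default):
                while enc in result:
                    result.remove(enc)
        else:
            for enc in expand(token.lstrip("+"), default):
                if enc not in result:
                    result.append(enc)
    return result


def parse_keysalts(spec):
    """Parse 'enc:salt[,enc:salt...]' into [(canonical enctype, salttype)]."""
    pairs = []
    for member in spec.replace(",", " ").split():
        enc, sep, salt = member.partition(":")
        if not sep or salt not in SALTTYPES:
            raise ValueError(f"bad keysalt {member!r}: expected enc:salt")
        if enc not in CANONICAL:
            raise ValueError(f"unknown encryption type {enc!r} in {member!r}")
        pairs.append((CANONICAL[enc], salt))
    return pairs


def weak_members(enctypes):
    """Return the members of a resolved list that the table marks weak."""
    return [enc for enc in enctypes if enc in WEAK]


if __name__ == "__main__":
    # Constructed DEFAULT set for illustration; the real one depends on the tag.
    default = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
               "des3-cbc-sha1", "arcfour-hmac"]
    print(resolve_enctypes("DEFAULT -rc4", default))
    print(resolve_enctypes("des3 DEFAULT", default))
    print(weak_members(resolve_enctypes("DEFAULT des3-cbc-raw", default)))
    print(parse_keysalts("aes256-cts:normal,aes128-cts:normal"))
```

Running it against a candidate \sphinxcode{supported\_enctypes} or
\sphinxcode{permitted\_enctypes} value shows exactly which types, in which
order, the KDC would end up with, and \sphinxcode{weak\_members} reports any
that the table marks weak.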
 3350 
 3351 
 3352 \subsubsection{Sample kdc.conf File}
 3353 \label{\detokenize{admin/conf_files/kdc_conf:sample-kdc-conf-file}}
 3354 Here’s an example of a kdc.conf file:
 3355 
 3356 \fvset{hllines={, ,}}%
 3357 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3358 \PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
 3359     \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
 3360     \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
 3361 \PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
 3362     \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 3363         \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749}
 3364         \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
 3365         \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
 3366         \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
 3367         \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}
 3368         \PYG{n}{database\PYGZus{}module} \PYG{o}{=} \PYG{n}{openldap\PYGZus{}ldapconf}
 3369     \PYG{p}{\PYGZcb{}}
 3370 
 3371 \PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
 3372     \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{log}
 3373     \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
 3374 
 3375 \PYG{p}{[}\PYG{n}{dbdefaults}\PYG{p}{]}
 3376     \PYG{n}{ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn} \PYG{o}{=} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbcontainer}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{mit}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{edu}
 3377 
 3378 \PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
 3379     \PYG{n}{openldap\PYGZus{}ldapconf} \PYG{o}{=} \PYG{p}{\PYGZob{}}
 3380         \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{kldap}
 3381         \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true}
 3382         \PYG{n}{ldap\PYGZus{}kdc\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}}
 3383             \PYG{c+c1}{\PYGZsh{} this object needs to have read rights on}
 3384             \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees}
 3385         \PYG{n}{ldap\PYGZus{}kadmind\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}}
 3386             \PYG{c+c1}{\PYGZsh{} this object needs to have read and write rights on}
 3387             \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees}
 3388         \PYG{n}{ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file} \PYG{o}{=} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile}
 3389         \PYG{n}{ldap\PYGZus{}servers} \PYG{o}{=} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
 3390         \PYG{n}{ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server} \PYG{o}{=} \PYG{l+m+mi}{5}
 3391     \PYG{p}{\PYGZcb{}}
 3392 \end{sphinxVerbatim}
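
The script below is an added example, not code from MIT krb5 or this
manual.  It parses the krb5 profile format far enough for a kdc.conf like
the sample above (sections, repeated relations, brace subsections, quoted
values, the trailing \sphinxcode{*} final marker and \sphinxcode{\#} or
\sphinxcode{;} comment lines) and then flags the settings that the
{[}dbmodules{]}, {[}logging{]}, PKINIT and encryption-type sections warn
about: \sphinxcode{ldap\_servers} entries that are not \sphinxcode{ldapi:} or
\sphinxcode{ldaps:}, \sphinxcode{disable\_lockout = true},
\sphinxcode{pkinit\_eku\_checking = none} (looked up in the realm subsection
first and then in {[}kdcdefaults{]}, matching the search order given for
PKINIT options), \sphinxcode{FILE=} and \sphinxcode{DEVICE=/dev/null}
logging specifications, and enctypes the table marks as weak.  The
configuration embedded in it is constructed for the example; its realm,
hostnames and DNs are placeholders.

```python
# Audit a kdc.conf for settings this section warns about.  Added example,
# not MIT krb5 code: parse_profile() reads the krb5 profile format as
# kdc.conf uses it and audit() applies the checks.  SAMPLE_KDC_CONF is
# constructed for the example; its realm, hosts and DNs are placeholders.
import sys

# Enctypes (with aliases) that the "Encryption types" table marks weak.
WEAK_ENCTYPES = {"des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp",
                 "arcfour-hmac-md5-exp"}
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # krb5 boolean spellings


def parse_profile(text):
    """Return {section: {tag: [value or subsection dict, ...]}}."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):      # comment lines only
            continue
        if not stack and line.startswith("[") and line.endswith("]"):
            section = root.setdefault(line[1:-1].strip(), {})
            continue
        if line.startswith("}"):                          # '}' or final '}*'
            if not stack:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        if section is None or "=" not in line:
            raise ValueError("cannot parse line: %r" % raw)
        tag, value = (part.strip() for part in line.split("=", 1))
        container = stack[-1] if stack else section
        if value.startswith("{"):                         # open a subsection
            container.setdefault(tag, []).append({})
            stack.append(container[tag][-1])
            continue
        value = value.rstrip("*").strip()                 # drop final marker
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        container.setdefault(tag, []).append(value)       # repeats accumulate
    return root


def subsections(section):
    """Yield (name, dict) for each brace subsection of a section."""
    return ((n, v) for n, vs in section.items() for v in vs if isinstance(v, dict))


def pkinit_setting(conf, realm, tag, default):
    """PKINIT lookup order: realm subsection, then [kdcdefaults], else default."""
    values = realm.get(tag) or conf.get("kdcdefaults", {}).get(tag) or [default]
    return values[0]


def audit(conf):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, mod in subsections(conf.get("dbmodules", {})):
        for uri in " ".join(mod.get("ldap_servers", [])).split():
            if not uri.startswith(("ldapi:", "ldaps:")):
                findings.append(f"dbmodules/{name}: {uri} is not an ldapi: or ldaps: URL")
        if mod.get("disable_lockout", ["false"])[0].lower() in TRUE_WORDS:
            findings.append(f"dbmodules/{name}: disable_lockout = true turns off account lockout")
    for name, realm in subsections(conf.get("realms", {})):
        for tag in ("master_key_type", "supported_enctypes"):
            for member in " ".join(realm.get(tag, [])).replace(",", " ").split():
                enc = member.split(":", 1)[0].lstrip("+")  # enc:salt -> enc
                if enc in WEAK_ENCTYPES:
                    findings.append(f"realms/{name}: {tag} includes weak enctype {enc}")
        if pkinit_setting(conf, realm, "pkinit_eku_checking", "kpClientAuth").lower() == "none":
            findings.append(f"realms/{name}: pkinit_eku_checking = none skips EKU checking")
    for tag, specs in conf.get("logging", {}).items():
        for spec in (s for s in specs if isinstance(s, str)):
            if spec.startswith("FILE="):
                findings.append(f"logging/{tag}: {spec} truncates the log at every start; use FILE:")
            elif spec == "DEVICE=/dev/null":
                findings.append(f"logging/{tag}: {spec} discards all log output")
    return findings


SAMPLE_KDC_CONF = """\
[kdcdefaults]
    pkinit_eku_checking = none
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac-exp:normal
    }
[logging]
    kdc = FILE=/var/log/krb5kdc.log
    admin_server = DEVICE=/dev/null
[dbmodules]
    ldapconf = {
        db_library = kldap
        disable_lockout = true
        ldap_kdc_dn = "cn=kdc,dc=example,dc=com"
        ldap_servers = ldap://ldap.example.com ldapi:///
    }
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KDC_CONF
    for finding in audit(parse_profile(text)):
        print(finding)
```

Pointed at a real file (\sphinxcode{python3 audit\_kdc\_conf.py /etc/krb5kdc/kdc.conf},
the script name being a placeholder) it reports one line per finding; the
sample configuration produces six.  The checks are deliberately limited to
what this section states, so extending the weak set beyond the table's
\sphinxcode{(weak)} rows is a local policy decision rather than something the
manual prescribes.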
 3393 
 3394 
 3395 \subsubsection{FILES}
 3396 \label{\detokenize{admin/conf_files/kdc_conf:files}}
 3397 {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kdc.conf}
 3398 
 3399 
 3400 \subsubsection{SEE ALSO}
 3401 \label{\detokenize{admin/conf_files/kdc_conf:see-also}}
 3402 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}
 3403 
 3404 
 3405 \subsection{kadm5.acl}
 3406 \label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl}}\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}}\label{\detokenize{admin/conf_files/kadm5_acl::doc}}
 3407 
 3408 \subsubsection{DESCRIPTION}
 3409 \label{\detokenize{admin/conf_files/kadm5_acl:description}}
 3410 The Kerberos {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon uses an Access Control List
 3411 (ACL) file to manage access rights to the Kerberos database.
 3412 For operations that affect principals, the ACL file also controls
 3413 which principals can operate on which other principals.
 3414 
 3415 The default location of the Kerberos ACL file is
 3416 {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}  unless this is overridden by the \sphinxstyleemphasis{acl\_file}
 3417 variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.
 3418 
 3419 
 3420 \subsubsection{SYNTAX}
 3421 \label{\detokenize{admin/conf_files/kadm5_acl:syntax}}
 3422 Empty lines and lines starting with the sharp sign (\sphinxcode{\#}) are
 3423 ignored.  Lines containing ACL entries have the format:
 3424 
 3425 \fvset{hllines={, ,}}%
 3426 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3427 \PYG{n}{principal}  \PYG{n}{permissions}  \PYG{p}{[}\PYG{n}{target\PYGZus{}principal}  \PYG{p}{[}\PYG{n}{restrictions}\PYG{p}{]} \PYG{p}{]}
 3428 \end{sphinxVerbatim}
 3429 
 3430 \begin{sphinxadmonition}{note}{Note:}
 3431 Line order in the ACL file is important.  The first matching entry
 3432 will control access for an actor principal on a target principal.
 3433 \end{sphinxadmonition}
 3434 \begin{description}
 3435 \item[{\sphinxstyleemphasis{principal}}] \leavevmode
 3436 (Partially or fully qualified Kerberos principal name.) Specifies
 3437 the principal whose permissions are to be set.
 3438 
 3439 Each component of the name may be wildcarded using the \sphinxcode{*}
 3440 character.
 3441 
 3442 \item[{\sphinxstyleemphasis{permissions}}] \leavevmode
 3443 Specifies what operations may or may not be performed by a
 3444 \sphinxstyleemphasis{principal} matching a particular entry.  This is a string of one or
 3445 more of the following list of characters or their upper-case
 3446 counterparts.  If the character is \sphinxstyleemphasis{upper-case}, then the operation
 3447 is disallowed.  If the character is \sphinxstyleemphasis{lower-case}, then the operation
 3448 is permitted.
 3449 
 3450 
 3451 \begin{savenotes}\sphinxattablestart
 3452 \centering
 3453 \begin{tabulary}{\linewidth}[t]{|T|T|}
 3454 \hline
 3455 
 3456 a
 3457 &
 3458 {[}Dis{]}allows the addition of principals or policies
 3459 \\
 3460 \hline
 3461 c
 3462 &
 3463 {[}Dis{]}allows the changing of passwords for principals
 3464 \\
 3465 \hline
 3466 d
 3467 &
 3468 {[}Dis{]}allows the deletion of principals or policies
 3469 \\
 3470 \hline
 3471 e
 3472 &
 3473 {[}Dis{]}allows the extraction of principal keys
 3474 \\
 3475 \hline
 3476 i
 3477 &
 3478 {[}Dis{]}allows inquiries about principals or policies
 3479 \\
 3480 \hline
 3481 l
 3482 &
 3483 {[}Dis{]}allows the listing of all principals or policies
 3484 \\
 3485 \hline
 3486 m
 3487 &
 3488 {[}Dis{]}allows the modification of principals or policies
 3489 \\
 3490 \hline
 3491 p
 3492 &
 3493 {[}Dis{]}allows the propagation of the principal database (used in {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}})
 3494 \\
 3495 \hline
 3496 s
 3497 &
 3498 {[}Dis{]}allows the explicit setting of the key for a principal
 3499 \\
 3500 \hline
 3501 x
 3502 &
 3503 Short for admcilsp. All privileges (except \sphinxcode{e})
 3504 \\
 3505 \hline
 3506 *
 3507 &
 3508 Same as x.
 3509 \\
 3510 \hline
 3511 \end{tabulary}
 3512 \par
 3513 \sphinxattableend\end{savenotes}
 3514 
 3515 \end{description}
 3516 
 3517 \begin{sphinxadmonition}{note}{Note:}
 3518 The \sphinxcode{extract} privilege is not included in the wildcard
 3519 privilege; it must be explicitly assigned.  This privilege
 3520 allows the user to extract keys from the database, and must be
 3521 handled with great care to avoid disclosure of important keys
 3522 like those of the kadmin/* or krbtgt/* principals.  The
 3523 \sphinxstylestrong{lockdown\_keys} principal attribute can be used to prevent
 3524 key extraction from specific principals regardless of the
 3525 granted privilege.
 3526 \end{sphinxadmonition}
 3527 \begin{description}
 3528 \item[{\sphinxstyleemphasis{target\_principal}}] \leavevmode
 3529 (Optional. Partially or fully qualified Kerberos principal name.)
 3530 Specifies the principal on which \sphinxstyleemphasis{permissions} may be applied.
 3531 Each component of the name may be wildcarded using the \sphinxcode{*}
 3532 character.
 3533 
 3534 \sphinxstyleemphasis{target\_principal} can also include back-references to \sphinxstyleemphasis{principal},
 3535 in which \sphinxcode{*number} matches the corresponding wildcard in
 3536 \sphinxstyleemphasis{principal}.
 3537 
 3538 \item[{\sphinxstyleemphasis{restrictions}}] \leavevmode
 3539 (Optional) A string of flags. Allowed restrictions are:
 3540 \begin{quote}
 3541 \begin{description}
 3542 \item[{\{+\textbar{}-\}\sphinxstyleemphasis{flagname}}] \leavevmode
 3543 flag is forced to the indicated value.  The permissible flags
 3544 are the same as those for the \sphinxstylestrong{default\_principal\_flags}
 3545 variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.
 3546 
 3547 \item[{\sphinxstyleemphasis{-clearpolicy}}] \leavevmode
 3548 policy is forced to be empty.
 3549 
 3550 \item[{\sphinxstyleemphasis{-policy pol}}] \leavevmode
 3551 policy is forced to be \sphinxstyleemphasis{pol}.
 3552 
 3553 \item[{-\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}}] \leavevmode
 3554 (\DUrole{xref,std,std-ref}{getdate} string) associated value will be forced to
 3555 MIN(\sphinxstyleemphasis{time}, requested value).
 3556 
 3557 \end{description}
 3558 \end{quote}
 3559 
 3560 The above flags act as restrictions on any add or modify operation
 3561 which is allowed due to that ACL line.
 3562 
 3563 \end{description}
 3564 
 3565 \begin{sphinxadmonition}{warning}{Warning:}
 3566 If the kadmind ACL file is modified, the kadmind daemon needs to be
 3567 restarted for changes to take effect.
 3568 \end{sphinxadmonition}
 3569 
 3570 
 3571 \subsubsection{EXAMPLE}
 3572 \label{\detokenize{admin/conf_files/kadm5_acl:example}}
 3573 Here is an example of a kadm5.acl file:
 3574 
 3575 \fvset{hllines={, ,}}%
 3576 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3577 \PYG{o}{*}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}    \PYG{o}{*}                               \PYG{c+c1}{\PYGZsh{} line 1}
 3578 \PYG{n}{joeadmin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}   \PYG{n}{ADMCIL}                          \PYG{c+c1}{\PYGZsh{} line 2}
 3579 \PYG{n}{joeadmin}\PYG{o}{/}\PYG{o}{*}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{i}   \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}       \PYG{c+c1}{\PYGZsh{} line 3}
 3580 \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}     \PYG{n}{ci}  \PYG{o}{*}\PYG{l+m+mi}{1}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}           \PYG{c+c1}{\PYGZsh{} line 4}
 3581 \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}     \PYG{n}{l}   \PYG{o}{*}                           \PYG{c+c1}{\PYGZsh{} line 5}
 3582 \PYG{n}{sms}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}        \PYG{n}{x}   \PYG{o}{*} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+m+mi}{9}\PYG{n}{h} \PYG{o}{\PYGZhy{}}\PYG{n}{postdateable} \PYG{c+c1}{\PYGZsh{} line 6}
 3583 \end{sphinxVerbatim}
 3584 
 3585 (line 1) Any principal in the \sphinxcode{ATHENA.MIT.EDU} realm with an
 3586 \sphinxcode{admin} instance has all administrative privileges except extracting
 3587 keys.
 3588 
 3589 (lines 1-3) The user \sphinxcode{joeadmin} has all permissions except
 3590 extracting keys with his \sphinxcode{admin} instance,
 3591 \sphinxcode{joeadmin/admin@ATHENA.MIT.EDU} (matches line 1).  He has no
 3592 permissions at all with his null instance, \sphinxcode{joeadmin@ATHENA.MIT.EDU}
 3593 (matches line 2).  His \sphinxcode{root} and other non-\sphinxcode{admin}, non-null
 3594 instances (e.g., \sphinxcode{extra} or \sphinxcode{dbadmin}) have inquire permissions
 3595 with any principal that has the instance \sphinxcode{root} (matches line 3).
 3596 
 3597 (line 4) Any \sphinxcode{root} principal in \sphinxcode{ATHENA.MIT.EDU} can inquire
 3598 or change the password of their null instance, but not any other
 3599 null instance.  (Here, \sphinxcode{*1} denotes a back-reference to the
 3600 component matching the first wildcard in the actor principal.)
 3601 
 3602 (line 5) Any \sphinxcode{root} principal in \sphinxcode{ATHENA.MIT.EDU} can generate
 3603 the list of principals in the database, and the list of policies
 3604 in the database.  This line is separate from line 4, because list
 3605 permission can only be granted globally, not to specific target
 3606 principals.
 3607 
 3608 (line 6) Finally, the Service Management System principal
 3609 \sphinxcode{sms@ATHENA.MIT.EDU} has all permissions except extracting keys, but
 3610 any principal that it creates or modifies will not be able to get
 3611 postdateable tickets or tickets with a life of longer than 9 hours.
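
The rules above (first match wins, per-component \sphinxcode{*}
wildcards, \sphinxcode{*}\sphinxstyleemphasis{number} back-references in the
target, lower-case grants against upper-case denials, \sphinxcode{x} and
\sphinxcode{*} expanding to \sphinxcode{admcilsp} without \sphinxcode{e}, and
list permission reachable only through entries without a specific target)
can be checked mechanically against the example file.  The following Python
script is an added illustration and not kadmind’s own ACL parser.  It strips
trailing \sphinxcode{\#} comments so that the example above can be fed in
unchanged, requires fully qualified principal names, numbers wildcards left
to right with the realm counted last, and returns restriction values
(getdate strings, policy names) uninterpreted; all of these are assumptions
of the example, and actor names such as
\sphinxcode{alice/root@ATHENA.MIT.EDU} are illustrative.

```python
"""Evaluate kadm5.acl entries under the rules described above.  Added example,
not kadmind's ACL code.  Assumptions: trailing '#' comments are stripped,
principal names are fully qualified, wildcards are numbered left to right with
the realm counted last, and restriction values are kept uninterpreted."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_OPS = "admcilsp"          # what 'x' and '*' expand to; 'e' is deliberately absent
ARG_RESTRICTIONS = {"-policy", "-expire", "-pwexpire", "-maxlife", "-maxrenewlife"}
# Constructed input: the example file from this page, comments included.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""

@dataclass
class AclEntry:
    lineno: int
    principal: Optional[List[str]]  # components, realm last; None for a bare '*' (anyone)
    allowed: str                    # lower-case operations this entry permits
    target: Optional[List[str]]     # None when absent or '*': any target, or no target at all
    restrictions: List[Tuple[str, Optional[str]]]

def split_principal(name: str) -> List[str]:
    """'joeadmin/root@ATHENA.MIT.EDU' -> ['joeadmin', 'root', 'ATHENA.MIT.EDU']."""
    if "@" not in name:
        raise ValueError(f"expected a fully qualified principal, got {name!r}")
    body, realm = name.rsplit("@", 1)
    return body.split("/") + [realm]

def expand_ops(perm: str) -> str:
    """Lower-case grants; upper-case denies (grants nothing); 'x' and '*' mean admcilsp."""
    granted = set()
    for ch in perm:
        if ch.lower() not in "admcilspex*":
            raise ValueError(f"unknown permission character {ch!r}")
        if not ch.isupper():
            granted.update(ALL_OPS if ch in "x*" else ch)
    return "".join(sorted(granted))

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # blank lines and comments are ignored
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least principal and permissions")
        principal = None if fields[0] == "*" else split_principal(fields[0])
        target, rest = None, fields[2:]
        if rest and rest[0][0] not in "+-":      # third field, if any, is the target
            tgt = rest.pop(0)
            target = None if tgt == "*" else split_principal(tgt)
        restrictions, i = [], 0
        while i < len(rest):                     # restriction flags, some taking a value
            value = rest[i + 1] if rest[i] in ARG_RESTRICTIONS else None
            restrictions.append((rest[i], value))
            i += 1 if value is None else 2
        entries.append(AclEntry(lineno, principal, expand_ops(fields[1]), target, restrictions))
    return entries

def match_components(pattern: List[str], name: List[str], captures: List[str]) -> bool:
    """Component-wise match.  '*' matches one whole component and records it; '*N' must
    equal the component recorded by the N-th wildcard of the actor pattern."""
    if len(pattern) != len(name):
        return False
    for p, n in zip(pattern, name):
        if p == "*":
            captures.append(n)
        elif p.startswith("*") and p[1:].isdigit():
            idx = int(p[1:]) - 1
            if idx >= len(captures) or captures[idx] != n:
                return False
        elif p != n:
            return False
    return True

def check(entries: List[AclEntry], actor: str, op: str,
          target: Optional[str] = None) -> Tuple[bool, Optional[AclEntry]]:
    """First-match evaluation: returns (permitted, the entry that decided it or None)."""
    actor_c = split_principal(actor)
    target_c = split_principal(target) if target else None
    for e in entries:
        captures: List[str] = []
        if e.principal is not None and not match_components(e.principal, actor_c, captures):
            continue
        # An entry naming a specific target never matches an untargeted operation such as 'l'.
        if e.target is not None and (target_c is None or
                                     not match_components(e.target, target_c, captures)):
            continue
        return op in e.allowed, e
    return False, None                           # nothing matched: the ACL grants nothing
```

\sphinxcode{check(acl, actor, op, target)} returns the decision together
with the entry that made it, so the first-match rule can be audited:
\sphinxcode{alice/root@ATHENA.MIT.EDU} may change the password of
\sphinxcode{alice@ATHENA.MIT.EDU} (line 4) but not of
\sphinxcode{bob@ATHENA.MIT.EDU}, because the first entry that matches that
pair is line 5, which grants only \sphinxcode{l}; an actor that matches no
entry at all gets nothing.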
 3612 
 3613 
 3614 \subsubsection{MODULE BEHAVIOR}
 3615 \label{\detokenize{admin/conf_files/kadm5_acl:module-behavior}}
 3616 The ACL file can coexist with other authorization modules in release
 3617 1.16 and later, as configured in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-auth}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5\_auth interface}}}} section of
 3618 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  The ACL file will positively authorize
 3619 operations according to the rules above, but will never
 3620 authoritatively deny an operation, so other modules can authorize
 3621 operations in addition to those authorized by the ACL file.
 3622 
 3623 To operate without an ACL file, set the \sphinxstyleemphasis{acl\_file} variable in
 3624 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to the empty string with \sphinxcode{acl\_file = ""}.
 3625 
 3626 
 3627 \subsubsection{SEE ALSO}
 3628 \label{\detokenize{admin/conf_files/kadm5_acl:see-also}}
 3629 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
 3630 
 3631 
 3632 \chapter{Realm configuration decisions}
 3633 \label{\detokenize{admin/realm_config:realm-configuration-decisions}}\label{\detokenize{admin/realm_config::doc}}
 3634 Before installing Kerberos V5, it is necessary to consider the
 3635 following issues:
 3636 \begin{itemize}
 3637 \item {} 
 3638 The name of your Kerberos realm (or the name of each realm, if you
 3639 need more than one).
 3640 
 3641 \item {} 
 3642 How you will assign your hostnames to Kerberos realms.
 3643 
 3644 \item {} 
Which ports your KDC and kadmind services will use, if they will
not be using the default ports.
 3647 
 3648 \item {} 
 3649 How many replica KDCs you need and where they should be located.
 3650 
 3651 \item {} 
 3652 The hostnames of your master and replica KDCs.
 3653 
 3654 \item {} 
 3655 How frequently you will propagate the database from the master KDC
 3656 to the replica KDCs.
 3657 
 3658 \end{itemize}
 3659 
 3660 
 3661 \section{Realm name}
 3662 \label{\detokenize{admin/realm_config:realm-name}}
 3663 Although your Kerberos realm can be any ASCII string, convention is to
 3664 make it the same as your domain name, in upper-case letters.
 3665 
 3666 For example, hosts in the domain \sphinxcode{example.com} would be in the
 3667 Kerberos realm:
 3668 
 3669 \fvset{hllines={, ,}}%
 3670 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3671 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
 3672 \end{sphinxVerbatim}
 3673 
 3674 If you need multiple Kerberos realms, MIT recommends that you use
 3675 descriptive names which end with your domain name, such as:
 3676 
 3677 \fvset{hllines={, ,}}%
 3678 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3679 \PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
 3680 \PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
 3681 \end{sphinxVerbatim}
 3682 
 3683 
 3684 \section{Mapping hostnames onto Kerberos realms}
 3685 \label{\detokenize{admin/realm_config:mapping-hostnames-onto-kerberos-realms}}\label{\detokenize{admin/realm_config:mapping-hostnames}}
 3686 Mapping hostnames onto Kerberos realms is done in one of three ways.
 3687 
 3688 The first mechanism works through a set of rules in the
 3689 {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  You can specify
 3690 mappings for an entire domain or on a per-hostname basis.  Typically
 3691 you would do this by specifying the mappings for a given domain or
 3692 subdomain and listing the exceptions.
 3693 
 3694 The second mechanism is to use KDC host-based service referrals.  With
 3695 this method, the KDC’s krb5.conf has a full {[}domain\_realm{]} mapping for
 3696 hosts, but the clients do not, or have mappings for only a subset of
 3697 the hosts they might contact.  When a client needs to contact a server
 3698 host for which it has no mapping, it will ask the client realm’s KDC
 3699 for the service ticket, and will receive a referral to the appropriate
 3700 service realm.
 3701 
 3702 To use referrals, clients must be running MIT krb5 1.6 or later, and
 3703 the KDC must be running MIT krb5 1.7 or later.  The
 3704 \sphinxstylestrong{host\_based\_services} and \sphinxstylestrong{no\_host\_referral} variables in the
 3705 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} can be used to
 3706 fine-tune referral behavior on the KDC.
 3707 
It is also possible for clients to use DNS TXT records, if
\sphinxstylestrong{dns\_lookup\_realm} is enabled in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Such lookups
are disabled by default because plain DNS is unauthenticated: a spoofed
TXT answer would map a host to a realm of the attacker’s choosing, and
security holes could result.  If enabled, the client
 3712 will try to look up a TXT record formed by prepending the prefix
 3713 \sphinxcode{\_kerberos} to the hostname in question.  If that record is not
 3714 found, the client will attempt a lookup by prepending \sphinxcode{\_kerberos} to the
 3715 host’s domain name, then its parent domain, up to the top-level domain.
 3716 For the hostname \sphinxcode{boston.engineering.example.com}, the names looked up
 3717 would be:
 3718 
 3719 \fvset{hllines={, ,}}%
 3720 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3721 \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 3722 \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 3723 \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 3724 \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com}
 3725 \end{sphinxVerbatim}
 3726 
 3727 The value of the first TXT record found is taken as the realm name.
 3728 
 3729 Even if you do not choose to use this mechanism within your site,
 3730 you may wish to set it up anyway, for use when interacting with other sites.
 3731 
 3732 
 3733 \section{Ports for the KDC and admin services}
 3734 \label{\detokenize{admin/realm_config:ports-for-the-kdc-and-admin-services}}
 3735 The default ports used by Kerberos are port 88 for the KDC and port
 3736 749 for the admin server.  You can, however, choose to run on other
 3737 ports, as long as they are specified in each host’s
 3738 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} files or in DNS SRV records, and the
 3739 {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file on each KDC.  For a more thorough treatment of
 3740 port numbers used by the Kerberos V5 programs, refer to the
 3741 {\hyperref[\detokenize{admin/appl_servers:conf-firewall}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring your firewall to work with Kerberos V5}}}}.
 3742 
 3743 
 3744 \section{Replica KDCs}
 3745 \label{\detokenize{admin/realm_config:replica-kdcs}}
 3746 Replica KDCs provide an additional source of Kerberos ticket-granting
services when the master KDC is unreachable.  The
 3748 number of replica KDCs you need and the decision of where to place them,
 3749 both physically and logically, depends on the specifics of your
 3750 network.
 3751 
 3752 Kerberos authentication requires that each client be able to contact a
 3753 KDC.  Therefore, you need to anticipate any likely reason a KDC might
 3754 be unavailable and have a replica KDC to take up the slack.
 3755 
 3756 Some considerations include:
 3757 \begin{itemize}
 3758 \item {} 
 3759 Have at least one replica KDC as a backup, for when the master KDC
 3760 is down, is being upgraded, or is otherwise unavailable.
 3761 
 3762 \item {} 
 3763 If your network is split such that a network outage is likely to
 3764 cause a network partition (some segment or segments of the network
 3765 to become cut off or isolated from other segments), have a replica
 3766 KDC accessible to each segment.
 3767 
 3768 \item {} 
 3769 If possible, have at least one replica KDC in a different building
 3770 from the master, in case of power outages, fires, or other localized
 3771 disasters.
 3772 
 3773 \end{itemize}
 3774 
 3775 
 3776 \section{Hostnames for KDCs}
 3777 \label{\detokenize{admin/realm_config:kdc-hostnames}}\label{\detokenize{admin/realm_config:hostnames-for-kdcs}}
 3778 MIT recommends that your KDCs have a predefined set of CNAME records
 3779 (DNS hostname aliases), such as \sphinxcode{kerberos} for the master KDC and
 3780 \sphinxcode{kerberos-1}, \sphinxcode{kerberos-2}, … for the replica KDCs.  This way,
 3781 if you need to swap a machine, you only need to change a DNS entry,
 3782 rather than having to change hostnames.
 3783 
 3784 As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS
 3785 using SRV records (\index{RFC!RFC 2782}\sphinxhref{https://tools.ietf.org/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is
 3786 also a DNS domain name.  These records indicate the hostname and port
 3787 number to contact for that service, optionally with weighting and
 3788 prioritization.  The domain name used in the SRV record name is the
 3789 realm name.  Several different Kerberos-related service names are
 3790 used:
 3791 \begin{description}
 3792 \item[{\_kerberos.\_udp}] \leavevmode
 3793 This is for contacting any KDC by UDP.  This entry will be used
 3794 the most often.  Normally you should list port 88 on each of your
 3795 KDCs.
 3796 
\item[{\_kerberos.\_tcp}] \leavevmode
This is for contacting any KDC by TCP.  Publish it only for KDCs that
actually accept TCP: for the MIT KDC this is governed by the
\sphinxstylestrong{kdc\_tcp\_listen} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, so unless
you have enabled TCP there or you’re running another KDC
implementation that listens on TCP, you should leave this
unspecified.  If you do enable TCP support, normally you should use
port 88.
 3803 
 3804 \item[{\_kerberos-master.\_udp}] \leavevmode
This entry should refer to those KDCs, if any, that will
immediately see password changes to the Kerberos database.  If a
user is logging in and the password appears to be incorrect, the
client will retry with the master KDC before failing with an
“incorrect password” error.
 3810 
 3811 If you have only one KDC, or for whatever reason there is no
 3812 accessible KDC that would get database changes faster than the
 3813 others, you do not need to define this entry.
 3814 
 3815 \item[{\_kerberos-adm.\_tcp}] \leavevmode
 3816 This should list port 749 on your master KDC.  Support for it is
 3817 not complete at this time, but it will eventually be used by the
 3818 {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program and related utilities.  For now, you will
 3819 also need the \sphinxstylestrong{admin\_server} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.
 3820 
 3821 \item[{\_kpasswd.\_udp}] \leavevmode
This should list port 464 on your master KDC.  It is used when a
user changes her password.  If this entry is not defined but a
\_kerberos-adm.\_tcp entry is defined, the client will use the
\_kerberos-adm.\_tcp entry with the port number changed to 464.
 3826 
 3827 \end{description}
 3828 
 3829 The DNS SRV specification requires that the hostnames listed be the
 3830 canonical names, not aliases.  So, for example, you might include the
 3831 following records in your (BIND-style) zone file:
 3832 
 3833 \fvset{hllines={, ,}}%
 3834 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3835 \PYGZdl{}ORIGIN foobar.com.
 3836 \PYGZus{}kerberos               TXT       \PYGZdq{}FOOBAR.COM\PYGZdq{}
 3837 kerberos                CNAME     daisy
 3838 kerberos\PYGZhy{}1              CNAME     use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke
 3839 kerberos\PYGZhy{}2              CNAME     bunny\PYGZhy{}rabbit
 3840 \PYGZus{}kerberos.\PYGZus{}udp          SRV       0 0 88 daisy
 3841                         SRV       0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke
 3842                         SRV       0 0 88 bunny\PYGZhy{}rabbit
 3843 \PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp   SRV       0 0 88 daisy
 3844 \PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp      SRV       0 0 749 daisy
 3845 \PYGZus{}kpasswd.\PYGZus{}udp           SRV       0 0 464 daisy
 3846 \end{sphinxVerbatim}
 3847 
 3848 Clients can also be configured with the explicit location of services
 3849 using the \sphinxstylestrong{kdc}, \sphinxstylestrong{master\_kdc}, \sphinxstylestrong{admin\_server}, and
 3850 \sphinxstylestrong{kpasswd\_server} variables in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of
 3851 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Even if some clients will be configured with
 3852 explicit server locations, providing SRV records will still benefit
 3853 unconfigured clients, and be useful for other sites.
 3854 
 3855 
 3856 \section{KDC Discovery}
 3857 \label{\detokenize{admin/realm_config:kdc-discovery}}\label{\detokenize{admin/realm_config:id1}}
As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
records (\index{RFC!RFC 7553}\sphinxhref{https://tools.ietf.org/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}).  Limitations of the SRV record format may
require extra DNS queries when a client must fail over to another
transport type, or find a master server.  A URI record can
convey more information about a realm’s KDCs in a single query.
 3863 
 3864 The client performs a query for the following URI records:
 3865 \begin{itemize}
 3866 \item {} 
 3867 \sphinxcode{\_kerberos.REALM} for finding KDCs.
 3868 
 3869 \item {} 
 3870 \sphinxcode{\_kerberos-adm.REALM} for finding kadmin services.
 3871 
 3872 \item {} 
 3873 \sphinxcode{\_kpasswd.REALM} for finding password services.
 3874 
 3875 \end{itemize}
 3876 
 3877 The URI record includes a priority, weight, and a URI string that
 3878 consists of case-insensitive colon separated fields, in the form
 3879 \sphinxcode{scheme:{[}flags{]}:transport:residual}.
 3880 \begin{itemize}
 3881 \item {} 
 3882 \sphinxstyleemphasis{scheme} defines the registered URI type.  It should always be
 3883 \sphinxcode{krb5srv}.
 3884 
 3885 \item {} 
 3886 \sphinxstyleemphasis{flags} contains zero or more flag characters.  Currently the only
 3887 valid flag is \sphinxcode{m}, which indicates that the record is for a master
 3888 server.
 3889 
 3890 \item {} 
 3891 \sphinxstyleemphasis{transport} defines the transport type of the residual URL or
 3892 address.  Accepted values are \sphinxcode{tcp}, \sphinxcode{udp}, or \sphinxcode{kkdcp} for the
 3893 MS-KKDCP type.
 3894 
 3895 \item {} 
 3896 \sphinxstyleemphasis{residual} contains the hostname, IP address, or URL to be
 3897 contacted using the specified transport, with an optional port
 3898 extension.  The MS-KKDCP transport type uses a HTTPS URL, and can
 3899 include a port and/or path extension.
 3900 
 3901 \end{itemize}
 3902 
 3903 An example of URI records in a zone file:
 3904 
 3905 \fvset{hllines={, ,}}%
 3906 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 3907 \PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{URI}  \PYG{l+m+mi}{10} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{tcp}\PYG{p}{:}\PYG{n}{kdc1}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
 3908                        \PYG{n}{URI}  \PYG{l+m+mi}{20} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{n}{kdc2}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{p}{:}\PYG{l+m+mi}{89}
 3909                        \PYG{n}{URI}  \PYG{l+m+mi}{40} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{l+m+mf}{10.10}\PYG{o}{.}\PYG{l+m+mf}{0.23}
 3910                        \PYG{n}{URI}  \PYG{l+m+mi}{30} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{kkdcp}\PYG{p}{:}\PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{proxy}\PYG{p}{:}\PYG{l+m+mi}{89}\PYG{o}{/}\PYG{n}{auth}
 3911 \end{sphinxVerbatim}
 3912 
 3913 URI lookups are enabled by default, and can be disabled by setting
 3914 \sphinxstylestrong{dns\_uri\_lookup} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section of
 3915 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} to False.  When enabled, URI lookups take
 3916 precedence over SRV lookups, falling back to SRV lookups if no URI
 3917 records are found.
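
The discovery rules above (URI records first, falling back to the SRV
records described under Hostnames for KDCs) can be exercised offline on the
two zone fragments shown on this page.  The following Python script is an
added illustration, not libkrb5’s locator: it parses record text it already
has and performs no DNS queries.  It validates each \sphinxcode{krb5srv} URI
target (scheme, the \sphinxcode{m} flag, transport and residual, with an
HTTPS URL required for \sphinxcode{kkdcp}), applies the default port 88 where
a residual carries none, and orders candidates by priority and then by
descending weight.  That ordering, the minimal zone-file reader and the
\sphinxcode{KdcLocation} record type are assumptions of the example;
RFC 2782’s weighted random selection among equal priorities is not modelled.

```python
"""KDC discovery from krb5srv URI records (RFC 7553) with SRV (RFC 2782)
fallback, as described above.  Added example, not libkrb5's locator: it reads
zone-file text already in hand and performs no DNS queries.  Assumption: equal
priorities are ordered by descending weight, not RFC 2782's weighted random choice."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_TRANSPORTS = {"tcp", "udp", "kkdcp"}
SRV_OWNERS = {                      # SRV owner prefix -> (transport, master-only record)
    "_kerberos-master._udp": ("udp", True),
    "_kerberos._udp": ("udp", False),
    "_kerberos._tcp": ("tcp", False),
}
# Constructed input: the URI and SRV zone fragments shown on this page.
URI_ZONE = """\
_kerberos.EXAMPLE.COM  URI  10 1 krb5srv:m:tcp:kdc1.example.com
                       URI  20 1 krb5srv:m:udp:kdc2.example.com:89
                       URI  40 1 krb5srv::udp:10.10.0.23
                       URI  30 1 krb5srv::kkdcp:https://proxy:89/auth
"""
SRV_ZONE = """\
$ORIGIN foobar.com.
_kerberos               TXT       "FOOBAR.COM"
_kerberos._udp          SRV       0 0 88 daisy
                        SRV       0 0 88 use-the-force-luke
                        SRV       0 0 88 bunny-rabbit
_kerberos-master._udp   SRV       0 0 88 daisy
_kerberos-adm._tcp      SRV       0 0 749 daisy
"""

@dataclass(frozen=True)
class KdcLocation:
    priority: int
    weight: int
    master: bool
    transport: str        # 'tcp', 'udp' or 'kkdcp'
    host: str             # hostname or IP address; for kkdcp, the full HTTPS URL
    port: Optional[int]   # None only for kkdcp, whose URL carries any port

def parse_krb5srv_uri(priority: int, weight: int, uri: str) -> KdcLocation:
    """Validate one URI target of the form scheme:[flags]:transport:residual."""
    parts = uri.split(":", 3)       # maxsplit keeps the colons inside an HTTPS residual
    if len(parts) != 4:
        raise ValueError(f"expected scheme:[flags]:transport:residual, got {uri!r}")
    scheme, flags, transport = (p.lower() for p in parts[:3])   # fields are case-insensitive
    residual = parts[3]
    if scheme != "krb5srv":
        raise ValueError(f"unsupported scheme {scheme!r} in {uri!r}")
    if set(flags) - {"m"}:          # 'm' (master server) is the only defined flag
        raise ValueError(f"unknown flag in {flags!r} of {uri!r}")
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r} in {uri!r}")
    if transport == "kkdcp":
        if not residual.lower().startswith("https://"):
            raise ValueError(f"kkdcp residual must be an HTTPS URL, got {residual!r}")
        return KdcLocation(priority, weight, "m" in flags, transport, residual, None)
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::(\d+))?", residual)  # host, [v6addr], optional :port
    if not m:
        raise ValueError(f"bad host[:port] residual {residual!r}")
    port = int(m.group(2)) if m.group(2) else 88                # default KDC port
    return KdcLocation(priority, weight, "m" in flags, transport, m.group(1), port)

def parse_zone(text: str) -> List[Tuple[str, str, List[str]]]:
    """Minimal BIND-style reader returning (owner, type, rdata tokens).  A line that
    starts with whitespace inherits the previous owner; $ORIGIN and ';' comments are skipped."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner, tokens = tokens[0], tokens[1:]
        if owner is None:
            raise ValueError("continuation line before any owner name")
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def kdcs_from_zone(text: str) -> Tuple[List[KdcLocation], List[KdcLocation]]:
    """Split a zone into (URI-derived, SRV-derived) KDC locations; other records are ignored."""
    uri_kdcs, srv_kdcs = [], []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "URI" and owner.lower().startswith("_kerberos."):
            uri_kdcs.append(parse_krb5srv_uri(int(rdata[0]), int(rdata[1]), rdata[2]))
        elif rtype == "SRV":
            for prefix, (transport, master) in SRV_OWNERS.items():
                if owner.lower().startswith(prefix):
                    srv_kdcs.append(KdcLocation(int(rdata[0]), int(rdata[1]), master,
                                                transport, rdata[3], int(rdata[2])))
                    break
    return uri_kdcs, srv_kdcs

def discover(text: str, master_only: bool = False) -> List[KdcLocation]:
    """URI records take precedence; SRV records are consulted only when none exist."""
    uri_kdcs, srv_kdcs = kdcs_from_zone(text)
    kdcs = [k for k in (uri_kdcs or srv_kdcs) if k.master or not master_only]
    return sorted(kdcs, key=lambda k: (k.priority, -k.weight))
```

Because URI lookups take precedence, \sphinxcode{discover} returns only the
four URI targets when both fragments are present, and consults the
\sphinxcode{\_kerberos.\_udp} and \sphinxcode{\_kerberos-master.\_udp} SRV
records only when no URI record exists; the \sphinxcode{\_kerberos-adm} and
\sphinxcode{\_kpasswd} records are ignored because they locate the kadmin
and password services, not KDCs.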
 3918 
 3919 
 3920 \section{Database propagation}
 3921 \label{\detokenize{admin/realm_config:database-propagation}}\label{\detokenize{admin/realm_config:db-prop}}
 3922 The Kerberos database resides on the master KDC, and must be
 3923 propagated regularly (usually by a cron job) to the replica KDCs.  In
 3924 deciding how frequently the propagation should happen, you will need
 3925 to balance the amount of time the propagation takes against the
 3926 maximum reasonable amount of time a user should have to wait for a
 3927 password change to take effect.
 3928 
 3929 If the propagation time is longer than this maximum reasonable time
 3930 (e.g., you have a particularly large database, you have a lot of
 3931 replicas, or you experience frequent network delays), you may wish to
 3932 cut down on your propagation delay by performing the propagation in
 3933 parallel.  To do this, have the master KDC propagate the database to
 3934 one set of replicas, and then have each of these replicas propagate
 3935 the database to additional replicas.
 3936 
 3937 See also {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}
 3938 
 3939 
 3940 \chapter{Database administration}
 3941 \label{\detokenize{admin/database::doc}}\label{\detokenize{admin/database:database-administration}}
 3942 A Kerberos database contains all of a realm’s Kerberos principals,
 3943 their passwords, and other administrative information about each
 3944 principal.  For the most part, you will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}
 3945 program to manipulate the Kerberos database as a whole, and the
 3946 {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to make changes to the entries in the
 3947 database.  (One notable exception is that users will use the
 3948 \DUrole{xref,std,std-ref}{kpasswd(1)} program to change their own passwords.)  The kadmin
program has its own command-line interface, into which you type the
database administration commands.
 3951 
 3952 {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} provides a means to create, delete, load, or dump
 3953 a Kerberos database.  It also contains commands to roll over the
 3954 database master key, and to stash a copy of the key so that the
 3955 {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} and {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemons can use the database
 3956 without manual input.
 3957 
 3958 {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} provides for the maintenance of Kerberos principals,
 3959 password policies, and service key tables (keytabs).  Normally it
 3960 operates as a network client using Kerberos authentication to
 3961 communicate with {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, but there is also a variant, named
 3962 kadmin.local, which directly accesses the Kerberos database on the
 3963 local filesystem (or through LDAP).  kadmin.local is necessary to set
 3964 up enough of the database to be able to use the remote version.
 3965 
 3966 kadmin can authenticate to the admin server using the service
 3967 principal \sphinxcode{kadmin/HOST} (where \sphinxstyleemphasis{HOST} is the hostname of the admin
 3968 server) or \sphinxcode{kadmin/admin}.  If the credentials cache contains a
 3969 ticket for either service principal and the \sphinxstylestrong{-c} ccache option is
 3970 specified, that ticket is used to authenticate to KADM5.  Otherwise,
 3971 the \sphinxstylestrong{-p} and \sphinxstylestrong{-k} options are used to specify the client Kerberos
 3972 principal name used to authenticate.  Once kadmin has determined the
 3973 principal name, it requests a \sphinxcode{kadmin/admin} Kerberos service ticket
 3974 from the KDC, and uses that service ticket to authenticate to KADM5.
 3975 
 3976 See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for the available kadmin and kadmin.local
 3977 commands and options.
 3978 
 3979 
 3980 \section{kadmin options}
 3981 \label{\detokenize{admin/database:kadmin-options}}
 3982 You can invoke {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} or kadmin.local with any of the
 3983 following options:
 3984 
 3985 \sphinxstylestrong{kadmin}
 3986 {[}\sphinxstylestrong{-O}\textbar{}\sphinxstylestrong{-N}{]}
 3987 {[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]}
 3988 {[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]}
 3989 {[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]}
 3990 {[}{[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}\textbar{}{[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}{]}{]}\textbar{}\sphinxstylestrong{-n}{]}
 3991 {[}\sphinxstylestrong{-w} \sphinxstyleemphasis{password}{]}
 3992 {[}\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}{]}
 3993 {[}command args…{]}
 3994 
 3995 \sphinxstylestrong{kadmin.local}
 3996 {[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]}
 3997 {[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]}
 3998 {[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]}
 3999 {[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]}
 4000 {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt}{]}
 4001 {[}\sphinxstylestrong{-m}{]}
 4002 {[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]}
 4003 {[}command args…{]}
 4004 
 4005 \sphinxstylestrong{OPTIONS}
 4006 \begin{description}
 4007 \item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode
 4008 Use \sphinxstyleemphasis{realm} as the default database realm.
 4009 
 4010 \item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}}] \leavevmode
 4011 Use \sphinxstyleemphasis{principal} to authenticate.  Otherwise, kadmin will append
 4012 \sphinxcode{/admin} to the primary principal name of the default ccache,
 4013 the value of the \sphinxstylestrong{USER} environment variable, or the username as
 4014 obtained with getpwuid, in order of preference.
 4015 
 4016 \item[{\sphinxstylestrong{-k}}] \leavevmode
 4017 Use a keytab to decrypt the KDC response instead of prompting for
 4018 a password.  In this case, the default principal will be
 4019 \sphinxcode{host/hostname}.  If there is no keytab specified with the
 4020 \sphinxstylestrong{-t} option, then the default keytab will be used.
 4021 
 4022 \item[{\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}}] \leavevmode
 4023 Use \sphinxstyleemphasis{keytab} to decrypt the KDC response.  This can only be used
 4024 with the \sphinxstylestrong{-k} option.
 4025 
 4026 \item[{\sphinxstylestrong{-n}}] \leavevmode
 4027 Requests anonymous processing.  Two types of anonymous principals
 4028 are supported.  For fully anonymous Kerberos, configure PKINIT on
 4029 the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s
 4030 {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Then use the \sphinxstylestrong{-n} option with a principal
 4031 of the form \sphinxcode{@REALM} (an empty principal name followed by the
 4032 at-sign and a realm name).  If permitted by the KDC, an anonymous
 4033 ticket will be returned.  A second form of anonymous tickets is
 4034 supported; these realm-exposed tickets hide the identity of the
 4035 client but not the client’s realm.  For this mode, use \sphinxcode{kinit
 4036 -n} with a normal principal name.  If supported by the KDC, the
 4037 principal (but not realm) will be replaced by the anonymous
 4038 principal.  As of release 1.8, the MIT Kerberos KDC only supports
 4039 fully anonymous operation.
 4040 
 4041 \item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{credentials\_cache}}] \leavevmode
 4042 Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache.  The
 4043 cache should contain a service ticket for the \sphinxcode{kadmin/ADMINHOST}
 4044 (where \sphinxstyleemphasis{ADMINHOST} is the fully-qualified hostname of the admin
 4045 server) or \sphinxcode{kadmin/admin} service; it can be acquired with the
 4046 \DUrole{xref,std,std-ref}{kinit(1)} program.  If this option is not specified, kadmin
 4047 requests a new service ticket from the KDC, and stores it in its
 4048 own temporary ccache.
 4049 
 4050 \item[{\sphinxstylestrong{-w} \sphinxstyleemphasis{password}}] \leavevmode
 4051 Use \sphinxstyleemphasis{password} instead of prompting for one.  Use this option with
 4052 care, as it may expose the password to other users on the system
 4053 via the process list.
 4054 
 4055 \item[{\sphinxstylestrong{-q} \sphinxstyleemphasis{query}}] \leavevmode
 4056 Perform the specified query and then exit.
 4057 
 4058 \item[{\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}}] \leavevmode
 4059 Specifies the name of the KDC database.  This option does not
 4060 apply to the LDAP database module.
 4061 
 4062 \item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}] \leavevmode
 4063 Specifies the admin server which kadmin should contact.
 4064 
 4065 \item[{\sphinxstylestrong{-m}}] \leavevmode
 4066 If using kadmin.local, prompt for the database master password
 4067 instead of reading it from a stash file.
 4068 
 4069 \item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode
 4070 Sets the keysalt list to be used for any new keys created.  See
 4071 {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible
 4072 values.
 4073 
 4074 \item[{\sphinxstylestrong{-O}}] \leavevmode
 4075 Force use of old AUTH\_GSSAPI authentication flavor.
 4076 
 4077 \item[{\sphinxstylestrong{-N}}] \leavevmode
 4078 Prevent fallback to AUTH\_GSSAPI authentication flavor.
 4079 
 4080 \item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode
 4081 Specifies the database-specific arguments.  See the next section
 4082 for supported options.
 4083 
 4084 \end{description}
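The warning on the \sphinxstylestrong{-w} option above (and the identical one on the \sphinxstylestrong{-pw} option of \sphinxstylestrong{add\_principal} below) is easy to verify. The following is an added example, not part of the krb5 documentation or code base: it never runs kadmin itself; a \sphinxcode{sh} child that only sleeps stands in for the privileged tool, the "password" is a constructed sample string, and the helper names (\sphinxcode{secret\_leaks\_via\_argv}, \sphinxcode{secret\_leaks\_via\_stdin}) are the example's own. It shows that a secret placed in argv is readable through the process list, while the same secret delivered on stdin is not.

```python
"""Why a secret on the command line (kadmin -w, add_principal -pw) is visible
to other local users, contrasted with passing it over stdin.

Added example; it never invokes kadmin.  A `sh` child that just sleeps
stands in for the privileged tool, and the secret is a constructed sample.
"""
import os
import subprocess

SAMPLE_SECRET = "Constructed-Sample-Passw0rd"   # constructed, not a real credential


def _argv_of(pid: int) -> list:
    """Return a running process's argv the way any local user can read it.

    /proc/<pid>/cmdline is the Linux source; `ps -o args=` is the portable
    fallback (assumption: at least one of the two exists on this host).
    """
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as fh:
            return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def secret_leaks_via_argv(secret: str = SAMPLE_SECRET) -> bool:
    """True if a child started with the secret as an argument exposes it.

    `sh -c 'sleep 5' kadmin-stand-in SECRET` places SECRET in $1 of a shell
    that merely sleeps, mirroring the shape of `kadmin -w SECRET`.
    """
    child = subprocess.Popen(["sh", "-c", "sleep 5", "kadmin-stand-in", secret])
    try:
        # Popen returns only after exec succeeded, so argv is the child's own.
        return secret in _argv_of(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_leaks_via_stdin(secret: str = SAMPLE_SECRET) -> bool:
    """Same check when the secret is delivered on stdin instead of argv."""
    child = subprocess.Popen(["sh", "-c", "read -r _pw; sleep 5"],
                             stdin=subprocess.PIPE)
    try:
        child.stdin.write((secret + "\n").encode())
        child.stdin.flush()
        return secret in " ".join(_argv_of(child.pid))
    finally:
        child.stdin.close()
        child.kill()
        child.wait()


if __name__ == "__main__":
    print("secret visible in process list when passed in argv :", secret_leaks_via_argv())
    print("secret visible in process list when passed on stdin:", secret_leaks_via_stdin())
```

For kadmin itself the page already names the alternatives that avoid the argv path entirely: let kadmin prompt, authenticate with \sphinxstylestrong{-c} using a ticket obtained by kinit, or use \sphinxstylestrong{-k} with a keytab.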
 4085 
 4086 
 4087 \section{Date Format}
 4088 \label{\detokenize{admin/database:date-format}}
 4089 For the supported date-time formats see the \DUrole{xref,std,std-ref}{getdate} section
 4090 in \DUrole{xref,std,std-ref}{datetime}.
 4091 
 4092 
 4093 \section{Principals}
 4094 \label{\detokenize{admin/database:principals}}
 4095 Each entry in the Kerberos database contains a Kerberos principal and
 4096 the attributes and policies associated with that principal.
 4097 
 4098 
 4099 \subsection{Adding, modifying and deleting principals}
 4100 \label{\detokenize{admin/database:add-mod-del-princs}}\label{\detokenize{admin/database:adding-modifying-and-deleting-principals}}
 4101 To add a principal to the database, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}
 4102 \sphinxstylestrong{add\_principal} command.
 4103 
 4104 To modify attributes of a principal, use the kadmin
 4105 \sphinxstylestrong{modify\_principal} command.
 4106 
 4107 To delete a principal, use the kadmin \sphinxstylestrong{delete\_principal} command.
 4108 
 4109 
 4110 \subsection{add\_principal}
 4111 \label{\detokenize{admin/database:add-principal}}\begin{quote}
 4112 
 4113 \sphinxstylestrong{add\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{newprinc}
 4114 \end{quote}
 4115 
 4116 Creates the principal \sphinxstyleemphasis{newprinc}, prompting twice for a password.  If
 4117 no password policy is specified with the \sphinxstylestrong{-policy} option, the
 4118 policy named \sphinxcode{default} is assigned to the principal if it exists.
 4119 However, creating a policy named \sphinxcode{default} will not automatically
 4120 assign this policy to previously existing principals.  This policy
 4121 assignment can be suppressed with the \sphinxstylestrong{-clearpolicy} option.
 4122 
 4123 This command requires the \sphinxstylestrong{add} privilege.
 4124 
 4125 Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank}
 4126 
 4127 Options:
 4128 \begin{description}
 4129 \item[{\sphinxstylestrong{-expire} \sphinxstyleemphasis{expdate}}] \leavevmode
 4130 (\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal.
 4131 
 4132 \item[{\sphinxstylestrong{-pwexpire} \sphinxstyleemphasis{pwexpdate}}] \leavevmode
 4133 (\DUrole{xref,std,std-ref}{getdate} string) The password expiration date.
 4134 
 4135 \item[{\sphinxstylestrong{-maxlife} \sphinxstyleemphasis{maxlife}}] \leavevmode
 4136 (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life
 4137 for the principal.
 4138 
 4139 \item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}] \leavevmode
 4140 (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable
 4141 life of tickets for the principal.
 4142 
 4143 \item[{\sphinxstylestrong{-kvno} \sphinxstyleemphasis{kvno}}] \leavevmode
 4144 The initial key version number.
 4145 
 4146 \item[{\sphinxstylestrong{-policy} \sphinxstyleemphasis{policy}}] \leavevmode
 4147 The password policy used by this principal.  If not specified, the
 4148 policy \sphinxcode{default} is used if it exists (unless \sphinxstylestrong{-clearpolicy}
 4149 is specified).
 4150 
 4151 \item[{\sphinxstylestrong{-clearpolicy}}] \leavevmode
 4152 Prevents any policy from being assigned when \sphinxstylestrong{-policy} is not
 4153 specified.
 4154 
 4155 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_postdated}}] \leavevmode
 4156 \sphinxstylestrong{-allow\_postdated} prohibits this principal from obtaining
 4157 postdated tickets.  \sphinxstylestrong{+allow\_postdated} clears this flag.
 4158 
 4159 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_forwardable}}] \leavevmode
 4160 \sphinxstylestrong{-allow\_forwardable} prohibits this principal from obtaining
 4161 forwardable tickets.  \sphinxstylestrong{+allow\_forwardable} clears this flag.
 4162 
 4163 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_renewable}}] \leavevmode
 4164 \sphinxstylestrong{-allow\_renewable} prohibits this principal from obtaining
 4165 renewable tickets.  \sphinxstylestrong{+allow\_renewable} clears this flag.
 4166 
 4167 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_proxiable}}] \leavevmode
 4168 \sphinxstylestrong{-allow\_proxiable} prohibits this principal from obtaining
 4169 proxiable tickets.  \sphinxstylestrong{+allow\_proxiable} clears this flag.
 4170 
 4171 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_dup\_skey}}] \leavevmode
 4172 \sphinxstylestrong{-allow\_dup\_skey} disables user-to-user authentication for this
 4173 principal by prohibiting others from obtaining a service ticket
 4174 encrypted in this principal’s TGT session key.
 4175 \sphinxstylestrong{+allow\_dup\_skey} clears this flag.
 4176 
 4177 \item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_preauth}}] \leavevmode
 4178 \sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate
 4179 before being allowed to kinit.  \sphinxstylestrong{-requires\_preauth} clears this
 4180 flag.  When \sphinxstylestrong{+requires\_preauth} is set on a service principal,
 4181 the KDC will only issue service tickets for that service principal
 4182 if the client’s initial authentication was performed using
 4183 preauthentication.
 4184 
 4185 \item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_hwauth}}] \leavevmode
 4186 \sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate
 4187 using a hardware device before being allowed to kinit.
 4188 \sphinxstylestrong{-requires\_hwauth} clears this flag.  When \sphinxstylestrong{+requires\_hwauth} is
 4189 set on a service principal, the KDC will only issue service tickets
 4190 for that service principal if the client’s initial authentication was
 4191 performed using a hardware device to preauthenticate.
 4192 
 4193 \item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_as\_delegate}}] \leavevmode
 4194 \sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets
 4195 issued with this principal as the service.  Clients may use this
 4196 flag as a hint that credentials should be delegated when
 4197 authenticating to the service.  \sphinxstylestrong{-ok\_as\_delegate} clears this
 4198 flag.
 4199 
 4200 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_svr}}] \leavevmode
 4201 \sphinxstylestrong{-allow\_svr} prohibits the issuance of service tickets for this
 4202 principal.  In release 1.17 and later, user-to-user service
 4203 tickets are still allowed unless the \sphinxstylestrong{-allow\_dup\_skey} flag is
 4204 also set.  \sphinxstylestrong{+allow\_svr} clears this flag.
 4205 
 4206 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tgs\_req}}] \leavevmode
 4207 \sphinxstylestrong{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS)
 4208 request for a service ticket for this principal is not permitted.
 4209 \sphinxstylestrong{+allow\_tgs\_req} clears this flag.
 4210 
 4211 \item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tix}}] \leavevmode
 4212 \sphinxstylestrong{-allow\_tix} forbids the issuance of any tickets for this
 4213 principal.  \sphinxstylestrong{+allow\_tix} clears this flag.
 4214 
 4215 \item[{\{-\textbar{}+\}\sphinxstylestrong{needchange}}] \leavevmode
 4216 \sphinxstylestrong{+needchange} forces a password change on the next initial
 4217 authentication to this principal.  \sphinxstylestrong{-needchange} clears this
 4218 flag.
 4219 
 4220 \item[{\{-\textbar{}+\}\sphinxstylestrong{password\_changing\_service}}] \leavevmode
 4221 \sphinxstylestrong{+password\_changing\_service} marks this principal as a password
 4222 change service principal.
 4223 
 4224 \item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}] \leavevmode
 4225 \sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire
 4226 forwardable tickets to itself from arbitrary users, for use with
 4227 constrained delegation.
 4228 
 4229 \item[{\{-\textbar{}+\}\sphinxstylestrong{no\_auth\_data\_required}}] \leavevmode
 4230 \sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from
 4231 being added to service tickets for the principal.
 4232 
 4233 \item[{\{-\textbar{}+\}\sphinxstylestrong{lockdown\_keys}}] \leavevmode
 4234 \sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving
 4235 the KDC via kadmind.  The chpass and extract operations are denied
 4236 for a principal with this attribute.  The chrand operation is
 4237 allowed, but will not return the new keys.  The delete and rename
 4238 operations are also denied if this attribute is set, in order to
 4239 prevent a malicious administrator from replacing principals like
 4240 krbtgt/* or kadmin/* with new principals without the attribute.
 4241 This attribute can be set via the network protocol, but can only
 4242 be removed using kadmin.local.
 4243 
 4244 \item[{\sphinxstylestrong{-randkey}}] \leavevmode
 4245 Sets the key of the principal to a random value.
 4246 
 4247 \item[{\sphinxstylestrong{-nokey}}] \leavevmode
 4248 Causes the principal to be created with no key.  New in release
 4249 1.12.
 4250 
 4251 \item[{\sphinxstylestrong{-pw} \sphinxstyleemphasis{password}}] \leavevmode
 4252 Sets the password of the principal to the specified string and
 4253 does not prompt for a password.  Note: using this option in a
 4254 shell script may expose the password to other users on the system
 4255 via the process list.
 4256 
 4257 \item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode
 4258 Uses the specified keysalt list for setting the keys of the
 4259 principal.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a
 4260 list of possible values.
 4261 
 4262 \item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_princ\_args}}] \leavevmode
 4263 Indicates database-specific options.  The options for the LDAP
 4264 database module are:
 4265 \begin{description}
 4266 \item[{\sphinxstylestrong{-x dn=}\sphinxstyleemphasis{dn}}] \leavevmode
 4267 Specifies the LDAP object that will contain the Kerberos
 4268 principal being created.
 4269 
 4270 \item[{\sphinxstylestrong{-x linkdn=}\sphinxstyleemphasis{dn}}] \leavevmode
 4271 Specifies the LDAP object to which the newly created Kerberos
 4272 principal object will point.
 4273 
 4274 \item[{\sphinxstylestrong{-x containerdn=}\sphinxstyleemphasis{container\_dn}}] \leavevmode
 4275 Specifies the container object under which the Kerberos
 4276 principal is to be created.
 4277 
 4278 \item[{\sphinxstylestrong{-x tktpolicy=}\sphinxstyleemphasis{policy}}] \leavevmode
 4279 Associates a ticket policy to the Kerberos principal.
 4280 
 4281 \end{description}
 4282 
 4283 \begin{sphinxadmonition}{note}{Note:}\begin{itemize}
 4284 \item {} 
 4285 The \sphinxstylestrong{containerdn} and \sphinxstylestrong{linkdn} options cannot be
 4286 specified with the \sphinxstylestrong{dn} option.
 4287 
 4288 \item {} 
 4289 If the \sphinxstyleemphasis{dn} or \sphinxstyleemphasis{containerdn} options are not specified while
 4290 adding the principal, the principals are created under the
 4291 principal container configured in the realm or the realm
 4292 container.
 4293 
 4294 \item {} 
 4295 \sphinxstyleemphasis{dn} and \sphinxstyleemphasis{containerdn} should be within the subtrees or
 4296 principal container configured in the realm.
 4297 
 4298 \end{itemize}
 4299 \end{sphinxadmonition}
 4300 
 4301 \end{description}
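The \{-\textbar{}+\} attribute options above interact (for instance \sphinxstylestrong{-allow\_svr} and \sphinxstylestrong{-allow\_dup\_skey} since release 1.17, or \sphinxstylestrong{+lockdown\_keys} and the kadmind operations it denies), so it helps to see the stated rules in one place. The following is an added example and not MIT krb5 code: it encodes only the rules written in the option descriptions so an administrator can reason about a proposed flag set before applying it. The function names, the default values (every \sphinxcode{allow\_*} flag on and every other flag off for a principal created without flags) and the operation name \sphinxcode{clear\_lockdown\_keys} are the example's own assumptions.

```python
"""Model of the kadmin {-|+}flag principal attributes described above.

Added example, not MIT krb5 code.  It encodes the rules stated in the
add_principal option descriptions: -allow_tix, -allow_tgs_req, -allow_svr
(with the 1.17 user-to-user exception and -allow_dup_skey), the
+requires_preauth / +requires_hwauth service-ticket conditions, and the
operations that +lockdown_keys denies to kadmind.  Defaults (allow_* on,
everything else off) are an assumption of this model.
"""
from typing import Dict, Tuple

ALLOW_FLAGS = {"allow_postdated", "allow_forwardable", "allow_renewable",
               "allow_proxiable", "allow_dup_skey", "allow_svr",
               "allow_tgs_req", "allow_tix"}
OTHER_FLAGS = {"requires_preauth", "requires_hwauth", "ok_as_delegate",
               "needchange", "password_changing_service",
               "ok_to_auth_as_delegate", "no_auth_data_required",
               "lockdown_keys"}


def parse_flag_args(args) -> Dict[str, bool]:
    """Turn kadmin-style tokens ("+requires_preauth", "-allow_svr") into
    {name: bool}; "+" means the named attribute is set."""
    flags = {}
    for tok in args:
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError(f"not a flag token: {tok!r}")
        name = tok[1:]
        if name not in ALLOW_FLAGS | OTHER_FLAGS:
            raise ValueError(f"unknown principal flag: {name}")
        flags[name] = tok[0] == "+"
    return flags


def _get(flags: Dict[str, bool], name: str) -> bool:
    # Assumed defaults: allow_* attributes on, all others off.
    return flags.get(name, name in ALLOW_FLAGS)


def service_ticket_decision(flags: Dict[str, bool], *, user_to_user: bool = False,
                            client_preauth: bool = False, client_hwauth: bool = False,
                            release: Tuple[int, int] = (1, 17)) -> Tuple[bool, str]:
    """Would the KDC issue a service ticket naming this principal as the
    service?  Returns (allowed, reason) following the option descriptions."""
    if not _get(flags, "allow_tix"):
        return False, "-allow_tix forbids any tickets for this principal"
    if not _get(flags, "allow_tgs_req"):
        return False, "-allow_tgs_req forbids TGS requests for this principal"
    if not _get(flags, "allow_svr"):
        # Before release 1.17, -allow_svr also blocked user-to-user tickets.
        if not user_to_user or release < (1, 17):
            return False, "-allow_svr prohibits service tickets"
        if not _get(flags, "allow_dup_skey"):
            return False, "-allow_svr with -allow_dup_skey also blocks user-to-user"
    if _get(flags, "requires_preauth") and not client_preauth:
        return False, "+requires_preauth: client's initial auth lacked preauthentication"
    if _get(flags, "requires_hwauth") and not client_hwauth:
        return False, "+requires_hwauth: client's initial auth lacked hardware preauth"
    return True, "issued"


LOCKED_OPS = {"chpass", "extract", "delete", "rename"}


def kadmind_op_allowed(flags: Dict[str, bool], op: str,
                       via_kadmin_local: bool = False) -> bool:
    """Apply the +lockdown_keys rules: chpass, extract, delete and rename are
    denied; chrand is allowed (the new keys are not returned); clearing the
    attribute itself ("clear_lockdown_keys", a name used only here) works
    only through kadmin.local, never over the network protocol."""
    if not _get(flags, "lockdown_keys"):
        return True
    if op in LOCKED_OPS:
        return False
    if op == "clear_lockdown_keys":
        return via_kadmin_local
    return True  # chrand and the remaining operations


if __name__ == "__main__":
    hardened = parse_flag_args(["+requires_preauth", "-allow_svr", "+lockdown_keys"])
    print(service_ticket_decision(hardened, user_to_user=True, client_preauth=True))
    print("extract allowed over kadmind:", kadmind_op_allowed(hardened, "extract"))
```

A flag set such as \sphinxcode{+requires\_preauth -allow\_svr +lockdown\_keys} is the shape of a least-privilege service principal: the model returns a reason string for every denial, which is the same information an administrator would otherwise have to reconstruct from the option list by hand.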
 4302 
 4303 Example:
 4304 
 4305 \fvset{hllines={, ,}}%
 4306 \begin{sphinxVerbatim}[commandchars=\\\{\}]
 4307 \PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n