# Kerberos configuration template in MIT krb5 profile format, covering both
# client library defaults and the KDC's LDAP database back end.
# $REALM, $FQDN, $DOMAIN, $SUFFIX and $SERVER_ID look like installer
# placeholders that must be substituted before the file is usable -- confirm
# against the tool that renders this template.
# Layout restored to one relation per line. Comments are kept at column 0 on
# their own lines, because text after a value would be read as part of it.

[logging]
# Log destinations for the Kerberos libraries, the KDC and kadmind.
# These logs record principal names and client addresses, so the files
# should not be world-readable.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = $REALM
# Realm and KDC discovery through DNS TXT/SRV records is switched off, so
# clients depend only on the [realms] and [domain_realm] entries below and
# not on unauthenticated DNS answers.
dns_lookup_realm = false
dns_lookup_kdc = false
# No reverse-DNS canonicalisation of service host names; PTR records are
# not authenticated and can steer a client to the wrong service principal.
rdns = false
ticket_lifetime = 24h
# Tickets are requested as forwardable by default. A service that receives
# a forwarded TGT can act as the user, so delegation should be limited to
# hosts that are trusted for it.
forwardable = yes

[realms]
$REALM = {
# 88 is the standard KDC port, 749 the standard kadmin port.
  kdc = $FQDN:88
  admin_server = $FQDN:749
  default_domain = $DOMAIN
# Trust anchor used to validate the KDC certificate during PKINIT.
# Whoever can replace this file can make clients accept a rogue KDC
# certificate, so it should be writable by root only.
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
# Map the DNS domain and every host below it to the realm.
.$DOMAIN = $REALM
$DOMAIN = $REALM

[appdefaults]
# Settings read by the PAM Kerberos module.
pam = {
  debug = false
# Presumably seconds (36000 = 10 hours) -- the unit is interpreted by the
# PAM module; confirm against its documentation.
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
# Kerberos 4 is obsolete; this option is presumably ignored by current PAM
# modules -- confirm before removing.
  krb4_convert = false
}

[dbmodules]
$REALM = {
# The KDC database lives in LDAP (kldap back end).
  db_library = kldap
# LDAP over a local UNIX socket; %2f is the URL-encoded "/" of the socket
# path. Traffic stays on the host and access is governed by the socket
# file's permissions.
  ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
  ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
# NOTE(review): the KDC and kadmind bind to LDAP with the same account.
# The KDC therefore holds whatever write access kadmind needs; separate
# bind DNs would allow narrower access controls. Confirm this is intended.
  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
# Stash file holding the bind password for the DNs above. It is a reusable
# credential for the Kerberos database, so it should be readable only by
# the account that runs the KDC and kadmind.
  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}