diff options
author | Ben Kaduk <kaduk@mit.edu> | 2012-10-16 16:40:20 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2012-10-16 17:08:08 -0400 |
commit | dd8c4b424d9b48a1eed3be491e5b10f81deb4dec (patch) | |
tree | 34d5ea3e5191c3b49683685b703699fc172ebe7e /src/man/krb5.conf.man | |
parent | e15127e05f2b12bdd39940a1135cc1510e062aff (diff) | |
download | krb5-dd8c4b424d9b48a1eed3be491e5b10f81deb4dec.tar.gz krb5-dd8c4b424d9b48a1eed3be491e5b10f81deb4dec.tar.xz krb5-dd8c4b424d9b48a1eed3be491e5b10f81deb4dec.zip |
Regenerate man pages
Catch up to the RST content updates.
Lots of .sp vertical space macros are removed, and the output engine
spelles "restructuredText" correctly, now.
Diffstat (limited to 'src/man/krb5.conf.man')
-rw-r--r-- | src/man/krb5.conf.man | 285 |
1 files changed, 147 insertions, 138 deletions
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index cc85bb9ea8..07021eb0df 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructeredText. +.\" Man page generated from reStructuredText. . .sp The krb5.conf file contains Kerberos configuration information, @@ -169,13 +169,15 @@ Controls plugin module registration T} _ .TE +.sp +Additionally, krb5.conf may include any of the relations described in +\fIkdc.conf(5)\fP, but it is not a recommended practice. .SS [libdefaults] .sp The libdefaults section may contain any of the following relations: .INDENT 0.0 .TP .B \fBallow_weak_crypto\fP -.sp If this flag is set to false, then weak encryption types will be filtered out of the previous three lists (as noted in \fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP). The @@ -186,7 +188,6 @@ should set this tag to true until their infrastructure adopts stronger ciphers. .TP .B \fBap_req_checksum_type\fP -.sp An integer which specifies the type of AP\-REQ checksum to use in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be @@ -195,14 +196,12 @@ See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP .B \fBcanonicalize\fP -.sp If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. .TP .B \fBccache_type\fP -.sp This parameter determines the format of credential cache types created by \fIkinit(1)\fP or other programs. The default value is 4, which represents the most current format. Smaller values @@ -210,45 +209,51 @@ can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. .TP .B \fBclockskew\fP -.sp Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. .TP +.B \fBdefault_ccache_name\fP +This relation specifies the name of the default credential cache. +The default is \fB@CCNAME@\fP. This relation is subject to parameter +expansion (see below). +.TP +.B \fBdefault_client_keytab_name\fP +This relation specifies the name of the default keytab for +obtaining client credentials. The default is \fB@CKTNAME@\fP. This +relation is subject to parameter expansion (see below). +.TP .B \fBdefault_keytab_name\fP -.sp This relation specifies the default keytab name to be used by -application servers such as telnetd and rlogind. The default is -\fB/etc/krb5.keytab\fP. +application servers such as sshd. The default is \fB@KTNAME@\fP. This +relation is subject to parameter expansion (see below). .TP .B \fBdefault_realm\fP -.sp Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as \fIkinit(1)\fP. .TP .B \fBdefault_tgs_enctypes\fP -.sp Identifies the supported list of session key encryption types that -should be returned by the KDC. The list may be delimited with -commas or whitespace. See \fIEncryption_and_salt_types\fP in +should be returned by the KDC, in order of preference from +highest to lowest. The list may be delimited with commas or +whitespace. See \fIEncryption_and_salt_types\fP in \fIkdc.conf(5)\fP for a list of the accepted values for this tag. The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .TP .B \fBdefault_tkt_enctypes\fP -.sp Identifies the supported list of session key encryption types that -should be requested by the client. The format is the same as for +should be requested by the client, in order of preference from +highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .TP .B \fBdns_lookup_kdc\fP -.sp Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server @@ -265,7 +270,6 @@ data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know. .TP .B \fBextra_addresses\fP -.sp This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address\-restricted tickets. The addresses should be in a @@ -273,12 +277,10 @@ comma\-separated list. This option has no effect if \fBnoaddresses\fP is true. .TP .B \fBforwardable\fP -.sp If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. .TP .B \fBignore_acceptor_hostname\fP -.sp When accepting GSSAPI or krb5 security contexts for host\-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service @@ -289,7 +291,6 @@ compromise the security of virtual hosting environments. The default value is false. .TP .B \fBk5login_authoritative\fP -.sp If this flag is true, principals must be listed in a local user\(aqs k5login file to be granted login access, if a \fI.k5login(5)\fP file exists. If this flag is false, a principal may still be @@ -298,7 +299,6 @@ file exists but does not list the principal. The default value is true. .TP .B \fBk5login_directory\fP -.sp If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login @@ -307,23 +307,20 @@ For security reasons, .k5login files must be owned by the local user or by root. .TP .B \fBkdc_default_options\fP -.sp Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). .TP .B \fBkdc_timesync\fP -.sp -If this flag is true, client machines will compute the difference -between their time and the time returned by the KDC in the -timestamps in the tickets and use this value to correct for an -inaccurate system clock when requesting service tickets or -authenticating to services. This corrective factor is only used -by the Kerberos library; it is not used to change the system -clock. The default value is true. +Accepted values for this relation are 1 or 0. If it is nonzero, +client machines will compute the difference between their time and +the time returned by the KDC in the timestamps in the tickets and +use this value to correct for an inaccurate system clock when +requesting service tickets or authenticating to services. This +corrective factor is only used by the Kerberos library; it is not +used to change the system clock. The default value is 1. .TP .B \fBkdc_req_checksum_type\fP -.sp An integer which specifies the type of checksum to use for the KDC requests, for compatibility with very old KDC implementations. This value is only used for DES keys; other keys use the preferred @@ -391,13 +388,11 @@ _ .TE .TP .B \fBnoaddresses\fP -.sp If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. .TP .B \fBpermitted_enctypes\fP -.sp Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 des3\-cbc\-sha1 arcfour\-hmac\-md5 des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly @@ -405,47 +400,40 @@ removed from this list if the value of \fBallow_weak_crypto\fP is false. .TP .B \fBplugin_base_dir\fP -.sp If set, determines the base directory where krb5 plugins are located. The default value is the \fBkrb5/plugins\fP subdirectory of the krb5 library directory. .TP .B \fBpreferred_preauth_types\fP -.sp This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. .TP .B \fBproxiable\fP -.sp If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. .TP .B \fBrdns\fP -.sp If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. The default value is true. .TP .B \fBrealm_try_domains\fP -.sp Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \-1 means not to search, 0 means to try the host\(aqs domain itself, 1 means to also try the domain\(aqs immediate parent, and so forth. The library\(aqs usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid -realm\-\-which may involve consulting DNS if \fBdns_lookup_kdc\fP is +realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is set. The default is not to search domain components. .TP .B \fBrenew_lifetime\fP -.sp -Sets the default renewable lifetime for initial ticket requests. -The default value is 0. +(\fIduration\fP string.) Sets the default renewable lifetime +for initial ticket requests. The default value is 0. .TP .B \fBsafe_checksum_type\fP -.sp An integer which specifies the type of checksum to use for the KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For compatibility with applications linked against DCE version 1.1 or @@ -455,12 +443,10 @@ with the session key type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP .B \fBticket_lifetime\fP -.sp -Sets the default lifetime for initial ticket requests. The -default value is 1 day. +(\fIduration\fP string.) Sets the default lifetime for initial +ticket requests. The default value is 1 day. .TP .B \fBudp_preference_limit\fP -.sp When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fBudp_preference_limit\fP. If the message is smaller than @@ -469,7 +455,6 @@ Regardless of the size, both protocols will be tried if the first attempt fails. .TP .B \fBverify_ap_req_nofail\fP -.sp If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. @@ -483,14 +468,12 @@ following tags may be specified in the realm\(aqs subsection: .INDENT 0.0 .TP .B \fBadmin_server\fP -.sp Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be given a value in order to communicate with the \fIkadmind(8)\fP server for the realm. .TP .B \fBauth_to_local\fP -.sp This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being @@ -498,7 +481,6 @@ translated. The possible values are: .INDENT 7.0 .TP .B \fBRULE:\fP\fIexp\fP -.sp The local name will be formulated from \fIexp\fP. .sp The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP. @@ -506,7 +488,7 @@ The integer \fIn\fP indicates how many components the target principal should have. If this matches, then a string will be formed from \fIstring\fP, substituting the realm of the principal for \fB$0\fP and the \fIn\fP\(aqth component of the principal for -\fB$n\fP (e.g. if the principal was \fBjohndoe/admin\fP then +\fB$n\fP (e.g., if the principal was \fBjohndoe/admin\fP then \fB[2:$2$1foo]\fP would result in the string \fBadminjohndoefoo\fP). If this string matches \fIregexp\fP, then the \fBs//[g]\fP substitution command will be run over the @@ -515,7 +497,6 @@ global over the \fIstring\fP, instead of replacing only the first match in the \fIstring\fP. .TP .B \fBDEFAULT\fP -.sp The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion @@ -545,20 +526,17 @@ these two rules are any principals \fBjohndoe/*\fP, which will always get the local name \fBguest\fP. .TP .B \fBauth_to_local_names\fP -.sp This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. .TP .B \fBdefault_domain\fP -.sp This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \fBrcmd.hostname\fP to \fBhost/hostname.domain\fP). .TP .B \fBkdc\fP -.sp The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, @@ -569,13 +547,11 @@ be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. .TP .B \fBkpasswd_server\fP -.sp Points to the server where all the password changes are performed. If there is no such entry, the port 464 on the \fBadmin_server\fP host will be tried. .TP .B \fBmaster_kdc\fP -.sp Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the @@ -584,7 +560,6 @@ the updated database has not been propagated to the slave servers yet. .TP .B \fBv4_instance_convert\fP -.sp This subsection allows the administrator to configure exceptions to the \fBdefault_domain\fP mapping rule. It contains V4 instances (the tag name) which should be translated to some specific @@ -592,7 +567,6 @@ hostname (the tag value) as the second component in a Kerberos V5 principal name. .TP .B \fBv4_realm\fP -.sp This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but @@ -776,13 +750,10 @@ are overridden by those specified in the \fI\%realms\fP section. .INDENT 3.5 .INDENT 0.0 .IP \(bu 2 -. \fI\%pwqual\fP interface .IP \(bu 2 -. \fI\%kadm5_hook\fP interface .IP \(bu 2 -. \fI\%clpreauth\fP and \fI\%kdcpreauth\fP interfaces .UNINDENT .UNINDENT @@ -798,19 +769,16 @@ All subsections support the same tags: .INDENT 0.0 .TP .B \fBdisable\fP -.sp This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. .TP .B \fBenable_only\fP -.sp This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. .TP .B \fBmodule\fP -.sp This tag may have multiple values. Each value is a string of the form \fBmodulename:pathname\fP, which causes the shared object located at \fIpathname\fP to be registered as a dynamic module named @@ -830,12 +798,10 @@ disabled with the disable tag): .INDENT 0.0 .TP .B \fBk5identity\fP -.sp Uses a .k5identity file in the user\(aqs home directory to select a client principal .TP .B \fBrealm\fP -.sp Uses the service realm to guess an appropriate cache from the collection .UNINDENT @@ -847,20 +813,16 @@ changed. The following built\-in modules exist for this interface: .INDENT 0.0 .TP .B \fBdict\fP -.sp Checks against the realm dictionary file .TP .B \fBempty\fP -.sp Rejects empty passwords .TP .B \fBhesiod\fP -.sp Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) .TP .B \fBprinc\fP -.sp Checks against components of the principal name .UNINDENT .SS kadm5_hook interface @@ -878,20 +840,16 @@ built\-in modules exist for these interfaces: .INDENT 0.0 .TP .B \fBpkinit\fP -.sp This module implements the PKINIT preauthentication mechanism. .TP .B \fBencrypted_challenge\fP -.sp This module implements the encrypted challenge FAST factor. .TP .B \fBencrypted_timestamp\fP -.sp This module implements the encrypted timestamp mechanism. .UNINDENT .SH PKINIT OPTIONS .IP Note -. The following are PKINIT\-specific options. These values may be specified in [libdefaults] as global defaults, or within a realm\-specific subsection of [libdefaults], or may be @@ -901,7 +859,6 @@ A realm\-specific value overrides, not adds to, a generic .RE .INDENT 0.0 .IP 1. 3 -. realm\-specific subsection of [libdefaults]: .INDENT 3.0 .INDENT 3.5 @@ -910,14 +867,13 @@ realm\-specific subsection of [libdefaults]: .ft C [libdefaults] EXAMPLE.COM = { - pkinit_anchors = FILE\e:/usr/local/example.com.crt + pkinit_anchors = FILE:/usr/local/example.com.crt } .ft P .fi .UNINDENT .UNINDENT .IP 2. 3 -. realm\-specific value in the [realms] section, .INDENT 3.0 .INDENT 3.5 @@ -926,14 +882,13 @@ realm\-specific value in the [realms] section, .ft C [realms] OTHERREALM.ORG = { - pkinit_anchors = FILE\e:/usr/local/otherrealm.org.crt + pkinit_anchors = FILE:/usr/local/otherrealm.org.crt } .ft P .fi .UNINDENT .UNINDENT .IP 3. 3 -. generic value in the [libdefaults] section. .INDENT 3.0 .INDENT 3.5 @@ -941,7 +896,7 @@ generic value in the [libdefaults] section. .nf .ft C [libdefaults] - pkinit_anchors = DIR\e:/usr/local/generic_trusted_cas/ + pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ .ft P .fi .UNINDENT @@ -954,7 +909,6 @@ information for PKINIT is as follows: .INDENT 0.0 .TP .B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] -.sp This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP @@ -967,7 +921,6 @@ In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. .TP .B \fBDIR:\fP\fIdirname\fP -.sp This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP @@ -991,12 +944,10 @@ but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. .TP .B \fBPKCS12:\fP\fIfilename\fP -.sp \fIfilename\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key. .TP .B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] -.sp All keyword/values are optional. \fImodname\fP specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the \fImodname\fP. If no @@ -1009,7 +960,6 @@ See the \fBpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for PKINIT. .TP .B \fBENV:\fP\fIenvvar\fP -.sp \fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY\fP, where environment variable @@ -1019,14 +969,12 @@ example, \fBENV:X509_PROXY\fP, where environment variable .INDENT 0.0 .TP .B \fBpkinit_anchors\fP -.sp Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. .TP .B \fBpkinit_cert_match\fP -.sp Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other @@ -1043,7 +991,6 @@ DN values. The syntax of the matching rules is: .INDENT 7.0 .INDENT 3.5 -.sp [\fIrelation\-operator\fP]\fIcomponent\-rule\fP ... .UNINDENT .UNINDENT @@ -1052,13 +999,11 @@ where: .INDENT 7.0 .TP .B \fIrelation\-operator\fP -.sp can be either \fB&&\fP, meaning all component rules must match, or \fB||\fP, meaning only one component rule must match. The default is \fB&&\fP. .TP .B \fIcomponent\-rule\fP -.sp can be one of the following. Note that there is no punctuation or whitespace between component rules. .INDENT 7.0 @@ -1080,16 +1025,12 @@ must be present in the certificate. Extended Key Usage values can be: .INDENT 7.0 .IP \(bu 2 -. pkinit .IP \(bu 2 -. msScLogin .IP \(bu 2 -. clientAuth .IP \(bu 2 -. emailProtection .UNINDENT .sp @@ -1098,10 +1039,8 @@ Usage values. All values in the list must be present in the certificate. Key Usage values can be: .INDENT 7.0 .IP \(bu 2 -. digitalSignature .IP \(bu 2 -. keyEncipherment .UNINDENT .UNINDENT @@ -1121,7 +1060,6 @@ pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature .UNINDENT .TP .B \fBpkinit_eku_checking\fP -.sp This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded @@ -1131,30 +1069,25 @@ recognized in the krb5.conf file are: .INDENT 7.0 .TP .B \fBkpKDC\fP -.sp This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP. .TP .B \fBkpServerAuth\fP -.sp If \fBkpServerAuth\fP is specified, a KDC certificate with the id\-kp\-serverAuth EKU as used by Microsoft will be accepted. .TP .B \fBnone\fP -.sp If \fBnone\fP is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. .UNINDENT .TP .B \fBpkinit_dh_min_bits\fP -.sp Specifies the size of the Diffie\-Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. .TP .B \fBpkinit_identities\fP -.sp Specifies the location(s) to be used to find the user\(aqs X.509 identity information. This option may be specified multiple times. Each value is attempted in order until identity @@ -1163,7 +1096,6 @@ these values are not used if the user specifies \fBX509_user_identity\fP on the command line. .TP .B \fBpkinit_kdc_hostname\fP -.sp The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as @@ -1172,18 +1104,15 @@ times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). .TP .B \fBpkinit_longhorn\fP -.sp If this flag is set to true, we are talking to the Longhorn KDC. .TP .B \fBpkinit_pool\fP -.sp Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. .TP .B \fBpkinit_require_crl_checking\fP -.sp The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, @@ -1200,24 +1129,130 @@ fails. policy is such that up\-to\-date CRLs must be present for every CA. .TP .B \fBpkinit_revoke\fP -.sp Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified multiple times. .TP .B \fBpkinit_win2k\fP -.sp This flag specifies whether the target realm is assumed to support only the old, pre\-RFC version of the protocol. The default is false. .TP .B \fBpkinit_win2k_require_binding\fP -.sp If this flag is set to true, it expects that the target KDC is patched to return a reply with a checksum rather than a nonce. The default is false. .UNINDENT +.SH PARAMETER EXPANSION +.sp +Several variables, such as \fBdefault_keytab_name\fP, allow parameters +to be expanded. Valid parameters are: +.INDENT 0.0 +.INDENT 3.5 +.TS +center; +|l|l|. +_ +T{ +%{TEMP} +T} T{ +Temporary directory +T} +_ +T{ +%{uid} +T} T{ +Unix real UID or Windows SID +T} +_ +T{ +%{euid} +T} T{ +Unix effective user ID or Windows SID +T} +_ +T{ +%{USERID} +T} T{ +Same as %{uid} +T} +_ +T{ +%{null} +T} T{ +Empty string +T} +_ +T{ +%{LIBDIR} +T} T{ +Installation library directory +T} +_ +T{ +%{BINDIR} +T} T{ +Installation binary directory +T} +_ +T{ +%{SBINDIR} +T} T{ +Installation admin binary directory +T} +_ +T{ +%{username} +T} T{ +(Unix) Username of effective user ID +T} +_ +T{ +%{APPDATA} +T} T{ +(Windows) Roaming application data for current user +T} +_ +T{ +%{COMMON_APPDATA} +T} T{ +(Windows) Application data for all users +T} +_ +T{ +%{LOCAL_APPDATA} +T} T{ +(Windows) Local application data for current user +T} +_ +T{ +%{SYSTEM} +T} T{ +(Windows) Windows system folder +T} +_ +T{ +%{WINDOWS} +T} T{ +(Windows) Windows folder +T} +_ +T{ +%{USERCONFIG} +T} T{ +(Windows) Per\-user MIT krb5 config file directory +T} +_ +T{ +%{COMMONCONFIG} +T} T{ +(Windows) Common MIT krb5 config file directory +T} +_ +.TE +.UNINDENT +.UNINDENT .SH SAMPLE KRB5.CONF FILE .sp Here is an example of a generic krb5.conf file: @@ -1247,11 +1282,6 @@ Here is an example of a generic krb5.conf file: kdc = kerberos\-1.example.com admin_server = kerberos.example.com } - OPENLDAP.MIT.EDU = { - kdc = kerberos.mit.edu - admin_server = kerberos.mit.edu - database_module = openldap_ldapconf - } [domain_realm] .mit.edu = ATHENA.MIT.EDU @@ -1264,27 +1294,6 @@ Here is an example of a generic krb5.conf file: EXAMPLE.COM = { ATHENA.MIT.EDU = . } - -[logging] - kdc = SYSLOG:INFO - admin_server = FILE=/var/kadm5.log -[dbdefaults] - ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com -[dbmodules] - openldap_ldapconf = { - db_library = kldap - disable_last_success = true - ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com - ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com" - # this object needs to have read rights on - # the realm container and principal subtrees - ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com" - # this object needs to have read and write rights on - # the realm container and principal subtrees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 -} .ft P .fi .UNINDENT @@ -1298,6 +1307,6 @@ syslog(3) .SH AUTHOR MIT .SH COPYRIGHT -2011, MIT +2012, MIT .\" Generated by docutils manpage writer. . |