Diffstat (limited to 'doc/admin/conf_files/krb5_conf.rst')
-rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 56 |
1 files changed, 15 insertions, 41 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 008ca4ce8..5930cf328 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -17,14 +17,11 @@ Structure The krb5.conf file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form: - - :: +section may contain zero or more relations, of the form:: foo = bar -or - :: +or:: fubar = { foo = bar @@ -36,8 +33,7 @@ value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. -For example, if you have the following lines: - :: +For example, if you have the following lines:: foo = bar* foo = baz @@ -45,9 +41,7 @@ For example, if you have the following lines: then the second value of ``foo`` (``baz``) would never be read. The krb5.conf file can include other files using either of the -following directives at the beginning of a line: - - :: +following directives at the beginning of a line:: include FILENAME includedir DIRNAME @@ -62,9 +56,7 @@ file must begin with a section header. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section -headers: - - :: +headers:: module MODULEPATH:RESIDUAL @@ -398,8 +390,7 @@ following tags may be specified in the realm's subsection: default realm, this rule is not applicable and the conversion will fail. - For example: - :: + For example:: [realms] ATHENA.MIT.EDU = { 
@@ -505,9 +496,7 @@ for that particular host or domain. A host name relation implicitly provides the corresponding domain name relation, unless an explicit domain name relation is provided. The Kerberos realm may be identified either in the realms_ section or using DNS SRV records. -Host names and domain names should be in lower case. For example: - - :: +Host names and domain names should be in lower case. For example:: [domain_realm] crash.mit.edu = TEST.ATHENA.MIT.EDU @@ -563,9 +552,7 @@ For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to use the ``ES.NET`` realm as an intermediate realm. ANL has a sub realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV`` but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems -would look like this: - - :: +would look like this:: [capaths] ANL.GOV = { @@ -588,9 +575,7 @@ would look like this: } The [capaths] section of the configuration file used on ``NERSC.GOV`` -systems would look like this: - - :: +systems would look like this:: [capaths] NERSC.GOV = { @@ -628,8 +613,7 @@ Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application. -For example: - :: +For example:: [appdefaults] telnet = { 
@@ -851,27 +835,21 @@ PKINIT options A realm-specific value overrides, not adds to, a generic [libdefaults] specification. The search order is: -1. realm-specific subsection of [libdefaults]: - - :: +1. realm-specific subsection of [libdefaults]:: [libdefaults] EXAMPLE.COM = { pkinit_anchors = FILE:/usr/local/example.com.crt } -2. realm-specific value in the [realms] section, - - :: +2. realm-specific value in the [realms] section:: [realms] OTHERREALM.ORG = { pkinit_anchors = FILE:/usr/local/otherrealm.org.crt } -3. generic value in the [libdefaults] section. - - :: +3. generic value in the [libdefaults] section:: [libdefaults] pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ @@ -1004,9 +982,7 @@ PKINIT krb5.conf options * digitalSignature * keyEncipherment - Examples: - - :: + Examples:: pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.* @@ -1115,9 +1091,7 @@ Valid parameters are: Sample krb5.conf file --------------------- -Here is an example of a generic krb5.conf file: - - :: +Here is an example of a generic krb5.conf file:: [libdefaults] default_realm = ATHENA.MIT.EDU |
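Review bot: In the first hunk (@@ -17,14 +17,11), "or::" changes the rendered text as well as the markup. A paragraph that ends in "::" directly after a word renders with a single trailing colon, so readers will now see "or:" where the old standalone "::" paragraph left a bare "or". If the change is meant to be markup-only, write "or ::" with a space before the double colon, which reStructuredText renders with no colon at all. The other lines in this hunk already ended in ":" and render the same as before.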
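Review bot: In the PKINIT search-order hunk (@@ -851,27 +835,21), items 2 and 3 used to end in "," and "." and will now both render with a trailing colon, so the visible wording of the list changes along with the markup. That reads fine, since each item now introduces its example the same way item 1 does. Please confirm in a built copy of the docs that each literal block is still nested under its numbered item. With the "::" moved onto the item text, a block that is not indented past the item text ends the enumeration, and this list is what tells an administrator which "pkinit_anchors" value takes effect.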