Provided by: krb5-kdc_1.9.1+dfsg-1ubuntu1_i386 bug

NAME

       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION

       kdc.conf  specifies  per-realm  configuration  data  to  be used by the
       Kerberos  V5  Authentication  Service  and  Key   Distribution   Center
       (AS/KDC).  This includes database, key and per-realm defaults.

       The  kdc.conf  file  uses the same format as the krb5.conf file.  For a
       basic  description  of  the  syntax,  please  refer  to  the  krb5.conf
       description.

       The following sections are currently used in the kdc.conf file:

       [kdcdefaults]
              Contains  parameters  which control the overall behaviour of the
              KDC.

       [realms]
              Contains  subsections  keyed  by  Kerberos  realm  names   which
              describe per-realm KDC parameters.

KDCDEFAULTS SECTION

       The following relations are defined in the [kdcdefaults] section:

       kdc_ports
              This  relation  lists the ports which the Kerberos server should
              listen on, by default.  This list is a comma separated  list  of
              integers.   If  this  relation is not specified, the compiled-in
              default is usually port 88 and port 750.

       kdc_tcp_ports
              This relation lists the  ports  on  which  the  Kerberos  server
              should  listen  for  TCP connections by default.  This list is a
              comma separated list of  integers.   If  this  relation  is  not
              specified,  the  compiled-in  default  is  not to listen for TCP
              connections at all.

              If you wish to change this (which we do not  recommend,  because
              the current implementation has little protection against denial-
              of-service attacks),  the  standard  port  number  assigned  for
              Kerberos TCP traffic is port 88.

       v4_mode
              This  string specifies how the KDC should respond to Kerberos IV
              packets. Valid values for this relation  are  the  same  as  the
              valid  arguments to the -4 flag to krb5kdc.  If this relation is
              not specified, the compiled-in default of none is used.

REALMS SECTION

       Each tag in the [realms] section of the file names  a  Kerberos  realm.
       The  value  of  the  tag  is  a  subsection where the relations in that
       subsection define KDC parameters for that particular realm.

       For each realm, the following tags may be  specified  in  the  [realms]
       subsection:

       acl_file
              This  string  specifies  the location of the access control list
              (acl) file that kadmin uses to determine  which  principals  are
              allowed  which permissions on the database. The default value is
              /etc/krb5kdc/kadm5.acl.

       admin_keytab
              This string Specifies the  location  of  the  keytab  file  that
              kadmin  uses to authenticate to the database.  The default value
              is /etc/krb5kdc/kadm5.keytab.

       database_name
              This string specifies the location of the Kerberos database  for
              this realm.

       default_principal_expiration
              This  absolute time string specifies the default expiration date
              of principals created in this realm.

       default_principal_flags
              This flag string specifies the default attributes of  principals
              created  in  this  realm.  The format for the string is a comma-
              separated list of flags, with '+' before each flag to be enabled
              and  '-'  before  each  flag to be disabled.  The default is for
              postdateable, forwardable, tgt-based, renewable, proxiable, dup-
              skey,  allow-tickets,  and service to be enabled, and all others
              to be disabled.

              There are a number of possible flags:

              postdateable
                     Enabling  this  flag  allows  the  principal  to   obtain
                     postdateable tickets.

              forwardable
                     Enabling   this  flag  allows  the  principal  to  obtain
                     forwardable tickets.

              tgt-based
                     Enabling this flag allows a principal to  obtain  tickets
                     based  on a ticket-granting-ticket, rather than repeating
                     the authentication process that was used  to  obtain  the
                     TGT.

              renewable
                     Enabling   this  flag  allows  the  principal  to  obtain
                     renewable tickets.

              proxiable
                     Enabling this flag allows the principal to  obtain  proxy
                     tickets.

              dup-skey
                     Enabling  this  flag  allows  the  principal  to obtain a
                     session key for  another  user,  permitting  user-to-user
                     authentication for this principal.

              allow-tickets
                     Enabling  this flag means that the KDC will issue tickets
                     for this  principal.   Disabling  this  flag  essentially
                     deactivates the principal within this realm.

              preauth
                     If  this flag is enabled on a client principal, then that
                     principal is  required  to  preauthenticate  to  the  KDC
                     before  receiving  any  tickets.  On a service principal,
                     enabling this flag means that service  tickets  for  this
                     principal  will only be issued to clients with a TGT that
                     has the preauthenticated ticket set.

              hwauth If this flag is enabled, then the principal  is  required
                     to   preauthenticate   using  a  hardware  device  before
                     receiving any tickets.

              pwchange
                     Enabling this flag forces  a  password  change  for  this
                     principal.

              service
                     Enabling  this  flag  allows the the KDC to issue service
                     tickets for this principal.

              pwservice
                     If this flag is enabled, it marks  this  principal  as  a
                     password  change  service.   This  should only be used in
                     special cases, for example,  if  a  user's  password  has
                     expired,  the  user has to get tickets for that principal
                     to be able to change it without going through the  normal
                     password authentication.

       dict_file
              This  string  location of the dictionary file containing strings
              that are not allowed as passwords.  If this tag is not set or if
              there is no policy assigned to the principal, then no check will
              be done.

       kadmind_port
              This port number specifies the port on which the kadmind  daemon
              is to listen for this realm.

       kpasswd_port
              This  port number specifies the port on which the kadmind daemon
              is to listen for this realm.

       key_stash_file
              This string specifies the location where the master key has been
              stored with kdb5_stash.

       kdc_ports
              This  string  specifies  the  list  of  ports that the KDC is to
              listen to for this realm.  By default, the value of kdc_ports as
              specified in the [kdcdefaults] section is used.

       kdc_tcp_ports
              This  string  specifies  the  list  of  ports that the KDC is to
              listen to for TCP requests for  this  realm.   By  default,  the
              value of kdc_tcp_ports as specified in the [kdcdefaults] section
              is used.

       master_key_name
              This string specifies the name of the principal associated  with
              the master key.  The default value is K/M.

       master_key_type
              This key type string represents the master key's key type.

       max_life
              This  delta  time string specifes the maximum time period that a
              ticket may be valid for in this realm.

       max_renewable_life
              This delta time string specifies the maximum time period that  a
              ticket may be renewed for in this realm.

       iprop_enable
              This  boolean  ("true" or "false") specifies whether incremental
              database propagation is enabled.  The default is "false".

       iprop_master_ulogsize
              This numeric value specifies the maximum number of  log  entries
              to  be  retained for incremental propagation.  The maximum value
              is 2500; default is 1000.

       iprop_slave_poll
              This delta time string specfies how often the  slave  KDC  polls
              for  new updates from the master.  Default is "2m" (that is, two
              minutes).

       supported_enctypes
              list of key:salt strings that  specifies  the  default  key/salt
              combinations of principals for this realm

       reject_bad_transit
              this  boolean  specifies  whether  or  not the list of transited
              realms for cross-realm tickets should  be  checked  against  the
              transit  path  computed  from  the realm names and the [capaths]
              section of its krb5.conf file

FILES

       /etc/krb5kdc/kdc.conf

SEE ALSO

       krb5.conf(5), krb5kdc(8)

                                                                   KDC.CONF(5)