Provided by: krb5-kdc_1.10+dfsg~beta1-2_amd64

NAME

       kdc.conf - Kerberos V5 KDC configuration file

DESCRIPTION

       kdc.conf   specifies   per-realm  configuration  data  to  be  used  by  the  Kerberos  V5
       Authentication Service and Key Distribution Center (AS/KDC).  This includes database,  key
       and per-realm defaults.

       The  kdc.conf file uses the same format as the krb5.conf file.  For a basic description of
       the syntax, please refer to the krb5.conf description.

       The following sections are currently used in the kdc.conf file:

       [kdcdefaults]
              Contains parameters which control the overall behaviour of the KDC.

       [realms]
              Contains subsections keyed by Kerberos realm names  which  describe  per-realm  KDC
              parameters.

KDCDEFAULTS SECTION

       The following relations are defined in the [kdcdefaults] section:

       kdc_ports
              This  relation  lists  the  ports  which  the  Kerberos server should listen on, by
              default.  This list is a comma separated list of integers.  If this relation is not
              specified, the compiled-in default is usually port 88 and port 750.

       kdc_tcp_ports
              This  relation  lists  the ports on which the Kerberos server should listen for TCP
              connections by default.  This list is a comma separated list of integers.  If  this
              relation  is  not  specified,  the  compiled-in  default  is  not to listen for TCP
              connections at all.

              If you wish to change  this  (which  we  do  not  recommend,  because  the  current
              implementation  has  little  protection  against  denial-of-service  attacks),  the
              standard port number assigned for Kerberos TCP traffic is port 88.

       v4_mode
              This string specifies how the KDC should respond  to  Kerberos  IV  packets.  Valid
              values  for  this  relation  are  the same as the valid arguments to the -4 flag to
              krb5kdc.  If this relation is not specified, the compiled-in  default  of  none  is
              used.

REALMS SECTION

       Each tag in the [realms] section of the file names a Kerberos realm.  The value of the tag
       is a subsection where the relations in that subsection  define  KDC  parameters  for  that
       particular realm.

       For each realm, the following tags may be specified in the [realms] subsection:

       acl_file
              This  string  specifies  the  location  of  the access control list (acl) file that
              kadmin uses to determine which principals are  allowed  which  permissions  on  the
              database. The default value is /etc/krb5kdc/kadm5.acl.

       admin_keytab
              This string specifies the location of the keytab file that kadmin uses to
              authenticate to the database.  The default value is /etc/krb5kdc/kadm5.keytab.

       database_name
              This string specifies the location of the Kerberos database for this realm.

       default_principal_expiration
              This absolute time string specifies  the  default  expiration  date  of  principals
              created in this realm.

       default_principal_flags
              This  flag  string  specifies  the default attributes of principals created in this
              realm.  The format for the string is a comma-separated  list  of  flags,  with  '+'
              before  each  flag  to  be  enabled  and  '-' before each flag to be disabled.  The
              default is for postdateable, forwardable, tgt-based, renewable, proxiable,
              dup-skey, allow-tickets, and service to be enabled, and all others to be disabled.

              There are a number of possible flags:

              postdateable
                     Enabling this flag allows the principal to obtain postdateable tickets.

              forwardable
                     Enabling this flag allows the principal to obtain forwardable tickets.

              tgt-based
                     Enabling  this  flag allows a principal to obtain tickets based on a ticket-
                     granting-ticket, rather than repeating the authentication process  that  was
                     used to obtain the TGT.

              renewable
                     Enabling this flag allows the principal to obtain renewable tickets.

              proxiable
                     Enabling this flag allows the principal to obtain proxy tickets.

              dup-skey
                     Enabling  this flag allows the principal to obtain a session key for another
                     user, permitting user-to-user authentication for this principal.

              allow-tickets
                     Enabling this flag means that the KDC will issue tickets for this principal.
                     Disabling this flag essentially deactivates the principal within this realm.

              preauth
                     If  this  flag  is  enabled  on  a  client principal, then that principal is
                     required to preauthenticate to the KDC before receiving any tickets.   On  a
                     service  principal,  enabling  this flag means that service tickets for this
                     principal  will  only  be  issued  to  clients  with  a  TGT  that  has  the
                     preauthenticated ticket set.

              hwauth If  this  flag is enabled, then the principal is required to preauthenticate
                     using a hardware device before receiving any tickets.

              pwchange
                     Enabling this flag forces a password change for this principal.

              service
                     Enabling this flag allows the KDC to issue service tickets for this
                     principal.

              pwservice
                     If  this  flag  is  enabled,  it  marks  this principal as a password change
                     service.  This should only be used in  special  cases,  for  example,  if  a
                     user's  password has expired, the user has to get tickets for that principal
                     to  be  able  to  change  it  without  going  through  the  normal  password
                     authentication.

       dict_file
              This string specifies the location of the dictionary file containing strings
              that are not allowed as passwords.  If this tag is not set or if there is no
              policy assigned to the principal, then no check will be done.

       kadmind_port
              This  port  number  specifies the port on which the kadmind daemon is to listen for
              this realm.

       kpasswd_port
              This port number specifies the port on which the kadmind daemon is  to  listen  for
              this realm.

       key_stash_file
              This  string  specifies  the  location  where  the  master key has been stored with
              kdb5_stash.

       kdc_ports
              This string specifies the list of ports that the KDC  is  to  listen  to  for  this
              realm.   By  default,  the  value  of  kdc_ports  as specified in the [kdcdefaults]
              section is used.

       kdc_tcp_ports
              This string specifies the list of ports that the  KDC  is  to  listen  to  for  TCP
              requests  for  this  realm.  By default, the value of kdc_tcp_ports as specified in
              the [kdcdefaults] section is used.

       master_key_name
              This string specifies the name of the principal associated  with  the  master  key.
              The default value is K/M.

       master_key_type
              This key type string represents the master key's key type.

       max_life
              This delta time string specifies the maximum time period that a ticket may be valid
              for in this realm.

       max_renewable_life
              This delta time string specifies the maximum time  period  that  a  ticket  may  be
              renewed for in this realm.

       iprop_enable
              This boolean ("true" or "false") specifies whether incremental database propagation
              is enabled.  The default is "false".

       iprop_master_ulogsize
              This numeric value specifies the maximum number of log entries to be  retained  for
              incremental propagation.  The maximum value is 2500; default is 1000.

       iprop_slave_poll
              This delta time string specifies how often the slave KDC polls for new updates from
              the master.  Default is "2m" (that is, two minutes).

       supported_enctypes
              This list of key:salt strings specifies the default key/salt combinations of
              principals for this realm.

       reject_bad_transit
              This boolean specifies whether or not the list of transited realms for
              cross-realm tickets should be checked against the transit path computed from
              the realm names and the [capaths] section of its krb5.conf file.
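       The following is an added example, not part of this manual page or of the MIT krb5
       sources: a small Python parser for the krb5.conf-style syntax kdc.conf uses, applied
       to a constructed kdc.conf fragment, together with the two lookups described above: the
       per-realm kdc_ports / kdc_tcp_ports override of [kdcdefaults], and the effective
       attribute set that a default_principal_flags string yields when applied to the
       documented defaults.  The realm name, port values and flag string are made up for the
       example.

```python
# Flags the man page lists as enabled by default; everything else starts disabled.
DEFAULT_ENABLED = {"postdateable", "forwardable", "tgt-based", "renewable",
                   "proxiable", "dup-skey", "allow-tickets", "service"}
ALL_FLAGS = DEFAULT_ENABLED | {"preauth", "hwauth", "pwchange", "pwservice"}

# Constructed sample kdc.conf (not a real deployment).
SAMPLE = """[kdcdefaults]
    kdc_ports = 88,750
[realms]
    EXAMPLE.COM = {
        kdc_tcp_ports = 88
        default_principal_flags = +preauth,-postdateable,-proxiable
        max_life = 10h 0m 0s
    }
"""


def parse_kdc_conf(text):
    """Parse [section] headers, key = value relations and { } subsections into nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_ports(conf, realm, relation):
    """Realm-level kdc_ports/kdc_tcp_ports override [kdcdefaults]; unset yields []."""
    value = conf["realms"][realm].get(relation, conf.get("kdcdefaults", {}).get(relation, ""))
    return [int(p) for p in value.split(",") if p.strip()]


def effective_flags(flag_string):
    """Apply a '+flag,-flag' list to the default set and return the enabled flags."""
    enabled = set(DEFAULT_ENABLED)
    for item in (s.strip() for s in flag_string.split(",") if s.strip()):
        sign, name = item[0], item[1:]
        if sign not in "+-" or name not in ALL_FLAGS:
            raise ValueError("bad flag: " + item)
        (enabled.add if sign == "+" else enabled.discard)(name)
    return enabled
```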

FILES

       /etc/krb5kdc/kdc.conf

SEE ALSO

       krb5.conf(5), krb5kdc(8)

                                                                                      KDC.CONF(5)