LdapPro forum » Kerberos & GSS-API
Topic: What's inside krb5.conf? -- The [realms] section
eLDAP (member; posts: 107; joined: 08/02/2006; from: Austin, TX) posted on 02/10/2010 08:52:22 PM:
What's inside krb5.conf? -- The [realms] section
The [realms] section contains subsections for Kerberos realms, where relation-subsection is the name of a realm. Each subsection contains relations that define the properties for that particular realm. The following relations can be specified in this subsection:

admin_server
Identifies the host where the Kerberos administration daemon (kadmind) is running. Typically, this is the master KDC.

application defaults
Application defaults that are specific to a particular realm can be specified within a [realms] subsection. Realm-specific application defaults override the global defaults specified in the [appdefaults] section.

auth_to_local_realm
For use in the default realm, non-default realms can be equated with the default realm for authenticated name-to-local name mapping.

auth_to_local_names
This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name and the value is the corresponding local user name.

auth_to_local
This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.

database_module
Selects the dbmodule section entry to use to access the Kerberos database.

extra_addresses...
This allows a computer to use multiple local addresses, to allow Kerberos to work in a network that uses NATs. The addresses should be in a comma-separated list.

kdc
The name of a host running a KDC for that realm. An optional port number (separated from the hostname by a colon) can be included.

kpasswd_server
Identifies the host where the Kerberos password-changing server is running. Typically, this is the same as host indicated in the admin_server. If this parameter is omitted, the host in admin_server is used. You can also specify a port number if the server indicated by kpasswd_server runs on a port other than 464 (the default). The format of this parameter is: hostname[:port].

kpasswd_protocol
Identifies the protocol to be used when communicating with the server indicated by kpasswd_server. By default, this parameter is defined to be RPCSEC_GSS, which is the protocol used by Solaris-based administration servers. To be able to change a principal's password stored on a non-Solaris Kerberos server, such as Microsoft Active Directory or MIT Kerberos, this value should be SET_CHANGE. This indicates that a non-RPC-based protocol is used to communicate the password change request to the server in the kpasswd_server entry.

udp_preference_limit
When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above udp_preference_limit. If the message is smaller than udp_preference_limit, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.

verify_ap_req_nofail [true | false]
If true, the local keytab file (/etc/krb5/krb5.keytab) must contain an entry for the local host principal, for example, host/foo.bar.com@FOO.COM. This entry is needed to verify that the TGT requested was issued by the same KDC that issued the key for the host principal. If undefined, the behavior is as if this option were set to true. Setting this value to false leaves the system vulnerable to DNS spoofing attacks. This parameter might be in the [realms] section to set it on a per-realm basis, or it might be in the [libdefaults] section to make it a network-wide setting for all realms.

The parameters “forwardable”, “proxiable”, and “renew_lifetime” as described in the [libdefaults] section (see above) are also valid in the [realms] section.

Notice that kpasswd_server and kpasswd_protocol are realm-specific parameters. Most often, you need to specify them only when using a non-Solaris-based Kerberos server. Otherwise, the change request is sent over RPCSEC_GSS to the Solaris Kerberos administration server.

eLDAP (member; posts: 107; joined: 08/02/2006; from: Austin, TX) posted on 02/10/2010 08:53:31 PM:
An Example

[realms]
   ATHENA.MIT.EDU = { 
      kdc = kerberos.mit.edu
      kdc = kerberos-1.mit.edu
      kdc = kerberos-2.mit.edu
      admin_server = kerberos.mit.edu
      auth_to_local_realm = KRBDEV.ATHENA.MIT.EDU
   }

   FUBAR.ORG = { 
      kdc = kerberos.fubar.org
      kdc = kerberos-1.fubar.org
      admin_server = kerberos.fubar.org
   }

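An added example, not taken from either post and not the code of any Kerberos implementation: a small Python parser for the [realms] section in the format shown above, run over a constructed krb5.conf fragment. The defaults it applies come from the first post (kpasswd_server falls back to admin_server, port 464 is the default, and verify_ap_req_nofail behaves as true when undefined); the realm and host names are made up, and the handling of comment lines and of nested subsections such as auth_to_local_names is this example's own assumption about the file format.

```python
"""Parse the [realms] section of a krb5.conf-style file and audit each realm."""
import re
from typing import Dict, List

# Constructed sample for this example; the realm and host names are invented.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.TEST

[realms]
    EXAMPLE.TEST = {
        kdc = kdc1.example.test:88
        kdc = kdc2.example.test
        admin_server = kdc1.example.test
        auth_to_local_realm = CORP.EXAMPLE.TEST
        auth_to_local_names = {
            admin@EXAMPLE.TEST = root
        }
    }

    # Realm served by a non-Solaris KDC; password changes use SET_CHANGE
    CORP.EXAMPLE.TEST = {
        kdc = dc1.corp.example.test
        admin_server = dc1.corp.example.test
        kpasswd_server = dc1.corp.example.test:464
        kpasswd_protocol = SET_CHANGE
        verify_ap_req_nofail = false
    }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]\s*$")          # e.g. [realms]
SUBSECTION_RE = re.compile(r"^(\S+)\s*=\s*\{\s*$")  # e.g. EXAMPLE.TEST = {
RELATION_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*$") # e.g. kdc = host:port


def parse_realms(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {realm: {relation: [values...]}} for the [realms] section.
    Repeated relations such as 'kdc' keep every value in file order.
    Nested subsections inside a realm are skipped (assumption of this example)."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    in_realms = False
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            in_realms = m.group(1) == "realms"
            current, depth = None, 0
            continue
        if not in_realms:
            continue
        if current is not None and line.endswith("{"):
            depth += 1                      # nested subsection, e.g. auth_to_local_names
            continue
        m = SUBSECTION_RE.match(line)
        if m and current is None:
            current, depth = m.group(1), 0  # start of a realm subsection
            realms.setdefault(current, {})
            continue
        if line == "}":
            if depth:
                depth -= 1
            else:
                current = None
            continue
        m = RELATION_RE.match(line)
        if m and current is not None and depth == 0:
            realms[current].setdefault(m.group(1), []).append(m.group(2))
    return realms


def effective_settings(realm: Dict[str, List[str]]) -> dict:
    """Apply the defaults described in the post to one realm's relations."""
    admin = realm.get("admin_server", [None])[0]
    kpasswd = realm.get("kpasswd_server", [admin])[0]
    if kpasswd and ":" not in kpasswd:
        kpasswd = f"{kpasswd}:464"          # 464 is the default kpasswd port
    verify = realm.get("verify_ap_req_nofail", ["true"])[0].lower() == "true"
    return {
        "kdcs": realm.get("kdc", []),
        "admin_server": admin,
        "kpasswd_server": kpasswd,
        "kpasswd_protocol": realm.get("kpasswd_protocol", ["RPCSEC_GSS"])[0],
        "verify_ap_req_nofail": verify,
    }


def audit(text: str) -> Dict[str, List[str]]:
    """Per-realm findings: realms without any kdc, and realms that disable
    verify_ap_req_nofail, which the post notes exposes the host to DNS spoofing."""
    findings: Dict[str, List[str]] = {}
    for name, relations in parse_realms(text).items():
        eff = effective_settings(relations)
        issues = []
        if not eff["kdcs"]:
            issues.append("no kdc defined")
        if not eff["verify_ap_req_nofail"]:
            issues.append("verify_ap_req_nofail = false (host keytab check disabled)")
        findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_KRB5_CONF)` reports nothing for EXAMPLE.TEST and flags CORP.EXAMPLE.TEST for the disabled verify_ap_req_nofail; `effective_settings` is where the fallbacks described in the first post are made explicit, so a reviewer sees the kpasswd host and port a client will actually contact rather than only what the file literally says.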