Sample kdc.conf
Hello,
I have a bug report against the Debian package that the sample kdc.conf
I supplied was inappropriate for Heimdal.
<URL:http://bugs.debian.org/210575>.
Since I couldn't find any existing sample kdc.conf to use for this
purpose, I have gone through the code and kdc man page and attempted to
create a new sample kdc.conf file.
I also noticed some errors:
* Man page refers to enforce-transited-policy and the source code refers
to it, but the return value is not assigned to anything:
krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
"enforce-transited-policy", NULL);
* I have a suspicion enforce-transited-policy has been replaced with
transited-policy but transited-policy is not documented.
* man page says default value of check-ticket-addresses is false,
but my reading of the source code suggests it is true.
* database = { ... } doesn't seem to be documented anywhere.
* Same for logging, key-file, detach, default_keys, and use_v4_salt.
I would appreciate any comments, corrections or improvements.
Thanks.
--
Brian May <bam@snoopy.apana.org.au>
[kdc]
logging = FILE:/var/log/heimdal-kdc.log
# key-file = /var/lib/heimdal-kdc/key-file
# detach = boolean
# database = {
# [realm = string]
# [dbname = string]
# [mkey_file = string]
# [log_file = string]
# [acl_file = string]
# }
# database = {
# realm = string
# ...
# }
# database = {
# realm = string
# ...
# }
# Gives an upper limit on the size of the requests that the kdc is
# willing to handle.
# max-request = integer
# Turn off the requirement for pre-authentication in the initial
# AS-REQ for all principals. The use of pre-authentication makes it
# more difficult to do offline password attacks. You might want to
# turn it off if you have clients that don't support
# pre-authentication. Since the version 4 protocol doesn't support any
# pre-authentication, serving version 4 clients is just about the same
# as not requiring pre-authentication. The default is to require
# pre-authentication. Adding the require-preauth per principal is
# a more flexible way of handling this.
# require-preauth = boolean
# Specifies the set of ports the KDC should listen on. It is given
# as a white-space separated list of services or port numbers.
# ports = 88,750
# The list of addresses to listen for requests on. By default, the
# kdc will listen on all the locally configured addresses. If only
# a subset is desired, or the automatic detection fails, this
# option might be used.
# addresses = list of ip addresses
# respond to Kerberos 4 requests
# enable-kerberos4 = false
# respond to Kerberos 4 requests from foreign realms. This is a
# known security hole and should not be enabled unless you
# understand the consequences and are willing to live with them.
# enable-kerberos4-cross-realm = false
# respond to 524 requests
# enable-524 = value of enable-kerberos4
# Makes the kdc listen on port 80 and handle requests encapsulated
# in HTTP.
# enable-http = boolean
# What realm this server should act as when dealing with version 4
# requests. The database can contain any number of realms, but
# since the version 4 protocol doesn't contain a realm for the
# server, it must be explicitly specified. The default is whatever
# is returned by krb_get_lrealm(). This option is only available if
# the KDC has been compiled with version 4 support.
# v4-realm = string
# Enable kaserver emulation (in case it's compiled in).
# enable-kaserver = false
# Check the addresses in the ticket when processing TGS requests.
# check-ticket-addresses = true
# Permit tickets with no addresses. This option is only
# relevant when check-ticket-addresses is TRUE.
# allow-null-ticket-addresses = true
# Permit anonymous tickets with no addresses.
# allow-anonymous = boolean
# Always verify the transited policy, ignoring the
# disable-transited-check flag if set in the KDC client request.
# transited-policy = {always-check,allow-per-principal,always-honour-request}
# Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE
# code. The Heimdal clients allow both.
# encode_as_rep_as_tgs_rep = boolean
# How long before password/principal expiration the KDC should
# start sending out warning messages.
# kdc_warn_pwexpire = time
# Specifies the set of ports the KDC should listen on. It is given
# as a white-space separated list of services or port numbers.
# kdc_ports = 88,750
# [password_quality]
# check_library = LIBRARY
# check_function = FUNCTION
# min_length = value
# [kadmin]
# default_keys = list of strings
# use_v4_salt = boolean
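As an added illustration (not part of the posted message or of Heimdal), the following Python reads a file in the [section] / key = value / key = { ... } format used by the sample above and flags the [kdc] options the sample documents when their effective value is weaker than the documented default. The defaults are taken as the sample states them (including check-ticket-addresses = true, which follows the poster's reading of the source rather than the man page); the realm and paths in the constructed input are placeholders.

```python
# Constructed sample, modelled on the [kdc] section posted above, with two
# options deliberately set to weak values so the audit has something to find.
SAMPLE_KDC_CONF = """\
[kdc]
    logging = FILE:/var/log/heimdal-kdc.log
    require-preauth = false
    enable-kerberos4-cross-realm = true
    database = {
        realm = EXAMPLE.ORG
        dbname = /var/lib/heimdal-kdc/heimdal
    }
    # check-ticket-addresses = true
"""

def parse_kdc_conf(text):
    """Parse the Heimdal/krb5.conf style: [section], key = value and
    key = { ... } nested blocks. Returns nested dicts; lines whose first
    non-blank character is '#' are comments."""
    root = {}
    stack = [root]                      # innermost dict is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]   # new section
            continue
        if line == "}":
            stack.pop()                 # close nested block
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root

# option -> (default as documented in the sample, value a defender wants)
CHECKS = {
    "require-preauth": ("true", "true"),
    "check-ticket-addresses": ("true", "true"),
    "enable-kerberos4": ("false", "false"),
    "enable-kerberos4-cross-realm": ("false", "false"),
}

def audit_kdc(conf):
    """Return (option, effective value) for every [kdc] option in CHECKS
    whose effective value (explicit or default) differs from the wanted one."""
    kdc = conf.get("kdc", {})
    return [(opt, str(kdc.get(opt, default)).lower())
            for opt, (default, wanted) in CHECKS.items()
            if str(kdc.get(opt, default)).lower() != wanted]
```

Running `audit_kdc(parse_kdc_conf(SAMPLE_KDC_CONF))` on the constructed input reports the disabled pre-authentication and the cross-realm Kerberos 4 setting, while the commented-out check-ticket-addresses line is treated as its default.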