The kdc.conf file contains information that includes the defaults
used when Kerberos tickets are issued by a KDC. It also contains
the defaults for the Kerberos database, the
acl file, the admin keytab file, and so on. The kdc.conf file is installed in the /var/adm/krb5/krb5kdc directory.
You can override the default location by setting the environment
variable 'KRB5_KDC_PROFILE'.
The syntax to set the environment variable is as follows:
export KRB5_KDC_PROFILE=<PATH>
The kdc.conf file uses the INI file style. Each section is
headed by the section name in square brackets, [ ]. The sections
in the kdc.conf file are described below.
The [kdcdefaults] section in the kdc.conf file contains the default values of the KDC. The following
relation is defined in this section:
- kdc_ports
This relation lists the port numbers on which the Kerberos
server listens by default. The value is a comma-separated
list of integers. If this relation is not specified,
the default ports are used; the default ports are usually 88 and 750.
The [realms]
section in the kdc.conf file contains details of the Kerberos realms.
Each tag in the [realms] section names a Kerberos realm. The value of the tag
is a subsection, which defines the KDC parameters
for that particular realm. For each realm, the following tags can be
specified in the [realms] subsection:
- acl_file
The location of the access control list (acl) file, which kadmin uses to determine the permissions that principals
have on the database.
- admin_keytab
The location of the keytab file that kadmin uses to authenticate to the database. The default location
is '/var/adm/krb5/krb5kdc/kadm5.keytab'.
- database_name
The location of the Kerberos database for the realm. The default location is '/var/adm/krb5/krb5kdc/principal'.
- default_principal_expiration
Specifies the default expiration date of the principals
created in the realm.
- default_principal_flags
Specifies the default attributes of the principals
created in the realm.
- dict_file
The location of the dictionary file that contains strings that
are not allowed as passwords.
- kadmin_port
Specifies the port number on which kadmind listens for this realm. The default port number
for kadmind is 749.
- key_stash_file
Specifies the location where the master
key is stored. The default location is '/var/adm/krb5/krb5kdc/.k5.<Your_Realm_Name>'.
- kdc_ports
Specifies the list of ports on which the KDC
listens for this realm. By default, the value of kdc_ports specified in the [kdcdefaults] section is used.
- master_key_name
Specifies the name of the master key.
- master_key_type
Specifies the master key's key type. The default
key type is 'des-cbc-crc'.
- max_life
Specifies the maximum time period for which a ticket may
be valid in this realm.
- max_renewable_life
Specifies the maximum time period during which a
valid ticket may be renewed in this realm.
- supported_enctypes
Specifies the default key/salt combinations of principals
for this realm. The following encryption types are currently supported:
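As an added example (not part of the original documentation), the following Python parses the INI-style layout described above, with [kdcdefaults] relations and one subsection per realm under [realms], and then applies the documented defaults: a realm without kdc_ports inherits the [kdcdefaults] value (88,750 if that is absent too) and a realm without master_key_type gets des-cbc-crc. The sample configuration, its acl/dict file paths and the AES enctype name are constructed assumptions, and the brace syntax for realm subsections is the MIT-style form.

```python
import re
# Constructed sample kdc.conf for this example (not from the page); realm
# subsections use MIT-style braces, and the AES enctype name is assumed.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    EXAMPLE.COM = {
        acl_file = /var/adm/krb5/krb5kdc/kadm5.acl
        max_life = 10h 0m 0s
    }
    LAB.EXAMPLE.COM = {
        kdc_ports = 8888
        master_key_type = aes256-cts-hmac-sha1-96
        dict_file = /var/adm/krb5/krb5kdc/dict
    }
"""
def parse_kdc_conf(text):
    """Parse kdc.conf ('#' starts a comment) into {section: {tag: value}}."""
    conf, section, realm = {}, None, None
    for line in filter(None, (ln.split("#", 1)[0].strip() for ln in text.splitlines())):
        hdr = re.fullmatch(r"\[(\w+)\]", line)
        if hdr:                              # section header, e.g. [realms]
            section, realm = hdr.group(1), None
            conf.setdefault(section, {})
        elif section is None:
            raise ValueError("relation outside any section: %r" % line)
        elif line.endswith("{"):             # start of a realm subsection
            realm = line[:-1].rstrip().rstrip("=").strip()
            conf[section][realm] = {}
        elif line == "}":                    # end of the realm subsection
            realm = None
        else:
            tag, _, value = line.partition("=")
            target = conf[section][realm] if realm else conf[section]
            target[tag.strip()] = value.strip()
    return conf
def audit_realms(conf):
    """Resolve effective KDC ports per realm and flag risky settings."""
    default_ports = conf.get("kdcdefaults", {}).get("kdc_ports", "88,750")
    report = {}
    for realm, tags in conf.get("realms", {}).items():
        ports = [int(p) for p in tags.get("kdc_ports", default_ports).split(",")]
        findings = []
        if tags.get("master_key_type", "des-cbc-crc") == "des-cbc-crc":
            findings.append("master_key_type is des-cbc-crc (the single-DES default)")
        if "dict_file" not in tags:
            findings.append("no dict_file: weak passwords are not rejected")
        report[realm] = {"kdc_ports": ports, "findings": findings}
    return report
```

Running audit_realms(parse_kdc_conf(SAMPLE_KDC_CONF)) reports both findings for EXAMPLE.COM, which relies on the defaults, and none for LAB.EXAMPLE.COM.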