Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.
For each realm, the following tags may be specified in the [realms] subsection:
acl_file
    Location of the access control list (acl) file. The default is /usr/local/var/krb5kdc/kadm5.acl.

admin_keytab
    Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is /usr/local/var/krb5kdc/kadm5.keytab.
database_name
    Location of the Kerberos database for this realm. The default is /usr/local/var/krb5kdc/principal.

default_principal_flags
    Specifies the default attributes of principals created in this realm. There are a number of possible flags:
key_stash_file
    Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
supported_enctypes
    List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is des3-hmac-sha1:normal des-cbc-crc:normal. For lists of possible values, see Supported Encryption Types and Salts.
reject_bad_transit
    (true, false). If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyway, and it will be left up to the application server to validate the realm transit path.

    If the disable-transited-check flag is set in the incoming request, the KDC does not perform this check at all; with reject_bad_transit enabled, such requests are always rejected.

    This transit path checking and config file option currently apply only to TGS requests.

    Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don't want the KDC to do the validation.

    This is a per-realm option so that multiple-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not.

    This option defaults to true.
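The following is an added model of the transit check described above, not code from the MIT krb5 KDC or this manual page. It assumes a constructed [capaths] table and represents the ticket's transited field as a plain list of realm names (the real field is a compressed encoding), and it treats a missing capaths entry as "no intermediate realms allowed" rather than falling back to a hierarchical path.

```python
# Constructed [capaths] data in krb5.conf form: client realm -> server realm -> intermediates.
# A value of "." means the two realms share a direct trust with no intermediate realm.
CAPATHS = {
    "ANL.GOV": {
        "TEST.ANL.GOV": ["."],
        "PNL.GOV": ["ES.NET"],
        "NERSC.GOV": ["ES.NET"],
        "ES.NET": ["."],
    },
}


def computed_path(client_realm, server_realm):
    """Intermediate realms that [capaths] permits between client_realm and server_realm.

    Simplification (assumption of this example): an absent entry means no
    intermediates are allowed; the real KDC derives a hierarchical path instead.
    """
    hops = CAPATHS.get(client_realm, {}).get(server_realm, ["."])
    return {hop for hop in hops if hop != "."}


def tgs_transit_decision(client_realm, server_realm, transited,
                         reject_bad_transit=True, disable_transited_check=False):
    """Decide whether a cross-realm TGS request is issued or rejected.

    transited: realm names already recorded in the presented ticket.
    Returns a (decision, reason) tuple with decision "issue" or "reject".
    """
    if disable_transited_check:
        # The client asked the KDC to skip the check; with reject_bad_transit
        # enabled the request is refused outright, otherwise it is issued unchecked.
        if reject_bad_transit:
            return ("reject", "disable-transited-check requested while reject_bad_transit=true")
        return ("issue", "check skipped at client request; application server must validate")
    if not reject_bad_transit:
        return ("issue", "reject_bad_transit=false; application server must validate")
    unexpected = set(transited) - computed_path(client_realm, server_realm)
    if unexpected:
        return ("reject", "realms not in computed path: " + ", ".join(sorted(unexpected)))
    return ("issue", "transited realms match the capaths-derived path")
```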