[realms]

Each tag in the [realms] section of the file names a Kerberos realm. The value of the tag is a subsection where the relations in that subsection define KDC parameters for that particular realm.

For each realm, the following tags may be specified in the [realms] subsection:

acl_file

(String.) Location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions on the database. The default is /usr/local/var/krb5kdc/kadm5.acl.

admin_keytab

(String.) Location of the keytab file that the legacy administration daemons kadmind4 and v5passwdd use to authenticate to the database. The default is /usr/local/var/krb5kdc/kadm5.keytab.

database_name

(String.) Location of the Kerberos database for this realm. The default is
/usr/local/var/krb5kdc/principal.

default_principal_expiration

(Absolute time string.) Specifies the default expiration date of principals created in this realm. The default value for this tag is 0.

default_principal_flags

(Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The default is postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets, and service enabled..

There are a number of possible flags:

postdateable

Enabling this flag allows the principal to obtain postdateable tickets.

forwardable

Enabling this flag allows the principal to obtain forwardable tickets.

tgt-based

Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT.

renewable

Enabling this flag allows the principal to obtain renewable tickets.

proxiable

Enabling this flag allows the principal to obtain proxy tickets.

dup-skey

Enabling this flag allows the principal to obtain a session key for another user, permitting user-to-user authentication for this principal.

allow-tickets

Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm.

preauth

If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated ticket set.

hwauth

If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets.

pwchange

Enabling this flag forces a password change for this principal.

service

Enabling this flag allows the the KDC to issue service tickets for this principal.

pwservice

If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password.

dict_file

(String.) Location of the dictionary file containing strings that are not allowed as passwords. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed.

kadmind_port

(Port number.) Specifies the port on which the kadmind daemon is to listen for this realm. The assigned port for kadmind is 749.

kpasswd_port

(Port number.) Specifies the port on which the kpasswd daemon is to listen for this realm. The default is 464.

key_stash_file

(String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is /usr/local/var/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.

kdc_ports

(String.) Specifies the list of ports that the KDC is to listen to for UDP requests for this realm. By default, the value of kdc_ports as specified in the [kdcdefaults] section is used.

kdc_tcp_ports

(String.) Specifies the list of ports that the KDC is to listen to for TCP requests for this realm. By default, the value of kdc_tcp_ports as specified in the [kdcdefaults] section is used.

master_key_name

(String.) Specifies the name of the principal associated with the master key. The default is K/M.

master_key_type

(Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see Supported Encryption Types.

max_life

(Delta time string.) Specifes the maximum time period for which a ticket may be valid in this realm. The default value is 10 hours.

max_renewable_life

(Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.

supported_enctypes

List of key:salt strings. Specifies the default key/salt combinations of principals for this realm. Any principals created through kadmin will have keys of these types. The default value for this tag is des3-hmac-sha1:normal des-cbc-crc:normal. For lists of possible values, see Supported Encryption Types and Salts.

reject_bad_transit

A boolean value (true, false). If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its krb5.conf file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path.

If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the reject_bad_transit option will cause such ticket requests to be rejected always.

This transit path checking and config file option currently apply only to TGS requests.

Earlier versions of the MIT release (before 1.2.3) had bugs in the application server support such that the server-side checks may not be performed correctly. We recommend turning this option on, unless you know that all application servers in this realm have been updated to fixed versions of the software, and for whatever reason, you don't want the KDC to do the validation.

This is a per-realm option so that multiple-realm KDCs may control it separately for each realm, in case (for example) one realm has had the software on its application servers updated but another has not.

This option defaults to true.