Diffstat (limited to 'crypto/krb5/doc/pdf/admin.tex')
-rw-r--r-- | crypto/krb5/doc/pdf/admin.tex | 1613 |
1 files changed, 914 insertions, 699 deletions
diff --git a/crypto/krb5/doc/pdf/admin.tex b/crypto/krb5/doc/pdf/admin.tex index 8a67a6d0423c..42c2b5ba486e 100644 --- a/crypto/krb5/doc/pdf/admin.tex +++ b/crypto/krb5/doc/pdf/admin.tex @@ -10,6 +10,9 @@ %% let collapsible pdf bookmarks panel have high depth per default \PassOptionsToPackage{bookmarksdepth=5}{hyperref} +\PassOptionsToPackage{booktabs}{sphinx} +\PassOptionsToPackage{colorrows}{sphinx} + \PassOptionsToPackage{warn}{textcomp} \usepackage[utf8]{inputenc} \ifdefined\DeclareUnicodeCharacter @@ -61,13 +64,18 @@ \title{Kerberos Administration Guide} \date{ } -\release{1.21.3} +\release{1.22\sphinxhyphen{}final} \author{MIT} \newcommand{\sphinxlogo}{\vbox{}} \renewcommand{\releasename}{Release} \makeindex \begin{document} +\ifdefined\shorthandoff + \ifnum\catcode`\=\string=\active\shorthandoff{=}\fi + \ifnum\catcode`\"=\active\shorthandoff{"}\fi +\fi + \pagestyle{empty} \sphinxmaketitle \pagestyle{plain} @@ -76,12 +84,16 @@ \phantomsection\label{\detokenize{admin/index::doc}} +\sphinxstepscope + \chapter{Installation guide} \label{\detokenize{admin/install:installation-guide}}\label{\detokenize{admin/install::doc}} \section{Contents} \label{\detokenize{admin/install:contents}} +\sphinxstepscope + \subsection{Installing KDCs} \label{\detokenize{admin/install_kdc:installing-kdcs}}\label{\detokenize{admin/install_kdc::doc}} @@ -754,6 +766,8 @@ If you expect your Kerberos database to become large, you may wish to set up incremental propagation to replica KDCs. See {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} for details. +\sphinxstepscope + \subsection{Installing and configuring UNIX client machines} \label{\detokenize{admin/install_clients:installing-and-configuring-unix-client-machines}}\label{\detokenize{admin/install_clients::doc}} 
@@ -820,6 +834,8 @@ are running release 1.7 or later, it is also reasonable to leave this section out on client machines and just define it in the KDC’s krb5.conf. +\sphinxstepscope + \subsection{UNIX Application Servers} \label{\detokenize{admin/install_appl_srv:unix-application-servers}}\label{\detokenize{admin/install_appl_srv::doc}} @@ -920,6 +936,8 @@ Solaris: \sphinxhref{https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/ind \end{enumerate} +\sphinxstepscope + \chapter{Configuration Files} \label{\detokenize{admin/conf_files/index:configuration-files}}\label{\detokenize{admin/conf_files/index::doc}} @@ -936,6 +954,8 @@ KDC database. \section{Contents} \label{\detokenize{admin/conf_files/index:contents}} +\sphinxstepscope + \subsection{krb5.conf} \label{\detokenize{admin/conf_files/krb5_conf:krb5-conf}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}}\label{\detokenize{admin/conf_files/krb5_conf::doc}} @@ -978,13 +998,6 @@ or: \end{sphinxVerbatim} \sphinxAtStartPar -Placing a ‘*’ after the closing bracket of a section name indicates -that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears -within a later file specified in \sphinxstylestrong{KRB5\_CONFIG}, it will be ignored. -A subsection can be marked as final by placing a ‘*’ after either the -tag name or the closing brace. - -\sphinxAtStartPar The krb5.conf file can include other files using either of the following directives at the beginning of a line: 
@@ -1006,6 +1019,17 @@ alphanumeric order; in previous releases, they may be read in any order. \sphinxAtStartPar +Placing a ‘*’ after the closing bracket of a section name indicates +that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears +again later, it will be ignored. A subsection can be marked as final +by placing a ‘*’ after either the tag name or the closing brace. A +relation can be marked as final by placing a ‘*’ after the tag name. +Prior to release 1.22, only sections and subsections can be marked as +final, and the flag only causes values to be ignored if they appear in +later files specified in \sphinxstylestrong{KRB5\_CONFIG}, not if they appear later +within the same file or an included file. + +\sphinxAtStartPar The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section 
@@ -1029,54 +1053,55 @@ The krb5.conf file may contain the following sections: \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} & \sphinxAtStartPar Settings used by the Kerberos V5 library \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} & \sphinxAtStartPar Realm\sphinxhyphen{}specific contact information and settings \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} & \sphinxAtStartPar Maps server hostnames to Kerberos realms \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:capaths}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}capaths{]}}}}} & \sphinxAtStartPar Authentication paths for non\sphinxhyphen{}hierarchical cross\sphinxhyphen{}realm \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:appdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}appdefaults{]}}}}} & \sphinxAtStartPar Settings used by some Kerberos V5 applications \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}} & \sphinxAtStartPar Controls plugin module registration \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar 
@@ -1089,21 +1114,21 @@ Additionally, krb5.conf may include any of the relations described in \sphinxAtStartPar The libdefaults section may contain any of the following relations: \begin{description} -\item[{\sphinxstylestrong{allow\_des3}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_des3}} \sphinxAtStartPar Permit the KDC to issue tickets with des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys. In future releases, this flag will allow des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 to be used at all. The default value for this tag is false. (Added in release 1.21.) -\item[{\sphinxstylestrong{allow\_rc4}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_rc4}} \sphinxAtStartPar Permit the KDC to issue tickets with arcfour\sphinxhyphen{}hmac session keys. In future releases, this flag will allow arcfour\sphinxhyphen{}hmac to be used at all. The default value for this tag is false. (Added in release 1.21.) -\item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_weak\_crypto}} \sphinxAtStartPar If this flag is set to false, then weak encryption types (as noted in {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}) will be filtered 
@@ -1111,14 +1136,14 @@ out of the lists \sphinxstylestrong{default\_tgs\_enctypes}, \sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{permitted\_enctypes}. The default value for this tag is false. -\item[{\sphinxstylestrong{canonicalize}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{canonicalize}} \sphinxAtStartPar If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. -\item[{\sphinxstylestrong{ccache\_type}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ccache\_type}} \sphinxAtStartPar This parameter determines the format of credential cache types created by \DUrole{xref,std,std-ref}{kinit(1)} or other programs. The default value @@ -1126,7 +1151,7 @@ is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. -\item[{\sphinxstylestrong{clockskew}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{clockskew}} \sphinxAtStartPar Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is 
@@ -1139,39 +1164,39 @@ their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the \sphinxstylestrong{clockskew} setting. -\item[{\sphinxstylestrong{default\_ccache\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_ccache\_name}} \sphinxAtStartPar This relation specifies the name of the default credential cache. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCCNAME}}}}. This relation is subject to parameter expansion (see below). New in release 1.11. -\item[{\sphinxstylestrong{default\_client\_keytab\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_client\_keytab\_name}} \sphinxAtStartPar This relation specifies the name of the default keytab for obtaining client credentials. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}. This relation is subject to parameter expansion (see below). New in release 1.11. -\item[{\sphinxstylestrong{default\_keytab\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_keytab\_name}} \sphinxAtStartPar This relation specifies the default keytab name to be used by application servers such as sshd. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. This relation is subject to parameter expansion (see below). -\item[{\sphinxstylestrong{default\_rcache\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_rcache\_name}} \sphinxAtStartPar This relation specifies the name of the default replay cache. The default is \sphinxcode{\sphinxupquote{dfl:}}. This relation is subject to parameter expansion (see below). New in release 1.18. -\item[{\sphinxstylestrong{default\_realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_realm}} \sphinxAtStartPar Identifies the default Kerberos realm for the client. 
Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as \DUrole{xref,std,std-ref}{kinit(1)}. -\item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_tgs\_enctypes}} \sphinxAtStartPar Identifies the supported list of session key encryption types that the client should request when making a TGS\sphinxhyphen{}REQ, in order of @@ -1189,7 +1214,7 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. -\item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_tkt\_enctypes}} \sphinxAtStartPar Identifies the supported list of session key encryption types that the client should request when making an AS\sphinxhyphen{}REQ, in order of @@ -1205,7 +1230,7 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. -\item[{\sphinxstylestrong{dns\_canonicalize\_hostname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dns\_canonicalize\_hostname}} \sphinxAtStartPar Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag @@ -1216,7 +1241,7 @@ in release 1.18), DNS canonicalization will only be performed the server hostname is not found with the original name when requesting credentials. The default value is true. -\item[{\sphinxstylestrong{dns\_lookup\_kdc}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dns\_lookup\_kdc}} \sphinxAtStartPar Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the 
@@ -1234,7 +1259,14 @@ it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won’t know. -\item[{\sphinxstylestrong{dns\_uri\_lookup}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dns\_lookup\_realm}} +\sphinxAtStartPar +Indicate whether DNS TXT records should be used to map hostnames +to realm names for hostnames not listed in the {[}domain\_realm{]} +section, and to determine the default realm if \sphinxstylestrong{default\_realm} +is not set. The default value is false. + +\sphinxlineitem{\sphinxstylestrong{dns\_uri\_lookup}} \sphinxAtStartPar Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the @@ -1242,7 +1274,7 @@ krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. -\item[{\sphinxstylestrong{enforce\_ok\_as\_delegate}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{enforce\_ok\_as\_delegate}} \sphinxAtStartPar If this flag to true, GSSAPI credential delegation will be disabled when the \sphinxcode{\sphinxupquote{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}} flag is not set in the 
@@ -1250,13 +1282,13 @@ service ticket. If this flag is false, the \sphinxcode{\sphinxupquote{ok\sphinx ticket flag is only enforced when an application specifically requests enforcement. The default value is false. -\item[{\sphinxstylestrong{err\_fmt}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{err\_fmt}} \sphinxAtStartPar This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for \%M and an error code for \%C in the value. -\item[{\sphinxstylestrong{extra\_addresses}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{extra\_addresses}} \sphinxAtStartPar This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still @@ -1264,12 +1296,12 @@ using address\sphinxhyphen{}restricted tickets. The addresses should be in a comma\sphinxhyphen{}separated list. This option has no effect if \sphinxstylestrong{noaddresses} is true. -\item[{\sphinxstylestrong{forwardable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{forwardable}} \sphinxAtStartPar If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. -\item[{\sphinxstylestrong{ignore\_acceptor\_hostname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ignore\_acceptor\_hostname}} \sphinxAtStartPar When accepting GSSAPI or krb5 security contexts for host\sphinxhyphen{}based service principals, ignore any hostname passed by the calling 
@@ -1280,7 +1312,7 @@ flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. -\item[{\sphinxstylestrong{k5login\_authoritative}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{k5login\_authoritative}} \sphinxAtStartPar If this flag is true, principals must be listed in a local user’s k5login file to be granted login access, if a \DUrole{xref,std,std-ref}{.k5login(5)} @@ -1289,7 +1321,7 @@ granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. -\item[{\sphinxstylestrong{k5login\_directory}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{k5login\_directory}} \sphinxAtStartPar If set, the library will look for a local user’s k5login file within the named directory, with a filename corresponding to the @@ -1298,14 +1330,14 @@ files in the user’s home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. -\item[{\sphinxstylestrong{kcm\_mach\_service}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kcm\_mach\_service}} \sphinxAtStartPar On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \sphinxcode{\sphinxupquote{\sphinxhyphen{}}}, Mach RPC will not be used to contact the KCM daemon. The default value is \sphinxcode{\sphinxupquote{org.h5l.kcm}}. -\item[{\sphinxstylestrong{kcm\_socket}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kcm\_socket}} \sphinxAtStartPar Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is 
@@ -1313,13 +1345,13 @@ KCM daemon for the KCM credential cache type. If the value is daemon. The default value is \sphinxcode{\sphinxupquote{/var/run/.heim\_org.h5l.kcm\sphinxhyphen{}socket}}. -\item[{\sphinxstylestrong{kdc\_default\_options}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_default\_options}} \sphinxAtStartPar Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC\_OPT\_RENEWABLE\_OK). -\item[{\sphinxstylestrong{kdc\_timesync}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_timesync}} \sphinxAtStartPar Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and @@ -1329,13 +1361,13 @@ requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. -\item[{\sphinxstylestrong{noaddresses}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{noaddresses}} \sphinxAtStartPar If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. -\item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{permitted\_enctypes}} \sphinxAtStartPar Identifies the encryption types that servers will permit for session keys and for ticket and authenticator encryption, ordered 
@@ -1344,26 +1376,26 @@ this tag also acts as the default value for \sphinxstylestrong{default\_tgs\_enctypes} and \sphinxstylestrong{default\_tkt\_enctypes}. The default value for this tag is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}. -\item[{\sphinxstylestrong{plugin\_base\_dir}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{plugin\_base\_dir}} \sphinxAtStartPar If set, determines the base directory where krb5 plugins are located. The default value is the \sphinxcode{\sphinxupquote{krb5/plugins}} subdirectory of the krb5 library directory. This relation is subject to parameter expansion (see below) in release 1.17 and later. -\item[{\sphinxstylestrong{preferred\_preauth\_types}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{preferred\_preauth\_types}} \sphinxAtStartPar This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is “17, 16, 15, 14”, which forces libkrb5 to attempt to use PKINIT if it is supported. -\item[{\sphinxstylestrong{proxiable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{proxiable}} \sphinxAtStartPar If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. 
-\item[{\sphinxstylestrong{qualify\_shortname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{qualify\_shortname}} \sphinxAtStartPar If this string is set, it determines the domain suffix for single\sphinxhyphen{}component hostnames when DNS canonicalization is not used @@ -1373,14 +1405,14 @@ search domain of the system’s DNS configuration. To disable qualification of shortnames, set this relation to the empty string with \sphinxcode{\sphinxupquote{qualify\_shortname = ""}}. (New in release 1.18.) -\item[{\sphinxstylestrong{rdns}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{rdns}} \sphinxAtStartPar If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to false, this flag has no effect. The default value is true. -\item[{\sphinxstylestrong{realm\_try\_domains}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{realm\_try\_domains}} \sphinxAtStartPar Indicate whether a host’s domain components should be used to determine the Kerberos realm of the host. The value of this 
@@ -1391,12 +1423,22 @@ Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if \sphinxstylestrong{dns\_lookup\_kdc} is set. The default is not to search domain components. -\item[{\sphinxstylestrong{renew\_lifetime}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{renew\_lifetime}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. -\item[{\sphinxstylestrong{spake\_preauth\_groups}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{request\_timeout}} +\sphinxAtStartPar +(\DUrole{xref,std,std-ref}{duration} string.) Sets the maximum total time for KDC and +password change requests. This timeout does not affect the +intervals between requests, so setting a low timeout may result in +fewer requests being attempted and/or some servers not being +contacted. A value of 0 indicates no specific maximum, in which +case requests will time out if no server responds after several +tries. The default value is 0. (New in release 1.22.) + +\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_groups}} \sphinxAtStartPar A whitespace or comma\sphinxhyphen{}separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values 
@@ -1404,52 +1446,53 @@ are: \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar edwards25519 & \sphinxAtStartPar -Edwards25519 curve (\index{RFC@\spxentry{RFC}!RFC 7748@\spxentry{RFC 7748}}\sphinxhref{https://tools.ietf.org/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}}) +Edwards25519 curve (\index{RFC@\spxentry{RFC}!RFC 7748@\spxentry{RFC 7748}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}}) \\ -\hline +\sphinxhline \sphinxAtStartPar P\sphinxhyphen{}256 & \sphinxAtStartPar -NIST P\sphinxhyphen{}256 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) +NIST P\sphinxhyphen{}256 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ -\hline +\sphinxhline \sphinxAtStartPar P\sphinxhyphen{}384 & \sphinxAtStartPar -NIST P\sphinxhyphen{}384 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) +NIST P\sphinxhyphen{}384 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ -\hline +\sphinxhline \sphinxAtStartPar P\sphinxhyphen{}521 & \sphinxAtStartPar -NIST P\sphinxhyphen{}521 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) +NIST P\sphinxhyphen{}521 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) \\ -\hline +\sphinxbottomrule \end{tabulary} -\par 
+\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar The default value for the client is \sphinxcode{\sphinxupquote{edwards25519}}. The default value for the KDC is empty. New in release 1.17. -\item[{\sphinxstylestrong{ticket\_lifetime}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ticket\_lifetime}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. -\item[{\sphinxstylestrong{udp\_preference\_limit}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{udp\_preference\_limit}} \sphinxAtStartPar When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above @@ -1458,13 +1501,13 @@ before UDP if the size of the message is above Regardless of the size, both protocols will be tried if the first attempt fails. -\item[{\sphinxstylestrong{verify\_ap\_req\_nofail}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{verify\_ap\_req\_nofail}} \sphinxAtStartPar If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. -\item[{\sphinxstylestrong{client\_aware\_channel\_bindings}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{client\_aware\_channel\_bindings}} \sphinxAtStartPar If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports 
@@ -1482,21 +1525,21 @@ realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm’s subsection: \begin{description} -\item[{\sphinxstylestrong{admin\_server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{admin\_server}} \sphinxAtStartPar Identifies the host where the administration server is running. Typically, this is the primary Kerberos server. This tag must be given a value in order to communicate with the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} server for the realm. -\item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{auth\_to\_local}} \sphinxAtStartPar This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: \begin{description} -\item[{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}} \sphinxAtStartPar The local name will be formulated from \sphinxstyleemphasis{exp}. @@ -1514,7 +1557,7 @@ string. The optional \sphinxstylestrong{g} will cause the substitution to be global over the \sphinxstyleemphasis{string}, instead of replacing only the first match in the \sphinxstyleemphasis{string}. -\item[{\sphinxstylestrong{DEFAULT}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{DEFAULT}} \sphinxAtStartPar The principal name will be used as the local user name. If the principal has more than one component or is not in the 
@@ -1545,20 +1588,20 @@ principal with a second component of \sphinxcode{\sphinxupquote{root}}. The exc these two rules are any principals \sphinxcode{\sphinxupquote{johndoe/*}}, which will always get the local name \sphinxcode{\sphinxupquote{guest}}. -\item[{\sphinxstylestrong{auth\_to\_local\_names}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{auth\_to\_local\_names}} \sphinxAtStartPar This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. -\item[{\sphinxstylestrong{default\_domain}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_domain}} \sphinxAtStartPar This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \sphinxcode{\sphinxupquote{rcmd.hostname}} to \sphinxcode{\sphinxupquote{host/hostname.domain}}). -\item[{\sphinxstylestrong{disable\_encrypted\_timestamp}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{disable\_encrypted\_timestamp}} \sphinxAtStartPar If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this @@ -1569,7 +1612,7 @@ This flag persists across client referrals during initial authentication. This flag does not prevent the KDC from offering encrypted timestamp. New in release 1.17. -\item[{\sphinxstylestrong{http\_anchors}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{http\_anchors}} \sphinxAtStartPar When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be 
@@ -1603,30 +1646,31 @@ to a value conforming to one of the previous values. For example, \sphinxcode{\sphinxupquote{ENV:X509\_PROXY\_CA}}, where environment variable \sphinxcode{\sphinxupquote{X509\_PROXY\_CA}} has been set to \sphinxcode{\sphinxupquote{FILE:/tmp/my\_proxy.pem}}. -\item[{\sphinxstylestrong{kdc}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc}} \sphinxAtStartPar -The name or address of a host running a KDC for that realm. An -optional port number, separated from the hostname by a colon, may -be included. If the name or address contains colons (for example, -if it is an IPv6 address), enclose it in square brackets to +The name or address of a host running a KDC for the realm, or a +UNIX domain socket path of a locally running KDC. An optional +port number, separated from the hostname by a colon, may be +included. If the name or address contains colons (for example, if +it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. -\item[{\sphinxstylestrong{kpasswd\_server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpasswd\_server}} \sphinxAtStartPar -Points to the server where all the password changes are performed. -If there is no such entry, DNS will be queried (unless forbidden -by \sphinxstylestrong{dns\_lookup\_kdc}). Finally, port 464 on the \sphinxstylestrong{admin\_server} -host will be tried. +The location of the password change server for the realm, using +the same syntax as \sphinxstylestrong{kdc}. If there is no such entry, DNS will +be queried (unless forbidden by \sphinxstylestrong{dns\_lookup\_kdc}). Finally, +port 464 on the \sphinxstylestrong{admin\_server} host will be tried. 
-\item[{\sphinxstylestrong{master\_kdc}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{master\_kdc}} \sphinxAtStartPar The name for \sphinxstylestrong{primary\_kdc} prior to release 1.19. Its value is used as a fallback if \sphinxstylestrong{primary\_kdc} is not specified. -\item[{\sphinxstylestrong{primary\_kdc}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{primary\_kdc}} \sphinxAtStartPar Identifies the primary KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an @@ -1635,7 +1679,12 @@ primary KDC, in case the user’s password has just been changed, and the updated database has not been propagated to the replica servers yet. New in release 1.19. -\item[{\sphinxstylestrong{v4\_instance\_convert}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{sitename}} +\sphinxAtStartPar +Specifies the name of the host’s site for the purpose of DNS\sphinxhyphen{}based +KDC discovery for this realm. New in release 1.22. + +\sphinxlineitem{\sphinxstylestrong{v4\_instance\_convert}} \sphinxAtStartPar This subsection allows the administrator to configure exceptions to the \sphinxstylestrong{default\_domain} mapping rule. It contains V4 instances @@ -1643,7 +1692,7 @@ to the \sphinxstylestrong{default\_domain} mapping rule. It contains V4 instanc hostname (the tag value) as the second component in a Kerberos V5 principal name. -\item[{\sphinxstylestrong{v4\_realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{v4\_realm}} \sphinxAtStartPar This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used 
@@ -1854,19 +1903,19 @@ New in release 1.9. Each pluggable interface corresponds to a subsection of {[}plugins{]}. All subsections support the same tags: \begin{description} -\item[{\sphinxstylestrong{disable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{disable}} \sphinxAtStartPar This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. -\item[{\sphinxstylestrong{enable\_only}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{enable\_only}} \sphinxAtStartPar This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. -\item[{\sphinxstylestrong{module}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{module}} \sphinxAtStartPar This tag may have multiple values. Each value is a string of the form \sphinxcode{\sphinxupquote{modulename:pathname}}, which causes the shared object @@ -1897,17 +1946,17 @@ selection within a cache collection. In addition to any registered dynamic modules, the following built\sphinxhyphen{}in modules exist (and may be disabled with the disable tag): \begin{description} -\item[{\sphinxstylestrong{k5identity}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{k5identity}} \sphinxAtStartPar Uses a .k5identity file in the user’s home directory to select a client principal -\item[{\sphinxstylestrong{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{realm}} \sphinxAtStartPar Uses the service realm to guess an appropriate cache from the collection -\item[{\sphinxstylestrong{hostname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{hostname}} \sphinxAtStartPar If the service principal is host\sphinxhyphen{}based, uses the service hostname to guess an appropriate cache from the collection 
@@ -1922,20 +1971,20 @@ The pwqual subsection controls modules for the password quality interface, which is used to reject weak passwords when passwords are changed. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} -\item[{\sphinxstylestrong{dict}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dict}} \sphinxAtStartPar Checks against the realm dictionary file -\item[{\sphinxstylestrong{empty}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{empty}} \sphinxAtStartPar Rejects empty passwords -\item[{\sphinxstylestrong{hesiod}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{hesiod}} \sphinxAtStartPar Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) -\item[{\sphinxstylestrong{princ}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ}} \sphinxAtStartPar Checks against components of the principal name @@ -1960,12 +2009,12 @@ for the kadmin authorization interface, which determines whether a client principal is allowed to perform a kadmin operation. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} -\item[{\sphinxstylestrong{acl}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{acl}} \sphinxAtStartPar This module reads the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file, and authorizes operations which are allowed according to the rules in the file. -\item[{\sphinxstylestrong{self}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{self}} \sphinxAtStartPar This module authorizes self\sphinxhyphen{}service operations including password changes, creation of new random keys, fetching the client’s 
@@ -1982,15 +2031,15 @@ The clpreauth and kdcpreauth interfaces allow plugin modules to provide client and KDC preauthentication mechanisms. The following built\sphinxhyphen{}in modules exist for these interfaces: \begin{description} -\item[{\sphinxstylestrong{pkinit}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit}} \sphinxAtStartPar This module implements the PKINIT preauthentication mechanism. -\item[{\sphinxstylestrong{encrypted\_challenge}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{encrypted\_challenge}} \sphinxAtStartPar This module implements the encrypted challenge FAST factor. -\item[{\sphinxstylestrong{encrypted\_timestamp}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{encrypted\_timestamp}} \sphinxAtStartPar This module implements the encrypted timestamp mechanism. @@ -2005,19 +2054,19 @@ for the host\sphinxhyphen{}to\sphinxhyphen{}realm interface, which affects the l hostnames to realm names and the choice of default realm. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} -\item[{\sphinxstylestrong{profile}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{profile}} \sphinxAtStartPar This module consults the {[}domain\_realm{]} section of the profile for authoritative host\sphinxhyphen{}to\sphinxhyphen{}realm mappings, and the \sphinxstylestrong{default\_realm} variable for the default realm. -\item[{\sphinxstylestrong{dns}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dns}} \sphinxAtStartPar This module looks for DNS records for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm mappings and the default realm. It only operates if the \sphinxstylestrong{dns\_lookup\_realm} variable is set to true. -\item[{\sphinxstylestrong{domain}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{domain}} \sphinxAtStartPar This module applies heuristics for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm mappings. It implements the \sphinxstylestrong{realm\_try\_domains} variable, and 
@@ -2035,33 +2084,33 @@ for the local authorization interface, which affects the relationship between Kerberos principals and local system accounts. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} -\item[{\sphinxstylestrong{default}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default}} \sphinxAtStartPar This module implements the \sphinxstylestrong{DEFAULT} type for \sphinxstylestrong{auth\_to\_local} values. -\item[{\sphinxstylestrong{rule}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{rule}} \sphinxAtStartPar This module implements the \sphinxstylestrong{RULE} type for \sphinxstylestrong{auth\_to\_local} values. -\item[{\sphinxstylestrong{names}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{names}} \sphinxAtStartPar This module looks for an \sphinxstylestrong{auth\_to\_local\_names} mapping for the principal name. -\item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{auth\_to\_local}} \sphinxAtStartPar This module processes \sphinxstylestrong{auth\_to\_local} values in the default realm’s section, and applies the default method if no \sphinxstylestrong{auth\_to\_local} values exist. -\item[{\sphinxstylestrong{k5login}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{k5login}} \sphinxAtStartPar This module authorizes a principal to a local account according to the account’s \DUrole{xref,std,std-ref}{.k5login(5)} file. -\item[{\sphinxstylestrong{an2ln}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{an2ln}} \sphinxAtStartPar This module authorizes a principal to a local account if the principal name maps to the local account name. 
@@ -2077,20 +2126,20 @@ the certificate authorization interface, which determines whether a certificate is allowed to preauthenticate a user via PKINIT. The following built\sphinxhyphen{}in modules exist for this interface: \begin{description} -\item[{\sphinxstylestrong{pkinit\_san}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_san}} \sphinxAtStartPar This module authorizes the certificate if it contains a PKINIT Subject Alternative Name for the requested client principal, or a Microsoft UPN SAN matching the principal if \sphinxstylestrong{pkinit\_allow\_upn} is set to true for the realm. -\item[{\sphinxstylestrong{pkinit\_eku}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_eku}} \sphinxAtStartPar This module rejects the certificate if it does not contain an Extended Key Usage attribute consistent with the \sphinxstylestrong{pkinit\_eku\_checking} value for the realm. -\item[{\sphinxstylestrong{dbmatch}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dbmatch}} \sphinxAtStartPar This module authorizes or rejects the certificate according to whether it matches the \sphinxstylestrong{pkinit\_cert\_match} string attribute on @@ -2152,7 +2201,7 @@ generic value in the {[}libdefaults{]} section: The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: \begin{description} -\item[{\sphinxstylestrong{FILE:}\sphinxstyleemphasis(unknown){[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{FILE:}\sphinxstyleemphasis(unknown){[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}} \sphinxAtStartPar This option has context\sphinxhyphen{}specific behavior. 
@@ -2167,7 +2216,7 @@ private key is expected to be in \sphinxstyleemphasis(unknown) as well. Otherw In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis(unknown) is assumed to be the name of an OpenSSL\sphinxhyphen{}style ca\sphinxhyphen{}bundle file. -\item[{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}} \sphinxAtStartPar This option has context\sphinxhyphen{}specific behavior. 
@@ -2194,12 +2243,12 @@ named \sphinxcode{\sphinxupquote{hash\sphinxhyphen{}of\sphinxhyphen{}ca\sphinxhy but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. -\item[{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis(unknown)}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis(unknown)} \sphinxAtStartPar \sphinxstyleemphasis(unknown) is the name of a PKCS \#12 format file, containing the user’s certificate and private key. -\item[{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token\sphinxhyphen{}label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert\sphinxhyphen{}label}{]}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token\sphinxhyphen{}label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert\sphinxhyphen{}label}{]}} \sphinxAtStartPar All keyword/values are optional. \sphinxstyleemphasis{modname} specifies the location of a library implementing PKCS \#11. If a value is encountered 
@@ -2209,10 +2258,12 @@ module\sphinxhyphen{}name is specified, the default is {\hyperref[\detokenize{mi a particular smard card reader or token if there is more than one available. \sphinxcode{\sphinxupquote{certid=}} and/or \sphinxcode{\sphinxupquote{certlabel=}} may be specified to force the selection of a particular certificate on the device. -See the \sphinxstylestrong{pkinit\_cert\_match} configuration option for more ways -to select a particular certificate to use for PKINIT. +Specifier values must not contain colon characters, as colons are +always treated as separators. See the \sphinxstylestrong{pkinit\_cert\_match} +configuration option for more ways to select a particular +certificate to use for PKINIT. -\item[{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}} \sphinxAtStartPar \sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For @@ -2224,14 +2275,14 @@ example, \sphinxcode{\sphinxupquote{ENV:X509\_PROXY}}, where environment variabl \paragraph{PKINIT krb5.conf options} \label{\detokenize{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}}\begin{description} -\item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_anchors}} \sphinxAtStartPar Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509\_anchors on the command line. -\item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_cert\_match}} \sphinxAtStartPar Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has 
@@ -2243,7 +2294,7 @@ against each rule in order until there is a match of exactly one certificate. \sphinxAtStartPar -The Subject and Issuer comparison strings are the \index{RFC@\spxentry{RFC}!RFC 2253@\spxentry{RFC 2253}}\sphinxhref{https://tools.ietf.org/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}} +The Subject and Issuer comparison strings are the \index{RFC@\spxentry{RFC}!RFC 2253@\spxentry{RFC 2253}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}} string representations from the certificate Subject DN and Issuer DN values. @@ -2258,13 +2309,13 @@ The syntax of the matching rules is: \sphinxAtStartPar where: \begin{description} -\item[{\sphinxstyleemphasis{relation\sphinxhyphen{}operator}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{relation\sphinxhyphen{}operator}} \sphinxAtStartPar can be either \sphinxcode{\sphinxupquote{\&\&}}, meaning all component rules must match, or \sphinxcode{\sphinxupquote{||}}, meaning only one component rule must match. The default is \sphinxcode{\sphinxupquote{\&\&}}. -\item[{\sphinxstyleemphasis{component\sphinxhyphen{}rule}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{component\sphinxhyphen{}rule}} \sphinxAtStartPar can be one of the following. Note that there is no punctuation or whitespace between component rules. @@ -2329,7 +2380,7 @@ Examples: \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{KU}\PYG{o}{\PYGZgt{}}\PYG{n}{digitalSignature} \end{sphinxVerbatim} -\item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_eku\_checking}} \sphinxAtStartPar This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if 
@@ -2338,18 +2389,18 @@ as the Kerberos TGS name, EKU checking is not necessary since the issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: \begin{description} -\item[{\sphinxstylestrong{kpKDC}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpKDC}} \sphinxAtStartPar This is the default value and specifies that the KDC must have -the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPKdc EKU as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. +the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPKdc EKU as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. -\item[{\sphinxstylestrong{kpServerAuth}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpServerAuth}} \sphinxAtStartPar If \sphinxstylestrong{kpServerAuth} is specified, a KDC certificate with the id\sphinxhyphen{}kp\sphinxhyphen{}serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. -\item[{\sphinxstylestrong{none}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{none}} \sphinxAtStartPar If \sphinxstylestrong{none} is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this 
@@ -2357,13 +2408,14 @@ option is not recommended. \end{description} -\item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_dh\_min\_bits}} \sphinxAtStartPar -Specifies the size of the Diffie\sphinxhyphen{}Hellman key the client will -attempt to use. The acceptable values are 1024, 2048, and 4096. -The default is 2048. +Specifies the group of the Diffie\sphinxhyphen{}Hellman key the client will +attempt to use. The acceptable values are 1024, 2048, P\sphinxhyphen{}256, +4096, P\sphinxhyphen{}384, and P\sphinxhyphen{}521. The default is 2048. (P\sphinxhyphen{}256, P\sphinxhyphen{}384, and +P\sphinxhyphen{}521 are new in release 1.22.) -\item[{\sphinxstylestrong{pkinit\_identities}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_identities}} \sphinxAtStartPar Specifies the location(s) to be used to find the user’s X.509 identity information. If this option is specified multiple times, 
@@ -2371,23 +2423,23 @@ each value is attempted in order until certificates are found. Note that these values are not used if the user specifies \sphinxstylestrong{X509\_user\_identity} on the command line. -\item[{\sphinxstylestrong{pkinit\_kdc\_hostname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_kdc\_hostname}} \sphinxAtStartPar The presence of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as -defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. This option may be specified multiple +defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). -\item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_pool}} \sphinxAtStartPar Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. -\item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_crl\_checking}} \sphinxAtStartPar The default certificate verification process will always check the available revocation information to see if a certificate has been 
@@ -2406,7 +2458,7 @@ fails. \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA. -\item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_revoke}} \sphinxAtStartPar Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity 
@@ -2426,124 +2478,125 @@ Valid parameters are: \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar \%\{TEMP\} & \sphinxAtStartPar Temporary directory \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{uid\} & \sphinxAtStartPar Unix real UID or Windows SID \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{euid\} & \sphinxAtStartPar Unix effective user ID or Windows SID \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{USERID\} & \sphinxAtStartPar Same as \%\{uid\} \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{null\} & \sphinxAtStartPar Empty string \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{LIBDIR\} & \sphinxAtStartPar Installation library directory \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{BINDIR\} & \sphinxAtStartPar Installation binary directory \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{SBINDIR\} & \sphinxAtStartPar Installation admin binary directory \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{username\} & \sphinxAtStartPar (Unix) Username of effective user ID \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{APPDATA\} & \sphinxAtStartPar (Windows) Roaming application data for current user \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{COMMON\_APPDATA\} & \sphinxAtStartPar (Windows) Application data for all users \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{LOCAL\_APPDATA\} & \sphinxAtStartPar (Windows) Local application data for current user \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{SYSTEM\} & \sphinxAtStartPar (Windows) Windows system folder \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{WINDOWS\} & \sphinxAtStartPar (Windows) Windows folder \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{USERCONFIG\} & \sphinxAtStartPar (Windows) Per\sphinxhyphen{}user MIT krb5 config file directory \\ -\hline +\sphinxhline \sphinxAtStartPar \%\{COMMONCONFIG\} & \sphinxAtStartPar 
(Windows) Common MIT krb5 config file directory \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \end{quote} @@ -2597,6 +2650,8 @@ Here is an example of a generic krb5.conf file: \sphinxAtStartPar syslog(3) +\sphinxstepscope + \subsection{kdc.conf} \label{\detokenize{admin/conf_files/kdc_conf:kdc-conf}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}}\label{\detokenize{admin/conf_files/kdc_conf::doc}} @@ -2632,47 +2687,48 @@ The kdc.conf file may contain the following sections: \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} & \sphinxAtStartPar Default values for KDC behavior \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} & \sphinxAtStartPar Realm\sphinxhyphen{}specific database configuration and settings \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} & \sphinxAtStartPar Default database settings \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} & \sphinxAtStartPar Per\sphinxhyphen{}database settings \\ -\hline +\sphinxhline \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}} & \sphinxAtStartPar Controls how Kerberos daemons perform logging \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} 
@@ -2717,18 +2773,18 @@ the definitions of these relations. \sphinxAtStartPar The following {[}kdcdefaults{]} variables have no per\sphinxhyphen{}realm equivalent: \begin{description} -\item[{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}} \sphinxAtStartPar Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. -\item[{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}} \sphinxAtStartPar (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. -\item[{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}} \sphinxAtStartPar (String.) Specifies the group for a SPAKE optimistic challenge. See the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} @@ -2756,7 +2812,7 @@ to define one parameter for the ATHENA.MIT.EDU realm: \sphinxAtStartPar The following tags may be specified in a {[}realms{]} subsection: \begin{description} -\item[{\sphinxstylestrong{acl\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{acl\_file}} \sphinxAtStartPar (String.) Location of the access control list file that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} uses to determine which principals are allowed 
@@ -2765,7 +2821,7 @@ ACL file, set this relation to the empty string with \sphinxcode{\sphinxupquote{ ""}}. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}. For more information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. -\item[{\sphinxstylestrong{database\_module}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{database\_module}} \sphinxAtStartPar (String.) This relation indicates the name of the configuration section under {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} for database\sphinxhyphen{}specific parameters 
@@ -2773,20 +2829,20 @@ used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. -\item[{\sphinxstylestrong{database\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{database\_name}} \sphinxAtStartPar (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} configuration section does not specify a database name. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}. -\item[{\sphinxstylestrong{default\_principal\_expiration}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_principal\_expiration}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{abstime} string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. -\item[{\sphinxstylestrong{default\_principal\_flags}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_principal\_flags}} \sphinxAtStartPar (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a 
@@ -2799,49 +2855,49 @@ disabled. The \sphinxstylestrong{postdateable}, \sphinxstylestrong{forwardable} \sphinxAtStartPar There are a number of possible flags: \begin{description} -\item[{\sphinxstylestrong{allow\sphinxhyphen{}tickets}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\sphinxhyphen{}tickets}} \sphinxAtStartPar Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. -\item[{\sphinxstylestrong{dup\sphinxhyphen{}skey}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dup\sphinxhyphen{}skey}} \sphinxAtStartPar Enabling this flag allows the KDC to issue user\sphinxhyphen{}to\sphinxhyphen{}user service tickets for this principal. -\item[{\sphinxstylestrong{forwardable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{forwardable}} \sphinxAtStartPar Enabling this flag allows the principal to obtain forwardable tickets. -\item[{\sphinxstylestrong{hwauth}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{hwauth}} \sphinxAtStartPar If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. -\item[{\sphinxstylestrong{no\sphinxhyphen{}auth\sphinxhyphen{}data\sphinxhyphen{}required}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{no\sphinxhyphen{}auth\sphinxhyphen{}data\sphinxhyphen{}required}} \sphinxAtStartPar Enabling this flag prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from being added to service tickets for the principal. -\item[{\sphinxstylestrong{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}} \sphinxAtStartPar If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. 
-\item[{\sphinxstylestrong{ok\sphinxhyphen{}to\sphinxhyphen{}auth\sphinxhyphen{}as\sphinxhyphen{}delegate}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ok\sphinxhyphen{}to\sphinxhyphen{}auth\sphinxhyphen{}as\sphinxhyphen{}delegate}} \sphinxAtStartPar Enabling this flag allows the principal to use S4USelf tickets. -\item[{\sphinxstylestrong{postdateable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{postdateable}} \sphinxAtStartPar Enabling this flag allows the principal to obtain postdateable tickets. -\item[{\sphinxstylestrong{preauth}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{preauth}} \sphinxAtStartPar If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before @@ -2850,17 +2906,17 @@ flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. -\item[{\sphinxstylestrong{proxiable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{proxiable}} \sphinxAtStartPar Enabling this flag allows the principal to obtain proxy tickets. -\item[{\sphinxstylestrong{pwchange}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pwchange}} \sphinxAtStartPar Enabling this flag forces a password change for this principal. -\item[{\sphinxstylestrong{pwservice}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pwservice}} \sphinxAtStartPar If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, 
@@ -2869,19 +2925,19 @@ has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. -\item[{\sphinxstylestrong{renewable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{renewable}} \sphinxAtStartPar Enabling this flag allows the principal to obtain renewable tickets. -\item[{\sphinxstylestrong{service}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{service}} \sphinxAtStartPar Enabling this flag allows the the KDC to issue service tickets for this principal. In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user service tickets are still allowed if the \sphinxstylestrong{dup\sphinxhyphen{}skey} flag is set. -\item[{\sphinxstylestrong{tgt\sphinxhyphen{}based}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{tgt\sphinxhyphen{}based}} \sphinxAtStartPar Enabling this flag allows a principal to obtain tickets based on a ticket\sphinxhyphen{}granting\sphinxhyphen{}ticket, rather than repeating the @@ -2889,7 +2945,7 @@ authentication process that was used to obtain the TGT. \end{description} -\item[{\sphinxstylestrong{dict\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{dict\_file}} \sphinxAtStartPar (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string 
@@ -2897,55 +2953,55 @@ per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. -\item[{\sphinxstylestrong{disable\_pac}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{disable\_pac}} \sphinxAtStartPar (Boolean value.) If true, the KDC will not issue PACs for this realm, and S4U2Self and S4U2Proxy operations will be disabled. The default is false, which will permit the KDC to issue PACs. New in release 1.20. -\item[{\sphinxstylestrong{encrypted\_challenge\_indicator}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{encrypted\_challenge\_indicator}} \sphinxAtStartPar (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre\sphinxhyphen{}authentication. New in 1.16. -\item[{\sphinxstylestrong{host\_based\_services}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{host\_based\_services}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Lists services which will get host\sphinxhyphen{}based referral processing even if the server principal is not marked as host\sphinxhyphen{}based by the client. -\item[{\sphinxstylestrong{iprop\_enable}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_enable}} \sphinxAtStartPar (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. -\item[{\sphinxstylestrong{iprop\_ulogsize}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_ulogsize}} \sphinxAtStartPar (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19. 
-\item[{\sphinxstylestrong{iprop\_master\_ulogsize}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_master\_ulogsize}} \sphinxAtStartPar The name for \sphinxstylestrong{iprop\_ulogsize} prior to release 1.19. Its value is used as a fallback if \sphinxstylestrong{iprop\_ulogsize} is not specified. -\item[{\sphinxstylestrong{iprop\_replica\_poll}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_replica\_poll}} \sphinxAtStartPar (Delta time string.) Specifies how often the replica KDC polls for new updates from the primary. The default value is \sphinxcode{\sphinxupquote{2m}} (that is, two minutes). New in release 1.17. -\item[{\sphinxstylestrong{iprop\_slave\_poll}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_slave\_poll}} \sphinxAtStartPar (Delta time string.) The name for \sphinxstylestrong{iprop\_replica\_poll} prior to release 1.17. Its value is used as a fallback if \sphinxstylestrong{iprop\_replica\_poll} is not specified. -\item[{\sphinxstylestrong{iprop\_listen}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_listen}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the iprop RPC listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. @@ -2958,7 +3014,7 @@ default (when \sphinxstylestrong{iprop\_enable} is true) is to bind to the wildc address at the port specified in \sphinxstylestrong{iprop\_port}. New in release 1.15. -\item[{\sphinxstylestrong{iprop\_port}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_port}} \sphinxAtStartPar (Port number.) Specifies the port number to be used for incremental propagation. When \sphinxstylestrong{iprop\_enable} is true, this 
@@ -2968,14 +3024,14 @@ configuration file, as there is no default port number. Port numbers specified in \sphinxstylestrong{iprop\_listen} entries will override this port number for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. -\item[{\sphinxstylestrong{iprop\_resync\_timeout}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_resync\_timeout}} \sphinxAtStartPar (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (\sphinxcode{\sphinxupquote{5m}}). New in release 1.11. -\item[{\sphinxstylestrong{iprop\_logfile}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{iprop\_logfile}} \sphinxAtStartPar (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the 
@@ -2987,45 +3043,49 @@ back end is being used, or the file name is specified in the \sphinxstylestrong{database\_name} is used. Determination of the \sphinxstylestrong{iprop\_logfile} default value will not use values from the {[}dbmodules{]} section.) -\item[{\sphinxstylestrong{kadmind\_listen}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kadmind\_listen}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the kadmin RPC listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address at the port specified -in \sphinxstylestrong{kadmind\_port}, or the standard kadmin port (749). New in -release 1.15. - -\item[{\sphinxstylestrong{kadmind\_port}}] \leavevmode +Each entry may be an interface address, a port number, an address +and port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. To disable listening for kadmin RPC connections, set this +relation to the empty string with \sphinxcode{\sphinxupquote{kadmind\_listen = ""}}. If +kadmind fails to bind to any of the specified addresses, it will +fail to start. The default is to bind to the wildcard address at +the port specified in \sphinxstylestrong{kadmind\_port}, or the standard kadmin +port (749). New in release 1.15. + +\sphinxlineitem{\sphinxstylestrong{kadmind\_port}} \sphinxAtStartPar (Port number.) 
Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon is to listen for this realm. Port numbers specified in \sphinxstylestrong{kadmind\_listen} entries will override this port number. The assigned port for kadmind is 749, which is used by default. -\item[{\sphinxstylestrong{key\_stash\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{key\_stash\_file}} \sphinxAtStartPar (String.) Specifies the location where the master key has been stored (via kdb5\_util stash). The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.REALM}}, where \sphinxstyleemphasis{REALM} is the Kerberos realm. -\item[{\sphinxstylestrong{kdc\_listen}}] \leavevmode -\sphinxAtStartPar -(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the UDP -listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. If the KDC daemon fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address on the standard port. -New in release 1.15. +\sphinxlineitem{\sphinxstylestrong{kdc\_listen}} +\sphinxAtStartPar +(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the listening +addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. 
Each +entry may be an interface address, a port number, an address and +port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. If no port is specified, the standard port (88) is used. +To disable listening on UDP, set this relation to the empty string +with \sphinxcode{\sphinxupquote{kdc\_listen = ""}}. If the KDC daemon fails to bind to any +of the specified addresses, it will fail to start. The default is +to bind to the wildcard address on the standard port. New in +release 1.15. -\item[{\sphinxstylestrong{kdc\_ports}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_ports}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the 
@@ -3033,21 +3093,16 @@ release 1.15, this relation lists the ports for the release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_listen} if that relation is not defined. -\item[{\sphinxstylestrong{kdc\_tcp\_listen}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_listen}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Specifies the TCP listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. To disable listening on TCP, set -this relation to the empty string with \sphinxcode{\sphinxupquote{kdc\_tcp\_listen = ""}}. -If the KDC daemon fails to bind to any of the specified addresses, -it will fail to start. The default is to bind to the wildcard -address on the standard port. New in release 1.15. +The syntax is identical to that of \sphinxstylestrong{kdc\_listen}. To disable +listening on TCP, set this relation to the empty string with +\sphinxcode{\sphinxupquote{kdc\_tcp\_listen = ""}}. The default is to bind to the same +addresses and ports as for UDP. New in release 1.15. -\item[{\sphinxstylestrong{kdc\_tcp\_ports}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_ports}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the 
@@ -3055,19 +3110,22 @@ release 1.15, this relation lists the ports for the release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_tcp\_listen} if that relation is not defined. -\item[{\sphinxstylestrong{kpasswd\_listen}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpasswd\_listen}} \sphinxAtStartPar -(Comma\sphinxhyphen{}separated list.) Specifies the kpasswd listening addresses -and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each entry may be -an interface address, a port number, or an address and port number -separated by a colon. If the address contains colons, enclose it -in square brackets. If no address is specified, the wildcard -address is used. If kadmind fails to bind to any of the specified -addresses, it will fail to start. The default is to bind to the -wildcard address at the port specified in \sphinxstylestrong{kpasswd\_port}, or the -standard kpasswd port (464). New in release 1.15. +(Comma\sphinxhyphen{}separated list.) Specifies the kpasswd listening +addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each +entry may be an interface address, a port number, an address and +port number separated by a colon, or a UNIX domain socket +pathname. If the address contains colons, enclose it in square +brackets. If no address is specified, the wildcard address is +used. To disable listening for kpasswd requests, set this +relation to the empty string with \sphinxcode{\sphinxupquote{kpasswd\_listen = ""}}. If +kadmind fails to bind to any of the specified addresses, it will +fail to start. The default is to bind to the wildcard address at +the port specified in \sphinxstylestrong{kpasswd\_port}, or the standard kpasswd +port (464). New in release 1.15. 
-\item[{\sphinxstylestrong{kpasswd\_port}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpasswd\_port}} \sphinxAtStartPar (Port number.) Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon is to listen for password change requests for this realm. 
@@ -3075,30 +3133,30 @@ Port numbers specified in \sphinxstylestrong{kpasswd\_listen} entries will overr this port number. The assigned port for password change requests is 464, which is used by default. -\item[{\sphinxstylestrong{master\_key\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{master\_key\_name}} \sphinxAtStartPar (String.) Specifies the name of the principal associated with the master key. The default is \sphinxcode{\sphinxupquote{K/M}}. -\item[{\sphinxstylestrong{master\_key\_type}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{master\_key\_type}} \sphinxAtStartPar (Key type string.) Specifies the master key’s key type. The default value for this is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}. For a list of all possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}. -\item[{\sphinxstylestrong{max\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{max\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. -\item[{\sphinxstylestrong{max\_renewable\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{max\_renewable\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. -\item[{\sphinxstylestrong{no\_host\_referral}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{no\_host\_referral}} \sphinxAtStartPar (Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.) Lists services to block from getting host\sphinxhyphen{}based referral processing, even if the client 
@@ -3106,7 +3164,7 @@ marks the server principal as host\sphinxhyphen{}based or the service is also listed in \sphinxstylestrong{host\_based\_services}. \sphinxcode{\sphinxupquote{no\_host\_referral = *}} will disable referral processing altogether. -\item[{\sphinxstylestrong{reject\_bad\_transit}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{reject\_bad\_transit}} \sphinxAtStartPar (Boolean value.) If set to true, the KDC will check the list of transited realms for cross\sphinxhyphen{}realm tickets against the transit path @@ -3131,7 +3189,7 @@ only to TGS requests. \sphinxAtStartPar The default value is true. -\item[{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}} \sphinxAtStartPar (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other @@ -3140,14 +3198,14 @@ anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. -\item[{\sphinxstylestrong{spake\_preauth\_indicator}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_indicator}} \sphinxAtStartPar (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre\sphinxhyphen{}authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17. -\item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{supported\_enctypes}} \sphinxAtStartPar (List of \sphinxstyleemphasis{key}:\sphinxstyleemphasis{salt} strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created 
@@ -3240,18 +3298,18 @@ define one database parameter for the ATHENA.MIT.EDU realm: \sphinxAtStartPar The following tags may be specified in a {[}dbmodules{]} subsection: \begin{description} -\item[{\sphinxstylestrong{database\_name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{database\_name}} \sphinxAtStartPar This DB2\sphinxhyphen{}specific tag indicates the location of the database in the filesystem. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}. -\item[{\sphinxstylestrong{db\_library}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{db\_library}} \sphinxAtStartPar This tag indicates the name of the loadable database module. The value should be \sphinxcode{\sphinxupquote{db2}} for the DB2 module, \sphinxcode{\sphinxupquote{klmdb}} for the LMDB module, or \sphinxcode{\sphinxupquote{kldap}} for the LDAP module. -\item[{\sphinxstylestrong{disable\_last\_success}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{disable\_last\_success}} \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last successful authentication” field of principal entries requiring @@ -3260,7 +3318,7 @@ preauthentication. Setting this flag may improve performance. update the “Last successful authentication” field.). First introduced in release 1.9. -\item[{\sphinxstylestrong{disable\_lockout}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{disable\_lockout}} \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last failed authentication” and “Failed password attempts” fields of principal 
@@ -3268,12 +3326,12 @@ entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. -\item[{\sphinxstylestrong{ldap\_conns\_per\_server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_conns\_per\_server}} \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the number of connections to be maintained per LDAP server. -\item[{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}} \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags indicate the default DN for binding to the LDAP server. The {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon uses @@ -3286,13 +3344,13 @@ which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with \sphinxstylestrong{ldap\_kdc\_sasl\_mech} or \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}. -\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}} \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL mechanism (such as \sphinxcode{\sphinxupquote{EXTERNAL}}) to use when binding to the LDAP server. New in release 1.13. -\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}} \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms 
@@ -3302,24 +3360,24 @@ tags also determine the name within the \sphinxstylestrong{ldap\_service\_password\_file} where the secret is stashed. New in release 1.13. -\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}} \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. -\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}} \sphinxAtStartPar These LDAP\sphinxhyphen{}specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. -\item[{\sphinxstylestrong{ldap\_kerberos\_container\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_kerberos\_container\_dn}} \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the DN of the container object where the realm objects will be located. -\item[{\sphinxstylestrong{ldap\_servers}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_servers}} \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is 
@@ -3327,7 +3385,7 @@ whitespace\sphinxhyphen{}separated. The LDAP server is specified by a LDAP URI. It is recommended to use \sphinxcode{\sphinxupquote{ldapi:}} or \sphinxcode{\sphinxupquote{ldaps:}} URLs to connect to the LDAP server. -\item[{\sphinxstylestrong{ldap\_service\_password\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{ldap\_service\_password\_file}} \sphinxAtStartPar This LDAP\sphinxhyphen{}specific tag indicates the file containing the stashed passwords (created by \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}}) for the @@ -3335,20 +3393,20 @@ passwords (created by \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}}) \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} names for SASL authentication. This file must be kept secure. -\item[{\sphinxstylestrong{mapsize}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{mapsize}} \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag indicates the maximum size of the two database environments in megabytes. The default value is 128. Increase this value to address “Environment mapsize limit reached” errors. New in release 1.17. -\item[{\sphinxstylestrong{max\_readers}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{max\_readers}} \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag indicates the maximum number of concurrent reading processes for the databases. The default value is 128. New in release 1.17. -\item[{\sphinxstylestrong{nosync}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{nosync}} \sphinxAtStartPar This LMDB\sphinxhyphen{}specific tag can be set to improve the throughput of kadmind and other administrative agents, at the expense of 
@@ -3356,7 +3414,7 @@ durability (recent database changes may not survive a power outage or other sudden reboot). It does not affect the throughput of the KDC. The default value is false. New in release 1.17. -\item[{\sphinxstylestrong{unlockiter}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{unlockiter}} \sphinxAtStartPar If set to \sphinxcode{\sphinxupquote{true}}, this DB2\sphinxhyphen{}specific tag causes iteration operations to release the database lock while processing each @@ -3370,7 +3428,7 @@ are in progress. First introduced in release 1.13. The following tag may be specified directly in the {[}dbmodules{]} section to control where database modules are loaded from: \begin{description} -\item[{\sphinxstylestrong{db\_module\_dir}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{db\_module\_dir}} \sphinxAtStartPar This tag controls where the plugin system looks for database modules. The value should be an absolute path. 
@@ -3385,20 +3443,20 @@ The {[}logging{]} section indicates how {\hyperref[\detokenize{admin/admin_comma {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} perform logging. It may contain the following relations: \begin{description} -\item[{\sphinxstylestrong{admin\_server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{admin\_server}} \sphinxAtStartPar Specifies how {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} performs logging. -\item[{\sphinxstylestrong{kdc}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kdc}} \sphinxAtStartPar Specifies how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} performs logging. -\item[{\sphinxstylestrong{default}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default}} \sphinxAtStartPar Specifies how either daemon performs logging in the absence of relations specific to the daemon. -\item[{\sphinxstylestrong{debug}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{debug}} \sphinxAtStartPar (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are 
@@ -3411,28 +3469,28 @@ release 1.15. \sphinxAtStartPar Logging specifications may have the following forms: \begin{description} -\item[{\sphinxstylestrong{FILE=}\sphinxstyleemphasis(unknown) or \sphinxstylestrong{FILE:}\sphinxstyleemphasis(unknown)}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{FILE=}\sphinxstyleemphasis(unknown) or \sphinxstylestrong{FILE:}\sphinxstyleemphasis(unknown)} \sphinxAtStartPar This value causes the daemon’s logging messages to go to the \sphinxstyleemphasis(unknown). If the \sphinxcode{\sphinxupquote{=}} form is used, the file is overwritten. If the \sphinxcode{\sphinxupquote{:}} form is used, the file is appended to. -\item[{\sphinxstylestrong{STDERR}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{STDERR}} \sphinxAtStartPar This value causes the daemon’s logging messages to go to its standard error stream. -\item[{\sphinxstylestrong{CONSOLE}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{CONSOLE}} \sphinxAtStartPar This value causes the daemon’s logging messages to go to the console, if the system supports it. -\item[{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}} \sphinxAtStartPar This causes the daemon’s logging messages to go to the specified device. -\item[{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}} \sphinxAtStartPar This causes the daemon’s logging messages to go to the system log. 
@@ -3481,14 +3539,14 @@ One Time Password request to a RADIUS server. \sphinxAtStartPar For each token type, the following tags may be specified: \begin{description} -\item[{\sphinxstylestrong{server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{server}} \sphinxAtStartPar This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/\textless{}name\textgreater{}.socket}}. -\item[{\sphinxstylestrong{secret}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{secret}} \sphinxAtStartPar This tag indicates a filename (which may be relative to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}) containing the secret used to encrypt the RADIUS packets. The 
@@ -3498,25 +3556,25 @@ the value of \sphinxstylestrong{server} is a Unix domain socket address, this ta is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. -\item[{\sphinxstylestrong{timeout}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{timeout}} \sphinxAtStartPar An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. -\item[{\sphinxstylestrong{retries}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{retries}} \sphinxAtStartPar This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). -\item[{\sphinxstylestrong{strip\_realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{strip\_realm}} \sphinxAtStartPar If this tag is \sphinxcode{\sphinxupquote{true}}, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is \sphinxcode{\sphinxupquote{true}}. -\item[{\sphinxstylestrong{indicator}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{indicator}} \sphinxAtStartPar This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This 
@@ -3591,19 +3649,22 @@ For information about the syntax of some of these options, see {\hyperref[\detokenize{admin/conf_files/krb5_conf:pkinit-identity}]{\sphinxcrossref{\DUrole{std,std-ref}{Specifying PKINIT identity information}}}} in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. \begin{description} -\item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_anchors}} \sphinxAtStartPar Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. -\item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_dh\_min\_bits}} \sphinxAtStartPar -Specifies the minimum number of bits the KDC is willing to accept -for a client’s Diffie\sphinxhyphen{}Hellman key. The default is 2048. +Specifies the minimum strength of Diffie\sphinxhyphen{}Hellman group the KDC is +willing to accept for key exchange. Valid values in order of +increasing strength are 1024, 2048, P\sphinxhyphen{}256, 4096, P\sphinxhyphen{}384, and P\sphinxhyphen{}521. +The default is 2048. (P\sphinxhyphen{}256, P\sphinxhyphen{}384, and P\sphinxhyphen{}521 are new in release +1.22.) -\item[{\sphinxstylestrong{pkinit\_allow\_upn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_allow\_upn}} \sphinxAtStartPar Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative 
@@ -3613,28 +3674,28 @@ is false. \sphinxAtStartPar Without this option, the KDC will only accept certificates with -the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. There is currently +the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. There is currently no option to disable SAN checking in the KDC. -\item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_eku\_checking}} \sphinxAtStartPar This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: \begin{description} -\item[{\sphinxstylestrong{kpClientAuth}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kpClientAuth}} \sphinxAtStartPar This is the default value and specifies that client certificates must have the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPClientAuth EKU as -defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. +defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. -\item[{\sphinxstylestrong{scLogin}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{scLogin}} \sphinxAtStartPar If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\sphinxhyphen{}ms\sphinxhyphen{}kp\sphinxhyphen{}sc\sphinxhyphen{}logon) will be accepted. 
-\item[{\sphinxstylestrong{none}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{none}} \sphinxAtStartPar If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of @@ -3642,31 +3703,31 @@ this option is not recommended. \end{description} -\item[{\sphinxstylestrong{pkinit\_identity}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_identity}} \sphinxAtStartPar Specifies the location of the KDC’s X.509 identity information. This option is required if pkinit is to be supported by the KDC. -\item[{\sphinxstylestrong{pkinit\_indicator}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_indicator}} \sphinxAtStartPar Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) -\item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_pool}} \sphinxAtStartPar Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client’s certificate and a trusted anchor. This option may be specified multiple times. -\item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_revoke}} \sphinxAtStartPar Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. -\item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_crl\_checking}} \sphinxAtStartPar The default certificate verification process will always check the available revocation information to see if a certificate has been 
@@ -3685,7 +3746,7 @@ fails. \sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA. -\item[{\sphinxstylestrong{pkinit\_require\_freshness}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_freshness}} \sphinxAtStartPar Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 
@@ -3704,110 +3765,111 @@ compatibility but not recommended for use. \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}raw & \sphinxAtStartPar Triple DES cbc mode raw (weak) \\ -\hline +\sphinxhline \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 des3\sphinxhyphen{}hmac\sphinxhyphen{}sha1 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1\sphinxhyphen{}kd & \sphinxAtStartPar Triple DES cbc mode with HMAC/sha1 (deprecated) \\ -\hline +\sphinxhline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts aes256\sphinxhyphen{}sha1 & \sphinxAtStartPar AES\sphinxhyphen{}256 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC \\ -\hline +\sphinxhline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts aes128\sphinxhyphen{}sha1 & \sphinxAtStartPar AES\sphinxhyphen{}128 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC \\ -\hline +\sphinxhline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes256\sphinxhyphen{}sha2 & \sphinxAtStartPar AES\sphinxhyphen{}256 CTS mode with 192\sphinxhyphen{}bit SHA\sphinxhyphen{}384 HMAC \\ -\hline +\sphinxhline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 aes128\sphinxhyphen{}sha2 & \sphinxAtStartPar AES\sphinxhyphen{}128 CTS mode with 128\sphinxhyphen{}bit SHA\sphinxhyphen{}256 HMAC \\ -\hline +\sphinxhline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac rc4\sphinxhyphen{}hmac arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 & \sphinxAtStartPar RC4 with HMAC/MD5 (deprecated) \\ -\hline +\sphinxhline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp 
rc4\sphinxhyphen{}hmac\sphinxhyphen{}exp arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5\sphinxhyphen{}exp & \sphinxAtStartPar Exportable RC4 with HMAC/MD5 (weak) \\ -\hline +\sphinxhline \sphinxAtStartPar camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia256\sphinxhyphen{}cts & \sphinxAtStartPar Camellia\sphinxhyphen{}256 CTS mode with CMAC \\ -\hline +\sphinxhline \sphinxAtStartPar camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts & \sphinxAtStartPar Camellia\sphinxhyphen{}128 CTS mode with CMAC \\ -\hline +\sphinxhline \sphinxAtStartPar des3 & \sphinxAtStartPar The triple DES family: des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 \\ -\hline +\sphinxhline \sphinxAtStartPar aes & \sphinxAtStartPar The AES family: aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192, and aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 \\ -\hline +\sphinxhline \sphinxAtStartPar rc4 & \sphinxAtStartPar The RC4 family: arcfour\sphinxhyphen{}hmac \\ -\hline +\sphinxhline \sphinxAtStartPar camellia & \sphinxAtStartPar The Camellia family: camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac and camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar 
@@ -3862,40 +3924,41 @@ follows: \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar normal & \sphinxAtStartPar default for Kerberos Version 5 \\ -\hline +\sphinxhline \sphinxAtStartPar norealm & \sphinxAtStartPar same as the default, without using realm information \\ -\hline +\sphinxhline \sphinxAtStartPar onlyrealm & \sphinxAtStartPar uses only realm information as the salt \\ -\hline +\sphinxhline \sphinxAtStartPar special & \sphinxAtStartPar generate a random salt \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} @@ -3953,6 +4016,8 @@ Here’s an example of a kdc.conf file: \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} +\sphinxstepscope + \subsection{kadm5.acl} \label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl}}\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}}\label{\detokenize{admin/conf_files/kadm5_acl::doc}} @@ -3987,7 +4052,7 @@ Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. \end{sphinxadmonition} \begin{description} -\item[{\sphinxstyleemphasis{principal}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{principal}} \sphinxAtStartPar (Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set. 
@@ -3996,7 +4061,7 @@ the principal whose permissions are to be set. Each component of the name may be wildcarded using the \sphinxcode{\sphinxupquote{*}} character. -\item[{\sphinxstyleemphasis{permissions}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{permissions}} \sphinxAtStartPar Specifies what operations may or may not be performed by a \sphinxstyleemphasis{principal} matching a particular entry. This is a string of one or 
@@ -4007,89 +4072,90 @@ is permitted. \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar a & \sphinxAtStartPar {[}Dis{]}allows the addition of principals or policies \\ -\hline +\sphinxhline \sphinxAtStartPar c & \sphinxAtStartPar {[}Dis{]}allows the changing of passwords for principals \\ -\hline +\sphinxhline \sphinxAtStartPar d & \sphinxAtStartPar {[}Dis{]}allows the deletion of principals or policies \\ -\hline +\sphinxhline \sphinxAtStartPar e & \sphinxAtStartPar {[}Dis{]}allows the extraction of principal keys \\ -\hline +\sphinxhline \sphinxAtStartPar i & \sphinxAtStartPar {[}Dis{]}allows inquiries about principals or policies \\ -\hline +\sphinxhline \sphinxAtStartPar l & \sphinxAtStartPar {[}Dis{]}allows the listing of all principals or policies \\ -\hline +\sphinxhline \sphinxAtStartPar m & \sphinxAtStartPar {[}Dis{]}allows the modification of principals or policies \\ -\hline +\sphinxhline \sphinxAtStartPar p & \sphinxAtStartPar {[}Dis{]}allows the propagation of the principal database (used in {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}) \\ -\hline +\sphinxhline \sphinxAtStartPar s & \sphinxAtStartPar {[}Dis{]}allows the explicit setting of the key for a principal \\ -\hline +\sphinxhline \sphinxAtStartPar x & \sphinxAtStartPar Short for admcilsp. All privileges (except \sphinxcode{\sphinxupquote{e}}) \\ -\hline +\sphinxhline \sphinxAtStartPar * & \sphinxAtStartPar Same as x. \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \end{description} 
@@ -4106,7 +4172,7 @@ key extraction from specific principals regardless of the granted privilege. \end{sphinxadmonition} \begin{description} -\item[{\sphinxstyleemphasis{target\_principal}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{target\_principal}} \sphinxAtStartPar (Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which \sphinxstyleemphasis{permissions} may be applied. 
@@ -4118,26 +4184,26 @@ character. in which \sphinxcode{\sphinxupquote{*number}} matches the corresponding wildcard in \sphinxstyleemphasis{principal}. -\item[{\sphinxstyleemphasis{restrictions}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{restrictions}} \sphinxAtStartPar (Optional) A string of flags. Allowed restrictions are: \begin{quote} \begin{description} -\item[{\{+|\sphinxhyphen{}\}\sphinxstyleemphasis{flagname}}] \leavevmode +\sphinxlineitem{\{+|\sphinxhyphen{}\}\sphinxstyleemphasis{flagname}} \sphinxAtStartPar flag is forced to the indicated value. The permissible flags are the same as those for the \sphinxstylestrong{default\_principal\_flags} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. -\item[{\sphinxstyleemphasis{\sphinxhyphen{}clearpolicy}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{\sphinxhyphen{}clearpolicy}} \sphinxAtStartPar policy is forced to be empty. -\item[{\sphinxstyleemphasis{\sphinxhyphen{}policy pol}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{\sphinxhyphen{}policy pol}} \sphinxAtStartPar policy is forced to be \sphinxstyleemphasis{pol}. -\item[{\sphinxhyphen{}\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}}] \leavevmode +\sphinxlineitem{\sphinxhyphen{}\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) associated value will be forced to MIN(\sphinxstyleemphasis{time}, requested value). 
@@ -4226,6 +4292,8 @@ To operate without an ACL file, set the \sphinxstyleemphasis{acl\_file} variable \sphinxAtStartPar {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} +\sphinxstepscope + \chapter{Realm configuration decisions} \label{\detokenize{admin/realm_config:realm-configuration-decisions}}\label{\detokenize{admin/realm_config::doc}} 
@@ -4403,26 +4471,26 @@ rather than having to change hostnames. \sphinxAtStartPar As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS -using SRV records (\index{RFC@\spxentry{RFC}!RFC 2782@\spxentry{RFC 2782}}\sphinxhref{https://tools.ietf.org/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is +using SRV records (\index{RFC@\spxentry{RFC}!RFC 2782@\spxentry{RFC 2782}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is also a DNS domain name. These records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. The domain name used in the SRV record name is the realm name. Several different Kerberos\sphinxhyphen{}related service names are used: \begin{description} -\item[{\_kerberos.\_udp}] \leavevmode +\sphinxlineitem{\_kerberos.\_udp} \sphinxAtStartPar This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. -\item[{\_kerberos.\_tcp}] \leavevmode +\sphinxlineitem{\_kerberos.\_tcp} \sphinxAtStartPar This is for contacting any KDC by TCP. Normally you should use port 88. This entry should be omitted if the KDC does not listen on TCP ports, as was the default prior to release 1.13. -\item[{\_kerberos\sphinxhyphen{}master.\_udp}] \leavevmode +\sphinxlineitem{\_kerberos\sphinxhyphen{}master.\_udp} \sphinxAtStartPar This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. If a 
@@ -4435,26 +4503,26 @@ If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. -\item[{\_kerberos\sphinxhyphen{}adm.\_tcp}] \leavevmode +\sphinxlineitem{\_kerberos\sphinxhyphen{}adm.\_tcp} \sphinxAtStartPar This should list port 749 on your primary KDC. Support for it is not complete at this time, but it will eventually be used by the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program and related utilities. For now, you will also need the \sphinxstylestrong{admin\_server} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. -\item[{\_kerberos\sphinxhyphen{}master.\_tcp}] \leavevmode +\sphinxlineitem{\_kerberos\sphinxhyphen{}master.\_tcp} \sphinxAtStartPar The corresponding TCP port for \_kerberos\sphinxhyphen{}master.\_udp, assuming the primary KDC listens on a TCP port. -\item[{\_kpasswd.\_udp}] \leavevmode +\sphinxlineitem{\_kpasswd.\_udp} \sphinxAtStartPar This entry should list port 464 on your primary KDC. It is used when a user changes her password. If this entry is not defined but a \_kerberos\sphinxhyphen{}adm.\_tcp entry is defined, the client will use the \_kerberos\sphinxhyphen{}adm.\_tcp entry with the port number changed to 464. -\item[{\_kpasswd.\_tcp}] \leavevmode +\sphinxlineitem{\_kpasswd.\_tcp} \sphinxAtStartPar The corresponding TCP port for \_kpasswd.\_udp. 
@@ -4487,12 +4555,20 @@ using the \sphinxstylestrong{kdc}, \sphinxstylestrong{master\_kdc}, \sphinxstyle explicit server locations, providing SRV records will still benefit unconfigured clients, and be useful for other sites. +\sphinxAtStartPar +Clients can be configured with the \sphinxstylestrong{sitename} realm variable (new in +release 1.22). If a site name is set, the client first attempts SRV +record lookups with “.*sitename*.\_sites” inserted after the service +and protocol name and before the Kerberos realm. Site\sphinxhyphen{}specific +records may indicate servers more proximal to the client, allowing for +faster access. + \section{KDC Discovery} \label{\detokenize{admin/realm_config:kdc-discovery}}\label{\detokenize{admin/realm_config:id1}} \sphinxAtStartPar As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI -records (\index{RFC@\spxentry{RFC}!RFC 7553@\spxentry{RFC 7553}}\sphinxhref{https://tools.ietf.org/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}). Limitations with the SRV record format may +records (\index{RFC@\spxentry{RFC}!RFC 7553@\spxentry{RFC 7553}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}). Limitations with the SRV record format may result in extra DNS queries in situations where a client must failover to other transport types, or find a primary server. The URI record can convey more information about a realm’s KDCs with a single query. 
@@ -4562,6 +4638,10 @@ URI lookups are enabled by default, and can be disabled by setting precedence over SRV lookups, falling back to SRV lookups if no URI records are found. +\sphinxAtStartPar +The \sphinxstylestrong{sitename} variable in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of +{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to URI lookups as well as SRV lookups. + \section{Database propagation} \label{\detokenize{admin/realm_config:database-propagation}}\label{\detokenize{admin/realm_config:db-prop}} @@ -4585,6 +4665,8 @@ the database to additional replicas. \sphinxAtStartPar See also {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} +\sphinxstepscope + \chapter{Database administration} \label{\detokenize{admin/database:database-administration}}\label{\detokenize{admin/database::doc}} @@ -4702,6 +4784,11 @@ To view the attributes of a principal, use the kadmin\textasciigrave{} To generate a listing of principals, use the kadmin \sphinxstylestrong{list\_principals} command. +\sphinxAtStartPar +To give a principal additional names, use the kadmin \sphinxstylestrong{add\_alias} +command to create aliases to the principal (new in release 1.22). +Aliases can be removed with the \sphinxstylestrong{delete\_principal} command. + \section{Policies} \label{\detokenize{admin/database:policies}}\label{\detokenize{admin/database:id2}} @@ -5198,10 +5285,11 @@ data in the KDC config file (See {\hyperref[\detokenize{admin/conf_files/kdc_con \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|T|} -\hline - +\begin{tabulary}{\linewidth}[t]{TTT} +\sphinxtoprule +\sphinxtableatstartofbodyhook \sphinxAtStartPar iprop\_enable & 
@@ -5211,7 +5299,7 @@ iprop\_enable \sphinxAtStartPar If \sphinxstyleemphasis{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is \sphinxstyleemphasis{false}. \\ -\hline +\sphinxhline \sphinxAtStartPar iprop\_master\_ulogsize & @@ -5221,7 +5309,7 @@ iprop\_master\_ulogsize \sphinxAtStartPar Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. \\ -\hline +\sphinxhline \sphinxAtStartPar iprop\_replica\_poll & @@ -5231,7 +5319,7 @@ iprop\_replica\_poll \sphinxAtStartPar Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes. \\ -\hline +\sphinxhline \sphinxAtStartPar iprop\_port & @@ -5241,7 +5329,7 @@ iprop\_port \sphinxAtStartPar Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files. \\ -\hline +\sphinxhline \sphinxAtStartPar iprop\_resync\_timeout & @@ -5251,7 +5339,7 @@ iprop\_resync\_timeout \sphinxAtStartPar Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). \\ -\hline +\sphinxhline \sphinxAtStartPar iprop\_logfile & 
@@ -5261,9 +5349,9 @@ iprop\_logfile \sphinxAtStartPar Specifies where the update log file for the realm database is to be stored. The default is to use the \sphinxstyleemphasis{database\_name} entry from the realms section of the config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, with \sphinxstyleemphasis{.ulog} appended. (NOTE: If database\_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \sphinxstyleemphasis{dbmodules} section, then the hard\sphinxhyphen{}coded default for \sphinxstyleemphasis{database\_name} is used. Determination of the \sphinxstyleemphasis{iprop\_logfile} default value will not use values from the \sphinxstyleemphasis{dbmodules} section.) \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar @@ -5356,6 +5444,8 @@ implementation, the pathname for the update log is specified in the config file, and the per\sphinxhyphen{}replica dump files are stored in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans\_hostname}}. +\sphinxstepscope + \chapter{Database types} \label{\detokenize{admin/dbtypes:database-types}}\label{\detokenize{admin/dbtypes:dbtypes}}\label{\detokenize{admin/dbtypes::doc}} @@ -5549,6 +5639,8 @@ requests. The kldap module does not support explicit locking with the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command. +\sphinxstepscope + \chapter{Account lockout} \label{\detokenize{admin/lockout:account-lockout}}\label{\detokenize{admin/lockout:lockout}}\label{\detokenize{admin/lockout::doc}} 
@@ -5741,6 +5833,8 @@ special setup is required. For the LDAP module, the KDC DN must be granted write access to the principal objects. If the KDC DN has only read access, account lockout will not function. +\sphinxstepscope + \chapter{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end} \label{\detokenize{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}}\label{\detokenize{admin/conf_ldap:conf-ldap}}\label{\detokenize{admin/conf_ldap::doc}}\begin{enumerate} @@ -5892,9 +5986,10 @@ details. \sphinxAtStartPar With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no administrative utilities for -creating aliases, so it must be done by direct manipulation of the -LDAP entries. +entries. Beginning in release 1.22, aliases can be added with the +kadmin \sphinxstylestrong{add\_alias} command, but it is also possible (in release 1.7 +or later) to provide aliases through direct manipulation of the LDAP +entries. \sphinxAtStartPar An entry with aliases contains multiple values of the @@ -5913,6 +6008,8 @@ service principals; for client principals, an explicit flag is often required (e.g., \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}C}}) and canonicalization is only performed for initial ticket requests. +\sphinxstepscope + \chapter{Application servers} \label{\detokenize{admin/appl_servers:application-servers}}\label{\detokenize{admin/appl_servers::doc}} @@ -6113,6 +6210,8 @@ the \sphinxcode{\sphinxupquote{krb5\_prop}} service on port 754 (tcp). The book \sphinxstyleemphasis{UNIX System Security}, by David Curry, is a good starting point for learning to configure firewalls. +\sphinxstepscope + \chapter{Host configuration} \label{\detokenize{admin/host_config:host-configuration}}\label{\detokenize{admin/host_config::doc}} 
@@ -6387,6 +6486,8 @@ where \sphinxstyleemphasis{PATHNAME} is a path to the module shared object or DL \sphinxstyleemphasis{STRING} is a string to provide to the module. The module will then take over, and the rest of krb5.conf will be ignored. +\sphinxstepscope + \chapter{Backups of secure hosts} \label{\detokenize{admin/backup_host:backups-of-secure-hosts}}\label{\detokenize{admin/backup_host::doc}} @@ -6423,6 +6524,8 @@ transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the primary KDC. (See {\hyperref[\detokenize{admin/database:restore-from-dump}]{\sphinxcrossref{\DUrole{std,std-ref}{Dumping and loading a Kerberos database}}}}.) +\sphinxstepscope + \chapter{PKINIT configuration} \label{\detokenize{admin/pkinit:pkinit-configuration}}\label{\detokenize{admin/pkinit:pkinit}}\label{\detokenize{admin/pkinit::doc}} @@ -6846,6 +6949,8 @@ clients authenticating anonymously), set the test that this option is in effect, run \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}X disable\_freshness}} and verify that authentication is unsuccessful. +\sphinxstepscope + \chapter{OTP Preauthentication} \label{\detokenize{admin/otp:otp-preauthentication}}\label{\detokenize{admin/otp:otp-preauth}}\label{\detokenize{admin/otp::doc}} 
@@ -6931,10 +7036,10 @@ format: \begin{sphinxVerbatim}[commandchars=\\\{\}] [\PYGZob{} - \PYGZdq{}type\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, - \PYGZdq{}username\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, - \PYGZdq{}indicators\PYGZdq{}: [\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, ...] - \PYGZcb{}, ...] +\PYG{+w}{ }\PYGZdq{}type\PYGZdq{}:\PYG{+w}{ }\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, +\PYG{+w}{ }\PYGZdq{}username\PYGZdq{}:\PYG{+w}{ }\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, +\PYG{+w}{ }\PYGZdq{}indicators\PYGZdq{}:\PYG{+w}{ }[\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}},\PYG{+w}{ }...] +\PYG{+w}{ }\PYGZcb{},\PYG{+w}{ }...] \end{sphinxVerbatim} \sphinxAtStartPar @@ -6961,6 +7066,8 @@ FAST is required for OTP to work. \end{enumerate} +\sphinxstepscope + \chapter{SPAKE Preauthentication} \label{\detokenize{admin/spake:spake-preauthentication}}\label{\detokenize{admin/spake:spake}}\label{\detokenize{admin/spake::doc}} @@ -7030,6 +7137,8 @@ initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used. +\sphinxstepscope + \chapter{Addressing dictionary attack risks} \label{\detokenize{admin/dictionary:addressing-dictionary-attack-risks}}\label{\detokenize{admin/dictionary:dictionary}}\label{\detokenize{admin/dictionary::doc}} @@ -7140,6 +7249,8 @@ If {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std- initial authentication, the principal’s long\sphinxhyphen{}term keys are not used and dictionary attacks are usually not a concern. +\sphinxstepscope + \chapter{Principal names and DNS} \label{\detokenize{admin/princ_dns:principal-names-and-dns}}\label{\detokenize{admin/princ_dns::doc}} 
@@ -7276,6 +7387,8 @@ canonicalize service principal names, even if \sphinxstylestrong{rdns} is set to add \sphinxcode{\sphinxupquote{SASL\_NOCANON on}} to \sphinxcode{\sphinxupquote{ldap.conf}}, or set the \sphinxcode{\sphinxupquote{LDAPSASL\_NOCANON}} environment variable. +\sphinxstepscope + \chapter{Encryption types} \label{\detokenize{admin/enctypes:encryption-types}}\label{\detokenize{admin/enctypes:enctypes}}\label{\detokenize{admin/enctypes::doc}} @@ -7370,7 +7483,7 @@ a service principal. The following \sphinxcode{\sphinxupquote{{[}libdefaults{]}}} settings in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} will affect how enctypes are chosen. \begin{description} -\item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_weak\_crypto}} \sphinxAtStartPar defaults to \sphinxstyleemphasis{false} starting with krb5\sphinxhyphen{}1.8. When \sphinxstyleemphasis{false}, removes weak enctypes from \sphinxstylestrong{permitted\_enctypes}, @@ -7379,7 +7492,7 @@ set this to \sphinxstyleemphasis{true} unless the use of weak enctypes is an acceptable risk for your environment and the weak enctypes are required for backward compatibility. -\item[{\sphinxstylestrong{allow\_des3}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_des3}} \sphinxAtStartPar was added in release 1.21 and defaults to \sphinxstyleemphasis{false}. Unless this flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with 
@@ -7387,7 +7500,7 @@ des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys. In a future release, th control whether des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 is permitted in similar fashion to weak enctypes. -\item[{\sphinxstylestrong{allow\_rc4}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{allow\_rc4}} \sphinxAtStartPar was added in release 1.21 and defaults to \sphinxstyleemphasis{false}. Unless this flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with @@ -7395,7 +7508,7 @@ arcfour\sphinxhyphen{}hmac session keys. In a future release, this flag will control whether arcfour\sphinxhyphen{}hmac is permitted in similar fashion to weak enctypes. -\item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{permitted\_enctypes}} \sphinxAtStartPar controls the set of enctypes that a service will permit for session keys and for ticket and authenticator encryption. The KDC @@ -7404,7 +7517,7 @@ keys of non\sphinxhyphen{}permitted enctypes. Starting in release 1.18, this setting also acts as the default for \sphinxstylestrong{default\_tkt\_enctypes} and \sphinxstylestrong{default\_tgs\_enctypes}. -\item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_tkt\_enctypes}} \sphinxAtStartPar controls the default set of enctypes that the Kerberos client library requests when making an AS\sphinxhyphen{}REQ. Do not set this unless @@ -7412,7 +7525,7 @@ required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. -\item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{default\_tgs\_enctypes}} \sphinxAtStartPar controls the default set of enctypes that the Kerberos client library requests when making a TGS\sphinxhyphen{}REQ. Do not set this unless 
@@ -7426,7 +7539,7 @@ of new stronger enctypes when the libraries are upgraded. The following per\sphinxhyphen{}realm setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} affects the generation of long\sphinxhyphen{}term keys. \begin{description} -\item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{supported\_enctypes}} \sphinxAtStartPar controls the default set of enctype\sphinxhyphen{}salttype pairs that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} will use for generating long\sphinxhyphen{}term keys, either randomly or from @@ -7442,9 +7555,10 @@ See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxc \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|T|T|} -\hline +\begin{tabulary}{\linewidth}[t]{TTTT} +\sphinxtoprule \sphinxstyletheadfamily \sphinxAtStartPar enctype @@ -7458,7 +7572,8 @@ krb5 \sphinxAtStartPar Windows \\ -\hline +\sphinxmidrule +\sphinxtableatstartofbodyhook \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}crc & @@ -7471,7 +7586,7 @@ weak \sphinxAtStartPar \textgreater{}=2000 \\ -\hline +\sphinxhline \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}md4 & @@ -7484,7 +7599,7 @@ weak \sphinxAtStartPar ? \\ -\hline +\sphinxhline \sphinxAtStartPar des\sphinxhyphen{}cbc\sphinxhyphen{}md5 & @@ -7497,7 +7612,7 @@ weak \sphinxAtStartPar \textgreater{}=2000 \\ -\hline +\sphinxhline \sphinxAtStartPar des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 & @@ -7510,7 +7625,7 @@ deprecated \sphinxAtStartPar none \\ -\hline +\sphinxhline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac & @@ -7523,7 +7638,7 @@ deprecated \sphinxAtStartPar \textgreater{}=2000 \\ -\hline +\sphinxhline \sphinxAtStartPar arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp & 
@@ -7536,7 +7651,7 @@ weak \sphinxAtStartPar \textgreater{}=2000 \\ -\hline +\sphinxhline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 && @@ -7546,7 +7661,7 @@ aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 \sphinxAtStartPar \textgreater{}=Vista \\ -\hline +\sphinxhline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 && @@ -7556,7 +7671,7 @@ aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 \sphinxAtStartPar \textgreater{}=Vista \\ -\hline +\sphinxhline \sphinxAtStartPar aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 && @@ -7566,7 +7681,7 @@ aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}1 \sphinxAtStartPar none \\ -\hline +\sphinxhline \sphinxAtStartPar aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 && @@ -7576,7 +7691,7 @@ aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}1 \sphinxAtStartPar none \\ -\hline +\sphinxhline \sphinxAtStartPar camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac && @@ -7586,7 +7701,7 @@ camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac \sphinxAtStartPar none \\ -\hline +\sphinxhline \sphinxAtStartPar camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac && @@ -7596,9 +7711,9 @@ camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac \sphinxAtStartPar none \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar 
@@ -7676,6 +7791,8 @@ example, setting \sphinxstylestrong{permitted\_enctypes} to \sphinxcode{\sphinxu cause any database keys of the triple\sphinxhyphen{}DES and RC4 encryption types to be ignored. +\sphinxstepscope + \chapter{HTTPS proxy configuration} \label{\detokenize{admin/https:https-proxy-configuration}}\label{\detokenize{admin/https:https}}\label{\detokenize{admin/https::doc}} @@ -7733,6 +7850,8 @@ of HTTPS URLs for the proxy server: If the proxy and client are properly configured, client commands such as \sphinxcode{\sphinxupquote{kinit}}, \sphinxcode{\sphinxupquote{kvno}}, and \sphinxcode{\sphinxupquote{kpasswd}} should all function normally. +\sphinxstepscope + \chapter{Authentication indicators} \label{\detokenize{admin/auth_indicator:authentication-indicators}}\label{\detokenize{admin/auth_indicator:auth-indicator}}\label{\detokenize{admin/auth_indicator::doc}} @@ -7805,9 +7924,13 @@ GSSAPI server applications can inspect authentication indicators through the \DUrole{xref,std,std-ref}{auth\sphinxhyphen{}indicators} name attribute. +\sphinxstepscope + \chapter{Administration programs} \label{\detokenize{admin/admin_commands/index:administration-programs}}\label{\detokenize{admin/admin_commands/index::doc}} +\sphinxstepscope + \section{kadmin} \label{\detokenize{admin/admin_commands/kadmin_local:kadmin}}\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-1}}\label{\detokenize{admin/admin_commands/kadmin_local::doc}} 
@@ -7870,30 +7993,30 @@ kadmin.local can be run on any host which can access the LDAP server. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kadmin_local:options}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar Use \sphinxstyleemphasis{realm} as the default database realm. -\item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}} \sphinxAtStartPar Use \sphinxstyleemphasis{principal} to authenticate. Otherwise, kadmin will append \sphinxcode{\sphinxupquote{/admin}} to the primary principal name of the default ccache, the value of the \sphinxstylestrong{USER} environment variable, or the username as obtained with getpwuid, in order of preference. -\item[{\sphinxstylestrong{\sphinxhyphen{}k}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k}} \sphinxAtStartPar Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be \sphinxcode{\sphinxupquote{host/hostname}}. If there is no keytab specified with the \sphinxstylestrong{\sphinxhyphen{}t} option, then the default keytab will be used. -\item[{\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}} \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} to decrypt the KDC response. This can only be used with the \sphinxstylestrong{\sphinxhyphen{}k} option. -\item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}} \sphinxAtStartPar Requests anonymous processing. Two types of anonymous principals are supported. 
For fully anonymous Kerberos, configure PKINIT on @@ -7909,7 +8032,7 @@ principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. -\item[{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{credentials\_cache}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{credentials\_cache}} \sphinxAtStartPar Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache. The cache should contain a service ticket for the \sphinxcode{\sphinxupquote{kadmin/admin}} or 
@@ -7919,45 +8042,45 @@ hostname of the admin server) service; it can be acquired with the requests a new service ticket from the KDC, and stores it in its own temporary ccache. -\item[{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}} \sphinxAtStartPar Use \sphinxstyleemphasis{password} instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. -\item[{\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}} \sphinxAtStartPar Perform the specified query and then exit. -\item[{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}} \sphinxAtStartPar Specifies the name of the KDC database. This option does not apply to the LDAP database module. -\item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}} \sphinxAtStartPar Specifies the admin server which kadmin should contact. -\item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}} \sphinxAtStartPar If using kadmin.local, prompt for the database master password instead of reading it from a stash file. -\item[{\sphinxstylestrong{\sphinxhyphen{}e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …”}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …”} \sphinxAtStartPar Sets the keysalt list to be used for any new keys created. 
See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. -\item[{\sphinxstylestrong{\sphinxhyphen{}O}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}O}} \sphinxAtStartPar Force use of old AUTH\_GSSAPI authentication flavor. -\item[{\sphinxstylestrong{\sphinxhyphen{}N}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}N}} \sphinxAtStartPar Prevent fallback to AUTH\_GSSAPI authentication flavor. -\item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}} \sphinxAtStartPar Specifies the database specific arguments. See the next section for supported options. @@ -8005,11 +8128,11 @@ Database options can be used to override database\sphinxhyphen{}specific default Supported options for the DB2 module are: \begin{quote} \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}x dbname=}*filename*}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x dbname=}*filename*} \sphinxAtStartPar Specifies the base filename of the DB2 database. -\item[{\sphinxstylestrong{\sphinxhyphen{}x lockiter}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x lockiter}} \sphinxAtStartPar Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the 
@@ -8018,7 +8141,7 @@ behavior, but this option exists to allow command line override of a {[}dbmodules{]} setting. First introduced in release 1.13. -\item[{\sphinxstylestrong{\sphinxhyphen{}x unlockiter}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x unlockiter}} \sphinxAtStartPar Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the @@ -8031,15 +8154,15 @@ entire operation. First introduced in release 1.13. Supported options for the LDAP module are: \begin{quote} \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}x host=}\sphinxstyleemphasis{ldapuri}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x host=}\sphinxstyleemphasis{ldapuri}} \sphinxAtStartPar Specifies the LDAP server to connect to by a LDAP URI. -\item[{\sphinxstylestrong{\sphinxhyphen{}x binddn=}\sphinxstyleemphasis{bind\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x binddn=}\sphinxstyleemphasis{bind\_dn}} \sphinxAtStartPar Specifies the DN used to bind to the LDAP server. -\item[{\sphinxstylestrong{\sphinxhyphen{}x bindpwd=}\sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x bindpwd=}\sphinxstyleemphasis{password}} \sphinxAtStartPar Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other 
@@ -8047,30 +8170,30 @@ users on the system via the process list; to avoid this, instead stash the password using the \sphinxstylestrong{stashsrvpw} command of {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_mech=}\sphinxstyleemphasis{mechanism}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_mech=}\sphinxstyleemphasis{mechanism}} \sphinxAtStartPar Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. -\item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authcid=}\sphinxstyleemphasis{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authcid=}\sphinxstyleemphasis{name}} \sphinxAtStartPar Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. -\item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authzid=}\sphinxstyleemphasis{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authzid=}\sphinxstyleemphasis{name}} \sphinxAtStartPar Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. -\item[{\sphinxstylestrong{\sphinxhyphen{}x sasl\_realm=}\sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_realm=}\sphinxstyleemphasis{realm}} \sphinxAtStartPar Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. -\item[{\sphinxstylestrong{\sphinxhyphen{}x debug=}\sphinxstyleemphasis{level}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x debug=}\sphinxstyleemphasis{level}} \sphinxAtStartPar sets the OpenLDAP client library debug level. \sphinxstyleemphasis{level} is an integer to be interpreted by the library. 
Debugging messages 
@@ -8112,67 +8235,67 @@ Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank} \sphinxAtStartPar Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}expire} \sphinxstyleemphasis{expdate}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}expire} \sphinxstyleemphasis{expdate}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal. -\item[{\sphinxstylestrong{\sphinxhyphen{}pwexpire} \sphinxstyleemphasis{pwexpdate}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pwexpire} \sphinxstyleemphasis{pwexpdate}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) The password expiration date. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{maxlife}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{maxlife}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life for the principal. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{maxrenewlife}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable life of tickets for the principal. -\item[{\sphinxstylestrong{\sphinxhyphen{}kvno} \sphinxstyleemphasis{kvno}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kvno} \sphinxstyleemphasis{kvno}} \sphinxAtStartPar The initial key version number. -\item[{\sphinxstylestrong{\sphinxhyphen{}policy} \sphinxstyleemphasis{policy}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}policy} \sphinxstyleemphasis{policy}} \sphinxAtStartPar The password policy used by this principal. 
If not specified, the policy \sphinxcode{\sphinxupquote{default}} is used if it exists (unless \sphinxstylestrong{\sphinxhyphen{}clearpolicy} is specified). -\item[{\sphinxstylestrong{\sphinxhyphen{}clearpolicy}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}clearpolicy}} \sphinxAtStartPar Prevents any policy from being assigned when \sphinxstylestrong{\sphinxhyphen{}policy} is not specified. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_postdated}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_postdated}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_postdated} prohibits this principal from obtaining postdated tickets. \sphinxstylestrong{+allow\_postdated} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_forwardable}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_forwardable}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_forwardable} prohibits this principal from obtaining forwardable tickets. \sphinxstylestrong{+allow\_forwardable} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_renewable}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_renewable}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_renewable} prohibits this principal from obtaining renewable tickets. \sphinxstylestrong{+allow\_renewable} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_proxiable}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_proxiable}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_proxiable} prohibits this principal from obtaining proxiable tickets. \sphinxstylestrong{+allow\_proxiable} clears this flag. 
-\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_dup\_skey}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_dup\_skey}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} disables user\sphinxhyphen{}to\sphinxhyphen{}user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal’s TGT session key. \sphinxstylestrong{+allow\_dup\_skey} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_preauth}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_preauth}} \sphinxAtStartPar \sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate before being allowed to kinit. \sphinxstylestrong{\sphinxhyphen{}requires\_preauth} clears this @@ -8181,7 +8304,7 @@ the KDC will only issue service tickets for that service principal if the client’s initial authentication was performed using preauthentication. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_hwauth}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_hwauth}} \sphinxAtStartPar \sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate using a hardware device before being allowed to kinit. @@ -8190,7 +8313,7 @@ set on a service principal, the KDC will only issue service tickets for that service principal if the client’s initial authentication was performed using a hardware device to preauthenticate. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_as\_delegate}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_as\_delegate}} \sphinxAtStartPar \sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets issued with this principal as the service. Clients may use this 
@@ -8198,47 +8321,47 @@ flag as a hint that credentials should be delegated when authenticating to the service. \sphinxstylestrong{\sphinxhyphen{}ok\_as\_delegate} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_svr}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_svr}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_svr} prohibits the issuance of service tickets for this principal. In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user service tickets are still allowed unless the \sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} flag is also set. \sphinxstylestrong{+allow\_svr} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tgs\_req}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tgs\_req}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_tgs\_req} specifies that a Ticket\sphinxhyphen{}Granting Service (TGS) request for a service ticket for this principal is not permitted. \sphinxstylestrong{+allow\_tgs\_req} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tix}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tix}} \sphinxAtStartPar \sphinxstylestrong{\sphinxhyphen{}allow\_tix} forbids the issuance of any tickets for this principal. \sphinxstylestrong{+allow\_tix} clears this flag. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{needchange}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{needchange}} \sphinxAtStartPar \sphinxstylestrong{+needchange} forces a password change on the next initial authentication to this principal. \sphinxstylestrong{\sphinxhyphen{}needchange} clears this flag. 
-\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{password\_changing\_service}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{password\_changing\_service}} \sphinxAtStartPar \sphinxstylestrong{+password\_changing\_service} marks this principal as a password change service principal. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}} \sphinxAtStartPar \sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{no\_auth\_data\_required}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{no\_auth\_data\_required}} \sphinxAtStartPar \sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from being added to service tickets for the principal. -\item[{\{\sphinxhyphen{}|+\}\sphinxstylestrong{lockdown\_keys}}] \leavevmode +\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{lockdown\_keys}} \sphinxAtStartPar \sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied 
@@ -8250,49 +8373,49 @@ krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. -\item[{\sphinxstylestrong{\sphinxhyphen{}randkey}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}randkey}} \sphinxAtStartPar Sets the key of the principal to a random value. -\item[{\sphinxstylestrong{\sphinxhyphen{}nokey}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}nokey}} \sphinxAtStartPar Causes the principal to be created with no key. New in release 1.12. -\item[{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}} \sphinxAtStartPar Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…} \sphinxAtStartPar Uses the specified keysalt list for setting the keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. -\item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_princ\_args}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_princ\_args}} \sphinxAtStartPar Indicates database\sphinxhyphen{}specific options. 
The options for the LDAP database module are: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}x dn=}\sphinxstyleemphasis{dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x dn=}\sphinxstyleemphasis{dn}} \sphinxAtStartPar Specifies the LDAP object that will contain the Kerberos principal being created. -\item[{\sphinxstylestrong{\sphinxhyphen{}x linkdn=}\sphinxstyleemphasis{dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x linkdn=}\sphinxstyleemphasis{dn}} \sphinxAtStartPar Specifies the LDAP object to which the newly created Kerberos principal object will point. -\item[{\sphinxstylestrong{\sphinxhyphen{}x containerdn=}\sphinxstyleemphasis{container\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x containerdn=}\sphinxstyleemphasis{container\_dn}} \sphinxAtStartPar Specifies the container object under which the Kerberos principal is to be created. -\item[{\sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy}} \sphinxAtStartPar Associates a ticket policy to the Kerberos principal. @@ -8357,7 +8480,7 @@ Alias: \sphinxstylestrong{modprinc} \sphinxAtStartPar Options (in addition to the \sphinxstylestrong{addprinc} options): \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}unlock}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}unlock}} \sphinxAtStartPar Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according 
@@ -8385,16 +8508,39 @@ This command requires the \sphinxstylestrong{add} and \sphinxstylestrong{delete} Alias: \sphinxstylestrong{renprinc} +\subsubsection{add\_alias} +\label{\detokenize{admin/admin_commands/kadmin_local:add-alias}}\label{\detokenize{admin/admin_commands/kadmin_local:id4}}\begin{quote} + +\sphinxAtStartPar +\sphinxstylestrong{add\_alias} \sphinxstyleemphasis{alias\_princ} \sphinxstyleemphasis{target\_princ} +\end{quote} + +\sphinxAtStartPar +Create an alias \sphinxstyleemphasis{alias\_princ} pointing to \sphinxstyleemphasis{target\_princ}. Aliases may +be chained (that is, \sphinxstyleemphasis{target\_princ} may itself be an alias) up to a +depth of 10. + +\sphinxAtStartPar +This command requires the \sphinxstylestrong{add} privilege for \sphinxstyleemphasis{alias\_princ} and the +\sphinxstylestrong{modify} privilege for \sphinxstyleemphasis{target\_princ}. + +\sphinxAtStartPar +(New in release 1.22.) + +\sphinxAtStartPar +Aliases: \sphinxstylestrong{alias} + + \subsubsection{delete\_principal} -\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id4}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id5}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{delete\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{principal} \end{quote} \sphinxAtStartPar -Deletes the specified \sphinxstyleemphasis{principal} from the database. This command -prompts for deletion, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is given. +Deletes the specified \sphinxstyleemphasis{principal} or alias from the database. This +command prompts for deletion, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is given. \sphinxAtStartPar This command requires the \sphinxstylestrong{delete} privilege. 
@@ -8404,7 +8550,7 @@ Alias: \sphinxstylestrong{delprinc} \subsubsection{change\_password} -\label{\detokenize{admin/admin_commands/kadmin_local:change-password}}\label{\detokenize{admin/admin_commands/kadmin_local:id5}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:change-password}}\label{\detokenize{admin/admin_commands/kadmin_local:id6}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{change\_password} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} 
@@ -8425,23 +8571,23 @@ Alias: \sphinxstylestrong{cpw} \sphinxAtStartPar The following options are available: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}randkey}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}randkey}} \sphinxAtStartPar Sets the key of the principal to a random value. -\item[{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}} \sphinxAtStartPar Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…} \sphinxAtStartPar Uses the specified keysalt list for setting the keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. -\item[{\sphinxstylestrong{\sphinxhyphen{}keepold}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}keepold}} \sphinxAtStartPar Keeps the existing keys in the database. This flag is usually not necessary except perhaps for \sphinxcode{\sphinxupquote{krbtgt}} principals. 
@@ -8461,7 +8607,7 @@ Example: \subsubsection{purgekeys} -\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys}}\label{\detokenize{admin/admin_commands/kadmin_local:id6}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys}}\label{\detokenize{admin/admin_commands/kadmin_local:id7}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{purgekeys} {[}\sphinxstylestrong{\sphinxhyphen{}all}|\sphinxstylestrong{\sphinxhyphen{}keepkvno} \sphinxstyleemphasis{oldest\_kvno\_to\_keep}{]} \sphinxstyleemphasis{principal} @@ -8479,7 +8625,7 @@ This command requires the \sphinxstylestrong{modify} privilege. \subsubsection{get\_principal} -\label{\detokenize{admin/admin_commands/kadmin_local:get-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id7}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:get-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id8}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}terse}{]} \sphinxstyleemphasis{principal} @@ -8526,7 +8672,7 @@ Examples: \subsubsection{list\_principals} -\label{\detokenize{admin/admin_commands/kadmin_local:list-principals}}\label{\detokenize{admin/admin_commands/kadmin_local:id8}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:list-principals}}\label{\detokenize{admin/admin_commands/kadmin_local:id9}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_principals} {[}\sphinxstyleemphasis{expression}{]} @@ -8561,7 +8707,7 @@ Example: \subsubsection{get\_strings} -\label{\detokenize{admin/admin_commands/kadmin_local:get-strings}}\label{\detokenize{admin/admin_commands/kadmin_local:id9}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:get-strings}}\label{\detokenize{admin/admin_commands/kadmin_local:id10}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_strings} \sphinxstyleemphasis{principal} 
@@ -8578,7 +8724,7 @@ Alias: \sphinxstylestrong{getstrs} \subsubsection{set\_string} -\label{\detokenize{admin/admin_commands/kadmin_local:set-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id10}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:set-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id11}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{set\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{name} \sphinxstyleemphasis{value} 
@@ -8590,27 +8736,27 @@ supply per\sphinxhyphen{}principal configuration to the KDC and some KDC plugin modules. The following string attribute names are recognized by the KDC: \begin{description} -\item[{\sphinxstylestrong{require\_auth}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{require\_auth}} \sphinxAtStartPar Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) -\item[{\sphinxstylestrong{session\_enctypes}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{session\_enctypes}} \sphinxAtStartPar Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values. -\item[{\sphinxstylestrong{otp}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{otp}} \sphinxAtStartPar Enables One Time Passwords (OTP) preauthentication for a client \sphinxstyleemphasis{principal}. The \sphinxstyleemphasis{value} is a JSON string representing an array of objects, each having optional \sphinxcode{\sphinxupquote{type}} and \sphinxcode{\sphinxupquote{username}} fields. -\item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pkinit\_cert\_match}} \sphinxAtStartPar Specifies a matching expression that defines the certificate attributes required for the client certificate used by the 
@@ -8618,7 +8764,7 @@ principal during PKINIT authentication. The matching expression is in the same format as those used by the \sphinxstylestrong{pkinit\_cert\_match} option in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. (New in release 1.16.) -\item[{\sphinxstylestrong{pac\_privsvr\_enctype}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pac\_privsvr\_enctype}} \sphinxAtStartPar Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by @@ -8646,7 +8792,7 @@ Example: \subsubsection{del\_string} -\label{\detokenize{admin/admin_commands/kadmin_local:del-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id11}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:del-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id12}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{del\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{key} @@ -8663,7 +8809,7 @@ Alias: \sphinxstylestrong{delstr} \subsubsection{add\_policy} -\label{\detokenize{admin/admin_commands/kadmin_local:add-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id12}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:add-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id13}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{add\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} 
@@ -8681,34 +8827,34 @@ Alias: \sphinxstylestrong{addpol} \sphinxAtStartPar The following options are available: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{time}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{time}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the maximum lifetime of a password. -\item[{\sphinxstylestrong{\sphinxhyphen{}minlife} \sphinxstyleemphasis{time}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minlife} \sphinxstyleemphasis{time}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the minimum lifetime of a password. -\item[{\sphinxstylestrong{\sphinxhyphen{}minlength} \sphinxstyleemphasis{length}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minlength} \sphinxstyleemphasis{length}} \sphinxAtStartPar Sets the minimum length of a password. -\item[{\sphinxstylestrong{\sphinxhyphen{}minclasses} \sphinxstyleemphasis{number}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minclasses} \sphinxstyleemphasis{number}} \sphinxAtStartPar Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. -\item[{\sphinxstylestrong{\sphinxhyphen{}history} \sphinxstyleemphasis{number}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}history} \sphinxstyleemphasis{number}} \sphinxAtStartPar Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. 
\end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}maxfailure} \sphinxstyleemphasis{maxnumber}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxfailure} \sphinxstyleemphasis{maxnumber}} \sphinxAtStartPar Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals @@ -8718,7 +8864,7 @@ resets to 0 after a successful attempt to authenticate. A \end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}failurecountinterval} \sphinxstyleemphasis{failuretime}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}failurecountinterval} \sphinxstyleemphasis{failuretime}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the allowable time between authentication failures. If an authentication failure @@ -8728,7 +8874,7 @@ failure, the number of authentication failures is reset to 1. A \end{description} \phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}lockoutduration} \sphinxstyleemphasis{lockouttime}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}lockoutduration} \sphinxstyleemphasis{lockouttime}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the duration for which the principal is locked from authenticating if too many 
@@ -8737,7 +8883,7 @@ interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with \sphinxcode{\sphinxupquote{modprinc \sphinxhyphen{}unlock}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}allowedkeysalts}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}allowedkeysalts}} \sphinxAtStartPar Specifies the key/salt tuples supported for long\sphinxhyphen{}term keys when setting or changing a principal’s password/keys. See @@ -8758,7 +8904,7 @@ Example: \subsubsection{modify\_policy} -\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id13}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id14}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{modify\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} @@ -8776,7 +8922,7 @@ Alias: \sphinxstylestrong{modpol} \subsubsection{delete\_policy} -\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id14}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id15}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{delete\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{policy} @@ -8805,7 +8951,7 @@ kadmin: \subsubsection{get\_policy} -\label{\detokenize{admin/admin_commands/kadmin_local:get-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id15}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:get-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id16}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{get\_policy} {[} \sphinxstylestrong{\sphinxhyphen{}terse} {]} \sphinxstyleemphasis{policy} 
@@ -8847,7 +8993,7 @@ meaningful. \subsubsection{list\_policies} -\label{\detokenize{admin/admin_commands/kadmin_local:list-policies}}\label{\detokenize{admin/admin_commands/kadmin_local:id16}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:list-policies}}\label{\detokenize{admin/admin_commands/kadmin_local:id17}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{list\_policies} {[}\sphinxstyleemphasis{expression}{]} @@ -8884,7 +9030,7 @@ Examples: \subsubsection{ktadd} -\label{\detokenize{admin/admin_commands/kadmin_local:ktadd}}\label{\detokenize{admin/admin_commands/kadmin_local:id17}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:ktadd}}\label{\detokenize{admin/admin_commands/kadmin_local:id18}}\begin{quote} \begin{DUlineblock}{0em} \item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstyleemphasis{principal} 
@@ -8905,22 +9051,22 @@ With the \sphinxstylestrong{\sphinxhyphen{}glob} form, it also requires the \sph \sphinxAtStartPar The options are: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}} \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is used. -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…} \sphinxAtStartPar Uses the specified keysalt list for setting the new keys of the principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible values. -\item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}} \sphinxAtStartPar Display less verbose information. -\item[{\sphinxstylestrong{\sphinxhyphen{}norandkey}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}norandkey}} \sphinxAtStartPar Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the 
@@ -8949,7 +9095,7 @@ Example: \subsubsection{ktremove} -\label{\detokenize{admin/admin_commands/kadmin_local:ktremove}}\label{\detokenize{admin/admin_commands/kadmin_local:id18}}\begin{quote} +\label{\detokenize{admin/admin_commands/kadmin_local:ktremove}}\label{\detokenize{admin/admin_commands/kadmin_local:id19}}\begin{quote} \sphinxAtStartPar \sphinxstylestrong{ktremove} {[}options{]} \sphinxstyleemphasis{principal} {[}\sphinxstyleemphasis{kvno} | \sphinxstyleemphasis{all} | \sphinxstyleemphasis{old}{]} @@ -8969,12 +9115,12 @@ kvno match that integer are removed. \sphinxAtStartPar The options are: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}} \sphinxAtStartPar Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is used. -\item[{\sphinxstylestrong{\sphinxhyphen{}q}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}} \sphinxAtStartPar Display less verbose information. @@ -9044,6 +9190,8 @@ variables. \sphinxAtStartPar \DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{kadmind} \label{\detokenize{admin/admin_commands/kadmind:kadmind}}\label{\detokenize{admin/admin_commands/kadmind:kadmind-8}}\label{\detokenize{admin/admin_commands/kadmind::doc}} 
@@ -9079,7 +9227,7 @@ remote requests from programs such as {\hyperref[\detokenize{admin/admin_command kadmind requires a number of configuration files to be set up in order for it to work: \begin{description} -\item[{{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}}] \leavevmode +\sphinxlineitem{{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}} \sphinxAtStartPar The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to @@ -9087,7 +9235,7 @@ locate the Kerberos database, and is also affected by the \sphinxstylestrong{acl\_file}, \sphinxstylestrong{dict\_file}, \sphinxstylestrong{kadmind\_port}, and iprop\sphinxhyphen{}related settings. -\item[{{\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}}] \leavevmode +\sphinxlineitem{{\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}} \sphinxAtStartPar kadmind’s ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the 
@@ -9114,65 +9262,65 @@ registered into the datebase. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kadmind:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. -\item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}} \sphinxAtStartPar causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the \sphinxstylestrong{\sphinxhyphen{}nofork} option) rather than from a file on disk. -\item[{\sphinxstylestrong{\sphinxhyphen{}nofork}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}nofork}} \sphinxAtStartPar causes the server to remain in the foreground and remain associated to the terminal. -\item[{\sphinxstylestrong{\sphinxhyphen{}proponly}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}proponly}} \sphinxAtStartPar causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used to set up a hierarchical propagation topology where a replica KDC provides incremental updates to other Kerberos replicas. -\item[{\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}} \sphinxAtStartPar specifies the port on which the administration server listens for connections. The default port is determined by the \sphinxstylestrong{kadmind\_port} configuration variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}} \sphinxAtStartPar specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. -\item[{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}} \sphinxAtStartPar specifies the path to the kdb5\_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. -\item[{\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}} \sphinxAtStartPar specifies the path to the kprop command to use to send full dumps to replicas in response to full resync requests. -\item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}} \sphinxAtStartPar specifies the port by which the kprop process that is spawned by kadmind connects to the replica kpropd, in order to transfer the dump file during an iprop full resync request. -\item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}} \sphinxAtStartPar specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}} \sphinxAtStartPar specifies database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. @@ -9185,6 +9333,15 @@ specifies database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. +\sphinxAtStartPar +As of release 1.22, kadmind supports systemd socket activation via the +LISTEN\_PID and LISTEN\_FDS environment variables. Sockets provided by +the caller must correspond to configured listener addresses (via the +\sphinxstylestrong{kadmind\_listen} or \sphinxstylestrong{kpasswd\_listen} variables or equivalents) or +they will be ignored. Any configured listener addresses that do not +correspond to caller\sphinxhyphen{}provided sockets will be ignored if socket +activation is used. + \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/kadmind:see-also}} 
@@ -9192,6 +9349,8 @@ variables. \DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{kdb5\_util} \label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}}\label{\detokenize{admin/admin_commands/kdb5_util::doc}} 
@@ -9233,52 +9392,52 @@ commands. \subsection{COMMAND\sphinxhyphen{}LINE OPTIONS} \label{\detokenize{admin/admin_commands/kdb5_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar specifies the Kerberos realm of the database. -\item[{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}} \sphinxAtStartPar specifies the name under which the principal database is stored; by default the database is that listed in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The password policy database and lock files are also derived from this value. -\item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}} \sphinxAtStartPar specifies the key type of the master key in the database. The default is given by the \sphinxstylestrong{master\_key\_type} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}} \sphinxAtStartPar Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. -\item[{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}} \sphinxAtStartPar principal name for the master key in the database. 
If not specified, the name is determined by the \sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}} \sphinxAtStartPar specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. -\item[{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stash\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stash\_file}} \sphinxAtStartPar specifies the stash filename of the master database password. If not specified, the filename is determined by the \sphinxstylestrong{key\_stash\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}} \sphinxAtStartPar specifies the master database password. Using this option may expose the password to other users on the system via the process list. -\item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}} \sphinxAtStartPar specifies database\sphinxhyphen{}specific options. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported options. 
@@ -9345,47 +9504,47 @@ default, the database is dumped in current format, “kdb5\_util load\_dump version 7”. If filename is not specified, or is the string “\sphinxhyphen{}”, the dump is sent to standard output. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}b7}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}b7}} \sphinxAtStartPar causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5\_util load\_dump version 4”). This was the dump format produced on releases prior to 1.2.2. -\item[{\sphinxstylestrong{\sphinxhyphen{}r13}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r13}} \sphinxAtStartPar causes the dump to be in the Kerberos 5 1.3 format (“kdb5\_util load\_dump version 5”). This was the dump format produced on releases prior to 1.8. -\item[{\sphinxstylestrong{\sphinxhyphen{}r18}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r18}} \sphinxAtStartPar causes the dump to be in the Kerberos 5 1.8 format (“kdb5\_util load\_dump version 6”). This was the dump format produced on releases prior to 1.11. -\item[{\sphinxstylestrong{\sphinxhyphen{}verbose}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}verbose}} \sphinxAtStartPar causes the name of each principal and policy to be printed as it is dumped. -\item[{\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}} \sphinxAtStartPar prompts for a new master key. This new master key will be used to re\sphinxhyphen{}encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. -\item[{\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}} \sphinxAtStartPar the filename of a stash file. 
The master key in this stash file will be used to re\sphinxhyphen{}encrypt the key data in the dumpfile. The key data in the database will not be changed. -\item[{\sphinxstylestrong{\sphinxhyphen{}rev}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}rev}} \sphinxAtStartPar dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. -\item[{\sphinxstylestrong{\sphinxhyphen{}recurse}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}recurse}} \sphinxAtStartPar causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases @@ -9424,25 +9583,25 @@ database module, the \sphinxstylestrong{\sphinxhyphen{}update} flag is required. \sphinxAtStartPar Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}b7}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}b7}} \sphinxAtStartPar requires the database to be in the Kerberos 5 Beta 7 format (“kdb5\_util load\_dump version 4”). This was the dump format produced on releases prior to 1.2.2. -\item[{\sphinxstylestrong{\sphinxhyphen{}r13}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r13}} \sphinxAtStartPar requires the database to be in Kerberos 5 1.3 format (“kdb5\_util load\_dump version 5”). This was the dump format produced on releases prior to 1.8. -\item[{\sphinxstylestrong{\sphinxhyphen{}r18}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r18}} \sphinxAtStartPar requires the database to be in Kerberos 5 1.8 format (“kdb5\_util load\_dump version 6”). This was the dump format produced on releases prior to 1.11. -\item[{\sphinxstylestrong{\sphinxhyphen{}hash}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}hash}} \sphinxAtStartPar stores the database in hash format, if using the DB2 database type. If this option is not specified, the database will be 
@@ -9450,12 +9609,12 @@ stored in btree format. This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals. -\item[{\sphinxstylestrong{\sphinxhyphen{}verbose}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}verbose}} \sphinxAtStartPar causes the name of each principal and policy to be printed as it is dumped. -\item[{\sphinxstylestrong{\sphinxhyphen{}update}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}update}} \sphinxAtStartPar records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only @@ -9548,16 +9707,16 @@ Delete master keys from the master key principal that are not used to protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}} \sphinxAtStartPar does not prompt for confirmation. -\item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}} \sphinxAtStartPar performs a dry run, showing master keys that would be purged, but not actually purging any keys. -\item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}v}} \sphinxAtStartPar gives more verbose output. 
@@ -9607,27 +9766,27 @@ below). \sphinxAtStartPar Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}H}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}H}} \sphinxAtStartPar suppress writing the field names in a header line -\item[{\sphinxstylestrong{\sphinxhyphen{}c}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c}} \sphinxAtStartPar use comma separated values (CSV) format, with minimal quoting, instead of the default tab\sphinxhyphen{}separated (unquoted, unescaped) format -\item[{\sphinxstylestrong{\sphinxhyphen{}e}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e}} \sphinxAtStartPar write empty hexadecimal string fields as empty fields instead of as “\sphinxhyphen{}1”. -\item[{\sphinxstylestrong{\sphinxhyphen{}n}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}} \sphinxAtStartPar produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time\_t values. -\item[{\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}} \sphinxAtStartPar write the dump to the specified output file instead of to standard output 
@@ -9637,47 +9796,61 @@ output \sphinxAtStartPar Dump types: \begin{description} -\item[{\sphinxstylestrong{keydata}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{alias}} +\sphinxAtStartPar +principal alias information +\begin{description} +\sphinxlineitem{\sphinxstylestrong{aliasname}} +\sphinxAtStartPar +the name of the alias + +\sphinxlineitem{\sphinxstylestrong{targetname}} +\sphinxAtStartPar +the target of the alias + +\end{description} + +\sphinxlineitem{\sphinxstylestrong{keydata}} \sphinxAtStartPar principal encryption key information, including actual key data (which is still encrypted in the master key) \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{keyindex}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{keyindex}} \sphinxAtStartPar index of this key in the principal’s key list -\item[{\sphinxstylestrong{kvno}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{kvno}} \sphinxAtStartPar key version number -\item[{\sphinxstylestrong{enctype}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{enctype}} \sphinxAtStartPar encryption type -\item[{\sphinxstylestrong{key}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{key}} \sphinxAtStartPar key data as a hexadecimal string -\item[{\sphinxstylestrong{salttype}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{salttype}} \sphinxAtStartPar salt type -\item[{\sphinxstylestrong{salt}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{salt}} \sphinxAtStartPar salt data as a hexadecimal string \end{description} -\item[{\sphinxstylestrong{keyinfo}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{keyinfo}} \sphinxAtStartPar principal encryption key information (as in \sphinxstylestrong{keydata} above), excluding actual key data -\item[{\sphinxstylestrong{princ\_flags}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ\_flags}} \sphinxAtStartPar principal boolean attributes. 
Flag names print as hexadecimal numbers if the \sphinxstylestrong{\sphinxhyphen{}n} option is specified, and all flag positions 
@@ -9686,118 +9859,118 @@ is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set. \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{flag}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{flag}} \sphinxAtStartPar flag name -\item[{\sphinxstylestrong{value}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{value}} \sphinxAtStartPar boolean value (0 for clear, or 1 for set) \end{description} -\item[{\sphinxstylestrong{princ\_lockout}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ\_lockout}} \sphinxAtStartPar state information used for tracking repeated password failures \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{last\_success}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{last\_success}} \sphinxAtStartPar time stamp of most recent successful authentication -\item[{\sphinxstylestrong{last\_failed}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{last\_failed}} \sphinxAtStartPar time stamp of most recent failed authentication -\item[{\sphinxstylestrong{fail\_count}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{fail\_count}} \sphinxAtStartPar count of failed attempts \end{description} -\item[{\sphinxstylestrong{princ\_meta}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ\_meta}} \sphinxAtStartPar principal metadata \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{modby}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{modby}} \sphinxAtStartPar name of last principal to modify this principal -\item[{\sphinxstylestrong{modtime}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{modtime}} \sphinxAtStartPar 
timestamp of last modification -\item[{\sphinxstylestrong{lastpwd}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{lastpwd}} \sphinxAtStartPar timestamp of last password change -\item[{\sphinxstylestrong{policy}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{policy}} \sphinxAtStartPar policy object name -\item[{\sphinxstylestrong{mkvno}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{mkvno}} \sphinxAtStartPar key version number of the master key that encrypts this principal’s key data -\item[{\sphinxstylestrong{hist\_kvno}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{hist\_kvno}} \sphinxAtStartPar key version number of the history key that encrypts the key history data for this principal \end{description} -\item[{\sphinxstylestrong{princ\_stringattrs}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ\_stringattrs}} \sphinxAtStartPar string attributes (key/value pairs) \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{key}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{key}} \sphinxAtStartPar attribute name -\item[{\sphinxstylestrong{value}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{value}} \sphinxAtStartPar attribute value \end{description} -\item[{\sphinxstylestrong{princ\_tktpolicy}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{princ\_tktpolicy}} \sphinxAtStartPar per\sphinxhyphen{}principal ticket policy data, including maximum ticket lifetimes \begin{description} -\item[{\sphinxstylestrong{name}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{name}} \sphinxAtStartPar principal name -\item[{\sphinxstylestrong{expiration}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{expiration}} \sphinxAtStartPar principal expiration date -\item[{\sphinxstylestrong{pw\_expiration}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{pw\_expiration}} \sphinxAtStartPar password expiration date 
-\item[{\sphinxstylestrong{max\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{max\_life}} \sphinxAtStartPar maximum ticket lifetime -\item[{\sphinxstylestrong{max\_renew\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{max\_renew\_life}} \sphinxAtStartPar maximum renewable ticket lifetime @@ -9838,6 +10011,8 @@ variables. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{kdb5\_ldap\_util} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util::doc}} 
@@ -9861,21 +10036,21 @@ services and ticket policies. \subsection{COMMAND\sphinxhyphen{}LINE OPTIONS} \label{\detokenize{admin/admin_commands/kdb5_ldap_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar Specifies the realm to be operated on. -\item[{\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn}} \sphinxAtStartPar Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. -\item[{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}} \sphinxAtStartPar Specifies the password of \sphinxstyleemphasis{user\_dn}. This option is not recommended. -\item[{\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}} \sphinxAtStartPar Specifies the URI of the LDAP server. 
@@ -9912,71 +10087,71 @@ parameters in {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sph \sphinxAtStartPar Creates realm in directory. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}} \sphinxAtStartPar Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\sphinxcode{\sphinxupquote{:}}). -\item[{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}} \sphinxAtStartPar Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). -\item[{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}} \sphinxAtStartPar Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. -\item[{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}} \sphinxAtStartPar Specifies the key type of the master key in the database. The default is given by the \sphinxstylestrong{master\_key\_type} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}} \sphinxAtStartPar Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. -\item[{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}} \sphinxAtStartPar Specifies the principal name for the master key in the database. If not specified, the name is determined by the \sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}m}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}} \sphinxAtStartPar Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. -\item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}} \sphinxAtStartPar Specifies the master database password. This option is not recommended. -\item[{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}} \sphinxAtStartPar Specifies the stash file of the master database password. -\item[{\sphinxstylestrong{\sphinxhyphen{}s}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s}} \sphinxAtStartPar Specifies that the stash file is to be created. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals in this realm. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals in this realm. -\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}} \sphinxAtStartPar Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in 
@@ -10015,34 +10190,34 @@ Example: \sphinxAtStartPar Modifies the attributes of a realm. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}} \sphinxAtStartPar Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\sphinxcode{\sphinxupquote{:}}). This list replaces the existing list. -\item[{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}} \sphinxAtStartPar Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). -\item[{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn} Specifies the DN of the}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn} Specifies the DN of the} \sphinxAtStartPar container object in which the principals of a realm will be created. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals in this realm. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals in this realm. 
-\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}} \sphinxAtStartPar Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in @@ -10098,7 +10273,7 @@ Example: \sphinxAtStartPar Destroys an existing realm. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}f}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}} \sphinxAtStartPar If specified, will not prompt the user for confirmation. @@ -10156,12 +10331,12 @@ Allows an administrator to store the password for service object in a file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis(unknown)}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis(unknown)} \sphinxAtStartPar Specifies the complete path of the service password file. By default, \sphinxcode{\sphinxupquote{/usr/local/var/service\_passwd}} is used. -\item[{\sphinxstyleemphasis{name}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{name}} \sphinxAtStartPar Specifies the name of the object whose password is to be stored. If {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} or {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} are configured for 
@@ -10199,24 +10374,24 @@ Example: \sphinxAtStartPar Creates a ticket policy in the directory. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for principals. -\item[{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}} \sphinxAtStartPar (\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of tickets for principals. -\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}} \sphinxAtStartPar Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \sphinxstylestrong{add\_principal} command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. -\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{policy\_name}} \sphinxAtStartPar Specifies the name of the ticket policy. @@ -10298,12 +10473,12 @@ Example: \sphinxAtStartPar Destroys an existing ticket policy. Options: \begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}force}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}force}} \sphinxAtStartPar Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. -\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode +\sphinxlineitem{\sphinxstyleemphasis{policy\_name}} \sphinxAtStartPar Specifies the name of the ticket policy. 
@@ -10357,6 +10532,8 @@ variables. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{krb5kdc} \label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc}}\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}}\label{\detokenize{admin/admin_commands/krb5kdc::doc}} @@ -10479,6 +10656,14 @@ description for further details. See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment variables. +\sphinxAtStartPar +As of release 1.22, krb5kdc supports systemd socket activation via the +LISTEN\_PID and LISTEN\_FDS environment variables. Sockets provided by +the caller must correspond to configured listener addresses (via the +\sphinxstylestrong{kdc\_listen} variable or equivalent) or they will be ignored. Any +configured listener addresses that do not correspond to +caller\sphinxhyphen{}provided sockets will be ignored if socket activation is used. + \subsection{SEE ALSO} \label{\detokenize{admin/admin_commands/krb5kdc:see-also}} @@ -10486,6 +10671,8 @@ variables. {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{kprop} \label{\detokenize{admin/admin_commands/kprop:kprop}}\label{\detokenize{admin/admin_commands/kprop:kprop-8}}\label{\detokenize{admin/admin_commands/kprop::doc}} 
@@ -10513,26 +10700,26 @@ specified by \sphinxstyleemphasis{replica\_host}. The dump file must be created \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kprop:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar Specifies the realm of the primary server. -\item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}} \sphinxAtStartPar Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}} \sphinxAtStartPar Specifies the port to use to contact the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} server on the remote host. -\item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d}} \sphinxAtStartPar Prints debugging information. -\item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}} \sphinxAtStartPar Specifies the location of the keytab file. 
@@ -10552,6 +10739,8 @@ variables. {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{kpropd} \label{\detokenize{admin/admin_commands/kpropd:kpropd}}\label{\detokenize{admin/admin_commands/kpropd:kpropd-8}}\label{\detokenize{admin/admin_commands/kpropd::doc}} 
@@ -10630,61 +10819,61 @@ enabled. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kpropd:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}} \sphinxAtStartPar Specifies the realm of the primary server. -\item[{\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}} \sphinxAtStartPar Specifies the server to be contacted for incremental updates; by default, the primary admin server is contacted. -\item[{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}} \sphinxAtStartPar Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}}. -\item[{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{kerberos\_db}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{kerberos\_db}} \sphinxAtStartPar Path to the Kerberos database file, if not the default. -\item[{\sphinxstylestrong{\sphinxhyphen{}p}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p}} \sphinxAtStartPar Allows the user to specify the pathname to the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program; by default the pathname used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}}. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}D}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}D}} \sphinxAtStartPar In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground. -\item[{\sphinxstylestrong{\sphinxhyphen{}d}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d}} \sphinxAtStartPar Turn on debug mode. kpropd will print out debugging messages during the database propogation and will run in the foreground (implies \sphinxstylestrong{\sphinxhyphen{}D}). -\item[{\sphinxstylestrong{\sphinxhyphen{}P}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P}} \sphinxAtStartPar Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the \sphinxstylestrong{\sphinxhyphen{}S} option. -\item[{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}} \sphinxAtStartPar Allows the user to specify the path to the kpropd.acl file; by default the path used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}}. -\item[{\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}} \sphinxAtStartPar In standalone mode, write the process ID of the daemon into \sphinxstyleemphasis{pid\_file}. -\item[{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}} \sphinxAtStartPar Path to a keytab to use for acquiring acceptor credentials. 
-\item[{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}} \sphinxAtStartPar Database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. @@ -10693,7 +10882,7 @@ Database\sphinxhyphen{}specific arguments. See {\hyperref[\detokenize{admin/adm \subsection{FILES} \label{\detokenize{admin/admin_commands/kpropd:files}}\begin{description} -\item[{kpropd.acl}] \leavevmode +\sphinxlineitem{kpropd.acl} \sphinxAtStartPar Access file for kpropd; the default location is \sphinxcode{\sphinxupquote{/usr/local/var/krb5kdc/kpropd.acl}}. Each entry is a line @@ -10716,6 +10905,8 @@ variables. {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}, inetd(8) +\sphinxstepscope + \section{kproplog} \label{\detokenize{admin/admin_commands/kproplog:kproplog}}\label{\detokenize{admin/admin_commands/kproplog:kproplog-8}}\label{\detokenize{admin/admin_commands/kproplog::doc}} 
@@ -10754,26 +10945,26 @@ last update received and the associated time stamp of the last update. \subsection{OPTIONS} \label{\detokenize{admin/admin_commands/kproplog:options}}\begin{description} -\item[{\sphinxstylestrong{\sphinxhyphen{}R}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}R}} \sphinxAtStartPar Reset the update log. This forces full resynchronization. If used on a replica then that replica will request a full resync. If used on the primary then all replicas will request full resyncs. -\item[{\sphinxstylestrong{\sphinxhyphen{}h}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}h}} \sphinxAtStartPar Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. -\item[{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}} \sphinxAtStartPar Display the last \sphinxstyleemphasis{num} update entries in the log. This is useful when debugging synchronization between KDC servers. -\item[{\sphinxstylestrong{\sphinxhyphen{}v}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}v}} \sphinxAtStartPar Display individual attributes per update. An example of the output generated for one entry: @@ -10810,6 +11001,8 @@ variables. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{ktutil} \label{\detokenize{admin/admin_commands/ktutil:ktutil}}\label{\detokenize{admin/admin_commands/ktutil:ktutil-1}}\label{\detokenize{admin/admin_commands/ktutil::doc}} 
@@ -10979,6 +11172,8 @@ variables. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{k5srvutil} \label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil}}\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}}\label{\detokenize{admin/admin_commands/k5srvutil::doc}} @@ -11002,12 +11197,12 @@ or to delete non\sphinxhyphen{}current keys from a keytab. \sphinxAtStartPar \sphinxstyleemphasis{operation} must be one of the following: \begin{description} -\item[{\sphinxstylestrong{list}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{list}} \sphinxAtStartPar Lists the keys in a keytab, showing version number and principal name. -\item[{\sphinxstylestrong{change}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{change}} \sphinxAtStartPar Uses the kadmin protocol to update the keys in the Kerberos database to new randomly\sphinxhyphen{}generated keys, and updates the keys in @@ -11022,7 +11217,7 @@ option. Old keys are retained in the keytab so that existing tickets continue to work, but \sphinxstylestrong{delold} should be used after such tickets expire, to prevent attacks against the old keys. -\item[{\sphinxstylestrong{delold}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{delold}} \sphinxAtStartPar Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation 
@@ -11030,7 +11225,7 @@ to remove old keys, after existing tickets issued for the service have expired. If the \sphinxstylestrong{\sphinxhyphen{}i} flag is given, then k5srvutil will prompt for confirmation for each principal. -\item[{\sphinxstylestrong{delete}}] \leavevmode +\sphinxlineitem{\sphinxstylestrong{delete}} \sphinxAtStartPar Deletes particular keys in the keytab, interactively prompting for each key. @@ -11058,6 +11253,8 @@ variables. \sphinxAtStartPar {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/ktutil:ktutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ktutil}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} +\sphinxstepscope + \section{sserver} \label{\detokenize{admin/admin_commands/sserver:sserver}}\label{\detokenize{admin/admin_commands/sserver:sserver-8}}\label{\detokenize{admin/admin_commands/sserver::doc}} @@ -11209,6 +11406,8 @@ variables. \sphinxAtStartPar \DUrole{xref,std,std-ref}{sclient(1)}, \DUrole{xref,std,std-ref}{kerberos(7)}, services(5), inetd(8) +\sphinxstepscope + \chapter{MIT Kerberos defaults} \label{\detokenize{mitK5defaults:mit-kerberos-defaults}}\label{\detokenize{mitK5defaults:mitk5defaults}}\label{\detokenize{mitK5defaults::doc}} @@ -11217,9 +11416,10 @@ variables. \label{\detokenize{mitK5defaults:general-defaults}} \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|T|} -\hline +\begin{tabulary}{\linewidth}[t]{TTT} +\sphinxtoprule \sphinxstyletheadfamily \sphinxAtStartPar Description @@ -11230,7 +11430,8 @@ Default \sphinxAtStartPar Environment \\ -\hline +\sphinxmidrule +\sphinxtableatstartofbodyhook \sphinxAtStartPar \DUrole{xref,std,std-ref}{keytab\_definition} file & 
@@ -11240,7 +11441,7 @@ Environment \sphinxAtStartPar \sphinxstylestrong{KRB5\_KTNAME} \\ -\hline +\sphinxhline \sphinxAtStartPar Client \DUrole{xref,std,std-ref}{keytab\_definition} file & @@ -11250,7 +11451,7 @@ Client \DUrole{xref,std,std-ref}{keytab\_definition} file \sphinxAtStartPar \sphinxstylestrong{KRB5\_CLIENT\_KTNAME} \\ -\hline +\sphinxhline \sphinxAtStartPar Kerberos config file {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} & @@ -11260,7 +11461,7 @@ Kerberos config file {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf \sphinxAtStartPar \sphinxstylestrong{KRB5\_CONFIG} \\ -\hline +\sphinxhline \sphinxAtStartPar KDC config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} & @@ -11270,7 +11471,7 @@ KDC config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\s \sphinxAtStartPar \sphinxstylestrong{KRB5\_KDC\_PROFILE} \\ -\hline +\sphinxhline \sphinxAtStartPar GSS mechanism config file & 
@@ -11280,42 +11481,42 @@ GSS mechanism config file \sphinxAtStartPar \sphinxstylestrong{GSS\_MECH\_CONFIG} \\ -\hline +\sphinxhline \sphinxAtStartPar KDC database path (DB2) & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}} &\\ -\hline +\sphinxhline \sphinxAtStartPar Master key \DUrole{xref,std,std-ref}{stash\_definition} & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.}}\sphinxstyleemphasis{realm} &\\ -\hline +\sphinxhline \sphinxAtStartPar Admin server ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}} &\\ -\hline +\sphinxhline \sphinxAtStartPar OTP socket directory & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}} &\\ -\hline +\sphinxhline \sphinxAtStartPar Plugin base directory & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins}} &\\ -\hline +\sphinxhline \sphinxAtStartPar \DUrole{xref,std,std-ref}{rcache\_definition} directory & 
@@ -11325,51 +11526,51 @@ Plugin base directory \sphinxAtStartPar \sphinxstylestrong{KRB5RCACHEDIR} \\ -\hline +\sphinxhline \sphinxAtStartPar Master key default enctype & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}} &\\ -\hline +\sphinxhline \sphinxAtStartPar Default {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{keysalt list}}}} & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal}} &\\ -\hline +\sphinxhline \sphinxAtStartPar Permitted enctypes & \sphinxAtStartPar \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}} &\\ -\hline +\sphinxhline \sphinxAtStartPar KDC default port & \sphinxAtStartPar 88 &\\ -\hline +\sphinxhline \sphinxAtStartPar Admin server port & \sphinxAtStartPar 749 &\\ -\hline +\sphinxhline \sphinxAtStartPar Password change port & \sphinxAtStartPar 464 &\\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} 
@@ -11381,9 +11582,10 @@ This table shows defaults used by the {\hyperref[\detokenize{admin/admin_command \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|T|} -\hline +\begin{tabulary}{\linewidth}[t]{TTT} +\sphinxtoprule \sphinxstyletheadfamily \sphinxAtStartPar Description @@ -11394,42 +11596,43 @@ Default \sphinxAtStartPar Environment \\ -\hline +\sphinxmidrule +\sphinxtableatstartofbodyhook \sphinxAtStartPar kprop database dump file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}} &\\ -\hline +\sphinxhline \sphinxAtStartPar kpropd temporary dump file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}} &\\ -\hline +\sphinxhline \sphinxAtStartPar kdb5\_util location & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}} &\\ -\hline +\sphinxhline \sphinxAtStartPar kprop location & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kprop}} &\\ -\hline +\sphinxhline \sphinxAtStartPar kpropd ACL file & \sphinxAtStartPar {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}} &\\ -\hline +\sphinxhline \sphinxAtStartPar kprop port & @@ -11439,9 +11642,9 @@ kprop port \sphinxAtStartPar KPROP\_PORT \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} 
@@ -11456,9 +11659,10 @@ operating system’s filesystem layout. \begin{savenotes}\sphinxattablestart +\sphinxthistablewithglobalstyle \centering -\begin{tabulary}{\linewidth}[t]{|T|T|T|T|} -\hline +\begin{tabulary}{\linewidth}[t]{TTTT} +\sphinxtoprule \sphinxstyletheadfamily \sphinxAtStartPar Description @@ -11472,7 +11676,8 @@ Custom build path \sphinxAtStartPar Typical OS path \\ -\hline +\sphinxmidrule +\sphinxtableatstartofbodyhook \sphinxAtStartPar User programs & @@ -11485,7 +11690,7 @@ BINDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/bin}} \\ -\hline +\sphinxhline \sphinxAtStartPar Libraries and plugins & @@ -11498,7 +11703,7 @@ LIBDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/lib}} \\ -\hline +\sphinxhline \sphinxAtStartPar Parent of KDC state dir & @@ -11511,7 +11716,7 @@ LOCALSTATEDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/var}} \\ -\hline +\sphinxhline \sphinxAtStartPar Parent of KDC runtime dir & @@ -11524,7 +11729,7 @@ RUNSTATEDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/run}} \\ -\hline +\sphinxhline \sphinxAtStartPar Administrative programs & @@ -11537,7 +11742,7 @@ SBINDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/usr/sbin}} \\ -\hline +\sphinxhline \sphinxAtStartPar Alternate krb5.conf dir & @@ -11550,7 +11755,7 @@ SYSCONFDIR \sphinxAtStartPar \sphinxcode{\sphinxupquote{/etc}} \\ -\hline +\sphinxhline \sphinxAtStartPar Default ccache name & @@ -11563,7 +11768,7 @@ DEFCCNAME \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/tmp/krb5cc\_\%\{uid\}}} \\ -\hline +\sphinxhline \sphinxAtStartPar Default keytab name & @@ -11576,7 +11781,7 @@ DEFKTNAME \sphinxAtStartPar \sphinxcode{\sphinxupquote{FILE:/etc/krb5.keytab}} \\ -\hline +\sphinxhline \sphinxAtStartPar Default PKCS11 module & 
@@ -11589,9 +11794,9 @@ PKCS11\_MODNAME \sphinxAtStartPar \sphinxcode{\sphinxupquote{opensc\sphinxhyphen{}pkcs11.so}} \\ -\hline +\sphinxbottomrule \end{tabulary} -\par +\sphinxtableafterendhook\par \sphinxattableend\end{savenotes} \sphinxAtStartPar @@ -11600,12 +11805,16 @@ The default client keytab name (DEFCKTNAME) typically defaults to build. A native build will typically use a path which will vary according to the operating system’s layout of \sphinxcode{\sphinxupquote{/var}}. +\sphinxstepscope + \chapter{Environment variables} \label{\detokenize{admin/env_variables:environment-variables}}\label{\detokenize{admin/env_variables::doc}} \sphinxAtStartPar This content has moved to \DUrole{xref,std,std-ref}{kerberos(7)}. +\sphinxstepscope + \chapter{Troubleshooting} \label{\detokenize{admin/troubleshoot:troubleshooting}}\label{\detokenize{admin/troubleshoot:troubleshoot}}\label{\detokenize{admin/troubleshoot::doc}} @@ -11761,9 +11970,13 @@ The replica has a keytab file in the default location containing a \end{enumerate} +\sphinxstepscope + \chapter{Advanced topics} \label{\detokenize{admin/advanced/index:advanced-topics}}\label{\detokenize{admin/advanced/index::doc}} +\sphinxstepscope + \section{Retiring DES} \label{\detokenize{admin/advanced/retiring-des:retiring-des}}\label{\detokenize{admin/advanced/retiring-des:id1}}\label{\detokenize{admin/advanced/retiring-des::doc}} 
@@ -11773,7 +11986,7 @@ the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56\sphinxhyphen{}bit keyspace. As such, it is now considered insecure and should not be -used (\index{RFC@\spxentry{RFC}!RFC 6649@\spxentry{RFC 6649}}\sphinxhref{https://tools.ietf.org/html/rfc6649.html}{\sphinxstylestrong{RFC 6649}}). +used (\index{RFC@\spxentry{RFC}!RFC 6649@\spxentry{RFC 6649}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc6649.html}{\sphinxstylestrong{RFC 6649}}). \subsection{History} @@ -12231,6 +12444,8 @@ desired. Using {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util- and activated for use on new key material, and the existing entries converted to the new master key. +\sphinxstepscope + \chapter{Various links} \label{\detokenize{admin/various_envs:various-links}}\label{\detokenize{admin/various_envs::doc}} |