path: root/crypto/krb5/doc/pdf/admin.tex

%% Generated by Sphinx.
\def\sphinxdocclass{report}
\documentclass[letterpaper,10pt,english]{sphinxmanual}
\ifdefined\pdfpxdimen
   \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen
\fi \sphinxpxdimen=.75bp\relax
\ifdefined\pdfimageresolution
    \pdfimageresolution= \numexpr \dimexpr1in\relax/\sphinxpxdimen\relax
\fi
%% let collapsible pdf bookmarks panel have high depth per default
\PassOptionsToPackage{bookmarksdepth=5}{hyperref}

\PassOptionsToPackage{booktabs}{sphinx}
\PassOptionsToPackage{colorrows}{sphinx}

\PassOptionsToPackage{warn}{textcomp}
\usepackage[utf8]{inputenc}
\ifdefined\DeclareUnicodeCharacter
% support both utf8 and utf8x syntaxes
  \ifdefined\DeclareUnicodeCharacterAsOptional
    \def\sphinxDUC#1{\DeclareUnicodeCharacter{"#1}}
  \else
    \let\sphinxDUC\DeclareUnicodeCharacter
  \fi
  \sphinxDUC{00A0}{\nobreakspace}
  \sphinxDUC{2500}{\sphinxunichar{2500}}
  \sphinxDUC{2502}{\sphinxunichar{2502}}
  \sphinxDUC{2514}{\sphinxunichar{2514}}
  \sphinxDUC{251C}{\sphinxunichar{251C}}
  \sphinxDUC{2572}{\textbackslash}
\fi
\usepackage{cmap}
\usepackage[T1]{fontenc}
\usepackage{amsmath,amssymb,amstext}
\usepackage{babel}



\usepackage{tgtermes}
\usepackage{tgheros}
\renewcommand{\ttdefault}{txtt}



\usepackage[Bjarne]{fncychap}
\usepackage{sphinx}

\fvset{fontsize=auto}
\usepackage{geometry}


% Include hyperref last.
\usepackage{hyperref}
% Fix anchor placement for figures with captions.
\usepackage{hypcap}% it must be loaded after hyperref.
% Set up styles of URL: it should be placed after hyperref.
\urlstyle{same}


\usepackage{sphinxmessages}
\setcounter{tocdepth}{0}



\title{Kerberos Administration Guide}
\date{ }
\release{1.22\sphinxhyphen{}final}
\author{MIT}
\newcommand{\sphinxlogo}{\vbox{}}
\renewcommand{\releasename}{Release}
\makeindex
\begin{document}

\ifdefined\shorthandoff
  \ifnum\catcode`\=\string=\active\shorthandoff{=}\fi
  \ifnum\catcode`\"=\active\shorthandoff{"}\fi
\fi

\pagestyle{empty}
\sphinxmaketitle
\pagestyle{plain}
\sphinxtableofcontents
\pagestyle{normal}
\phantomsection\label{\detokenize{admin/index::doc}}


\sphinxstepscope


\chapter{Installation guide}
\label{\detokenize{admin/install:installation-guide}}\label{\detokenize{admin/install::doc}}

\section{Contents}
\label{\detokenize{admin/install:contents}}
\sphinxstepscope


\subsection{Installing KDCs}
\label{\detokenize{admin/install_kdc:installing-kdcs}}\label{\detokenize{admin/install_kdc::doc}}
\sphinxAtStartPar
When setting up Kerberos in a production environment, it is best to
have multiple replica KDCs alongside with a primary KDC to ensure the
continued availability of the Kerberized services.  Each KDC contains
a copy of the Kerberos database.  The primary KDC contains the
writable copy of the realm database, which it replicates to the
replica KDCs at regular intervals.  All database changes (such as
password changes) are made on the primary KDC.  Replica KDCs provide
Kerberos ticket\sphinxhyphen{}granting services, but not database administration,
when the primary KDC is unavailable.  MIT recommends that you install
all of your KDCs to be able to function as either the primary or one
of the replicas.  This will enable you to easily switch your primary
KDC with one of the replicas if necessary (see
{\hyperref[\detokenize{admin/install_kdc:switch-primary-replica}]{\sphinxcrossref{\DUrole{std,std-ref}{Switching primary and replica KDCs}}}}).  This installation procedure is based
on that recommendation.

\begin{sphinxadmonition}{warning}{Warning:}\begin{itemize}
\item {} 
\sphinxAtStartPar
The Kerberos system relies on the availability of correct time
information.  Ensure that the primary and all replica KDCs have
properly synchronized clocks.

\item {} 
\sphinxAtStartPar
It is best to install and run KDCs on secured and dedicated
hardware with limited access.  If your KDC is also a file
server, FTP server, Web server, or even just a client machine,
someone who obtained root access through a security hole in any
of those areas could potentially gain access to the Kerberos
database.

\end{itemize}
\end{sphinxadmonition}


\subsubsection{Install and configure the primary KDC}
\label{\detokenize{admin/install_kdc:install-and-configure-the-primary-kdc}}
\sphinxAtStartPar
Install Kerberos either from the OS\sphinxhyphen{}provided packages or from the
source (See \DUrole{xref,std,std-ref}{do\_build}).

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
For the purpose of this document we will use the following
names:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}    \PYG{o}{\PYGZhy{}} \PYG{n}{primary} \PYG{n}{KDC}
\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}  \PYG{o}{\PYGZhy{}} \PYG{n}{replica} \PYG{n}{KDC}
\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}      \PYG{o}{\PYGZhy{}} \PYG{n}{realm} \PYG{n}{name}
\PYG{o}{.}\PYG{n}{k5}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}  \PYG{o}{\PYGZhy{}} \PYG{n}{stash} \PYG{n}{file}
\PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}         \PYG{o}{\PYGZhy{}} \PYG{n}{admin} \PYG{n}{principal}
\end{sphinxVerbatim}

\sphinxAtStartPar
See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default names and locations
of the relevant to this topic files.  Adjust the names and
paths to your system environment.
\end{sphinxadmonition}


\subsubsection{Edit KDC configuration files}
\label{\detokenize{admin/install_kdc:edit-kdc-configuration-files}}
\sphinxAtStartPar
Modify the configuration files, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} and
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, to reflect the correct information (such as
domain\sphinxhyphen{}realm mappings and Kerberos servers names) for your realm.
(See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the recommended default locations for
these files).

\sphinxAtStartPar
Most of the tags in the configuration have default values that will
work well for most sites.  There are some tags in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file whose values must be specified, and this
section will explain those.

\sphinxAtStartPar
If the locations for these configuration files differs from the
default ones, set \sphinxstylestrong{KRB5\_CONFIG} and \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment
variables to point to the krb5.conf and kdc.conf respectively.  For
example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{export} \PYG{n}{KRB5\PYGZus{}CONFIG}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{conf}
\PYG{n}{export} \PYG{n}{KRB5\PYGZus{}KDC\PYGZus{}PROFILE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{conf}
\end{sphinxVerbatim}


\paragraph{krb5.conf}
\label{\detokenize{admin/install_kdc:krb5-conf}}
\sphinxAtStartPar
If you are not using DNS TXT records (see {\hyperref[\detokenize{admin/realm_config:mapping-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Mapping hostnames onto Kerberos realms}}}}),
you must specify the \sphinxstylestrong{default\_realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
section.  If you are not using DNS URI or SRV records (see
{\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}} and {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), you must include the
\sphinxstylestrong{kdc} tag for each \sphinxstyleemphasis{realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section.  To
communicate with the kadmin server in each realm, the \sphinxstylestrong{admin\_server}
tag must be set in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section.

\sphinxAtStartPar
An example krb5.conf file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}


\paragraph{kdc.conf}
\label{\detokenize{admin/install_kdc:kdc-conf}}
\sphinxAtStartPar
The kdc.conf file can be used to control the listening ports of the
KDC and kadmind, as well as realm\sphinxhyphen{}specific defaults, the database type
and location, and logging.

\sphinxAtStartPar
An example kdc.conf file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
    \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
    \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}

\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749}
        \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
        \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
        \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}
        \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}
        \PYG{c+c1}{\PYGZsh{} If the default location does not suit your setup,}
        \PYG{c+c1}{\PYGZsh{} explicitly configure the following values:}
        \PYG{c+c1}{\PYGZsh{}    database\PYGZus{}name = /var/krb5kdc/principal}
        \PYG{c+c1}{\PYGZsh{}    key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU}
        \PYG{c+c1}{\PYGZsh{}    acl\PYGZus{}file = /var/krb5kdc/kadm5.acl}
    \PYG{p}{\PYGZcb{}}

\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
    \PYG{c+c1}{\PYGZsh{} By default, the KDC and kadmind will log output using}
    \PYG{c+c1}{\PYGZsh{} syslog.  You can instead send log output to files like this:}
    \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log}
    \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
    \PYG{n}{default} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5lib}\PYG{o}{.}\PYG{n}{log}
\end{sphinxVerbatim}

\sphinxAtStartPar
Replace \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} and \sphinxcode{\sphinxupquote{kerberos.mit.edu}} with the name of
your Kerberos realm and server respectively.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
You have to have write permission on the target directories
(these directories must exist) used by \sphinxstylestrong{database\_name},
\sphinxstylestrong{key\_stash\_file}, and \sphinxstylestrong{acl\_file}.
\end{sphinxadmonition}


\subsubsection{Create the KDC database}
\label{\detokenize{admin/install_kdc:create-the-kdc-database}}\label{\detokenize{admin/install_kdc:create-db}}
\sphinxAtStartPar
You will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command on the primary KDC to
create the Kerberos database and the optional \DUrole{xref,std,std-ref}{stash\_definition}.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
If you choose not to install a stash file, the KDC will
prompt you for the master key each time it starts up.  This
means that the KDC will not be able to start automatically,
such as after a system reboot.
\end{sphinxadmonition}

\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} will prompt you for the master password for the
Kerberos database.  This password can be any string.  A good password
is one you can remember, but that no one else can guess.  Examples of
bad passwords are words that can be found in a dictionary, any common
or popular name, especially a famous person (or cartoon character),
your username in any form (e.g., forward, backward, repeated twice,
etc.), and any of the sample passwords that appear in this manual.
One example of a password which might be good if it did not appear in
this manual is “MITiys4K5!”, which represents the sentence “MIT is
your source for Kerberos 5!”  (It’s the first letter of each word,
substituting the numeral “4” for the word “for”, and includes the
punctuation mark at the end.)

\sphinxAtStartPar
The following is an example of how to create a Kerberos database and
stash file on the primary KDC, using the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command.
Replace \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} with the name of your Kerberos realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{s}

\PYG{n}{Initializing} \PYG{n}{database} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{/usr/local/var/krb5kdc/principal}\PYG{l+s+s1}{\PYGZsq{}} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}\PYG{p}{,}
\PYG{n}{master} \PYG{n}{key} \PYG{n}{name} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{K/M@ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}
\PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.}
\PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{master} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
This will create five files in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}} (or at the locations specified
in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}):
\begin{itemize}
\item {} 
\sphinxAtStartPar
two Kerberos database files, \sphinxcode{\sphinxupquote{principal}}, and \sphinxcode{\sphinxupquote{principal.ok}}

\item {} 
\sphinxAtStartPar
the Kerberos administrative database file, \sphinxcode{\sphinxupquote{principal.kadm5}}

\item {} 
\sphinxAtStartPar
the administrative database lock file, \sphinxcode{\sphinxupquote{principal.kadm5.lock}}

\item {} 
\sphinxAtStartPar
the stash file, in this example \sphinxcode{\sphinxupquote{.k5.ATHENA.MIT.EDU}}.  If you do
not want a stash file, run the above command without the \sphinxstylestrong{\sphinxhyphen{}s}
option.

\end{itemize}

\sphinxAtStartPar
For more information on administrating Kerberos database see
{\hyperref[\detokenize{admin/database:db-operations}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the Kerberos database}}}}.


\subsubsection{Add administrators to the ACL file}
\label{\detokenize{admin/install_kdc:add-administrators-to-the-acl-file}}\label{\detokenize{admin/install_kdc:admin-acl}}
\sphinxAtStartPar
Next, you need create an Access Control List (ACL) file and put the
Kerberos principal of at least one of the administrators into it.
This file is used by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon to control which
principals may view and make privileged modifications to the Kerberos
database files.  The ACL filename is determined by the \sphinxstylestrong{acl\_file}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}.

\sphinxAtStartPar
For more information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}.


\subsubsection{Add administrators to the Kerberos database}
\label{\detokenize{admin/install_kdc:add-administrators-to-the-kerberos-database}}\label{\detokenize{admin/install_kdc:addadmin-kdb}}
\sphinxAtStartPar
Next you need to add administrative principals (i.e., principals who
are allowed to administer Kerberos database) to the Kerberos database.
You \sphinxstyleemphasis{must} add at least one principal now to allow communication
between the Kerberos administration daemon kadmind and the kadmin
program over the network for further administration.  To do this, use
the kadmin.local utility on the primary KDC.  kadmin.local is designed
to be run on the primary KDC host without using Kerberos
authentication to an admin server; instead, it must have read and
write access to the Kerberos database on the local filesystem.

\sphinxAtStartPar
The administrative principals you create should be the ones you added
to the ACL file (see {\hyperref[\detokenize{admin/install_kdc:admin-acl}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the ACL file}}}}).

\sphinxAtStartPar
In the following example, the administrative principal \sphinxcode{\sphinxupquote{admin/admin}}
is created:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}

\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;}
\PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Enter} \PYG{n}{a} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}  \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.}
\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{Start the Kerberos daemons on the primary KDC}
\label{\detokenize{admin/install_kdc:start-the-kerberos-daemons-on-the-primary-kdc}}\label{\detokenize{admin/install_kdc:start-kdc-daemons}}
\sphinxAtStartPar
At this point, you are ready to start the Kerberos KDC
({\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}) and administrative daemons on the primary KDC.  To
do so, type:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind}
\end{sphinxVerbatim}

\sphinxAtStartPar
Each server daemon will fork and run in the background.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
Assuming you want these daemons to start up automatically at
boot time, you can add them to the KDC’s \sphinxcode{\sphinxupquote{/etc/rc}} or
\sphinxcode{\sphinxupquote{/etc/inittab}} file.  You need to have a
\DUrole{xref,std,std-ref}{stash\_definition} in order to do this.
\end{sphinxadmonition}

\sphinxAtStartPar
You can verify that they started properly by checking for their
startup messages in the logging locations you defined in
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} (see {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}).  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log}
\PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{beeblebrox} \PYG{n}{krb5kdc}\PYG{p}{[}\PYG{l+m+mi}{3187}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{commencing} \PYG{n}{operation}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
\PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{52} \PYG{n}{beeblebrox} \PYG{n}{kadmind}\PYG{p}{[}\PYG{l+m+mi}{3189}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{starting}
\end{sphinxVerbatim}

\sphinxAtStartPar
Any errors the daemons encounter while starting will also be listed in
the logging output.

\sphinxAtStartPar
As an additional verification, check if \DUrole{xref,std,std-ref}{kinit(1)} succeeds
against the principals that you have created on the previous step
({\hyperref[\detokenize{admin/install_kdc:addadmin-kdb}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the Kerberos database}}}}).  Run:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}


\subsubsection{Install the replica KDCs}
\label{\detokenize{admin/install_kdc:install-the-replica-kdcs}}
\sphinxAtStartPar
You are now ready to start configuring the replica KDCs.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
Assuming you are setting the KDCs up so that you can easily
switch the primary KDC with one of the replicas, you should
perform each of these steps on the primary KDC as well as
the replica KDCs, unless these instructions specify
otherwise.
\end{sphinxadmonition}


\paragraph{Create host keytabs for replica KDCs}
\label{\detokenize{admin/install_kdc:create-host-keytabs-for-replica-kdcs}}\label{\detokenize{admin/install_kdc:replica-host-key}}
\sphinxAtStartPar
Each KDC needs a \sphinxcode{\sphinxupquote{host}} key in the Kerberos database.  These keys
are used for mutual authentication when propagating the database dump
file from the primary KDC to the secondary KDC servers.

\sphinxAtStartPar
On the primary KDC, connect to administrative interface and create the
host principal for each of the KDCs’ \sphinxcode{\sphinxupquote{host}} services.  For example,
if the primary KDC were called \sphinxcode{\sphinxupquote{kerberos.mit.edu}}, and you had a
replica KDC named \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}, you would type the
following:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}

\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
It is not strictly necessary to have the primary KDC server in the
Kerberos database, but it can be handy if you want to be able to swap
the primary KDC with one of the replicas.

\sphinxAtStartPar
Next, extract \sphinxcode{\sphinxupquote{host}} random keys for all participating KDCs and
store them in each host’s default keytab file.  Ideally, you should
extract each keytab locally on its own KDC.  If this is not feasible,
you should use an encrypted session to send them across the network.
To extract a keytab directly on a replica KDC called
\sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}, you would execute the following command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{arcfour}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you are instead extracting a keytab for the replica KDC called
\sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}} on the primary KDC, you should use a dedicated
temporary keytab file for that machine’s keytab:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption}
    \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
The file \sphinxcode{\sphinxupquote{/tmp/kerberos\sphinxhyphen{}1.keytab}} can then be installed as
\sphinxcode{\sphinxupquote{/etc/krb5.keytab}} on the host \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1.mit.edu}}.


\paragraph{Configure replica KDCs}
\label{\detokenize{admin/install_kdc:configure-replica-kdcs}}
\sphinxAtStartPar
Database propagation copies the contents of the primary’s database,
but does not propagate configuration files, stash files, or the kadm5
ACL file.  The following files must be copied by hand to each replica
(see {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default locations for these files):
\begin{itemize}
\item {} 
\sphinxAtStartPar
krb5.conf

\item {} 
\sphinxAtStartPar
kdc.conf

\item {} 
\sphinxAtStartPar
kadm5.acl

\item {} 
\sphinxAtStartPar
master key stash file

\end{itemize}

\sphinxAtStartPar
Move the copied files into their appropriate directories, exactly as
on the primary KDC.  kadm5.acl is only needed to allow a replica to
swap with the primary KDC.

\sphinxAtStartPar
The database is propagated from the primary KDC to the replica KDCs
via the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} daemon.  You must explicitly specify the
principals which are allowed to provide Kerberos dump updates on the
replica machine with a new database.  Create a file named kpropd.acl
in the KDC state directory containing the \sphinxcode{\sphinxupquote{host}} principals for each
of the KDCs:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
If you expect that the primary and replica KDCs will be
switched at some point of time, list the host principals
from all participating KDC servers in kpropd.acl files on
all of the KDCs.  Otherwise, you only need to list the
primary KDC’s host principal in the kpropd.acl files of the
replica KDCs.
\end{sphinxadmonition}

\sphinxAtStartPar
Then, add the following line to \sphinxcode{\sphinxupquote{/etc/inetd.conf}} on each KDC
(adjust the path to kpropd):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5\PYGZus{}prop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd}
\end{sphinxVerbatim}

\sphinxAtStartPar
You also need to add the following line to \sphinxcode{\sphinxupquote{/etc/services}} on each
KDC, if it is not already present (assuming that the default port is
used):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5\PYGZus{}prop}       \PYG{l+m+mi}{754}\PYG{o}{/}\PYG{n}{tcp}               \PYG{c+c1}{\PYGZsh{} Kerberos replica propagation}
\end{sphinxVerbatim}

\sphinxAtStartPar
Restart inetd daemon.

\sphinxAtStartPar
Alternatively, start {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} as a stand\sphinxhyphen{}alone daemon.  This is
required when incremental propagation is enabled.

\sphinxAtStartPar
Now that the replica KDC is able to accept database propagation,
you’ll need to propagate the database from the primary server.

\sphinxAtStartPar
NOTE: Do not start the replica KDC yet; you still do not have a copy
of the primary’s database.


\paragraph{Propagate the database to each replica KDC}
\label{\detokenize{admin/install_kdc:propagate-the-database-to-each-replica-kdc}}\label{\detokenize{admin/install_kdc:kprop-to-replicas}}
\sphinxAtStartPar
First, create a dump file of the database on the primary KDC, as
follows:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans}
\end{sphinxVerbatim}

\sphinxAtStartPar
Then, manually propagate the database to each replica KDC, as in the
following example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kprop} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}

\PYG{n}{Database} \PYG{n}{propagation} \PYG{n}{to} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{p}{:} \PYG{n}{SUCCEEDED}
\end{sphinxVerbatim}

\sphinxAtStartPar
You will need a script to dump and propagate the database. The
following is an example of a Bourne shell script that will do this.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
Remember that you need to replace \sphinxcode{\sphinxupquote{/usr/local/var/krb5kdc}}
with the name of the KDC state directory.
\end{sphinxadmonition}

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZsh{}!/bin/sh

kdclist = \PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{}

kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/replica\PYGZus{}datatrans

for kdc in \PYGZdl{}kdclist
do
    kprop \PYGZhy{}f /usr/local/var/krb5kdc/replica\PYGZus{}datatrans \PYGZdl{}kdc
done
\end{sphinxVerbatim}

\sphinxAtStartPar
You will need to set up a cron job to run this script at the intervals
you decided on earlier (see {\hyperref[\detokenize{admin/realm_config:db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Database propagation}}}}).

\sphinxAtStartPar
Now that the replica KDC has a copy of the Kerberos database, you can
start the krb5kdc daemon:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc}
\end{sphinxVerbatim}

\sphinxAtStartPar
As with the primary KDC, you will probably want to add this command to
the KDCs’ \sphinxcode{\sphinxupquote{/etc/rc}} or \sphinxcode{\sphinxupquote{/etc/inittab}} files, so they will start
the krb5kdc daemon automatically at boot time.


\subparagraph{Propagation failed?}
\label{\detokenize{admin/install_kdc:propagation-failed}}
\sphinxAtStartPar
You may encounter the following error messages. For a more detailed
discussion on possible causes and solutions click on the error link
to be redirected to {\hyperref[\detokenize{admin/troubleshoot:troubleshoot}]{\sphinxcrossref{\DUrole{std,std-ref}{Troubleshooting}}}} section.
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}}

\end{enumerate}


\subsubsection{Add Kerberos principals to the database}
\label{\detokenize{admin/install_kdc:add-kerberos-principals-to-the-database}}
\sphinxAtStartPar
Once your KDCs are set up and running, you are ready to use
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to load principals for your users, hosts, and other
services into the Kerberos database.  This procedure is described
fully in {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}.

\sphinxAtStartPar
You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or
if your primary KDC has a disk crash.  See the following section for
the instructions.


\subsubsection{Switching primary and replica KDCs}
\label{\detokenize{admin/install_kdc:switching-primary-and-replica-kdcs}}\label{\detokenize{admin/install_kdc:switch-primary-replica}}
\sphinxAtStartPar
You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or
if your primary KDC has a disk crash.

\sphinxAtStartPar
Assuming you have configured all of your KDCs to be able to function
as either the primary KDC or a replica KDC (as this document
recommends), all you need to do to make the changeover is:

\sphinxAtStartPar
If the primary KDC is still running, do the following on the \sphinxstyleemphasis{old}
primary KDC:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Kill the kadmind process.

\item {} 
\sphinxAtStartPar
Disable the cron job that propagates the database.

\item {} 
\sphinxAtStartPar
Run your database propagation script manually, to ensure that the
replicas all have the latest copy of the database (see
{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}).

\end{enumerate}

\sphinxAtStartPar
On the \sphinxstyleemphasis{new} primary KDC:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Start the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon (see {\hyperref[\detokenize{admin/install_kdc:start-kdc-daemons}]{\sphinxcrossref{\DUrole{std,std-ref}{Start the Kerberos daemons on the primary KDC}}}}).

\item {} 
\sphinxAtStartPar
Set up the cron job to propagate the database (see
{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}).

\item {} 
\sphinxAtStartPar
Switch the CNAMEs of the old and new primary KDCs.  If you can’t do
this, you’ll need to change the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file on every
client machine in your Kerberos realm.

\end{enumerate}


\subsubsection{Incremental database propagation}
\label{\detokenize{admin/install_kdc:incremental-database-propagation}}
\sphinxAtStartPar
If you expect your Kerberos database to become large, you may wish to
set up incremental propagation to replica KDCs.  See
{\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} for details.

\sphinxstepscope


\subsection{Installing and configuring UNIX client machines}
\label{\detokenize{admin/install_clients:installing-and-configuring-unix-client-machines}}\label{\detokenize{admin/install_clients::doc}}
\sphinxAtStartPar
The Kerberized client programs include \DUrole{xref,std,std-ref}{kinit(1)},
\DUrole{xref,std,std-ref}{klist(1)}, \DUrole{xref,std,std-ref}{kdestroy(1)}, and \DUrole{xref,std,std-ref}{kpasswd(1)}.  All of
these programs are in the directory {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{BINDIR}}}}.

\sphinxAtStartPar
You can often integrate Kerberos with the login system on client
machines, typically through the use of PAM.  The details vary by
operating system, and should be covered in your operating system’s
documentation.  If you do this, you will need to make sure your users
know to use their Kerberos passwords when they log in.

\sphinxAtStartPar
You will also need to educate your users to use the ticket management
programs kinit, klist, and kdestroy.  If you do not have Kerberos
password changing integrated into the native password program (again,
typically through PAM), you will need to educate users to use kpasswd
in place of its non\sphinxhyphen{}Kerberos counterparts passwd.


\subsubsection{Client machine configuration files}
\label{\detokenize{admin/install_clients:client-machine-configuration-files}}
\sphinxAtStartPar
Each machine running Kerberos should have a {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file.
At a minimum, it should define a \sphinxstylestrong{default\_realm} setting in
{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.  If you are not using DNS SRV records
({\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}}) or URI records ({\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), it must
also contain a {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section containing information for your
realm’s KDCs.

\sphinxAtStartPar
Consider setting \sphinxstylestrong{rdns} to false in order to reduce your dependence
on precisely correct DNS information for service hostnames.  Turning
this flag off means that service hostnames will be canonicalized
through forward name resolution (which adds your domain name to
unqualified hostnames, and resolves CNAME records in DNS), but not
through reverse address lookup.  The default value of this flag is
true for historical reasons only.

\sphinxAtStartPar
If you anticipate users frequently logging into remote hosts
(e.g., using ssh) using forwardable credentials, consider setting
\sphinxstylestrong{forwardable} to true so that users obtain forwardable tickets by
default.  Otherwise users will need to use \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}f}} to get
forwardable tickets.

\sphinxAtStartPar
Consider adjusting the \sphinxstylestrong{ticket\_lifetime} setting to match the likely
length of sessions for your users.  For instance, if most of your
users will be logging in for an eight\sphinxhyphen{}hour workday, you could set the
default to ten hours so that tickets obtained in the morning expire
shortly after the end of the workday.  Users can still manually
request longer tickets when necessary, up to the maximum allowed by
each user’s principal record on the KDC.

\sphinxAtStartPar
If a client host may access services in different realms, it may be
useful to define a {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} mapping so that clients know
which hosts belong to which realms.  However, if your clients and KDC
are running release 1.7 or later, it is also reasonable to leave this
section out on client machines and just define it in the KDC’s
krb5.conf.

\sphinxstepscope


\subsection{UNIX Application Servers}
\label{\detokenize{admin/install_appl_srv:unix-application-servers}}\label{\detokenize{admin/install_appl_srv::doc}}
\sphinxAtStartPar
An application server is a host that provides one or more services
over the network.  Application servers can be “secure” or “insecure.”
A “secure” host is set up to require authentication from every client
connecting to it.  An “insecure” host will still provide Kerberos
authentication, but will also allow unauthenticated clients to
connect.

\sphinxAtStartPar
If you have Kerberos V5 installed on all of your client machines, MIT
recommends that you make your hosts secure, to take advantage of the
security that Kerberos authentication affords.  However, if you have
some clients that do not have Kerberos V5 installed, you can run an
insecure server, and still take advantage of Kerberos V5’s single
sign\sphinxhyphen{}on capability.


\subsubsection{The keytab file}
\label{\detokenize{admin/install_appl_srv:the-keytab-file}}\label{\detokenize{admin/install_appl_srv:keytab-file}}
\sphinxAtStartPar
All Kerberos server machines need a keytab file to authenticate to the
KDC.  By default on UNIX\sphinxhyphen{}like systems this file is named {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}.
The keytab file is an local copy of the host’s key.  The keytab file
is a potential point of entry for a break\sphinxhyphen{}in, and if compromised,
would allow unrestricted access to its host.  The keytab file should
be readable only by root, and should exist only on the machine’s local
disk.  The file should not be part of any backup of the machine,
unless access to the backup data is secured as tightly as access to
the machine’s root password.

\sphinxAtStartPar
In order to generate a keytab for a host, the host must have a
principal in the Kerberos database.  The procedure for adding hosts to
the database is described fully in {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}.  (See
{\hyperref[\detokenize{admin/install_kdc:replica-host-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Create host keytabs for replica KDCs}}}} for a brief description.)  The keytab is
generated by running {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and issuing the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:ktadd}]{\sphinxcrossref{\DUrole{std,std-ref}{ktadd}}}}
command.

\sphinxAtStartPar
For example, to generate a keytab file to allow the host
\sphinxcode{\sphinxupquote{trillium.mit.edu}} to authenticate for the services host, ftp, and
pop, the administrator \sphinxcode{\sphinxupquote{joeadmin}} would issue the command (on
\sphinxcode{\sphinxupquote{trillium.mit.edu}}):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{trillium}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{quit}
\PYG{n}{trillium}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you generate the keytab file on another host, you need to get a
copy of the keytab file onto the destination host (\sphinxcode{\sphinxupquote{trillium}}, in
the above example) without sending it unencrypted over the network.


\subsubsection{Some advice about secure hosts}
\label{\detokenize{admin/install_appl_srv:some-advice-about-secure-hosts}}
\sphinxAtStartPar
Kerberos V5 can protect your host from certain types of break\sphinxhyphen{}ins, but
it is possible to install Kerberos V5 and still leave your host
vulnerable to attack.  Obviously an installation guide is not the
place to try to include an exhaustive list of countermeasures for
every possible attack, but it is worth noting some of the larger holes
and how to close them.

\sphinxAtStartPar
We recommend that backups of secure machines exclude the keytab file
({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}).  If this is not possible, the backups should at least be
done locally, rather than over a network, and the backup tapes should
be physically secured.

\sphinxAtStartPar
The keytab file and any programs run by root, including the Kerberos
V5 binaries, should be kept on local disk.  The keytab file should be
readable only by root.


\section{Additional references}
\label{\detokenize{admin/install:additional-references}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Debian: \sphinxhref{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5}

\item {} 
\sphinxAtStartPar
Solaris: \sphinxhref{https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service}

\end{enumerate}

\sphinxstepscope


\chapter{Configuration Files}
\label{\detokenize{admin/conf_files/index:configuration-files}}\label{\detokenize{admin/conf_files/index::doc}}
\sphinxAtStartPar
Kerberos uses configuration files to allow administrators to specify
settings on a per\sphinxhyphen{}machine basis.  {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to all
applications using the Kerboros library, on clients and servers.
For KDC\sphinxhyphen{}specific applications, additional settings can be specified in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the two files are merged into a configuration profile
used by applications accessing the KDC database directly.  {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}
is also only used on the KDC, it controls permissions for modifying the
KDC database.


\section{Contents}
\label{\detokenize{admin/conf_files/index:contents}}
\sphinxstepscope


\subsection{krb5.conf}
\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}}\label{\detokenize{admin/conf_files/krb5_conf::doc}}
\sphinxAtStartPar
The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
\sphinxcode{\sphinxupquote{/etc}}.  You can override the default location by setting the
environment variable \sphinxstylestrong{KRB5\_CONFIG}.  Multiple colon\sphinxhyphen{}separated
filenames may be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files which are
present will be read.  Starting in release 1.14, directory names can
also be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.


\subsubsection{Structure}
\label{\detokenize{admin/conf_files/krb5_conf:structure}}
\sphinxAtStartPar
The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with ‘\#’ or ‘;’ (possibly after initial whitespace)
are ignored as comments.  Sections are headed by the section name, in
square brackets.  Each section may contain zero or more relations, of
the form:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar}
\end{sphinxVerbatim}

\sphinxAtStartPar
or:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{fubar} \PYG{o}{=} \PYG{p}{\PYGZob{}}
    \PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar}
    \PYG{n}{baz} \PYG{o}{=} \PYG{n}{quux}
\PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The krb5.conf file can include other files using either of the
following directives at the beginning of a line:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{include} \PYG{n}{FILENAME}
\PYG{n}{includedir} \PYG{n}{DIRNAME}
\end{sphinxVerbatim}

\sphinxAtStartPar
\sphinxstyleemphasis{FILENAME} or \sphinxstyleemphasis{DIRNAME} should be an absolute path. The named file or
directory must exist and be readable.  Including a directory includes
all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores.  Starting in release
1.15, files with names ending in “.conf” are also included, unless the
name begins with “.”.  Included profile files are syntactically
independent of their parents, so each included file must begin with a
section header.  Starting in release 1.17, files are read in
alphanumeric order; in previous releases, they may be read in any
order.

\sphinxAtStartPar
Placing a ‘*’ after the closing bracket of a section name indicates
that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears
again later, it will be ignored.  A subsection can be marked as final
by placing a ‘*’ after either the tag name or the closing brace.  A
relation can be marked as final by placing a ‘*’ after the tag name.
Prior to release 1.22, only sections and subsections can be marked as
final, and the flag only causes values to be ignored if they appear in
later files specified in \sphinxstylestrong{KRB5\_CONFIG}, not if they appear later
within the same file or an included file.

\sphinxAtStartPar
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{module} \PYG{n}{MODULEPATH}\PYG{p}{:}\PYG{n}{RESIDUAL}
\end{sphinxVerbatim}

\sphinxAtStartPar
\sphinxstyleemphasis{MODULEPATH} may be relative to the library path of the krb5
installation, or it may be an absolute path.  \sphinxstyleemphasis{RESIDUAL} is provided
to the module at initialization time.  If krb5.conf uses a module
directive, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} should also use one if it exists.


\subsubsection{Sections}
\label{\detokenize{admin/conf_files/krb5_conf:sections}}
\sphinxAtStartPar
The krb5.conf file may contain the following sections:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
&
\sphinxAtStartPar
Settings used by the Kerberos V5 library
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}}
&
\sphinxAtStartPar
Realm\sphinxhyphen{}specific contact information and settings
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}}
&
\sphinxAtStartPar
Maps server hostnames to Kerberos realms
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:capaths}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}capaths{]}}}}}
&
\sphinxAtStartPar
Authentication paths for non\sphinxhyphen{}hierarchical cross\sphinxhyphen{}realm
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:appdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}appdefaults{]}}}}}
&
\sphinxAtStartPar
Settings used by some Kerberos V5 applications
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}}
&
\sphinxAtStartPar
Controls plugin module registration
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
Additionally, krb5.conf may include any of the relations described in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but it is not a recommended practice.


\paragraph{{[}libdefaults{]}}
\label{\detokenize{admin/conf_files/krb5_conf:libdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id1}}
\sphinxAtStartPar
The libdefaults section may contain any of the following relations:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{allow\_des3}}
\sphinxAtStartPar
Permit the KDC to issue tickets with des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys.
In future releases, this flag will allow des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 to be used
at all.  The default value for this tag is false.  (Added in
release 1.21.)

\sphinxlineitem{\sphinxstylestrong{allow\_rc4}}
\sphinxAtStartPar
Permit the KDC to issue tickets with arcfour\sphinxhyphen{}hmac session keys.
In future releases, this flag will allow arcfour\sphinxhyphen{}hmac to be used
at all.  The default value for this tag is false.  (Added in
release 1.21.)

\sphinxlineitem{\sphinxstylestrong{allow\_weak\_crypto}}
\sphinxAtStartPar
If this flag is set to false, then weak encryption types (as noted
in {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}) will be filtered
out of the lists \sphinxstylestrong{default\_tgs\_enctypes},
\sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{permitted\_enctypes}.  The default
value for this tag is false.

\sphinxlineitem{\sphinxstylestrong{canonicalize}}
\sphinxAtStartPar
If this flag is set to true, initial ticket requests to the KDC
will request canonicalization of the client principal name, and
answers with different client principals than the requested
principal will be accepted.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{ccache\_type}}
\sphinxAtStartPar
This parameter determines the format of credential cache types
created by \DUrole{xref,std,std-ref}{kinit(1)} or other programs.  The default value
is 4, which represents the most current format.  Smaller values
can be used for compatibility with very old implementations of
Kerberos which interact with credential caches on the same host.

\sphinxlineitem{\sphinxstylestrong{clockskew}}
\sphinxAtStartPar
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid.  The default value is 300 seconds, or five minutes.

\sphinxAtStartPar
The clockskew setting is also used when evaluating ticket start
and expiration times.  For example, tickets that have reached
their expiration time can still be used (and renewed if they are
renewable tickets) if they have been expired for a shorter
duration than the \sphinxstylestrong{clockskew} setting.

\sphinxlineitem{\sphinxstylestrong{default\_ccache\_name}}
\sphinxAtStartPar
This relation specifies the name of the default credential cache.
The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCCNAME}}}}.  This relation is subject to parameter
expansion (see below).  New in release 1.11.

\sphinxlineitem{\sphinxstylestrong{default\_client\_keytab\_name}}
\sphinxAtStartPar
This relation specifies the name of the default keytab for
obtaining client credentials.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}.  This
relation is subject to parameter expansion (see below).
New in release 1.11.

\sphinxlineitem{\sphinxstylestrong{default\_keytab\_name}}
\sphinxAtStartPar
This relation specifies the default keytab name to be used by
application servers such as sshd.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}.  This
relation is subject to parameter expansion (see below).

\sphinxlineitem{\sphinxstylestrong{default\_rcache\_name}}
\sphinxAtStartPar
This relation specifies the name of the default replay cache.
The default is \sphinxcode{\sphinxupquote{dfl:}}.  This relation is subject to parameter
expansion (see below).  New in release 1.18.

\sphinxlineitem{\sphinxstylestrong{default\_realm}}
\sphinxAtStartPar
Identifies the default Kerberos realm for the client.  Set its
value to your Kerberos realm.  If this value is not set, then a
realm must be specified with every Kerberos principal when
invoking programs such as \DUrole{xref,std,std-ref}{kinit(1)}.

\sphinxlineitem{\sphinxstylestrong{default\_tgs\_enctypes}}
\sphinxAtStartPar
Identifies the supported list of session key encryption types that
the client should request when making a TGS\sphinxhyphen{}REQ, in order of
preference from highest to lowest.  The list may be delimited with
commas or whitespace.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values for this tag.
Starting in release 1.18, the default value is the value of
\sphinxstylestrong{permitted\_enctypes}.  For previous releases or if
\sphinxstylestrong{permitted\_enctypes} is not set, the default value is
\sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}.

\sphinxAtStartPar
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.

\sphinxlineitem{\sphinxstylestrong{default\_tkt\_enctypes}}
\sphinxAtStartPar
Identifies the supported list of session key encryption types that
the client should request when making an AS\sphinxhyphen{}REQ, in order of
preference from highest to lowest.  The format is the same as for
default\_tgs\_enctypes.  Starting in release 1.18, the default
value is the value of \sphinxstylestrong{permitted\_enctypes}.  For previous
releases or if \sphinxstylestrong{permitted\_enctypes} is not set, the default
value is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}.

\sphinxAtStartPar
Do not set this unless required for specific backward
compatibility purposes; stale values of this setting can prevent
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.

\sphinxlineitem{\sphinxstylestrong{dns\_canonicalize\_hostname}}
\sphinxAtStartPar
Indicate whether name lookups will be used to canonicalize
hostnames for use in service principal names.  Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
fully\sphinxhyphen{}qualified hostnames.  If this option is set to \sphinxcode{\sphinxupquote{fallback}} (new
in release 1.18), DNS canonicalization will only be performed the
server hostname is not found with the original name when
requesting credentials.  The default value is true.

\sphinxlineitem{\sphinxstylestrong{dns\_lookup\_kdc}}
\sphinxAtStartPar
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm.  (Note that the admin\_server
entry must be in the krb5.conf realm information in order to
contact kadmind, because the DNS implementation for kadmin is
incomplete.)

\sphinxAtStartPar
Enabling this option does open up a type of denial\sphinxhyphen{}of\sphinxhyphen{}service
attack, if someone spoofs the DNS records and redirects you to
another server.  However, it’s no worse than a denial of service,
because that fake KDC will be unable to decode anything you send
it (besides the initial ticket request, which has no encrypted
data), and anything the fake KDC sends will not be trusted without
verification using some secret that it won’t know.

\sphinxlineitem{\sphinxstylestrong{dns\_lookup\_realm}}
\sphinxAtStartPar
Indicate whether DNS TXT records should be used to map hostnames
to realm names for hostnames not listed in the {[}domain\_realm{]}
section, and to determine the default realm if \sphinxstylestrong{default\_realm}
is not set.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{dns\_uri\_lookup}}
\sphinxAtStartPar
Indicate whether DNS URI records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
krb5.conf information for the realm.  SRV records are used as a
fallback if no URI records were found.  The default value is true.
New in release 1.15.

\sphinxlineitem{\sphinxstylestrong{enforce\_ok\_as\_delegate}}
\sphinxAtStartPar
If this flag to true, GSSAPI credential delegation will be
disabled when the \sphinxcode{\sphinxupquote{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}} flag is not set in the
service ticket.  If this flag is false, the \sphinxcode{\sphinxupquote{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}}
ticket flag is only enforced when an application specifically
requests enforcement.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{err\_fmt}}
\sphinxAtStartPar
This relation allows for custom error message formatting.  If a
value is set, error messages will be formatted by substituting a
normal error message for \%M and an error code for \%C in the value.

\sphinxlineitem{\sphinxstylestrong{extra\_addresses}}
\sphinxAtStartPar
This allows a computer to use multiple local addresses, in order
to allow Kerberos to work in a network that uses NATs while still
using address\sphinxhyphen{}restricted tickets.  The addresses should be in a
comma\sphinxhyphen{}separated list.  This option has no effect if
\sphinxstylestrong{noaddresses} is true.

\sphinxlineitem{\sphinxstylestrong{forwardable}}
\sphinxAtStartPar
If this flag is true, initial tickets will be forwardable by
default, if allowed by the KDC.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{ignore\_acceptor\_hostname}}
\sphinxAtStartPar
When accepting GSSAPI or krb5 security contexts for host\sphinxhyphen{}based
service principals, ignore any hostname passed by the calling
application, and allow clients to authenticate to any service
principal in the keytab matching the service name and realm name
(if given).  This option can improve the administrative
flexibility of server applications on multihomed hosts, but could
compromise the security of virtual hosting environments.  The
default value is false.  New in release 1.10.

\sphinxlineitem{\sphinxstylestrong{k5login\_authoritative}}
\sphinxAtStartPar
If this flag is true, principals must be listed in a local user’s
k5login file to be granted login access, if a \DUrole{xref,std,std-ref}{.k5login(5)}
file exists.  If this flag is false, a principal may still be
granted login access through other mechanisms even if a k5login
file exists but does not list the principal.  The default value is
true.

\sphinxlineitem{\sphinxstylestrong{k5login\_directory}}
\sphinxAtStartPar
If set, the library will look for a local user’s k5login file
within the named directory, with a filename corresponding to the
local username.  If not set, the library will look for k5login
files in the user’s home directory, with the filename .k5login.
For security reasons, .k5login files must be owned by
the local user or by root.

\sphinxlineitem{\sphinxstylestrong{kcm\_mach\_service}}
\sphinxAtStartPar
On macOS only, determines the name of the bootstrap service used to
contact the KCM daemon for the KCM credential cache type.  If the
value is \sphinxcode{\sphinxupquote{\sphinxhyphen{}}}, Mach RPC will not be used to contact the KCM
daemon.  The default value is \sphinxcode{\sphinxupquote{org.h5l.kcm}}.

\sphinxlineitem{\sphinxstylestrong{kcm\_socket}}
\sphinxAtStartPar
Determines the path to the Unix domain socket used to access the
KCM daemon for the KCM credential cache type.  If the value is
\sphinxcode{\sphinxupquote{\sphinxhyphen{}}}, Unix domain sockets will not be used to contact the KCM
daemon.  The default value is
\sphinxcode{\sphinxupquote{/var/run/.heim\_org.h5l.kcm\sphinxhyphen{}socket}}.

\sphinxlineitem{\sphinxstylestrong{kdc\_default\_options}}
\sphinxAtStartPar
Default KDC options (Xored for multiple values) when requesting
initial tickets.  By default it is set to 0x00000010
(KDC\_OPT\_RENEWABLE\_OK).

\sphinxlineitem{\sphinxstylestrong{kdc\_timesync}}
\sphinxAtStartPar
Accepted values for this relation are 1 or 0.  If it is nonzero,
client machines will compute the difference between their time and
the time returned by the KDC in the timestamps in the tickets and
use this value to correct for an inaccurate system clock when
requesting service tickets or authenticating to services.  This
corrective factor is only used by the Kerberos library; it is not
used to change the system clock.  The default value is 1.

\sphinxlineitem{\sphinxstylestrong{noaddresses}}
\sphinxAtStartPar
If this flag is true, requests for initial tickets will not be
made with address restrictions set, allowing the tickets to be
used across NATs.  The default value is true.

\sphinxlineitem{\sphinxstylestrong{permitted\_enctypes}}
\sphinxAtStartPar
Identifies the encryption types that servers will permit for
session keys and for ticket and authenticator encryption, ordered
by preference from highest to lowest.  Starting in release 1.18,
this tag also acts as the default value for
\sphinxstylestrong{default\_tgs\_enctypes} and \sphinxstylestrong{default\_tkt\_enctypes}.  The
default value for this tag is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}.

\sphinxlineitem{\sphinxstylestrong{plugin\_base\_dir}}
\sphinxAtStartPar
If set, determines the base directory where krb5 plugins are
located.  The default value is the \sphinxcode{\sphinxupquote{krb5/plugins}} subdirectory
of the krb5 library directory.  This relation is subject to
parameter expansion (see below) in release 1.17 and later.

\sphinxlineitem{\sphinxstylestrong{preferred\_preauth\_types}}
\sphinxAtStartPar
This allows you to set the preferred preauthentication types which
the client will attempt before others which may be advertised by a
KDC.  The default value for this setting is “17, 16, 15, 14”,
which forces libkrb5 to attempt to use PKINIT if it is supported.

\sphinxlineitem{\sphinxstylestrong{proxiable}}
\sphinxAtStartPar
If this flag is true, initial tickets will be proxiable by
default, if allowed by the KDC.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{qualify\_shortname}}
\sphinxAtStartPar
If this string is set, it determines the domain suffix for
single\sphinxhyphen{}component hostnames when DNS canonicalization is not used
(either because \sphinxstylestrong{dns\_canonicalize\_hostname} is false or because
forward canonicalization failed).  The default value is the first
search domain of the system’s DNS configuration.  To disable
qualification of shortnames, set this relation to the empty string
with \sphinxcode{\sphinxupquote{qualify\_shortname = ""}}.  (New in release 1.18.)

\sphinxlineitem{\sphinxstylestrong{rdns}}
\sphinxAtStartPar
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
service principal names.  If \sphinxstylestrong{dns\_canonicalize\_hostname} is set
to false, this flag has no effect.  The default value is true.

\sphinxlineitem{\sphinxstylestrong{realm\_try\_domains}}
\sphinxAtStartPar
Indicate whether a host’s domain components should be used to
determine the Kerberos realm of the host.  The value of this
variable is an integer: \sphinxhyphen{}1 means not to search, 0 means to try the
host’s domain itself, 1 means to also try the domain’s immediate
parent, and so forth.  The library’s usual mechanism for locating
Kerberos realms is used to determine whether a domain is a valid
realm, which may involve consulting DNS if \sphinxstylestrong{dns\_lookup\_kdc} is
set.  The default is not to search domain components.

\sphinxlineitem{\sphinxstylestrong{renew\_lifetime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Sets the default renewable lifetime
for initial ticket requests.  The default value is 0.

\sphinxlineitem{\sphinxstylestrong{request\_timeout}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Sets the maximum total time for KDC and
password change requests.  This timeout does not affect the
intervals between requests, so setting a low timeout may result in
fewer requests being attempted and/or some servers not being
contacted.  A value of 0 indicates no specific maximum, in which
case requests will time out if no server responds after several
tries.  The default value is 0.  (New in release 1.22.)

\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_groups}}
\sphinxAtStartPar
A whitespace or comma\sphinxhyphen{}separated list of words which specifies the
groups allowed for SPAKE preauthentication.  The possible values
are:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
edwards25519
&
\sphinxAtStartPar
Edwards25519 curve (\index{RFC@\spxentry{RFC}!RFC 7748@\spxentry{RFC 7748}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}})
\\
\sphinxhline
\sphinxAtStartPar
P\sphinxhyphen{}256
&
\sphinxAtStartPar
NIST P\sphinxhyphen{}256 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
\\
\sphinxhline
\sphinxAtStartPar
P\sphinxhyphen{}384
&
\sphinxAtStartPar
NIST P\sphinxhyphen{}384 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
\\
\sphinxhline
\sphinxAtStartPar
P\sphinxhyphen{}521
&
\sphinxAtStartPar
NIST P\sphinxhyphen{}521 curve (\index{RFC@\spxentry{RFC}!RFC 5480@\spxentry{RFC 5480}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}})
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
The default value for the client is \sphinxcode{\sphinxupquote{edwards25519}}.  The default
value for the KDC is empty.  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{ticket\_lifetime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Sets the default lifetime for initial
ticket requests.  The default value is 1 day.

\sphinxlineitem{\sphinxstylestrong{udp\_preference\_limit}}
\sphinxAtStartPar
When sending a message to the KDC, the library will try using TCP
before UDP if the size of the message is above
\sphinxstylestrong{udp\_preference\_limit}.  If the message is smaller than
\sphinxstylestrong{udp\_preference\_limit}, then UDP will be tried before TCP.
Regardless of the size, both protocols will be tried if the first
attempt fails.

\sphinxlineitem{\sphinxstylestrong{verify\_ap\_req\_nofail}}
\sphinxAtStartPar
If this flag is true, then an attempt to verify initial
credentials will fail if the client machine does not have a
keytab.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{client\_aware\_channel\_bindings}}
\sphinxAtStartPar
If this flag is true, then all application protocol authentication
requests will be flagged to indicate that the application supports
channel bindings when operating over a secure channel.  The
default value is false.

\end{description}


\paragraph{{[}realms{]}}
\label{\detokenize{admin/conf_files/krb5_conf:realms}}\label{\detokenize{admin/conf_files/krb5_conf:id2}}
\sphinxAtStartPar
Each tag in the {[}realms{]} section of the file is the name of a Kerberos
realm.  The value of the tag is a subsection with relations that
define the properties of that particular realm.  For each realm, the
following tags may be specified in the realm’s subsection:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{admin\_server}}
\sphinxAtStartPar
Identifies the host where the administration server is running.
Typically, this is the primary Kerberos server.  This tag must be
given a value in order to communicate with the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
server for the realm.

\sphinxlineitem{\sphinxstylestrong{auth\_to\_local}}
\sphinxAtStartPar
This tag allows you to set a general rule for mapping principal
names to local user names.  It will be used if there is not an
explicit mapping for the principal name that is being
translated. The possible values are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}}
\sphinxAtStartPar
The local name will be formulated from \sphinxstyleemphasis{exp}.

\sphinxAtStartPar
The format for \sphinxstyleemphasis{exp} is \sphinxstylestrong{{[}}\sphinxstyleemphasis{n}\sphinxstylestrong{:}\sphinxstyleemphasis{string}\sphinxstylestrong{{]}(}\sphinxstyleemphasis{regexp}\sphinxstylestrong{)s/}\sphinxstyleemphasis{pattern}\sphinxstylestrong{/}\sphinxstyleemphasis{replacement}\sphinxstylestrong{/g}.
The integer \sphinxstyleemphasis{n} indicates how many components the target
principal should have.  If this matches, then a string will be
formed from \sphinxstyleemphasis{string}, substituting the realm of the principal
for \sphinxcode{\sphinxupquote{\$0}} and the \sphinxstyleemphasis{n}’th component of the principal for
\sphinxcode{\sphinxupquote{\$n}} (e.g., if the principal was \sphinxcode{\sphinxupquote{johndoe/admin}} then
\sphinxcode{\sphinxupquote{{[}2:\$2\$1foo{]}}} would result in the string
\sphinxcode{\sphinxupquote{adminjohndoefoo}}).  If this string matches \sphinxstyleemphasis{regexp}, then
the \sphinxcode{\sphinxupquote{s//{[}g{]}}} substitution command will be run over the
string.  The optional \sphinxstylestrong{g} will cause the substitution to be
global over the \sphinxstyleemphasis{string}, instead of replacing only the first
match in the \sphinxstyleemphasis{string}.

\sphinxlineitem{\sphinxstylestrong{DEFAULT}}
\sphinxAtStartPar
The principal name will be used as the local user name.  If
the principal has more than one component or is not in the
default realm, this rule is not applicable and the conversion
will fail.

\end{description}

\sphinxAtStartPar
For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[realms]
    ATHENA.MIT.EDU = \PYGZob{}
        auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/
        auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}//
        auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}2](\PYGZca{}.*;root)s/\PYGZca{}.*\PYGZdl{}/root/
        auth\PYGZus{}to\PYGZus{}local = DEFAULT
    \PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
would result in any principal without \sphinxcode{\sphinxupquote{root}} or \sphinxcode{\sphinxupquote{admin}} as the
second component to be translated with the default rule.  A
principal with a second component of \sphinxcode{\sphinxupquote{admin}} will become its
first component.  \sphinxcode{\sphinxupquote{root}} will be used as the local name for any
principal with a second component of \sphinxcode{\sphinxupquote{root}}.  The exception to
these two rules are any principals \sphinxcode{\sphinxupquote{johndoe/*}}, which will
always get the local name \sphinxcode{\sphinxupquote{guest}}.

\sphinxlineitem{\sphinxstylestrong{auth\_to\_local\_names}}
\sphinxAtStartPar
This subsection allows you to set explicit mappings from principal
names to local user names.  The tag is the mapping name, and the
value is the corresponding local user name.

\sphinxlineitem{\sphinxstylestrong{default\_domain}}
\sphinxAtStartPar
This tag specifies the domain used to expand hostnames when
translating Kerberos 4 service principals to Kerberos 5 principals
(for example, when converting \sphinxcode{\sphinxupquote{rcmd.hostname}} to
\sphinxcode{\sphinxupquote{host/hostname.domain}}).

\sphinxlineitem{\sphinxstylestrong{disable\_encrypted\_timestamp}}
\sphinxAtStartPar
If this flag is true, the client will not perform encrypted
timestamp preauthentication if requested by the KDC.  Setting this
flag can help to prevent dictionary attacks by active attackers,
if the realm’s KDCs support SPAKE preauthentication or if initial
authentication always uses another mechanism or always uses FAST.
This flag persists across client referrals during initial
authentication.  This flag does not prevent the KDC from offering
encrypted timestamp.  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{http\_anchors}}
\sphinxAtStartPar
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
can be used to specify the location of the CA certificate which should be
trusted to issue the certificate for a proxy server.  If left unspecified,
the system\sphinxhyphen{}wide default set of CA certificates is used.

\sphinxAtStartPar
The syntax for values is similar to that of values for the
\sphinxstylestrong{pkinit\_anchors} tag:

\sphinxAtStartPar
\sphinxstylestrong{FILE:} \sphinxstyleemphasis{filename}

\sphinxAtStartPar
\sphinxstyleemphasis{filename} is assumed to be the name of an OpenSSL\sphinxhyphen{}style ca\sphinxhyphen{}bundle file.

\sphinxAtStartPar
\sphinxstylestrong{DIR:} \sphinxstyleemphasis{dirname}

\sphinxAtStartPar
\sphinxstyleemphasis{dirname} is assumed to be an directory which contains CA certificates.
All files in the directory will be examined; if they contain certificates
(in PEM format), they will be used.

\sphinxAtStartPar
\sphinxstylestrong{ENV:} \sphinxstyleemphasis{envvar}

\sphinxAtStartPar
\sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set
to a value conforming to one of the previous values.  For example,
\sphinxcode{\sphinxupquote{ENV:X509\_PROXY\_CA}}, where environment variable \sphinxcode{\sphinxupquote{X509\_PROXY\_CA}} has
been set to \sphinxcode{\sphinxupquote{FILE:/tmp/my\_proxy.pem}}.

\sphinxlineitem{\sphinxstylestrong{kdc}}
\sphinxAtStartPar
The name or address of a host running a KDC for the realm, or a
UNIX domain socket path of a locally running KDC.  An optional
port number, separated from the hostname by a colon, may be
included.  If the name or address contains colons (for example, if
it is an IPv6 address), enclose it in square brackets to
distinguish the colon from a port separator.  For your computer to
be able to communicate with the KDC for each realm, this tag must
be given a value in each realm subsection in the configuration
file, or there must be DNS SRV records specifying the KDCs.

\sphinxlineitem{\sphinxstylestrong{kpasswd\_server}}
\sphinxAtStartPar
The location of the password change server for the realm, using
the same syntax as \sphinxstylestrong{kdc}.  If there is no such entry, DNS will
be queried (unless forbidden by \sphinxstylestrong{dns\_lookup\_kdc}).  Finally,
port 464 on the \sphinxstylestrong{admin\_server} host will be tried.

\sphinxlineitem{\sphinxstylestrong{master\_kdc}}
\sphinxAtStartPar
The name for \sphinxstylestrong{primary\_kdc} prior to release 1.19.  Its value is
used as a fallback if \sphinxstylestrong{primary\_kdc} is not specified.

\sphinxlineitem{\sphinxstylestrong{primary\_kdc}}
\sphinxAtStartPar
Identifies the primary KDC(s).  Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an
invalid password, the client software will attempt to contact the
primary KDC, in case the user’s password has just been changed, and
the updated database has not been propagated to the replica
servers yet.  New in release 1.19.

\sphinxlineitem{\sphinxstylestrong{sitename}}
\sphinxAtStartPar
Specifies the name of the host’s site for the purpose of DNS\sphinxhyphen{}based
KDC discovery for this realm.  New in release 1.22.

\sphinxlineitem{\sphinxstylestrong{v4\_instance\_convert}}
\sphinxAtStartPar
This subsection allows the administrator to configure exceptions
to the \sphinxstylestrong{default\_domain} mapping rule.  It contains V4 instances
(the tag name) which should be translated to some specific
hostname (the tag value) as the second component in a Kerberos V5
principal name.

\sphinxlineitem{\sphinxstylestrong{v4\_realm}}
\sphinxAtStartPar
This relation is used by the krb524 library routines when
converting a V5 principal name to a V4 principal name.  It is used
when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords. The tag value
is the Kerberos V4 realm name.

\end{description}


\paragraph{{[}domain\_realm{]}}
\label{\detokenize{admin/conf_files/krb5_conf:domain-realm}}\label{\detokenize{admin/conf_files/krb5_conf:id3}}
\sphinxAtStartPar
The {[}domain\_realm{]} section provides a translation from hostnames to
Kerberos realms.  Each tag is a domain name, providing the mapping for
that domain and all subdomains.  If the tag begins with a period
(\sphinxcode{\sphinxupquote{.}}) then it applies only to subdomains.  The Kerberos realm may be
identified either in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section or using DNS SRV records.
Tag names should be in lower case.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]}
    \PYG{n}{crash}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
    \PYG{o}{.}\PYG{n}{dev}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
    \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\sphinxAtStartPar
maps the host with the name \sphinxcode{\sphinxupquote{crash.mit.edu}} into the
\sphinxcode{\sphinxupquote{TEST.ATHENA.MIT.EDU}} realm.  The second entry maps all hosts under the
domain \sphinxcode{\sphinxupquote{dev.mit.edu}} into the \sphinxcode{\sphinxupquote{TEST.ATHENA.MIT.EDU}} realm, but not
the host with the name \sphinxcode{\sphinxupquote{dev.mit.edu}}.  That host is matched
by the third entry, which maps the host \sphinxcode{\sphinxupquote{mit.edu}} and all hosts
under the domain \sphinxcode{\sphinxupquote{mit.edu}} that do not match a preceding rule
into the realm \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}}.

\sphinxAtStartPar
If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
referral to the appropriate realm from the client realm’s KDC.  If
that does not succeed, the host’s realm is considered to be the
hostname’s domain portion converted to uppercase, unless the
\sphinxstylestrong{realm\_try\_domains} setting in {[}libdefaults{]} causes a different
parent domain to be used.


\paragraph{{[}capaths{]}}
\label{\detokenize{admin/conf_files/krb5_conf:capaths}}\label{\detokenize{admin/conf_files/krb5_conf:id4}}
\sphinxAtStartPar
In order to perform direct (non\sphinxhyphen{}hierarchical) cross\sphinxhyphen{}realm
authentication, configuration is needed to determine the
authentication paths between realms.

\sphinxAtStartPar
A client will use this section to find the authentication path between
its realm and the realm of the server.  The server will use this
section to verify the authentication path used by the client, by
checking the transited field of the received ticket.

\sphinxAtStartPar
There is a tag for each participating client realm, and each tag has
subtags for each of the server realms.  The value of the subtags is an
intermediate realm which may participate in the cross\sphinxhyphen{}realm
authentication.  The subtags may be repeated if there is more then one
intermediate realm.  A value of “.” means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.

\sphinxAtStartPar
Only those entries which will be needed on the client or the server
need to be present.  A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.

\sphinxAtStartPar
For example, \sphinxcode{\sphinxupquote{ANL.GOV}}, \sphinxcode{\sphinxupquote{PNL.GOV}}, and \sphinxcode{\sphinxupquote{NERSC.GOV}} all wish to
use the \sphinxcode{\sphinxupquote{ES.NET}} realm as an intermediate realm.  ANL has a sub
realm of \sphinxcode{\sphinxupquote{TEST.ANL.GOV}} which will authenticate with \sphinxcode{\sphinxupquote{NERSC.GOV}}
but not \sphinxcode{\sphinxupquote{PNL.GOV}}.  The {[}capaths{]} section for \sphinxcode{\sphinxupquote{ANL.GOV}} systems
would look like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
    \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
        \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
        \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The {[}capaths{]} section of the configuration file used on \sphinxcode{\sphinxupquote{NERSC.GOV}}
systems would look like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
    \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
        \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
        \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV}
        \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
        \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV}
        \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
When a subtag is used more than once within a tag, clients will use
the order of values to determine the path.  The order of values is not
important to servers.


\paragraph{{[}appdefaults{]}}
\label{\detokenize{admin/conf_files/krb5_conf:appdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id5}}
\sphinxAtStartPar
Each tag in the {[}appdefaults{]} section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application{[}s{]}.  The
value of the tag defines the default behaviors for that application.

\sphinxAtStartPar
For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{appdefaults}\PYG{p}{]}
    \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
            \PYG{n}{option1} \PYG{o}{=} \PYG{n}{false}
        \PYG{p}{\PYGZcb{}}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{option1} \PYG{o}{=} \PYG{n}{true}
        \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{option2} \PYG{o}{=} \PYG{n}{false}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true}
\end{sphinxVerbatim}

\sphinxAtStartPar
The above four ways of specifying the value of an option are shown in
order of decreasing precedence. In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true.  However, a telnet program in the realm
\sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} should have \sphinxcode{\sphinxupquote{option1}} set to false and
\sphinxcode{\sphinxupquote{option2}} set to true.  Any other programs in ATHENA.MIT.EDU should
have \sphinxcode{\sphinxupquote{option2}} set to false by default.  Any programs running in
other realms should have \sphinxcode{\sphinxupquote{option2}} set to true.

\sphinxAtStartPar
The list of specifiable options for each application may be found in
that application’s man pages.  The application defaults specified here
are overridden by those specified in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section.


\paragraph{{[}plugins{]}}
\label{\detokenize{admin/conf_files/krb5_conf:plugins}}\label{\detokenize{admin/conf_files/krb5_conf:id6}}\begin{itemize}
\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:pwqual}]{\sphinxcrossref{pwqual}}} interface

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-hook}]{\sphinxcrossref{kadm5\_hook}}} interface

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:clpreauth}]{\sphinxcrossref{clpreauth}}} and {\hyperref[\detokenize{admin/conf_files/krb5_conf:kdcpreauth}]{\sphinxcrossref{kdcpreauth}}} interfaces

\end{itemize}

\sphinxAtStartPar
Tags in the {[}plugins{]} section can be used to register dynamic plugin
modules and to turn modules on and off.  Not every krb5 pluggable
interface uses the {[}plugins{]} section; the ones that do are documented
here.

\sphinxAtStartPar
New in release 1.9.

\sphinxAtStartPar
Each pluggable interface corresponds to a subsection of {[}plugins{]}.
All subsections support the same tags:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{disable}}
\sphinxAtStartPar
This tag may have multiple values. If there are values for this
tag, then the named modules will be disabled for the pluggable
interface.

\sphinxlineitem{\sphinxstylestrong{enable\_only}}
\sphinxAtStartPar
This tag may have multiple values. If there are values for this
tag, then only the named modules will be enabled for the pluggable
interface.

\sphinxlineitem{\sphinxstylestrong{module}}
\sphinxAtStartPar
This tag may have multiple values.  Each value is a string of the
form \sphinxcode{\sphinxupquote{modulename:pathname}}, which causes the shared object
located at \sphinxstyleemphasis{pathname} to be registered as a dynamic module named
\sphinxstyleemphasis{modulename} for the pluggable interface.  If \sphinxstyleemphasis{pathname} is not an
absolute path, it will be treated as relative to the
\sphinxstylestrong{plugin\_base\_dir} value from {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.

\end{description}

\sphinxAtStartPar
For pluggable interfaces where module order matters, modules
registered with a \sphinxstylestrong{module} tag normally come first, in the order
they are registered, followed by built\sphinxhyphen{}in modules in the order they
are documented below.  If \sphinxstylestrong{enable\_only} tags are used, then the
order of those tags overrides the normal module order.

\sphinxAtStartPar
The following subsections are currently supported within the {[}plugins{]}
section:


\subparagraph{ccselect interface}
\label{\detokenize{admin/conf_files/krb5_conf:ccselect-interface}}\label{\detokenize{admin/conf_files/krb5_conf:ccselect}}
\sphinxAtStartPar
The ccselect subsection controls modules for credential cache
selection within a cache collection.  In addition to any registered
dynamic modules, the following built\sphinxhyphen{}in modules exist (and may be
disabled with the disable tag):
\begin{description}
\sphinxlineitem{\sphinxstylestrong{k5identity}}
\sphinxAtStartPar
Uses a .k5identity file in the user’s home directory to select a
client principal

\sphinxlineitem{\sphinxstylestrong{realm}}
\sphinxAtStartPar
Uses the service realm to guess an appropriate cache from the
collection

\sphinxlineitem{\sphinxstylestrong{hostname}}
\sphinxAtStartPar
If the service principal is host\sphinxhyphen{}based, uses the service hostname
to guess an appropriate cache from the collection

\end{description}


\subparagraph{pwqual interface}
\label{\detokenize{admin/conf_files/krb5_conf:pwqual-interface}}\label{\detokenize{admin/conf_files/krb5_conf:pwqual}}
\sphinxAtStartPar
The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed.  The following built\sphinxhyphen{}in modules exist for this interface:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{dict}}
\sphinxAtStartPar
Checks against the realm dictionary file

\sphinxlineitem{\sphinxstylestrong{empty}}
\sphinxAtStartPar
Rejects empty passwords

\sphinxlineitem{\sphinxstylestrong{hesiod}}
\sphinxAtStartPar
Checks against user information stored in Hesiod (only if Kerberos
was built with Hesiod support)

\sphinxlineitem{\sphinxstylestrong{princ}}
\sphinxAtStartPar
Checks against components of the principal name

\end{description}


\subparagraph{kadm5\_hook interface}
\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook}}
\sphinxAtStartPar
The kadm5\_hook interface provides plugins with information on
principal creation, modification, password changes and deletion.  This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory.  No plugins are built
in for this interface.


\subparagraph{kadm5\_auth interface}
\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth}}
\sphinxAtStartPar
The kadm5\_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation.  The
following built\sphinxhyphen{}in modules exist for this interface:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{acl}}
\sphinxAtStartPar
This module reads the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file, and authorizes
operations which are allowed according to the rules in the file.

\sphinxlineitem{\sphinxstylestrong{self}}
\sphinxAtStartPar
This module authorizes self\sphinxhyphen{}service operations including password
changes, creation of new random keys, fetching the client’s
principal record or string attributes, and fetching the policy
record associated with the client principal.

\end{description}


\subparagraph{clpreauth and kdcpreauth interfaces}
\label{\detokenize{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}}\label{\detokenize{admin/conf_files/krb5_conf:kdcpreauth}}\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}}
\sphinxAtStartPar
The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms.  The following
built\sphinxhyphen{}in modules exist for these interfaces:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{pkinit}}
\sphinxAtStartPar
This module implements the PKINIT preauthentication mechanism.

\sphinxlineitem{\sphinxstylestrong{encrypted\_challenge}}
\sphinxAtStartPar
This module implements the encrypted challenge FAST factor.

\sphinxlineitem{\sphinxstylestrong{encrypted\_timestamp}}
\sphinxAtStartPar
This module implements the encrypted timestamp mechanism.

\end{description}


\subparagraph{hostrealm interface}
\label{\detokenize{admin/conf_files/krb5_conf:hostrealm-interface}}\label{\detokenize{admin/conf_files/krb5_conf:hostrealm}}
\sphinxAtStartPar
The hostrealm section (introduced in release 1.12) controls modules
for the host\sphinxhyphen{}to\sphinxhyphen{}realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm.  The following
built\sphinxhyphen{}in modules exist for this interface:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{profile}}
\sphinxAtStartPar
This module consults the {[}domain\_realm{]} section of the profile for
authoritative host\sphinxhyphen{}to\sphinxhyphen{}realm mappings, and the \sphinxstylestrong{default\_realm}
variable for the default realm.

\sphinxlineitem{\sphinxstylestrong{dns}}
\sphinxAtStartPar
This module looks for DNS records for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm
mappings and the default realm.  It only operates if the
\sphinxstylestrong{dns\_lookup\_realm} variable is set to true.

\sphinxlineitem{\sphinxstylestrong{domain}}
\sphinxAtStartPar
This module applies heuristics for fallback host\sphinxhyphen{}to\sphinxhyphen{}realm
mappings.  It implements the \sphinxstylestrong{realm\_try\_domains} variable, and
uses the uppercased parent domain of the hostname if that does not
produce a result.

\end{description}


\subparagraph{localauth interface}
\label{\detokenize{admin/conf_files/krb5_conf:localauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:localauth}}
\sphinxAtStartPar
The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts.  The following
built\sphinxhyphen{}in modules exist for this interface:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{default}}
\sphinxAtStartPar
This module implements the \sphinxstylestrong{DEFAULT} type for \sphinxstylestrong{auth\_to\_local}
values.

\sphinxlineitem{\sphinxstylestrong{rule}}
\sphinxAtStartPar
This module implements the \sphinxstylestrong{RULE} type for \sphinxstylestrong{auth\_to\_local}
values.

\sphinxlineitem{\sphinxstylestrong{names}}
\sphinxAtStartPar
This module looks for an \sphinxstylestrong{auth\_to\_local\_names} mapping for the
principal name.

\sphinxlineitem{\sphinxstylestrong{auth\_to\_local}}
\sphinxAtStartPar
This module processes \sphinxstylestrong{auth\_to\_local} values in the default
realm’s section, and applies the default method if no
\sphinxstylestrong{auth\_to\_local} values exist.

\sphinxlineitem{\sphinxstylestrong{k5login}}
\sphinxAtStartPar
This module authorizes a principal to a local account according to
the account’s \DUrole{xref,std,std-ref}{.k5login(5)} file.

\sphinxlineitem{\sphinxstylestrong{an2ln}}
\sphinxAtStartPar
This module authorizes a principal to a local account if the
principal name maps to the local account name.

\end{description}


\subparagraph{certauth interface}
\label{\detokenize{admin/conf_files/krb5_conf:certauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:certauth}}
\sphinxAtStartPar
The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT.  The
following built\sphinxhyphen{}in modules exist for this interface:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{pkinit\_san}}
\sphinxAtStartPar
This module authorizes the certificate if it contains a PKINIT
Subject Alternative Name for the requested client principal, or a
Microsoft UPN SAN matching the principal if \sphinxstylestrong{pkinit\_allow\_upn}
is set to true for the realm.

\sphinxlineitem{\sphinxstylestrong{pkinit\_eku}}
\sphinxAtStartPar
This module rejects the certificate if it does not contain an
Extended Key Usage attribute consistent with the
\sphinxstylestrong{pkinit\_eku\_checking} value for the realm.

\sphinxlineitem{\sphinxstylestrong{dbmatch}}
\sphinxAtStartPar
This module authorizes or rejects the certificate according to
whether it matches the \sphinxstylestrong{pkinit\_cert\_match} string attribute on
the client principal, if that attribute is present.

\end{description}


\subsubsection{PKINIT options}
\label{\detokenize{admin/conf_files/krb5_conf:pkinit-options}}
\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The following are PKINIT\sphinxhyphen{}specific options.  These values may
be specified in {[}libdefaults{]} as global defaults, or within
a realm\sphinxhyphen{}specific subsection of {[}libdefaults{]}, or may be
specified as realm\sphinxhyphen{}specific values in the {[}realms{]} section.
A realm\sphinxhyphen{}specific value overrides, not adds to, a generic
{[}libdefaults{]} specification.  The search order is:
\end{sphinxadmonition}
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
realm\sphinxhyphen{}specific subsection of {[}libdefaults{]}:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
realm\sphinxhyphen{}specific value in the {[}realms{]} section:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{OTHERREALM}\PYG{o}{.}\PYG{n}{ORG} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{otherrealm}\PYG{o}{.}\PYG{n}{org}\PYG{o}{.}\PYG{n}{crt}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
generic value in the {[}libdefaults{]} section:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/}
\end{sphinxVerbatim}

\end{enumerate}


\paragraph{Specifying PKINIT identity information}
\label{\detokenize{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}}\label{\detokenize{admin/conf_files/krb5_conf:pkinit-identity}}
\sphinxAtStartPar
The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}{[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}}
\sphinxAtStartPar
This option has context\sphinxhyphen{}specific behavior.

\sphinxAtStartPar
In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{filename}
specifies the name of a PEM\sphinxhyphen{}format file containing the user’s
certificate.  If \sphinxstyleemphasis{keyfilename} is not specified, the user’s
private key is expected to be in \sphinxstyleemphasis{filename} as well.  Otherwise,
\sphinxstyleemphasis{keyfilename} is the name of the file containing the private key.

\sphinxAtStartPar
In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{filename} is assumed to
be the name of an OpenSSL\sphinxhyphen{}style ca\sphinxhyphen{}bundle file.

\sphinxlineitem{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}}
\sphinxAtStartPar
This option has context\sphinxhyphen{}specific behavior.

\sphinxAtStartPar
In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{dirname}
specifies a directory with files named \sphinxcode{\sphinxupquote{*.crt}} and \sphinxcode{\sphinxupquote{*.key}}
where the first part of the file name is the same for matching
pairs of certificate and private key files.  When a file with a
name ending with \sphinxcode{\sphinxupquote{.crt}} is found, a matching file ending with
\sphinxcode{\sphinxupquote{.key}} is assumed to contain the private key.  If no such file
is found, then the certificate in the \sphinxcode{\sphinxupquote{.crt}} is not used.

\sphinxAtStartPar
In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{dirname} is assumed to
be an OpenSSL\sphinxhyphen{}style hashed CA directory where each CA cert is
stored in a file named \sphinxcode{\sphinxupquote{hash\sphinxhyphen{}of\sphinxhyphen{}ca\sphinxhyphen{}cert.\#}}.  This infrastructure
is encouraged, but all files in the directory will be examined and
if they contain certificates (in PEM format), they will be used.

\sphinxAtStartPar
In \sphinxstylestrong{pkinit\_revoke}, \sphinxstyleemphasis{dirname} is assumed to be an OpenSSL\sphinxhyphen{}style
hashed CA directory where each revocation list is stored in a file
named \sphinxcode{\sphinxupquote{hash\sphinxhyphen{}of\sphinxhyphen{}ca\sphinxhyphen{}cert.r\#}}.  This infrastructure is encouraged,
but all files in the directory will be examined and if they
contain a revocation list (in PEM format), they will be used.

\sphinxlineitem{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis{filename}}
\sphinxAtStartPar
\sphinxstyleemphasis{filename} is the name of a PKCS \#12 format file, containing the
user’s certificate and private key.

\sphinxlineitem{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token\sphinxhyphen{}label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert\sphinxhyphen{}id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert\sphinxhyphen{}label}{]}}
\sphinxAtStartPar
All keyword/values are optional.  \sphinxstyleemphasis{modname} specifies the location
of a library implementing PKCS \#11.  If a value is encountered
with no keyword, it is assumed to be the \sphinxstyleemphasis{modname}.  If no
module\sphinxhyphen{}name is specified, the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{PKCS11\_MODNAME}}}}.
\sphinxcode{\sphinxupquote{slotid=}} and/or \sphinxcode{\sphinxupquote{token=}} may be specified to force the use of
a particular smard card reader or token if there is more than one
available.  \sphinxcode{\sphinxupquote{certid=}} and/or \sphinxcode{\sphinxupquote{certlabel=}} may be specified to
force the selection of a particular certificate on the device.
Specifier values must not contain colon characters, as colons are
always treated as separators.  See the \sphinxstylestrong{pkinit\_cert\_match}
configuration option for more ways to select a particular
certificate to use for PKINIT.

\sphinxlineitem{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}}
\sphinxAtStartPar
\sphinxstyleemphasis{envvar} specifies the name of an environment variable which has
been set to a value conforming to one of the previous values.  For
example, \sphinxcode{\sphinxupquote{ENV:X509\_PROXY}}, where environment variable
\sphinxcode{\sphinxupquote{X509\_PROXY}} has been set to \sphinxcode{\sphinxupquote{FILE:/tmp/my\_proxy.pem}}.

\end{description}


\paragraph{PKINIT krb5.conf options}
\label{\detokenize{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{pkinit\_anchors}}
\sphinxAtStartPar
Specifies the location of trusted anchor (root) certificates which
the client trusts to sign KDC certificates.  This option may be
specified multiple times.  These values from the config file are
not used if the user specifies X509\_anchors on the command line.

\sphinxlineitem{\sphinxstylestrong{pkinit\_cert\_match}}
\sphinxAtStartPar
Specifies matching rules that the client certificate must match
before it is used to attempt PKINIT authentication.  If a user has
multiple certificates available (on a smart card, or via other
media), there must be exactly one certificate chosen before
attempting PKINIT authentication.  This option may be specified
multiple times.  All the available certificates are checked
against each rule in order until there is a match of exactly one
certificate.

\sphinxAtStartPar
The Subject and Issuer comparison strings are the \index{RFC@\spxentry{RFC}!RFC 2253@\spxentry{RFC 2253}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}}
string representations from the certificate Subject DN and Issuer
DN values.

\sphinxAtStartPar
The syntax of the matching rules is:
\begin{quote}

\sphinxAtStartPar
{[}\sphinxstyleemphasis{relation\sphinxhyphen{}operator}{]}\sphinxstyleemphasis{component\sphinxhyphen{}rule} …
\end{quote}

\sphinxAtStartPar
where:
\begin{description}
\sphinxlineitem{\sphinxstyleemphasis{relation\sphinxhyphen{}operator}}
\sphinxAtStartPar
can be either \sphinxcode{\sphinxupquote{\&\&}}, meaning all component rules must match,
or \sphinxcode{\sphinxupquote{||}}, meaning only one component rule must match.  The
default is \sphinxcode{\sphinxupquote{\&\&}}.

\sphinxlineitem{\sphinxstyleemphasis{component\sphinxhyphen{}rule}}
\sphinxAtStartPar
can be one of the following.  Note that there is no
punctuation or whitespace between component rules.
\begin{quote}

\begin{DUlineblock}{0em}
\item[] \sphinxstylestrong{\textless{}SUBJECT\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression}
\item[] \sphinxstylestrong{\textless{}ISSUER\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression}
\item[] \sphinxstylestrong{\textless{}SAN\textgreater{}}\sphinxstyleemphasis{regular\sphinxhyphen{}expression}
\item[] \sphinxstylestrong{\textless{}EKU\textgreater{}}\sphinxstyleemphasis{extended\sphinxhyphen{}key\sphinxhyphen{}usage\sphinxhyphen{}list}
\item[] \sphinxstylestrong{\textless{}KU\textgreater{}}\sphinxstyleemphasis{key\sphinxhyphen{}usage\sphinxhyphen{}list}
\end{DUlineblock}
\end{quote}

\sphinxAtStartPar
\sphinxstyleemphasis{extended\sphinxhyphen{}key\sphinxhyphen{}usage\sphinxhyphen{}list} is a comma\sphinxhyphen{}separated list of
required Extended Key Usage values.  All values in the list
must be present in the certificate.  Extended Key Usage values
can be:
\begin{itemize}
\item {} 
\sphinxAtStartPar
pkinit

\item {} 
\sphinxAtStartPar
msScLogin

\item {} 
\sphinxAtStartPar
clientAuth

\item {} 
\sphinxAtStartPar
emailProtection

\end{itemize}

\sphinxAtStartPar
\sphinxstyleemphasis{key\sphinxhyphen{}usage\sphinxhyphen{}list} is a comma\sphinxhyphen{}separated list of required Key
Usage values.  All values in the list must be present in the
certificate.  Key Usage values can be:
\begin{itemize}
\item {} 
\sphinxAtStartPar
digitalSignature

\item {} 
\sphinxAtStartPar
keyEncipherment

\end{itemize}

\end{description}

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{|}\PYG{o}{|}\PYG{o}{\PYGZlt{}}\PYG{n}{SUBJECT}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}\PYG{o}{\PYGZlt{}}\PYG{n}{SAN}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZam{}}\PYG{o}{\PYGZam{}}\PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{ISSUER}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}
\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{KU}\PYG{o}{\PYGZgt{}}\PYG{n}{digitalSignature}
\end{sphinxVerbatim}

\sphinxlineitem{\sphinxstylestrong{pkinit\_eku\_checking}}
\sphinxAtStartPar
This option specifies what Extended Key Usage value the KDC
certificate presented to the client must contain.  (Note that if
the KDC certificate has the pkinit SubjectAlternativeName encoded
as the Kerberos TGS name, EKU checking is not necessary since the
issuing CA has certified this as a KDC certificate.)  The values
recognized in the krb5.conf file are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{kpKDC}}
\sphinxAtStartPar
This is the default value and specifies that the KDC must have
the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPKdc EKU as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.

\sphinxlineitem{\sphinxstylestrong{kpServerAuth}}
\sphinxAtStartPar
If \sphinxstylestrong{kpServerAuth} is specified, a KDC certificate with the
id\sphinxhyphen{}kp\sphinxhyphen{}serverAuth EKU will be accepted.  This key usage value
is used in most commercially issued server certificates.

\sphinxlineitem{\sphinxstylestrong{none}}
\sphinxAtStartPar
If \sphinxstylestrong{none} is specified, then the KDC certificate will not be
checked to verify it has an acceptable EKU.  The use of this
option is not recommended.

\end{description}

\sphinxlineitem{\sphinxstylestrong{pkinit\_dh\_min\_bits}}
\sphinxAtStartPar
Specifies the group of the Diffie\sphinxhyphen{}Hellman key the client will
attempt to use.  The acceptable values are 1024, 2048, P\sphinxhyphen{}256,
4096, P\sphinxhyphen{}384, and P\sphinxhyphen{}521.  The default is 2048.  (P\sphinxhyphen{}256, P\sphinxhyphen{}384, and
P\sphinxhyphen{}521 are new in release 1.22.)

\sphinxlineitem{\sphinxstylestrong{pkinit\_identities}}
\sphinxAtStartPar
Specifies the location(s) to be used to find the user’s X.509
identity information.  If this option is specified multiple times,
each value is attempted in order until certificates are found.
Note that these values are not used if the user specifies
\sphinxstylestrong{X509\_user\_identity} on the command line.

\sphinxlineitem{\sphinxstylestrong{pkinit\_kdc\_hostname}}
\sphinxAtStartPar
The presence of this option indicates that the client is willing
to accept a KDC certificate with a dNSName SAN (Subject
Alternative Name) rather than requiring the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as
defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.  This option may be specified multiple
times.  Its value should contain the acceptable hostname for the
KDC (as contained in its certificate).

\sphinxlineitem{\sphinxstylestrong{pkinit\_pool}}
\sphinxAtStartPar
Specifies the location of intermediate certificates which may be
used by the client to complete the trust chain between a KDC
certificate and a trusted anchor.  This option may be specified
multiple times.

\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_crl\_checking}}
\sphinxAtStartPar
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked.  If a match is found for the certificate in a CRL,
verification fails.  If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification
succeeds.

\sphinxAtStartPar
However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is
no CRL information available for the issuing CA, then verification
fails.

\sphinxAtStartPar
\sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the
policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA.

\sphinxlineitem{\sphinxstylestrong{pkinit\_revoke}}
\sphinxAtStartPar
Specifies the location of Certificate Revocation List (CRL)
information to be used by the client when verifying the validity
of the KDC certificate presented.  This option may be specified
multiple times.

\end{description}


\subsubsection{Parameter expansion}
\label{\detokenize{admin/conf_files/krb5_conf:parameter-expansion}}\label{\detokenize{admin/conf_files/krb5_conf:id7}}
\sphinxAtStartPar
Starting with release 1.11, several variables, such as
\sphinxstylestrong{default\_keytab\_name}, allow parameters to be expanded.
Valid parameters are:
\begin{quote}


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
\%\{TEMP\}
&
\sphinxAtStartPar
Temporary directory
\\
\sphinxhline
\sphinxAtStartPar
\%\{uid\}
&
\sphinxAtStartPar
Unix real UID or Windows SID
\\
\sphinxhline
\sphinxAtStartPar
\%\{euid\}
&
\sphinxAtStartPar
Unix effective user ID or Windows SID
\\
\sphinxhline
\sphinxAtStartPar
\%\{USERID\}
&
\sphinxAtStartPar
Same as \%\{uid\}
\\
\sphinxhline
\sphinxAtStartPar
\%\{null\}
&
\sphinxAtStartPar
Empty string
\\
\sphinxhline
\sphinxAtStartPar
\%\{LIBDIR\}
&
\sphinxAtStartPar
Installation library directory
\\
\sphinxhline
\sphinxAtStartPar
\%\{BINDIR\}
&
\sphinxAtStartPar
Installation binary directory
\\
\sphinxhline
\sphinxAtStartPar
\%\{SBINDIR\}
&
\sphinxAtStartPar
Installation admin binary directory
\\
\sphinxhline
\sphinxAtStartPar
\%\{username\}
&
\sphinxAtStartPar
(Unix) Username of effective user ID
\\
\sphinxhline
\sphinxAtStartPar
\%\{APPDATA\}
&
\sphinxAtStartPar
(Windows) Roaming application data for current user
\\
\sphinxhline
\sphinxAtStartPar
\%\{COMMON\_APPDATA\}
&
\sphinxAtStartPar
(Windows) Application data for all users
\\
\sphinxhline
\sphinxAtStartPar
\%\{LOCAL\_APPDATA\}
&
\sphinxAtStartPar
(Windows) Local application data for current user
\\
\sphinxhline
\sphinxAtStartPar
\%\{SYSTEM\}
&
\sphinxAtStartPar
(Windows) Windows system folder
\\
\sphinxhline
\sphinxAtStartPar
\%\{WINDOWS\}
&
\sphinxAtStartPar
(Windows) Windows folder
\\
\sphinxhline
\sphinxAtStartPar
\%\{USERCONFIG\}
&
\sphinxAtStartPar
(Windows) Per\sphinxhyphen{}user MIT krb5 config file directory
\\
\sphinxhline
\sphinxAtStartPar
\%\{COMMONCONFIG\}
&
\sphinxAtStartPar
(Windows) Common MIT krb5 config file directory
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}
\end{quote}


\subsubsection{Sample krb5.conf file}
\label{\detokenize{admin/conf_files/krb5_conf:sample-krb5-conf-file}}
\sphinxAtStartPar
Here is an example of a generic krb5.conf file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
    \PYG{n}{dns\PYGZus{}lookup\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{true}
    \PYG{n}{dns\PYGZus{}lookup\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false}

\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{2.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{primary\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
        \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
        \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
    \PYG{p}{\PYGZcb{}}

\PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]}
    \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}

\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
           \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
    \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
           \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{o}{.}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}


\subsubsection{FILES}
\label{\detokenize{admin/conf_files/krb5_conf:files}}
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/etc/krb5.conf}}


\subsubsection{SEE ALSO}
\label{\detokenize{admin/conf_files/krb5_conf:see-also}}
\sphinxAtStartPar
syslog(3)

\sphinxstepscope


\subsection{kdc.conf}
\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}}\label{\detokenize{admin/conf_files/kdc_conf::doc}}
\sphinxAtStartPar
The kdc.conf file supplements {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} for programs which
are typically only used on a KDC, such as the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemons and the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.

\sphinxAtStartPar
Normally, the kdc.conf file is found in the KDC state directory,
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}.  You can override the default location by setting the
environment variable \sphinxstylestrong{KRB5\_KDC\_PROFILE}.

\sphinxAtStartPar
Please note that you need to restart the KDC daemon for any configuration
changes to take effect.


\subsubsection{Structure}
\label{\detokenize{admin/conf_files/kdc_conf:structure}}
\sphinxAtStartPar
The kdc.conf file is set up in the same format as the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file.


\subsubsection{Sections}
\label{\detokenize{admin/conf_files/kdc_conf:sections}}
\sphinxAtStartPar
The kdc.conf file may contain the following sections:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}}
&
\sphinxAtStartPar
Default values for KDC behavior
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}}
&
\sphinxAtStartPar
Realm\sphinxhyphen{}specific database configuration and settings
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}}
&
\sphinxAtStartPar
Default database settings
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}}
&
\sphinxAtStartPar
Per\sphinxhyphen{}database settings
\\
\sphinxhline
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}
&
\sphinxAtStartPar
Controls how Kerberos daemons perform logging
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}


\paragraph{{[}kdcdefaults{]}}
\label{\detokenize{admin/conf_files/kdc_conf:kdcdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id1}}
\sphinxAtStartPar
Some relations in the {[}kdcdefaults{]} section specify default values for
realm variables, to be used if the {[}realms{]} subsection does not
contain a relation for the tag.  See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for
the definitions of these relations.
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxstylestrong{host\_based\_services}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{kdc\_listen}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{kdc\_ports}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{kdc\_tcp\_listen}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{kdc\_tcp\_ports}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{no\_host\_referral}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{restrict\_anonymous\_to\_tgt}

\end{itemize}

\sphinxAtStartPar
The following {[}kdcdefaults{]} variables have no per\sphinxhyphen{}realm equivalent:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}}
\sphinxAtStartPar
Specifies the maximum packet size that can be sent over UDP.  The
default value is 4096 bytes.

\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}}
\sphinxAtStartPar
(Integer.)  Set the size of the listen queue length for the KDC
daemon.  The value may be limited by OS settings.  The default
value is 5.

\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}}
\sphinxAtStartPar
(String.)  Specifies the group for a SPAKE optimistic challenge.
See the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
for possible values.  The default is not to issue an optimistic
challenge.  (New in release 1.17.)

\end{description}


\paragraph{{[}realms{]}}
\label{\detokenize{admin/conf_files/kdc_conf:realms}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-realms}}
\sphinxAtStartPar
Each tag in the {[}realms{]} section is the name of a Kerberos realm.  The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm.  The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The following tags may be specified in a {[}realms{]} subsection:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{acl\_file}}
\sphinxAtStartPar
(String.)  Location of the access control list file that
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} uses to determine which principals are allowed
which permissions on the Kerberos database.  To operate without an
ACL file, set this relation to the empty string with \sphinxcode{\sphinxupquote{acl\_file =
""}}.  The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}.  For more
information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}.

\sphinxlineitem{\sphinxstylestrong{database\_module}}
\sphinxAtStartPar
(String.)  This relation indicates the name of the configuration
section under {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} for database\sphinxhyphen{}specific parameters
used by the loadable database library.  The default value is the
realm name.  If this configuration section does not exist, default
values will be used for all database parameters.

\sphinxlineitem{\sphinxstylestrong{database\_name}}
\sphinxAtStartPar
(String, deprecated.)  This relation specifies the location of the
Kerberos database for this realm, if the DB2 module is being used
and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} configuration section does not specify a
database name.  The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}.

\sphinxlineitem{\sphinxstylestrong{default\_principal\_expiration}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{abstime} string.)  Specifies the default expiration date of
principals created in this realm.  The default value is 0, which
means no expiration date.

\sphinxlineitem{\sphinxstylestrong{default\_principal\_flags}}
\sphinxAtStartPar
(Flag string.)  Specifies the default attributes of principals
created in this realm.  The format for this string is a
comma\sphinxhyphen{}separated list of flags, with ‘+’ before each flag that
should be enabled and ‘\sphinxhyphen{}’ before each flag that should be
disabled.  The \sphinxstylestrong{postdateable}, \sphinxstylestrong{forwardable}, \sphinxstylestrong{tgt\sphinxhyphen{}based},
\sphinxstylestrong{renewable}, \sphinxstylestrong{proxiable}, \sphinxstylestrong{dup\sphinxhyphen{}skey}, \sphinxstylestrong{allow\sphinxhyphen{}tickets}, and
\sphinxstylestrong{service} flags default to enabled.

\sphinxAtStartPar
There are a number of possible flags:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{allow\sphinxhyphen{}tickets}}
\sphinxAtStartPar
Enabling this flag means that the KDC will issue tickets for
this principal.  Disabling this flag essentially deactivates
the principal within this realm.

\sphinxlineitem{\sphinxstylestrong{dup\sphinxhyphen{}skey}}
\sphinxAtStartPar
Enabling this flag allows the KDC to issue user\sphinxhyphen{}to\sphinxhyphen{}user
service tickets for this principal.

\sphinxlineitem{\sphinxstylestrong{forwardable}}
\sphinxAtStartPar
Enabling this flag allows the principal to obtain forwardable
tickets.

\sphinxlineitem{\sphinxstylestrong{hwauth}}
\sphinxAtStartPar
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any
tickets.

\sphinxlineitem{\sphinxstylestrong{no\sphinxhyphen{}auth\sphinxhyphen{}data\sphinxhyphen{}required}}
\sphinxAtStartPar
Enabling this flag prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from
being added to service tickets for the principal.

\sphinxlineitem{\sphinxstylestrong{ok\sphinxhyphen{}as\sphinxhyphen{}delegate}}
\sphinxAtStartPar
If this flag is enabled, it hints the client that credentials
can and should be delegated when authenticating to the
service.

\sphinxlineitem{\sphinxstylestrong{ok\sphinxhyphen{}to\sphinxhyphen{}auth\sphinxhyphen{}as\sphinxhyphen{}delegate}}
\sphinxAtStartPar
Enabling this flag allows the principal to use S4USelf tickets.

\sphinxlineitem{\sphinxstylestrong{postdateable}}
\sphinxAtStartPar
Enabling this flag allows the principal to obtain postdateable
tickets.

\sphinxlineitem{\sphinxstylestrong{preauth}}
\sphinxAtStartPar
If this flag is enabled on a client principal, then that
principal is required to preauthenticate to the KDC before
receiving any tickets.  On a service principal, enabling this
flag means that service tickets for this principal will only
be issued to clients with a TGT that has the preauthenticated
bit set.

\sphinxlineitem{\sphinxstylestrong{proxiable}}
\sphinxAtStartPar
Enabling this flag allows the principal to obtain proxy
tickets.

\sphinxlineitem{\sphinxstylestrong{pwchange}}
\sphinxAtStartPar
Enabling this flag forces a password change for this
principal.

\sphinxlineitem{\sphinxstylestrong{pwservice}}
\sphinxAtStartPar
If this flag is enabled, it marks this principal as a password
change service.  This should only be used in special cases,
for example, if a user’s password has expired, then the user
has to get tickets for that principal without going through
the normal password authentication in order to be able to
change the password.

\sphinxlineitem{\sphinxstylestrong{renewable}}
\sphinxAtStartPar
Enabling this flag allows the principal to obtain renewable
tickets.

\sphinxlineitem{\sphinxstylestrong{service}}
\sphinxAtStartPar
Enabling this flag allows the the KDC to issue service tickets
for this principal.  In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user
service tickets are still allowed if the \sphinxstylestrong{dup\sphinxhyphen{}skey} flag is
set.

\sphinxlineitem{\sphinxstylestrong{tgt\sphinxhyphen{}based}}
\sphinxAtStartPar
Enabling this flag allows a principal to obtain tickets based
on a ticket\sphinxhyphen{}granting\sphinxhyphen{}ticket, rather than repeating the
authentication process that was used to obtain the TGT.

\end{description}

\sphinxlineitem{\sphinxstylestrong{dict\_file}}
\sphinxAtStartPar
(String.)  Location of the dictionary file containing strings that
are not allowed as passwords.  The file should contain one string
per line, with no additional whitespace.  If none is specified or
if there is no policy assigned to the principal, no dictionary
checks of passwords will be performed.

\sphinxlineitem{\sphinxstylestrong{disable\_pac}}
\sphinxAtStartPar
(Boolean value.)  If true, the KDC will not issue PACs for this
realm, and S4U2Self and S4U2Proxy operations will be disabled.
The default is false, which will permit the KDC to issue PACs.
New in release 1.20.

\sphinxlineitem{\sphinxstylestrong{encrypted\_challenge\_indicator}}
\sphinxAtStartPar
(String.)  Specifies the authentication indicator value that the KDC
asserts into tickets obtained using FAST encrypted challenge
pre\sphinxhyphen{}authentication.  New in 1.16.

\sphinxlineitem{\sphinxstylestrong{host\_based\_services}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Lists services which will
get host\sphinxhyphen{}based referral processing even if the server principal is
not marked as host\sphinxhyphen{}based by the client.

\sphinxlineitem{\sphinxstylestrong{iprop\_enable}}
\sphinxAtStartPar
(Boolean value.)  Specifies whether incremental database
propagation is enabled.  The default value is false.

\sphinxlineitem{\sphinxstylestrong{iprop\_ulogsize}}
\sphinxAtStartPar
(Integer.)  Specifies the maximum number of log entries to be
retained for incremental propagation.  The default value is 1000.
Prior to release 1.11, the maximum value was 2500.  New in release
1.19.

\sphinxlineitem{\sphinxstylestrong{iprop\_master\_ulogsize}}
\sphinxAtStartPar
The name for \sphinxstylestrong{iprop\_ulogsize} prior to release 1.19.  Its value is
used as a fallback if \sphinxstylestrong{iprop\_ulogsize} is not specified.

\sphinxlineitem{\sphinxstylestrong{iprop\_replica\_poll}}
\sphinxAtStartPar
(Delta time string.)  Specifies how often the replica KDC polls
for new updates from the primary.  The default value is \sphinxcode{\sphinxupquote{2m}}
(that is, two minutes).  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{iprop\_slave\_poll}}
\sphinxAtStartPar
(Delta time string.)  The name for \sphinxstylestrong{iprop\_replica\_poll} prior to
release 1.17.  Its value is used as a fallback if
\sphinxstylestrong{iprop\_replica\_poll} is not specified.

\sphinxlineitem{\sphinxstylestrong{iprop\_listen}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Specifies the iprop RPC
listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.
Each entry may be an interface address, a port number, or an
address and port number separated by a colon.  If the address
contains colons, enclose it in square brackets.  If no address is
specified, the wildcard address is used.  If kadmind fails to bind
to any of the specified addresses, it will fail to start.  The
default (when \sphinxstylestrong{iprop\_enable} is true) is to bind to the wildcard
address at the port specified in \sphinxstylestrong{iprop\_port}.  New in release
1.15.

\sphinxlineitem{\sphinxstylestrong{iprop\_port}}
\sphinxAtStartPar
(Port number.)  Specifies the port number to be used for
incremental propagation.  When \sphinxstylestrong{iprop\_enable} is true, this
relation is required in the replica KDC configuration file, and
this relation or \sphinxstylestrong{iprop\_listen} is required in the primary
configuration file, as there is no default port number.  Port
numbers specified in \sphinxstylestrong{iprop\_listen} entries will override this
port number for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.

\sphinxlineitem{\sphinxstylestrong{iprop\_resync\_timeout}}
\sphinxAtStartPar
(Delta time string.)  Specifies the amount of time to wait for a
full propagation to complete.  This is optional in configuration
files, and is used by replica KDCs only.  The default value is 5
minutes (\sphinxcode{\sphinxupquote{5m}}).  New in release 1.11.

\sphinxlineitem{\sphinxstylestrong{iprop\_logfile}}
\sphinxAtStartPar
(File name.)  Specifies where the update log file for the realm
database is to be stored.  The default is to use the
\sphinxstylestrong{database\_name} entry from the realms section of the krb5 config
file, with \sphinxcode{\sphinxupquote{.ulog}} appended.  (NOTE: If \sphinxstylestrong{database\_name} isn’t
specified in the realms section, perhaps because the LDAP database
back end is being used, or the file name is specified in the
{[}dbmodules{]} section, then the hard\sphinxhyphen{}coded default for
\sphinxstylestrong{database\_name} is used.  Determination of the \sphinxstylestrong{iprop\_logfile}
default value will not use values from the {[}dbmodules{]} section.)

\sphinxlineitem{\sphinxstylestrong{kadmind\_listen}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Specifies the kadmin RPC
listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.
Each entry may be an interface address, a port number, an address
and port number separated by a colon, or a UNIX domain socket
pathname.  If the address contains colons, enclose it in square
brackets.  If no address is specified, the wildcard address is
used.  To disable listening for kadmin RPC connections, set this
relation to the empty string with \sphinxcode{\sphinxupquote{kadmind\_listen = ""}}.  If
kadmind fails to bind to any of the specified addresses, it will
fail to start.  The default is to bind to the wildcard address at
the port specified in \sphinxstylestrong{kadmind\_port}, or the standard kadmin
port (749).  New in release 1.15.

\sphinxlineitem{\sphinxstylestrong{kadmind\_port}}
\sphinxAtStartPar
(Port number.)  Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
daemon is to listen for this realm.  Port numbers specified in
\sphinxstylestrong{kadmind\_listen} entries will override this port number.  The
assigned port for kadmind is 749, which is used by default.

\sphinxlineitem{\sphinxstylestrong{key\_stash\_file}}
\sphinxAtStartPar
(String.)  Specifies the location where the master key has been
stored (via kdb5\_util stash).  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.REALM}}, where \sphinxstyleemphasis{REALM} is the Kerberos realm.

\sphinxlineitem{\sphinxstylestrong{kdc\_listen}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Specifies the listening
addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon.  Each
entry may be an interface address, a port number, an address and
port number separated by a colon, or a UNIX domain socket
pathname.  If the address contains colons, enclose it in square
brackets.  If no address is specified, the wildcard address is
used.  If no port is specified, the standard port (88) is used.
To disable listening on UDP, set this relation to the empty string
with \sphinxcode{\sphinxupquote{kdc\_listen = ""}}.  If the KDC daemon fails to bind to any
of the specified addresses, it will fail to start.  The default is
to bind to the wildcard address on the standard port.  New in
release 1.15.

\sphinxlineitem{\sphinxstylestrong{kdc\_ports}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.)  Prior to
release 1.15, this relation lists the ports for the
{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests.  In
release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_listen}
if that relation is not defined.

\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_listen}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Specifies the TCP
listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon.
The syntax is identical to that of \sphinxstylestrong{kdc\_listen}.  To disable
listening on TCP, set this relation to the empty string with
\sphinxcode{\sphinxupquote{kdc\_tcp\_listen = ""}}.  The default is to bind to the same
addresses and ports as for UDP.  New in release 1.15.

\sphinxlineitem{\sphinxstylestrong{kdc\_tcp\_ports}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list, deprecated.)  Prior to
release 1.15, this relation lists the ports for the
{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests.  In
release 1.15 and later, it has the same meaning as
\sphinxstylestrong{kdc\_tcp\_listen} if that relation is not defined.

\sphinxlineitem{\sphinxstylestrong{kpasswd\_listen}}
\sphinxAtStartPar
(Comma\sphinxhyphen{}separated list.)  Specifies the kpasswd listening
addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon.  Each
entry may be an interface address, a port number, an address and
port number separated by a colon, or a UNIX domain socket
pathname.  If the address contains colons, enclose it in square
brackets.  If no address is specified, the wildcard address is
used.  To disable listening for kpasswd requests, set this
relation to the empty string with \sphinxcode{\sphinxupquote{kpasswd\_listen = ""}}.  If
kadmind fails to bind to any of the specified addresses, it will
fail to start.  The default is to bind to the wildcard address at
the port specified in \sphinxstylestrong{kpasswd\_port}, or the standard kpasswd
port (464).  New in release 1.15.

\sphinxlineitem{\sphinxstylestrong{kpasswd\_port}}
\sphinxAtStartPar
(Port number.)  Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
daemon is to listen for password change requests for this realm.
Port numbers specified in \sphinxstylestrong{kpasswd\_listen} entries will override
this port number.  The assigned port for password change requests
is 464, which is used by default.

\sphinxlineitem{\sphinxstylestrong{master\_key\_name}}
\sphinxAtStartPar
(String.)  Specifies the name of the principal associated with the
master key.  The default is \sphinxcode{\sphinxupquote{K/M}}.

\sphinxlineitem{\sphinxstylestrong{master\_key\_type}}
\sphinxAtStartPar
(Key type string.)  Specifies the master key’s key type.  The
default value for this is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}.  For a list of all possible
values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}.

\sphinxlineitem{\sphinxstylestrong{max\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Specifies the maximum time period for
which a ticket may be valid in this realm.  The default value is
24 hours.

\sphinxlineitem{\sphinxstylestrong{max\_renewable\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} string.)  Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.

\sphinxlineitem{\sphinxstylestrong{no\_host\_referral}}
\sphinxAtStartPar
(Whitespace\sphinxhyphen{} or comma\sphinxhyphen{}separated list.)  Lists services to block
from getting host\sphinxhyphen{}based referral processing, even if the client
marks the server principal as host\sphinxhyphen{}based or the service is also
listed in \sphinxstylestrong{host\_based\_services}.  \sphinxcode{\sphinxupquote{no\_host\_referral = *}} will
disable referral processing altogether.

\sphinxlineitem{\sphinxstylestrong{reject\_bad\_transit}}
\sphinxAtStartPar
(Boolean value.)  If set to true, the KDC will check the list of
transited realms for cross\sphinxhyphen{}realm tickets against the transit path
computed from the realm names and the capaths section of its
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file; if the path in the ticket to be issued
contains any realms not in the computed path, the ticket will not
be issued, and an error will be returned to the client instead.
If this value is set to false, such tickets will be issued
anyways, and it will be left up to the application server to
validate the realm transit path.

\sphinxAtStartPar
If the disable\sphinxhyphen{}transited\sphinxhyphen{}check flag is set in the incoming
request, this check is not performed at all.  Having the
\sphinxstylestrong{reject\_bad\_transit} option will cause such ticket requests to
be rejected always.

\sphinxAtStartPar
This transit path checking and config file option currently apply
only to TGS requests.

\sphinxAtStartPar
The default value is true.

\sphinxlineitem{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}}
\sphinxAtStartPar
(Boolean value.)  If set to true, the KDC will reject ticket
requests from anonymous principals to service principals other
than the realm’s ticket\sphinxhyphen{}granting service.  This option allows
anonymous PKINIT to be enabled for use as FAST armor tickets
without allowing anonymous authentication to services.  The
default value is false.  New in release 1.9.

\sphinxlineitem{\sphinxstylestrong{spake\_preauth\_indicator}}
\sphinxAtStartPar
(String.)  Specifies an authentication indicator value that the
KDC asserts into tickets obtained using SPAKE pre\sphinxhyphen{}authentication.
The default is not to add any indicators.  This option may be
specified multiple times.  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{supported\_enctypes}}
\sphinxAtStartPar
(List of \sphinxstyleemphasis{key}:\sphinxstyleemphasis{salt} strings.)  Specifies the default key/salt
combinations of principals for this realm.  Any principals created
through {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} will have keys of these types.  The
default value for this tag is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal}}.  For lists of
possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}}.

\end{description}


\paragraph{{[}dbdefaults{]}}
\label{\detokenize{admin/conf_files/kdc_conf:dbdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id2}}
\sphinxAtStartPar
The {[}dbdefaults{]} section specifies default values for some database
parameters, to be used if the {[}dbmodules{]} subsection does not contain
a relation for the tag.  See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} section for the
definitions of these relations.
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kerberos\_container\_dn}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kdc\_dn}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kdc\_sasl\_authcid}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kdc\_sasl\_authzid}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kdc\_sasl\_mech}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kdc\_sasl\_realm}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kadmind\_dn}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kadmind\_sasl\_mech}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_kadmind\_sasl\_realm}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_service\_password\_file}

\item {} 
\sphinxAtStartPar
\sphinxstylestrong{ldap\_conns\_per\_server}

\end{itemize}


\paragraph{{[}dbmodules{]}}
\label{\detokenize{admin/conf_files/kdc_conf:dbmodules}}\label{\detokenize{admin/conf_files/kdc_conf:id3}}
\sphinxAtStartPar
The {[}dbmodules{]} section contains parameters used by the KDC database
library and database modules.  Each tag in the {[}dbmodules{]} section is
the name of a Kerberos realm or a section name specified by a realm’s
\sphinxstylestrong{database\_module} parameter.  The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The following tags may be specified in a {[}dbmodules{]} subsection:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{database\_name}}
\sphinxAtStartPar
This DB2\sphinxhyphen{}specific tag indicates the location of the database in
the filesystem.  The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}.

\sphinxlineitem{\sphinxstylestrong{db\_library}}
\sphinxAtStartPar
This tag indicates the name of the loadable database module.  The
value should be \sphinxcode{\sphinxupquote{db2}} for the DB2 module, \sphinxcode{\sphinxupquote{klmdb}} for the LMDB
module, or \sphinxcode{\sphinxupquote{kldap}} for the LDAP module.

\sphinxlineitem{\sphinxstylestrong{disable\_last\_success}}
\sphinxAtStartPar
If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last successful
authentication” field of principal entries requiring
preauthentication.  Setting this flag may improve performance.
(Principal entries which do not require preauthentication never
update the “Last successful authentication” field.).  First
introduced in release 1.9.

\sphinxlineitem{\sphinxstylestrong{disable\_lockout}}
\sphinxAtStartPar
If set to \sphinxcode{\sphinxupquote{true}}, suppresses KDC updates to the “Last failed
authentication” and “Failed password attempts” fields of principal
entries requiring preauthentication.  Setting this flag may
improve performance, but also disables account lockout.  First
introduced in release 1.9.

\sphinxlineitem{\sphinxstylestrong{ldap\_conns\_per\_server}}
\sphinxAtStartPar
This LDAP\sphinxhyphen{}specific tag indicates the number of connections to be
maintained per LDAP server.

\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}}
\sphinxAtStartPar
These LDAP\sphinxhyphen{}specific tags indicate the default DN for binding to
the LDAP server.  The {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon uses
\sphinxstylestrong{ldap\_kdc\_dn}, while the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon and other
administrative programs use \sphinxstylestrong{ldap\_kadmind\_dn}.  The kadmind DN
must have the rights to read and write the Kerberos data in the
LDAP database.  The KDC DN must have the same rights, unless
\sphinxstylestrong{disable\_lockout} and \sphinxstylestrong{disable\_last\_success} are true, in
which case it only needs to have rights to read the Kerberos data.
These tags are ignored if a SASL mechanism is set with
\sphinxstylestrong{ldap\_kdc\_sasl\_mech} or \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}.

\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}}
\sphinxAtStartPar
These LDAP\sphinxhyphen{}specific tags specify the SASL mechanism (such as
\sphinxcode{\sphinxupquote{EXTERNAL}}) to use when binding to the LDAP server.  New in
release 1.13.

\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}}
\sphinxAtStartPar
These LDAP\sphinxhyphen{}specific tags specify the SASL authentication identity
to use when binding to the LDAP server.  Not all SASL mechanisms
require an authentication identity.  If the SASL mechanism
requires a secret (such as the password for \sphinxcode{\sphinxupquote{DIGEST\sphinxhyphen{}MD5}}), these
tags also determine the name within the
\sphinxstylestrong{ldap\_service\_password\_file} where the secret is stashed.  New
in release 1.13.

\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}}
\sphinxAtStartPar
These LDAP\sphinxhyphen{}specific tags specify the SASL authorization identity
to use when binding to the LDAP server.  In most circumstances
they do not need to be specified.  New in release 1.13.

\sphinxlineitem{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}}
\sphinxAtStartPar
These LDAP\sphinxhyphen{}specific tags specify the SASL realm to use when
binding to the LDAP server.  In most circumstances they do not
need to be set.  New in release 1.13.

\sphinxlineitem{\sphinxstylestrong{ldap\_kerberos\_container\_dn}}
\sphinxAtStartPar
This LDAP\sphinxhyphen{}specific tag indicates the DN of the container object
where the realm objects will be located.

\sphinxlineitem{\sphinxstylestrong{ldap\_servers}}
\sphinxAtStartPar
This LDAP\sphinxhyphen{}specific tag indicates the list of LDAP servers that the
Kerberos servers can connect to.  The list of LDAP servers is
whitespace\sphinxhyphen{}separated.  The LDAP server is specified by a LDAP URI.
It is recommended to use \sphinxcode{\sphinxupquote{ldapi:}} or \sphinxcode{\sphinxupquote{ldaps:}} URLs to connect
to the LDAP server.

\sphinxlineitem{\sphinxstylestrong{ldap\_service\_password\_file}}
\sphinxAtStartPar
This LDAP\sphinxhyphen{}specific tag indicates the file containing the stashed
passwords (created by \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}}) for the
\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} objects, or for the
\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} names
for SASL authentication.  This file must be kept secure.

\sphinxlineitem{\sphinxstylestrong{mapsize}}
\sphinxAtStartPar
This LMDB\sphinxhyphen{}specific tag indicates the maximum size of the two
database environments in megabytes.  The default value is 128.
Increase this value to address “Environment mapsize limit reached”
errors.  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{max\_readers}}
\sphinxAtStartPar
This LMDB\sphinxhyphen{}specific tag indicates the maximum number of concurrent
reading processes for the databases.  The default value is 128.
New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{nosync}}
\sphinxAtStartPar
This LMDB\sphinxhyphen{}specific tag can be set to improve the throughput of
kadmind and other administrative agents, at the expense of
durability (recent database changes may not survive a power outage
or other sudden reboot).  It does not affect the throughput of the
KDC.  The default value is false.  New in release 1.17.

\sphinxlineitem{\sphinxstylestrong{unlockiter}}
\sphinxAtStartPar
If set to \sphinxcode{\sphinxupquote{true}}, this DB2\sphinxhyphen{}specific tag causes iteration
operations to release the database lock while processing each
principal.  Setting this flag to \sphinxcode{\sphinxupquote{true}} can prevent extended
blocking of KDC or kadmin operations when dumps of large databases
are in progress.  First introduced in release 1.13.

\end{description}

\sphinxAtStartPar
The following tag may be specified directly in the {[}dbmodules{]}
section to control where database modules are loaded from:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{db\_module\_dir}}
\sphinxAtStartPar
This tag controls where the plugin system looks for database
modules.  The value should be an absolute path.

\end{description}


\paragraph{{[}logging{]}}
\label{\detokenize{admin/conf_files/kdc_conf:logging}}\label{\detokenize{admin/conf_files/kdc_conf:id4}}
\sphinxAtStartPar
The {[}logging{]} section indicates how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} perform logging.  It may contain the following
relations:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{admin\_server}}
\sphinxAtStartPar
Specifies how {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} performs logging.

\sphinxlineitem{\sphinxstylestrong{kdc}}
\sphinxAtStartPar
Specifies how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} performs logging.

\sphinxlineitem{\sphinxstylestrong{default}}
\sphinxAtStartPar
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.

\sphinxlineitem{\sphinxstylestrong{debug}}
\sphinxAtStartPar
(Boolean value.)  Specifies whether debugging messages are
included in log outputs other than SYSLOG.  Debugging messages are
always included in the system log output because syslog performs
its own priority filtering.  The default value is false.  New in
release 1.15.

\end{description}

\sphinxAtStartPar
Logging specifications may have the following forms:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{FILE=}\sphinxstyleemphasis{filename} or \sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}}
\sphinxAtStartPar
This value causes the daemon’s logging messages to go to the
\sphinxstyleemphasis{filename}.  If the \sphinxcode{\sphinxupquote{=}} form is used, the file is overwritten.
If the \sphinxcode{\sphinxupquote{:}} form is used, the file is appended to.

\sphinxlineitem{\sphinxstylestrong{STDERR}}
\sphinxAtStartPar
This value causes the daemon’s logging messages to go to its
standard error stream.

\sphinxlineitem{\sphinxstylestrong{CONSOLE}}
\sphinxAtStartPar
This value causes the daemon’s logging messages to go to the
console, if the system supports it.

\sphinxlineitem{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}}
\sphinxAtStartPar
This causes the daemon’s logging messages to go to the specified
device.

\sphinxlineitem{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}}
\sphinxAtStartPar
This causes the daemon’s logging messages to go to the system log.

\sphinxAtStartPar
For backward compatibility, a severity argument may be specified,
and must be specified in order to specify a facility.  This
argument will be ignored.

\sphinxAtStartPar
The facility argument specifies the facility under which the
messages are logged.  This may be any of the following facilities
supported by the syslog(3) call minus the LOG\_ prefix: \sphinxstylestrong{KERN},
\sphinxstylestrong{USER}, \sphinxstylestrong{MAIL}, \sphinxstylestrong{DAEMON}, \sphinxstylestrong{AUTH}, \sphinxstylestrong{LPR}, \sphinxstylestrong{NEWS},
\sphinxstylestrong{UUCP}, \sphinxstylestrong{CRON}, and \sphinxstylestrong{LOCAL0} through \sphinxstylestrong{LOCAL7}.  If no
facility is specified, the default is \sphinxstylestrong{AUTH}.

\end{description}

\sphinxAtStartPar
In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG\_DAEMON, and
the logging messages from the administrative server will be appended
to the file \sphinxcode{\sphinxupquote{/var/adm/kadmin.log}} and sent to the device
\sphinxcode{\sphinxupquote{/dev/tty04}}.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
    \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{CONSOLE}
    \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{SYSLOG}\PYG{p}{:}\PYG{n}{INFO}\PYG{p}{:}\PYG{n}{DAEMON}
    \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{adm}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}
    \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{DEVICE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{tty04}
\end{sphinxVerbatim}

\sphinxAtStartPar
If no logging specification is given, the default is to use syslog.
To disable logging entirely, specify \sphinxcode{\sphinxupquote{default = DEVICE=/dev/null}}.


\paragraph{{[}otp{]}}
\label{\detokenize{admin/conf_files/kdc_conf:otp}}\label{\detokenize{admin/conf_files/kdc_conf:id5}}
\sphinxAtStartPar
Each subsection of {[}otp{]} is the name of an OTP token type.  The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.

\sphinxAtStartPar
For each token type, the following tags may be specified:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{server}}
\sphinxAtStartPar
This is the server to send the RADIUS request to.  It can be a
hostname with optional port, an ip address with optional port, or
a Unix domain socket address.  The default is
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/\textless{}name\textgreater{}.socket}}.

\sphinxlineitem{\sphinxstylestrong{secret}}
\sphinxAtStartPar
This tag indicates a filename (which may be relative to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}})
containing the secret used to encrypt the RADIUS packets.  The
secret should appear in the first line of the file by itself;
leading and trailing whitespace on the line will be removed.  If
the value of \sphinxstylestrong{server} is a Unix domain socket address, this tag
is optional, and an empty secret will be used if it is not
specified.  Otherwise, this tag is required.

\sphinxlineitem{\sphinxstylestrong{timeout}}
\sphinxAtStartPar
An integer which specifies the time in seconds during which the
KDC should attempt to contact the RADIUS server.  This tag is the
total time across all retries and should be less than the time
which an OTP value remains valid for.  The default is 5 seconds.

\sphinxlineitem{\sphinxstylestrong{retries}}
\sphinxAtStartPar
This tag specifies the number of retries to make to the RADIUS
server.  The default is 3 retries (4 tries).

\sphinxlineitem{\sphinxstylestrong{strip\_realm}}
\sphinxAtStartPar
If this tag is \sphinxcode{\sphinxupquote{true}}, the principal without the realm will be
passed to the RADIUS server.  Otherwise, the realm will be
included.  The default value is \sphinxcode{\sphinxupquote{true}}.

\sphinxlineitem{\sphinxstylestrong{indicator}}
\sphinxAtStartPar
This tag specifies an authentication indicator to be included in
the ticket if this token type is used to authenticate.  This
option may be specified multiple times.  (New in release 1.14.)

\end{description}

\sphinxAtStartPar
In the following example, requests are sent to a remote server via UDP:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[otp]
    MyRemoteTokenType = \PYGZob{}
        server = radius.mydomain.com:1812
        secret = SEmfiajf42\PYGZdl{}
        timeout = 15
        retries = 5
        strip\PYGZus{}realm = true
    \PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
An implicit default token type named \sphinxcode{\sphinxupquote{DEFAULT}} is defined for when
the per\sphinxhyphen{}principal configuration does not specify a token type.  Its
configuration is shown below.  You may override this token type to
something applicable for your situation:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]}
    \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}


\subsubsection{PKINIT options}
\label{\detokenize{admin/conf_files/kdc_conf:pkinit-options}}
\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The following are pkinit\sphinxhyphen{}specific options.  These values may
be specified in {[}kdcdefaults{]} as global defaults, or within
a realm\sphinxhyphen{}specific subsection of {[}realms{]}.  Also note that a
realm\sphinxhyphen{}specific value over\sphinxhyphen{}rides, does not add to, a generic
{[}kdcdefaults{]} specification.  The search order is:
\end{sphinxadmonition}
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
realm\sphinxhyphen{}specific subsection of {[}realms{]}:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
generic value in the {[}kdcdefaults{]} section:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
    \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/}
\end{sphinxVerbatim}

\end{enumerate}

\sphinxAtStartPar
For information about the syntax of some of these options, see
{\hyperref[\detokenize{admin/conf_files/krb5_conf:pkinit-identity}]{\sphinxcrossref{\DUrole{std,std-ref}{Specifying PKINIT identity information}}}} in
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.
\begin{description}
\sphinxlineitem{\sphinxstylestrong{pkinit\_anchors}}
\sphinxAtStartPar
Specifies the location of trusted anchor (root) certificates which
the KDC trusts to sign client certificates.  This option is
required if pkinit is to be supported by the KDC.  This option may
be specified multiple times.

\sphinxlineitem{\sphinxstylestrong{pkinit\_dh\_min\_bits}}
\sphinxAtStartPar
Specifies the minimum strength of Diffie\sphinxhyphen{}Hellman group the KDC is
willing to accept for key exchange.  Valid values in order of
increasing strength are 1024, 2048, P\sphinxhyphen{}256, 4096, P\sphinxhyphen{}384, and P\sphinxhyphen{}521.
The default is 2048.  (P\sphinxhyphen{}256, P\sphinxhyphen{}384, and P\sphinxhyphen{}521 are new in release
1.22.)

\sphinxlineitem{\sphinxstylestrong{pkinit\_allow\_upn}}
\sphinxAtStartPar
Specifies that the KDC is willing to accept client certificates
with the Microsoft UserPrincipalName (UPN) Subject Alternative
Name (SAN).  This means the KDC accepts the binding of the UPN in
the certificate to the Kerberos principal name.  The default value
is false.

\sphinxAtStartPar
Without this option, the KDC will only accept certificates with
the id\sphinxhyphen{}pkinit\sphinxhyphen{}san as defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.  There is currently
no option to disable SAN checking in the KDC.

\sphinxlineitem{\sphinxstylestrong{pkinit\_eku\_checking}}
\sphinxAtStartPar
This option specifies what Extended Key Usage (EKU) values the KDC
is willing to accept in client certificates.  The values
recognized in the kdc.conf file are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{kpClientAuth}}
\sphinxAtStartPar
This is the default value and specifies that client
certificates must have the id\sphinxhyphen{}pkinit\sphinxhyphen{}KPClientAuth EKU as
defined in \index{RFC@\spxentry{RFC}!RFC 4556@\spxentry{RFC 4556}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}.

\sphinxlineitem{\sphinxstylestrong{scLogin}}
\sphinxAtStartPar
If scLogin is specified, client certificates with the
Microsoft Smart Card Login EKU (id\sphinxhyphen{}ms\sphinxhyphen{}kp\sphinxhyphen{}sc\sphinxhyphen{}logon) will be
accepted.

\sphinxlineitem{\sphinxstylestrong{none}}
\sphinxAtStartPar
If none is specified, then client certificates will not be
checked to verify they have an acceptable EKU.  The use of
this option is not recommended.

\end{description}

\sphinxlineitem{\sphinxstylestrong{pkinit\_identity}}
\sphinxAtStartPar
Specifies the location of the KDC’s X.509 identity information.
This option is required if pkinit is to be supported by the KDC.

\sphinxlineitem{\sphinxstylestrong{pkinit\_indicator}}
\sphinxAtStartPar
Specifies an authentication indicator to include in the ticket if
pkinit is used to authenticate.  This option may be specified
multiple times.  (New in release 1.14.)

\sphinxlineitem{\sphinxstylestrong{pkinit\_pool}}
\sphinxAtStartPar
Specifies the location of intermediate certificates which may be
used by the KDC to complete the trust chain between a client’s
certificate and a trusted anchor.  This option may be specified
multiple times.

\sphinxlineitem{\sphinxstylestrong{pkinit\_revoke}}
\sphinxAtStartPar
Specifies the location of Certificate Revocation List (CRL)
information to be used by the KDC when verifying the validity of
client certificates.  This option may be specified multiple times.

\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_crl\_checking}}
\sphinxAtStartPar
The default certificate verification process will always check the
available revocation information to see if a certificate has been
revoked.  If a match is found for the certificate in a CRL,
verification fails.  If the certificate being verified is not
listed in a CRL, or there is no CRL present for its issuing CA,
and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification
succeeds.

\sphinxAtStartPar
However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is
no CRL information available for the issuing CA, then verification
fails.

\sphinxAtStartPar
\sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the
policy is such that up\sphinxhyphen{}to\sphinxhyphen{}date CRLs must be present for every CA.

\sphinxlineitem{\sphinxstylestrong{pkinit\_require\_freshness}}
\sphinxAtStartPar
Specifies whether to require clients to include a freshness token
in PKINIT requests.  The default value is false.  (New in release
1.17.)

\end{description}


\subsubsection{Encryption types}
\label{\detokenize{admin/conf_files/kdc_conf:encryption-types}}\label{\detokenize{admin/conf_files/kdc_conf:id6}}
\sphinxAtStartPar
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as “weak” and “deprecated” are available for
compatibility but not recommended for use.


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
des3\sphinxhyphen{}cbc\sphinxhyphen{}raw
&
\sphinxAtStartPar
Triple DES cbc mode raw (weak)
\\
\sphinxhline
\sphinxAtStartPar
des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 des3\sphinxhyphen{}hmac\sphinxhyphen{}sha1 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1\sphinxhyphen{}kd
&
\sphinxAtStartPar
Triple DES cbc mode with HMAC/sha1 (deprecated)
\\
\sphinxhline
\sphinxAtStartPar
aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts aes256\sphinxhyphen{}sha1
&
\sphinxAtStartPar
AES\sphinxhyphen{}256 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC
\\
\sphinxhline
\sphinxAtStartPar
aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts aes128\sphinxhyphen{}sha1
&
\sphinxAtStartPar
AES\sphinxhyphen{}128 CTS mode with 96\sphinxhyphen{}bit SHA\sphinxhyphen{}1 HMAC
\\
\sphinxhline
\sphinxAtStartPar
aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes256\sphinxhyphen{}sha2
&
\sphinxAtStartPar
AES\sphinxhyphen{}256 CTS mode with 192\sphinxhyphen{}bit SHA\sphinxhyphen{}384 HMAC
\\
\sphinxhline
\sphinxAtStartPar
aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 aes128\sphinxhyphen{}sha2
&
\sphinxAtStartPar
AES\sphinxhyphen{}128 CTS mode with 128\sphinxhyphen{}bit SHA\sphinxhyphen{}256 HMAC
\\
\sphinxhline
\sphinxAtStartPar
arcfour\sphinxhyphen{}hmac rc4\sphinxhyphen{}hmac arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5
&
\sphinxAtStartPar
RC4 with HMAC/MD5 (deprecated)
\\
\sphinxhline
\sphinxAtStartPar
arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp rc4\sphinxhyphen{}hmac\sphinxhyphen{}exp arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5\sphinxhyphen{}exp
&
\sphinxAtStartPar
Exportable RC4 with HMAC/MD5 (weak)
\\
\sphinxhline
\sphinxAtStartPar
camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia256\sphinxhyphen{}cts
&
\sphinxAtStartPar
Camellia\sphinxhyphen{}256 CTS mode with CMAC
\\
\sphinxhline
\sphinxAtStartPar
camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts
&
\sphinxAtStartPar
Camellia\sphinxhyphen{}128 CTS mode with CMAC
\\
\sphinxhline
\sphinxAtStartPar
des3
&
\sphinxAtStartPar
The triple DES family: des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1
\\
\sphinxhline
\sphinxAtStartPar
aes
&
\sphinxAtStartPar
The AES family: aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96, aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192, and aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128
\\
\sphinxhline
\sphinxAtStartPar
rc4
&
\sphinxAtStartPar
The RC4 family: arcfour\sphinxhyphen{}hmac
\\
\sphinxhline
\sphinxAtStartPar
camellia
&
\sphinxAtStartPar
The Camellia family: camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac and camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
The string \sphinxstylestrong{DEFAULT} can be used to refer to the default set of
types for the variable in question.  Types or families can be removed
from the current list by prefixing them with a minus sign (“\sphinxhyphen{}“).
Types or families can be prefixed with a plus sign (“+”) for symmetry;
it has the same meaning as just listing the type or family.  For
example, “\sphinxcode{\sphinxupquote{DEFAULT \sphinxhyphen{}rc4}}” would be the default set of encryption
types with RC4 types removed, and “\sphinxcode{\sphinxupquote{des3 DEFAULT}}” would be the
default set of encryption types with triple DES types moved to the
front.

\sphinxAtStartPar
While \sphinxstylestrong{aes128\sphinxhyphen{}cts} and \sphinxstylestrong{aes256\sphinxhyphen{}cts} are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5\sphinxhyphen{}1.3.1 and earlier).  Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.

\sphinxAtStartPar
The \sphinxstylestrong{aes128\sphinxhyphen{}sha2} and \sphinxstylestrong{aes256\sphinxhyphen{}sha2} encryption types are new in
release 1.15.  Services running versions of krb5 without support for
these newer encryption types must not be given keys of these
encryption types in the KDC database.


\subsubsection{Keysalt lists}
\label{\detokenize{admin/conf_files/kdc_conf:keysalt-lists}}\label{\detokenize{admin/conf_files/kdc_conf:id7}}
\sphinxAtStartPar
Kerberos keys for users are usually derived from passwords.  Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype\sphinxhyphen{}salttype (“keysalt”) pairs, known as \sphinxstyleemphasis{keysalt
lists}.  Each keysalt pair is an enctype name followed by a salttype
name, in the format \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt}.  Individual keysalt list members are
separated by comma (“,”) characters or space characters.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}
\end{sphinxVerbatim}

\sphinxAtStartPar
would start up kadmin so that by default it would generate
password\sphinxhyphen{}derived keys for the \sphinxstylestrong{aes256\sphinxhyphen{}cts} and \sphinxstylestrong{aes128\sphinxhyphen{}cts}
encryption types, using a \sphinxstylestrong{normal} salt.

\sphinxAtStartPar
To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt.  The supported salt types are as
follows:


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
normal
&
\sphinxAtStartPar
default for Kerberos Version 5
\\
\sphinxhline
\sphinxAtStartPar
norealm
&
\sphinxAtStartPar
same as the default, without using realm information
\\
\sphinxhline
\sphinxAtStartPar
onlyrealm
&
\sphinxAtStartPar
uses only realm information as the salt
\\
\sphinxhline
\sphinxAtStartPar
special
&
\sphinxAtStartPar
generate a random salt
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}


\subsubsection{Sample kdc.conf File}
\label{\detokenize{admin/conf_files/kdc_conf:sample-kdc-conf-file}}
\sphinxAtStartPar
Here’s an example of a kdc.conf file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
    \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
    \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749}
        \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
        \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s}
        \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
        \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}
        \PYG{n}{database\PYGZus{}module} \PYG{o}{=} \PYG{n}{openldap\PYGZus{}ldapconf}
    \PYG{p}{\PYGZcb{}}

\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]}
    \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{log}
    \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log}

\PYG{p}{[}\PYG{n}{dbdefaults}\PYG{p}{]}
    \PYG{n}{ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn} \PYG{o}{=} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbcontainer}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{mit}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{edu}

\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{openldap\PYGZus{}ldapconf} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{kldap}
        \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true}
        \PYG{n}{ldap\PYGZus{}kdc\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}}
            \PYG{c+c1}{\PYGZsh{} this object needs to have read rights on}
            \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees}
        \PYG{n}{ldap\PYGZus{}kadmind\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}}
            \PYG{c+c1}{\PYGZsh{} this object needs to have read and write rights on}
            \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees}
        \PYG{n}{ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file} \PYG{o}{=} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile}
        \PYG{n}{ldap\PYGZus{}servers} \PYG{o}{=} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
        \PYG{n}{ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server} \PYG{o}{=} \PYG{l+m+mi}{5}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}


\subsubsection{FILES}
\label{\detokenize{admin/conf_files/kdc_conf:files}}
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}}


\subsubsection{SEE ALSO}
\label{\detokenize{admin/conf_files/kdc_conf:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}

\sphinxstepscope


\subsection{kadm5.acl}
\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl}}\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}}\label{\detokenize{admin/conf_files/kadm5_acl::doc}}

\subsubsection{DESCRIPTION}
\label{\detokenize{admin/conf_files/kadm5_acl:description}}
\sphinxAtStartPar
The Kerberos {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.

\sphinxAtStartPar
The default location of the Kerberos ACL file is
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}  unless this is overridden by the \sphinxstyleemphasis{acl\_file}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.


\subsubsection{SYNTAX}
\label{\detokenize{admin/conf_files/kadm5_acl:syntax}}
\sphinxAtStartPar
Empty lines and lines starting with the sharp sign (\sphinxcode{\sphinxupquote{\#}}) are
ignored.  Lines containing ACL entries have the format:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{principal}  \PYG{n}{permissions}  \PYG{p}{[}\PYG{n}{target\PYGZus{}principal}  \PYG{p}{[}\PYG{n}{restrictions}\PYG{p}{]} \PYG{p}{]}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
Line order in the ACL file is important.  The first matching entry
will control access for an actor principal on a target principal.
\end{sphinxadmonition}
\begin{description}
\sphinxlineitem{\sphinxstyleemphasis{principal}}
\sphinxAtStartPar
(Partially or fully qualified Kerberos principal name.) Specifies
the principal whose permissions are to be set.

\sphinxAtStartPar
Each component of the name may be wildcarded using the \sphinxcode{\sphinxupquote{*}}
character.

\sphinxlineitem{\sphinxstyleemphasis{permissions}}
\sphinxAtStartPar
Specifies what operations may or may not be performed by a
\sphinxstyleemphasis{principal} matching a particular entry.  This is a string of one or
more of the following list of characters or their upper\sphinxhyphen{}case
counterparts.  If the character is \sphinxstyleemphasis{upper\sphinxhyphen{}case}, then the operation
is disallowed.  If the character is \sphinxstyleemphasis{lower\sphinxhyphen{}case}, then the operation
is permitted.


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
a
&
\sphinxAtStartPar
{[}Dis{]}allows the addition of principals or policies
\\
\sphinxhline
\sphinxAtStartPar
c
&
\sphinxAtStartPar
{[}Dis{]}allows the changing of passwords for principals
\\
\sphinxhline
\sphinxAtStartPar
d
&
\sphinxAtStartPar
{[}Dis{]}allows the deletion of principals or policies
\\
\sphinxhline
\sphinxAtStartPar
e
&
\sphinxAtStartPar
{[}Dis{]}allows the extraction of principal keys
\\
\sphinxhline
\sphinxAtStartPar
i
&
\sphinxAtStartPar
{[}Dis{]}allows inquiries about principals or policies
\\
\sphinxhline
\sphinxAtStartPar
l
&
\sphinxAtStartPar
{[}Dis{]}allows the listing of all principals or policies
\\
\sphinxhline
\sphinxAtStartPar
m
&
\sphinxAtStartPar
{[}Dis{]}allows the modification of principals or policies
\\
\sphinxhline
\sphinxAtStartPar
p
&
\sphinxAtStartPar
{[}Dis{]}allows the propagation of the principal database (used in {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}})
\\
\sphinxhline
\sphinxAtStartPar
s
&
\sphinxAtStartPar
{[}Dis{]}allows the explicit setting of the key for a principal
\\
\sphinxhline
\sphinxAtStartPar
x
&
\sphinxAtStartPar
Short for admcilsp. All privileges (except \sphinxcode{\sphinxupquote{e}})
\\
\sphinxhline
\sphinxAtStartPar
*
&
\sphinxAtStartPar
Same as x.
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\end{description}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The \sphinxcode{\sphinxupquote{extract}} privilege is not included in the wildcard
privilege; it must be explicitly assigned.  This privilege
allows the user to extract keys from the database, and must be
handled with great care to avoid disclosure of important keys
like those of the kadmin/* or krbtgt/* principals.  The
\sphinxstylestrong{lockdown\_keys} principal attribute can be used to prevent
key extraction from specific principals regardless of the
granted privilege.
\end{sphinxadmonition}
\begin{description}
\sphinxlineitem{\sphinxstyleemphasis{target\_principal}}
\sphinxAtStartPar
(Optional. Partially or fully qualified Kerberos principal name.)
Specifies the principal on which \sphinxstyleemphasis{permissions} may be applied.
Each component of the name may be wildcarded using the \sphinxcode{\sphinxupquote{*}}
character.

\sphinxAtStartPar
\sphinxstyleemphasis{target\_principal} can also include back\sphinxhyphen{}references to \sphinxstyleemphasis{principal},
in which \sphinxcode{\sphinxupquote{*number}} matches the corresponding wildcard in
\sphinxstyleemphasis{principal}.

\sphinxlineitem{\sphinxstyleemphasis{restrictions}}
\sphinxAtStartPar
(Optional) A string of flags. Allowed restrictions are:
\begin{quote}
\begin{description}
\sphinxlineitem{\{+|\sphinxhyphen{}\}\sphinxstyleemphasis{flagname}}
\sphinxAtStartPar
flag is forced to the indicated value.  The permissible flags
are the same as those for the \sphinxstylestrong{default\_principal\_flags}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstyleemphasis{\sphinxhyphen{}clearpolicy}}
\sphinxAtStartPar
policy is forced to be empty.

\sphinxlineitem{\sphinxstyleemphasis{\sphinxhyphen{}policy pol}}
\sphinxAtStartPar
policy is forced to be \sphinxstyleemphasis{pol}.

\sphinxlineitem{\sphinxhyphen{}\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) associated value will be forced to
MIN(\sphinxstyleemphasis{time}, requested value).

\end{description}
\end{quote}

\sphinxAtStartPar
The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.

\end{description}

\begin{sphinxadmonition}{warning}{Warning:}
\sphinxAtStartPar
If the kadmind ACL file is modified, the kadmind daemon needs to be
restarted for changes to take effect.
\end{sphinxadmonition}


\subsubsection{EXAMPLE}
\label{\detokenize{admin/conf_files/kadm5_acl:example}}
\sphinxAtStartPar
Here is an example of a kadm5.acl file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{o}{*}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}    \PYG{o}{*}                               \PYG{c+c1}{\PYGZsh{} line 1}
\PYG{n}{joeadmin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}   \PYG{n}{ADMCIL}                          \PYG{c+c1}{\PYGZsh{} line 2}
\PYG{n}{joeadmin}\PYG{o}{/}\PYG{o}{*}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{i}   \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}       \PYG{c+c1}{\PYGZsh{} line 3}
\PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}     \PYG{n}{ci}  \PYG{o}{*}\PYG{l+m+mi}{1}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}           \PYG{c+c1}{\PYGZsh{} line 4}
\PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}     \PYG{n}{l}   \PYG{o}{*}                           \PYG{c+c1}{\PYGZsh{} line 5}
\PYG{n}{sms}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}        \PYG{n}{x}   \PYG{o}{*} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+m+mi}{9}\PYG{n}{h} \PYG{o}{\PYGZhy{}}\PYG{n}{postdateable} \PYG{c+c1}{\PYGZsh{} line 6}
\end{sphinxVerbatim}

\sphinxAtStartPar
(line 1) Any principal in the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} realm with an
\sphinxcode{\sphinxupquote{admin}} instance has all administrative privileges except extracting
keys.

\sphinxAtStartPar
(lines 1\sphinxhyphen{}3) The user \sphinxcode{\sphinxupquote{joeadmin}} has all permissions except
extracting keys with his \sphinxcode{\sphinxupquote{admin}} instance,
\sphinxcode{\sphinxupquote{joeadmin/admin@ATHENA.MIT.EDU}} (matches line 1).  He has no
permissions at all with his null instance, \sphinxcode{\sphinxupquote{joeadmin@ATHENA.MIT.EDU}}
(matches line 2).  His \sphinxcode{\sphinxupquote{root}} and other non\sphinxhyphen{}\sphinxcode{\sphinxupquote{admin}}, non\sphinxhyphen{}null
instances (e.g., \sphinxcode{\sphinxupquote{extra}} or \sphinxcode{\sphinxupquote{dbadmin}}) have inquire permissions
with any principal that has the instance \sphinxcode{\sphinxupquote{root}} (matches line 3).

\sphinxAtStartPar
(line 4) Any \sphinxcode{\sphinxupquote{root}} principal in \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} can inquire
or change the password of their null instance, but not any other
null instance.  (Here, \sphinxcode{\sphinxupquote{*1}} denotes a back\sphinxhyphen{}reference to the
component matching the first wildcard in the actor principal.)

\sphinxAtStartPar
(line 5) Any \sphinxcode{\sphinxupquote{root}} principal in \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} can generate
the list of principals in the database, and the list of policies
in the database.  This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.

\sphinxAtStartPar
(line 6) Finally, the Service Management System principal
\sphinxcode{\sphinxupquote{sms@ATHENA.MIT.EDU}} has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.


\subsubsection{MODULE BEHAVIOR}
\label{\detokenize{admin/conf_files/kadm5_acl:module-behavior}}
\sphinxAtStartPar
The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-auth}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5\_auth interface}}}} section of
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.

\sphinxAtStartPar
To operate without an ACL file, set the \sphinxstyleemphasis{acl\_file} variable in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to the empty string with \sphinxcode{\sphinxupquote{acl\_file = ""}}.


\subsubsection{SEE ALSO}
\label{\detokenize{admin/conf_files/kadm5_acl:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}

\sphinxstepscope


\chapter{Realm configuration decisions}
\label{\detokenize{admin/realm_config:realm-configuration-decisions}}\label{\detokenize{admin/realm_config::doc}}
\sphinxAtStartPar
Before installing Kerberos V5, it is necessary to consider the
following issues:
\begin{itemize}
\item {} 
\sphinxAtStartPar
The name of your Kerberos realm (or the name of each realm, if you
need more than one).

\item {} 
\sphinxAtStartPar
How you will assign your hostnames to Kerberos realms.

\item {} 
\sphinxAtStartPar
Which ports your KDC and and kadmind services will use, if they will
not be using the default ports.

\item {} 
\sphinxAtStartPar
How many replica KDCs you need and where they should be located.

\item {} 
\sphinxAtStartPar
The hostnames of your primary and replica KDCs.

\item {} 
\sphinxAtStartPar
How frequently you will propagate the database from the primary KDC
to the replica KDCs.

\end{itemize}


\section{Realm name}
\label{\detokenize{admin/realm_config:realm-name}}
\sphinxAtStartPar
Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper\sphinxhyphen{}case letters.

\sphinxAtStartPar
For example, hosts in the domain \sphinxcode{\sphinxupquote{example.com}} would be in the
Kerberos realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you need multiple Kerberos realms, MIT recommends that you use
descriptive names which end with your domain name, such as:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\end{sphinxVerbatim}


\section{Mapping hostnames onto Kerberos realms}
\label{\detokenize{admin/realm_config:mapping-hostnames-onto-kerberos-realms}}\label{\detokenize{admin/realm_config:mapping-hostnames}}
\sphinxAtStartPar
Mapping hostnames onto Kerberos realms is done in one of three ways.

\sphinxAtStartPar
The first mechanism works through a set of rules in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  You can specify
mappings for an entire domain or on a per\sphinxhyphen{}hostname basis.  Typically
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.

\sphinxAtStartPar
The second mechanism is to use KDC host\sphinxhyphen{}based service referrals.  With
this method, the KDC’s krb5.conf has a full {[}domain\_realm{]} mapping for
hosts, but the clients do not, or have mappings for only a subset of
the hosts they might contact.  When a client needs to contact a server
host for which it has no mapping, it will ask the client realm’s KDC
for the service ticket, and will receive a referral to the appropriate
service realm.

\sphinxAtStartPar
To use referrals, clients must be running MIT krb5 1.6 or later, and
the KDC must be running MIT krb5 1.7 or later.  The
\sphinxstylestrong{host\_based\_services} and \sphinxstylestrong{no\_host\_referral} variables in the
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} can be used to
fine\sphinxhyphen{}tune referral behavior on the KDC.

\sphinxAtStartPar
It is also possible for clients to use DNS TXT records, if
\sphinxstylestrong{dns\_lookup\_realm} is enabled in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Such lookups
are disabled by default because DNS is an insecure protocol and security
holes could result if DNS records are spoofed.  If enabled, the client
will try to look up a TXT record formed by prepending the prefix
\sphinxcode{\sphinxupquote{\_kerberos}} to the hostname in question.  If that record is not
found, the client will attempt a lookup by prepending \sphinxcode{\sphinxupquote{\_kerberos}} to the
host’s domain name, then its parent domain, up to the top\sphinxhyphen{}level domain.
For the hostname \sphinxcode{\sphinxupquote{boston.engineering.example.com}}, the names looked up
would be:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com}
\end{sphinxVerbatim}

\sphinxAtStartPar
The value of the first TXT record found is taken as the realm name.

\sphinxAtStartPar
Even if you do not choose to use this mechanism within your site,
you may wish to set it up anyway, for use when interacting with other sites.


\section{Ports for the KDC and admin services}
\label{\detokenize{admin/realm_config:ports-for-the-kdc-and-admin-services}}
\sphinxAtStartPar
The default ports used by Kerberos are port 88 for the KDC and port
749 for the admin server.  You can, however, choose to run on other
ports, as long as they are specified in each host’s
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} files or in DNS SRV records, and the
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file on each KDC.  For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the
{\hyperref[\detokenize{admin/appl_servers:conf-firewall}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring your firewall to work with Kerberos V5}}}}.


\section{Replica KDCs}
\label{\detokenize{admin/realm_config:replica-kdcs}}
\sphinxAtStartPar
Replica KDCs provide an additional source of Kerberos ticket\sphinxhyphen{}granting
services in the event of inaccessibility of the primary KDC.  The
number of replica KDCs you need and the decision of where to place them,
both physically and logically, depends on the specifics of your
network.

\sphinxAtStartPar
Kerberos authentication requires that each client be able to contact a
KDC.  Therefore, you need to anticipate any likely reason a KDC might
be unavailable and have a replica KDC to take up the slack.

\sphinxAtStartPar
Some considerations include:
\begin{itemize}
\item {} 
\sphinxAtStartPar
Have at least one replica KDC as a backup, for when the primary KDC
is down, is being upgraded, or is otherwise unavailable.

\item {} 
\sphinxAtStartPar
If your network is split such that a network outage is likely to
cause a network partition (some segment or segments of the network
to become cut off or isolated from other segments), have a replica
KDC accessible to each segment.

\item {} 
\sphinxAtStartPar
If possible, have at least one replica KDC in a different building
from the primary, in case of power outages, fires, or other
localized disasters.

\end{itemize}


\section{Hostnames for KDCs}
\label{\detokenize{admin/realm_config:hostnames-for-kdcs}}\label{\detokenize{admin/realm_config:kdc-hostnames}}
\sphinxAtStartPar
MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as \sphinxcode{\sphinxupquote{kerberos}} for the primary KDC and
\sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}1}}, \sphinxcode{\sphinxupquote{kerberos\sphinxhyphen{}2}}, … for the replica KDCs.  This way,
if you need to swap a machine, you only need to change a DNS entry,
rather than having to change hostnames.

\sphinxAtStartPar
As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS
using SRV records (\index{RFC@\spxentry{RFC}!RFC 2782@\spxentry{RFC 2782}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is
also a DNS domain name.  These records indicate the hostname and port
number to contact for that service, optionally with weighting and
prioritization.  The domain name used in the SRV record name is the
realm name.  Several different Kerberos\sphinxhyphen{}related service names are
used:
\begin{description}
\sphinxlineitem{\_kerberos.\_udp}
\sphinxAtStartPar
This is for contacting any KDC by UDP.  This entry will be used
the most often.  Normally you should list port 88 on each of your
KDCs.

\sphinxlineitem{\_kerberos.\_tcp}
\sphinxAtStartPar
This is for contacting any KDC by TCP.  Normally you should use
port 88.  This entry should be omitted if the KDC does not listen
on TCP ports, as was the default prior to release 1.13.

\sphinxlineitem{\_kerberos\sphinxhyphen{}master.\_udp}
\sphinxAtStartPar
This entry should refer to those KDCs, if any, that will
immediately see password changes to the Kerberos database.  If a
user is logging in and the password appears to be incorrect, the
client will retry with the primary KDC before failing with an
“incorrect password” error given.

\sphinxAtStartPar
If you have only one KDC, or for whatever reason there is no
accessible KDC that would get database changes faster than the
others, you do not need to define this entry.

\sphinxlineitem{\_kerberos\sphinxhyphen{}adm.\_tcp}
\sphinxAtStartPar
This should list port 749 on your primary KDC.  Support for it is
not complete at this time, but it will eventually be used by the
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program and related utilities.  For now, you will
also need the \sphinxstylestrong{admin\_server} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.

\sphinxlineitem{\_kerberos\sphinxhyphen{}master.\_tcp}
\sphinxAtStartPar
The corresponding TCP port for \_kerberos\sphinxhyphen{}master.\_udp, assuming the
primary KDC listens on a TCP port.

\sphinxlineitem{\_kpasswd.\_udp}
\sphinxAtStartPar
This entry should list port 464 on your primary KDC.  It is used
when a user changes her password.  If this entry is not defined
but a \_kerberos\sphinxhyphen{}adm.\_tcp entry is defined, the client will use the
\_kerberos\sphinxhyphen{}adm.\_tcp entry with the port number changed to 464.

\sphinxlineitem{\_kpasswd.\_tcp}
\sphinxAtStartPar
The corresponding TCP port for \_kpasswd.\_udp.

\end{description}

\sphinxAtStartPar
The DNS SRV specification requires that the hostnames listed be the
canonical names, not aliases.  So, for example, you might include the
following records in your (BIND\sphinxhyphen{}style) zone file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{}ORIGIN foobar.com.
\PYGZus{}kerberos               TXT       \PYGZdq{}FOOBAR.COM\PYGZdq{}
kerberos                CNAME     daisy
kerberos\PYGZhy{}1              CNAME     use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke
kerberos\PYGZhy{}2              CNAME     bunny\PYGZhy{}rabbit
\PYGZus{}kerberos.\PYGZus{}udp          SRV       0 0 88 daisy
                        SRV       0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke
                        SRV       0 0 88 bunny\PYGZhy{}rabbit
\PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp   SRV       0 0 88 daisy
\PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp      SRV       0 0 749 daisy
\PYGZus{}kpasswd.\PYGZus{}udp           SRV       0 0 464 daisy
\end{sphinxVerbatim}

\sphinxAtStartPar
Clients can also be configured with the explicit location of services
using the \sphinxstylestrong{kdc}, \sphinxstylestrong{master\_kdc}, \sphinxstylestrong{admin\_server}, and
\sphinxstylestrong{kpasswd\_server} variables in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Even if some clients will be configured with
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.

\sphinxAtStartPar
Clients can be configured with the \sphinxstylestrong{sitename} realm variable (new in
release 1.22).  If a site name is set, the client first attempts SRV
record lookups with “.*sitename*.\_sites” inserted after the service
and protocol name and before the Kerberos realm.  Site\sphinxhyphen{}specific
records may indicate servers more proximal to the client, allowing for
faster access.


\section{KDC Discovery}
\label{\detokenize{admin/realm_config:kdc-discovery}}\label{\detokenize{admin/realm_config:id1}}
\sphinxAtStartPar
As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
records (\index{RFC@\spxentry{RFC}!RFC 7553@\spxentry{RFC 7553}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}).  Limitations with the SRV record format may
result in extra DNS queries in situations where a client must failover
to other transport types, or find a primary server.  The URI record
can convey more information about a realm’s KDCs with a single query.

\sphinxAtStartPar
The client performs a query for the following URI records:
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{\_kerberos.REALM}} for finding KDCs.

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{\_kerberos\sphinxhyphen{}adm.REALM}} for finding kadmin services.

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{\_kpasswd.REALM}} for finding password services.

\end{itemize}

\sphinxAtStartPar
The URI record includes a priority, weight, and a URI string that
consists of case\sphinxhyphen{}insensitive colon separated fields, in the form
\sphinxcode{\sphinxupquote{scheme:{[}flags{]}:transport:residual}}.
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxstyleemphasis{scheme} defines the registered URI type.  It should always be
\sphinxcode{\sphinxupquote{krb5srv}}.

\item {} 
\sphinxAtStartPar
\sphinxstyleemphasis{flags} contains zero or more flag characters.  Currently the only
valid flag is \sphinxcode{\sphinxupquote{m}}, which indicates that the record is for a
primary server.

\item {} 
\sphinxAtStartPar
\sphinxstyleemphasis{transport} defines the transport type of the residual URL or
address.  Accepted values are \sphinxcode{\sphinxupquote{tcp}}, \sphinxcode{\sphinxupquote{udp}}, or \sphinxcode{\sphinxupquote{kkdcp}} for the
MS\sphinxhyphen{}KKDCP type.

\item {} 
\sphinxAtStartPar
\sphinxstyleemphasis{residual} contains the hostname, IP address, or URL to be
contacted using the specified transport, with an optional port
extension.  The MS\sphinxhyphen{}KKDCP transport type uses a HTTPS URL, and can
include a port and/or path extension.

\end{itemize}

\sphinxAtStartPar
An example of URI records in a zone file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}  \PYG{n}{URI}  \PYG{l+m+mi}{10} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{tcp}\PYG{p}{:}\PYG{n}{kdc1}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}
                       \PYG{n}{URI}  \PYG{l+m+mi}{20} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{n}{kdc2}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{p}{:}\PYG{l+m+mi}{89}
                       \PYG{n}{URI}  \PYG{l+m+mi}{40} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{l+m+mf}{10.10}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.23}
                       \PYG{n}{URI}  \PYG{l+m+mi}{30} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{kkdcp}\PYG{p}{:}\PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{proxy}\PYG{p}{:}\PYG{l+m+mi}{89}\PYG{o}{/}\PYG{n}{auth}
\end{sphinxVerbatim}

\sphinxAtStartPar
URI lookups are enabled by default, and can be disabled by setting
\sphinxstylestrong{dns\_uri\_lookup} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section of
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} to False.  When enabled, URI lookups take
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.

\sphinxAtStartPar
The \sphinxstylestrong{sitename} variable in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to URI lookups as well as SRV lookups.


\section{Database propagation}
\label{\detokenize{admin/realm_config:database-propagation}}\label{\detokenize{admin/realm_config:db-prop}}
\sphinxAtStartPar
The Kerberos database resides on the primary KDC, and must be
propagated regularly (usually by a cron job) to the replica KDCs.  In
deciding how frequently the propagation should happen, you will need
to balance the amount of time the propagation takes against the
maximum reasonable amount of time a user should have to wait for a
password change to take effect.

\sphinxAtStartPar
If the propagation time is longer than this maximum reasonable time
(e.g., you have a particularly large database, you have a lot of
replicas, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel.  To do this, have the primary KDC propagate the database to
one set of replicas, and then have each of these replicas propagate
the database to additional replicas.

\sphinxAtStartPar
See also {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}

\sphinxstepscope


\chapter{Database administration}
\label{\detokenize{admin/database:database-administration}}\label{\detokenize{admin/database::doc}}
\sphinxAtStartPar
A Kerberos database contains all of a realm’s Kerberos principals,
their passwords, and other administrative information about each
principal.  For the most part, you will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}
program to manipulate the Kerberos database as a whole, and the
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to make changes to the entries in the
database.  (One notable exception is that users will use the
\DUrole{xref,std,std-ref}{kpasswd(1)} program to change their own passwords.)  The kadmin
program has its own command\sphinxhyphen{}line interface, to which you type the
database administrating commands.

\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} provides a means to create, delete, load, or dump
a Kerberos database.  It also contains commands to roll over the
database master key, and to stash a copy of the key so that the
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} and {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemons can use the database
without manual input.

\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} provides for the maintenance of Kerberos principals,
password policies, and service key tables (keytabs).  Normally it
operates as a network client using Kerberos authentication to
communicate with {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, but there is also a variant, named
kadmin.local, which directly accesses the Kerberos database on the
local filesystem (or through LDAP).  kadmin.local is necessary to set
up enough of the database to be able to use the remote version.

\sphinxAtStartPar
kadmin can authenticate to the admin server using the service
principal \sphinxcode{\sphinxupquote{kadmin/admin}} or \sphinxcode{\sphinxupquote{kadmin/HOST}} (where \sphinxstyleemphasis{HOST} is the
hostname of the admin server).  If the credentials cache contains a
ticket for either service principal and the \sphinxstylestrong{\sphinxhyphen{}c} ccache option is
specified, that ticket is used to authenticate to KADM5.  Otherwise,
the \sphinxstylestrong{\sphinxhyphen{}p} and \sphinxstylestrong{\sphinxhyphen{}k} options are used to specify the client Kerberos
principal name used to authenticate.  Once kadmin has determined the
principal name, it requests a \sphinxcode{\sphinxupquote{kadmin/admin}} Kerberos service ticket
from the KDC, and uses that service ticket to authenticate to KADM5.

\sphinxAtStartPar
See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for the available kadmin and kadmin.local
commands and options.


\section{Principals}
\label{\detokenize{admin/database:principals}}\label{\detokenize{admin/database:id1}}
\sphinxAtStartPar
Each entry in the Kerberos database contains a Kerberos principal and
the attributes and policies associated with that principal.

\sphinxAtStartPar
To add a principal to the database, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}
\sphinxstylestrong{add\_principal} command.  User principals should usually be created
with the \sphinxcode{\sphinxupquote{+requires\_preauth \sphinxhyphen{}allow\_svr}} options to help mitigate
dictionary attacks (see {\hyperref[\detokenize{admin/dictionary:dictionary}]{\sphinxcrossref{\DUrole{std,std-ref}{Addressing dictionary attack risks}}}}):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{alice}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\end{sphinxVerbatim}

\sphinxAtStartPar
User principals which will authenticate with {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT configuration}}}} should
instead by created with the \sphinxcode{\sphinxupquote{\sphinxhyphen{}nokey}} option:
\begin{quote}

\sphinxAtStartPar
kadmin: addprinc \sphinxhyphen{}nokey alice
\end{quote}

\sphinxAtStartPar
Service principals can be created with the \sphinxcode{\sphinxupquote{\sphinxhyphen{}nokey}} option;
long\sphinxhyphen{}term keys will be added when a keytab is generated:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{nokey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
To modify attributes of an existing principal, use the kadmin
\sphinxstylestrong{modify\_principal} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{n}{tomorrow} \PYG{n}{alice}
\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{alice@KRBTEST.COM}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{modified}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
To delete a principal, use the kadmin \sphinxstylestrong{delete\_principal} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
kadmin: delprinc alice
Are you sure you want to delete the principal \PYGZdq{}alice@KRBTEST.COM\PYGZdq{}? (yes/no): yes
Principal \PYGZdq{}alice@KRBTEST.COM\PYGZdq{} deleted.
Make sure that you have removed this principal from all ACLs before reusing.
\end{sphinxVerbatim}

\sphinxAtStartPar
To change a principal’s password, use the kadmin \sphinxstylestrong{change\_password}
command.  Password changes made through kadmin are subject to the same
password policies as would apply to password changes made through
\DUrole{xref,std,std-ref}{kpasswd(1)}.

\sphinxAtStartPar
To view the attributes of a principal, use the kadmin\textasciigrave{}
\sphinxstylestrong{get\_principal} command.

\sphinxAtStartPar
To generate a listing of principals, use the kadmin
\sphinxstylestrong{list\_principals} command.

\sphinxAtStartPar
To give a principal additional names, use the kadmin \sphinxstylestrong{add\_alias}
command to create aliases to the principal (new in release 1.22).
Aliases can be removed with the \sphinxstylestrong{delete\_principal} command.


\section{Policies}
\label{\detokenize{admin/database:policies}}\label{\detokenize{admin/database:id2}}
\sphinxAtStartPar
A policy is a set of rules governing passwords.  Policies can dictate
minimum and maximum password lifetimes, minimum number of characters
and character classes a password must contain, and the number of old
passwords kept in the database.

\sphinxAtStartPar
To add a new policy, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{add\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addpol} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 year}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{history} \PYG{l+m+mi}{3} \PYG{n}{stduser}
\end{sphinxVerbatim}

\sphinxAtStartPar
To modify attributes of a principal, use the kadmin \sphinxstylestrong{modify\_policy}
command.  To delete a policy, use the kadmin \sphinxstylestrong{delete\_policy}
command.

\sphinxAtStartPar
To associate a policy with a principal, use the kadmin
\sphinxstylestrong{modify\_principal} command with the \sphinxstylestrong{\sphinxhyphen{}policy} option:
\begin{quote}

\sphinxAtStartPar
kadmin: modprinc \sphinxhyphen{}policy stduser alice
Principal “\sphinxhref{mailto:alice@KRBTEST.COM}{alice@KRBTEST.COM}” modified.
\end{quote}

\sphinxAtStartPar
A principal entry may be associated with a nonexistent policy, either
because the policy did not exist at the time of associated or was
deleted afterwards.  kadmin will warn when associated a principal with
a nonexistent policy, and will annotate the policy name with “{[}does
not exist{]}” in the \sphinxstylestrong{get\_principal} output.


\subsection{Updating the history key}
\label{\detokenize{admin/database:updating-the-history-key}}\label{\detokenize{admin/database:updating-history-key}}
\sphinxAtStartPar
If a policy specifies a number of old keys kept of two or more, the
stored old keys are encrypted in a history key, which is found in the
key data of the \sphinxcode{\sphinxupquote{kadmin/history}} principal.

\sphinxAtStartPar
Currently there is no support for proper rollover of the history key,
but you can change the history key (for example, to use a better
encryption type) at the cost of invalidating currently stored old
keys.  To change the history key, run:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{history}
\end{sphinxVerbatim}

\sphinxAtStartPar
This command will fail if you specify the \sphinxstylestrong{\sphinxhyphen{}keepold} flag.  Only one
new history key will be created, even if you specify multiple key/salt
combinations.

\sphinxAtStartPar
In the future, we plan to migrate towards encrypting old keys in the
master key instead of the history key, and implementing proper
rollover support for stored old keys.


\section{Privileges}
\label{\detokenize{admin/database:privileges}}\label{\detokenize{admin/database:id3}}
\sphinxAtStartPar
Administrative privileges for the Kerberos database are stored in the
file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
A common use of an admin instance is so you can grant
separate permissions (such as administrator access to the
Kerberos database) to a separate Kerberos principal. For
example, the user \sphinxcode{\sphinxupquote{joeadmin}} might have a principal for
his administrative use, called \sphinxcode{\sphinxupquote{joeadmin/admin}}.  This
way, \sphinxcode{\sphinxupquote{joeadmin}} would obtain \sphinxcode{\sphinxupquote{joeadmin/admin}} tickets
only when he actually needs to use those permissions.
\end{sphinxadmonition}


\section{Operations on the Kerberos database}
\label{\detokenize{admin/database:operations-on-the-kerberos-database}}\label{\detokenize{admin/database:db-operations}}
\sphinxAtStartPar
The {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command is the primary tool for administrating
the Kerberos database when using the DB2 or LMDB modules (see
{\hyperref[\detokenize{admin/dbtypes:dbtypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Database types}}}}).  Creating a database is described in
{\hyperref[\detokenize{admin/install_kdc:create-db}]{\sphinxcrossref{\DUrole{std,std-ref}{Create the KDC database}}}}.

\sphinxAtStartPar
To create a stash file using the master password (because the database
was not created with one using the \sphinxcode{\sphinxupquote{create \sphinxhyphen{}s}} flag, or after
restoring from a backup which did not contain the stash file), use the
kdb5\_util \sphinxstylestrong{stash} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util stash
kdb5\PYGZus{}util: Cannot find/read stored master key while reading master key
kdb5\PYGZus{}util: Warning: proceeding without master key
Enter KDC database master key:  \PYGZlt{}= Type the KDC database master password.
\end{sphinxVerbatim}

\sphinxAtStartPar
To destroy a database, use the kdb5\_util destroy command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util destroy
Deleting KDC database stored in \PYGZsq{}/var/krb5kdc/principal\PYGZsq{}, are you sure?
(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes
OK, deleting database \PYGZsq{}/var/krb5kdc/principal\PYGZsq{}...
** Database \PYGZsq{}/var/krb5kdc/principal\PYGZsq{} destroyed.
\end{sphinxVerbatim}


\subsection{Dumping and loading a Kerberos database}
\label{\detokenize{admin/database:dumping-and-loading-a-kerberos-database}}\label{\detokenize{admin/database:restore-from-dump}}
\sphinxAtStartPar
To dump a Kerberos database into a text file for backup or transfer
purposes, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{dump} command on one of the
KDCs:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util dump dumpfile

\PYGZdl{} kbd5\PYGZus{}util dump \PYGZhy{}verbose dumpfile
kadmin/admin@ATHENA.MIT.EDU
krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
kadmin/history@ATHENA.MIT.EDU
K/M@ATHENA.MIT.EDU
kadmin/changepw@ATHENA.MIT.EDU
\end{sphinxVerbatim}

\sphinxAtStartPar
You may specify which principals to dump, using full principal names
including realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util dump \PYGZhy{}verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
kadmin/admin@ATHENA.MIT.EDU
K/M@ATHENA.MIT.EDU
\end{sphinxVerbatim}

\sphinxAtStartPar
To restore a Kerberos database dump from a file, use the
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{load} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util load dumpfile
\end{sphinxVerbatim}

\sphinxAtStartPar
To update an existing database with a partial dump file containing
only some principals, use the \sphinxcode{\sphinxupquote{\sphinxhyphen{}update}} flag:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util load \PYGZhy{}update someprincs
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
If the database file exists, and the \sphinxstyleemphasis{\sphinxhyphen{}update} flag was not
given, \sphinxstyleemphasis{kdb5\_util} will overwrite the existing database.
\end{sphinxadmonition}


\subsection{Updating the master key}
\label{\detokenize{admin/database:updating-the-master-key}}\label{\detokenize{admin/database:updating-master-key}}
\sphinxAtStartPar
Starting with release 1.7, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} allows the master key
to be changed using a rollover process, with minimal loss of
availability.  To roll over the master key, follow these steps:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util list\_mkeys}} to view the
current master key version number (KVNO).  If you have never rolled
over the master key before, this will likely be version 1:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util list\PYGZus{}mkeys
Master keys for Principal: K/M@KRBTEST.COM
KVNO: 1, Enctype: aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util use\_mkey 1}} to ensure that a
master key activation list is present in the database.  This step
is unnecessary in release 1.11.4 or later, or if the database was
initially created with release 1.7 or later.

\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util add\_mkey \sphinxhyphen{}s}} to create a new
master key and write it to the stash file.  Enter a secure password
when prompted.  If this is the first time you are changing the
master key, the new key will have version 2.  The new master key
will not be used until you make it active.

\item {} 
\sphinxAtStartPar
Propagate the database to all replica KDCs, either manually or by
waiting until the next scheduled propagation.  If you do not have
any replica KDCs, you can skip this and the next step.

\item {} 
\sphinxAtStartPar
On each replica KDC, run \sphinxcode{\sphinxupquote{kdb5\_util list\_mkeys}} to verify that
the new master key is present, and then \sphinxcode{\sphinxupquote{kdb5\_util stash}} to
write the new master key to the replica KDC’s stash file.

\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util use\_mkey 2}} to begin using the
new master key.  Replace \sphinxcode{\sphinxupquote{2}} with the version of the new master
key, as appropriate.  You can optionally specify a date for the new
master key to become active; by default, it will become active
immediately.  Prior to release 1.12, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} must be
restarted for this change to take full effect.

\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util update\_princ\_encryption}}.
This command will iterate over the database and re\sphinxhyphen{}encrypt all keys
in the new master key.  If the database is large and uses DB2, the
primary KDC will become unavailable while this command runs, but
clients should fail over to replica KDCs (if any are present)
during this time period.  In release 1.13 and later, you can
instead run \sphinxcode{\sphinxupquote{kdb5\_util \sphinxhyphen{}x unlockiter update\_princ\_encryption}} to
use unlocked iteration; this variant will take longer, but will
keep the database available to the KDC and kadmind while it runs.

\item {} 
\sphinxAtStartPar
Wait until the above changes have propagated to all replica KDCs
and until all running KDC and kadmind processes have serviced
requests using updated principal entries.

\item {} 
\sphinxAtStartPar
On the primary KDC, run \sphinxcode{\sphinxupquote{kdb5\_util purge\_mkeys}} to clean up the
old master key.

\end{enumerate}


\section{Operations on the LDAP database}
\label{\detokenize{admin/database:operations-on-the-ldap-database}}\label{\detokenize{admin/database:ops-on-ldap}}
\sphinxAtStartPar
The {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} command is the primary tool for
administrating the Kerberos database when using the LDAP module.
Creating an LDAP Kerberos database is describe in {\hyperref[\detokenize{admin/conf_ldap:conf-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end}}}}.

\sphinxAtStartPar
To view a list of realms in the LDAP database, use the kdb5\_ldap\_util
\sphinxstylestrong{list} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util list
KRBTEST.COM
\end{sphinxVerbatim}

\sphinxAtStartPar
To modify the attributes of a realm, use the kdb5\_ldap\_util \sphinxstylestrong{modify}
command.  For example, to change the default realm’s maximum ticket
life:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util modify \PYGZhy{}maxtktlife \PYGZdq{}10 hours\PYGZdq{}
\end{sphinxVerbatim}

\sphinxAtStartPar
To display the attributes of a realm, use the kdb5\_ldap\_util \sphinxstylestrong{view}
command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util view
               Realm Name: KRBTEST.COM
      Maximum Ticket Life: 0 days 00:10:00
\end{sphinxVerbatim}

\sphinxAtStartPar
To remove a realm from the LDAP database, destroying its contents, use
the kdb5\_ldap\_util \sphinxstylestrong{destroy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util destroy
Deleting KDC database of \PYGZsq{}KRBTEST.COM\PYGZsq{}, are you sure?
(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes
OK, deleting database of \PYGZsq{}KRBTEST.COM\PYGZsq{}...
** Database of \PYGZsq{}KRBTEST.COM\PYGZsq{} destroyed.
\end{sphinxVerbatim}


\subsection{Ticket Policy operations}
\label{\detokenize{admin/database:ticket-policy-operations}}
\sphinxAtStartPar
Unlike the DB2 and LMDB modules, the LDAP module supports ticket
policy objects, which can be associated with principals to restrict
maximum ticket lifetimes and set mandatory principal flags.  Ticket
policy objects are distinct from the password policies described
earlier on this page, and are chiefly managed through kdb5\_ldap\_util
rather than kadmin.  To create a new ticket policy, use the
kdb5\_ldap\_util \sphinxstylestrong{create\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util create\PYGZus{}policy \PYGZhy{}maxrenewlife \PYGZdq{}2 days\PYGZdq{} users
\end{sphinxVerbatim}

\sphinxAtStartPar
To associate a ticket policy with a principal, use the
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{modify\_principal} (or \sphinxstylestrong{add\_principal}) command
with the \sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy} option:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kadmin.local modprinc \PYGZhy{}x tktpolicy=users alice
\end{sphinxVerbatim}

\sphinxAtStartPar
To remove a ticket policy reference from a principal, use the same
command with an empty \sphinxstyleemphasis{policy}:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kadmin.local modprinc \PYGZhy{}x tktpolicy= alice
\end{sphinxVerbatim}

\sphinxAtStartPar
To list the existing ticket policy objects, use the kdb5\_ldap\_util
\sphinxstylestrong{list\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util list\PYGZus{}policy
users
\end{sphinxVerbatim}

\sphinxAtStartPar
To modify the attributes of a ticket policy object, use the
kdb5\_ldap\_util \sphinxstylestrong{modify\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util modify\PYGZus{}policy \PYGZhy{}allow\PYGZus{}svr +requires\PYGZus{}preauth users
\end{sphinxVerbatim}

\sphinxAtStartPar
To view the attributes of a ticket policy object, use the
kdb5\_ldap\_util \sphinxstylestrong{view\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util view\PYGZus{}policy users
            Ticket policy: users
   Maximum renewable life: 2 days 00:00:00
             Ticket flags: REQUIRES\PYGZus{}PRE\PYGZus{}AUTH DISALLOW\PYGZus{}SVR
\end{sphinxVerbatim}

\sphinxAtStartPar
To destroy an ticket policy object, use the kdb5\_ldap\_util
\sphinxstylestrong{destroy\_policy} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}ldap\PYGZus{}util destroy\PYGZus{}policy users
This will delete the policy object \PYGZsq{}users\PYGZsq{}, are you sure?
(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes
** policy object \PYGZsq{}users\PYGZsq{} deleted.
\end{sphinxVerbatim}


\section{Cross\sphinxhyphen{}realm authentication}
\label{\detokenize{admin/database:cross-realm-authentication}}\label{\detokenize{admin/database:xrealm-authn}}
\sphinxAtStartPar
In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
In both databases, there must be krbtgt service principals for both realms.
For example, if you need to do cross\sphinxhyphen{}realm authentication between the realms
\sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} and \sphinxcode{\sphinxupquote{EXAMPLE.COM}}, you would need to add the
principals \sphinxcode{\sphinxupquote{krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU}} and
\sphinxcode{\sphinxupquote{krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM}} to both databases.
These principals must all have the same passwords, key version
numbers, and encryption types; this may require explicitly setting
the key version number with the \sphinxstylestrong{\sphinxhyphen{}kvno} option.

\sphinxAtStartPar
In the ATHENA.MIT.EDU and EXAMPLE.COM cross\sphinxhyphen{}realm case, the administrators
would run the following commands on the KDCs in both realms:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}\PYG{p}{:} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{aes256\PYGZhy{}cts:normal}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
Even if most principals in a realm are generally created
with the \sphinxstylestrong{requires\_preauth} flag enabled, this flag is not
desirable on cross\sphinxhyphen{}realm authentication keys because doing
so makes it impossible to disable preauthentication on a
service\sphinxhyphen{}by\sphinxhyphen{}service basis.  Disabling it as in the example
above is recommended.
\end{sphinxadmonition}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
It is very important that these principals have good
passwords.  MIT recommends that TGT principal passwords be
at least 26 characters of random ASCII text.
\end{sphinxadmonition}


\section{Changing the krbtgt key}
\label{\detokenize{admin/database:changing-the-krbtgt-key}}\label{\detokenize{admin/database:changing-krbtgt-key}}
\sphinxAtStartPar
A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
principal \sphinxcode{\sphinxupquote{krbtgt/REALM}}.  The key for this principal is created
when the Kerberos database is initialized and need not be changed.
However, it will only have the encryption types supported by the KDC
at the time of the initial database creation.  To allow use of newer
encryption types for the TGT, this key has to be changed.

\sphinxAtStartPar
Changing this key using the normal {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}
\sphinxstylestrong{change\_password} command would invalidate any previously issued
TGTs.  Therefore, when changing this key, normally one should use the
\sphinxstylestrong{\sphinxhyphen{}keepold} flag to change\_password to retain the previous key in the
database as well as the new key.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{warning}{Warning:}
\sphinxAtStartPar
After issuing this command, the old key is still valid
and is still vulnerable to (for instance) brute force
attacks.  To completely retire an old key or encryption
type, run the kadmin \sphinxstylestrong{purgekeys} command to delete keys
with older kvnos, ideally first making sure that all
tickets issued with the old keys have expired.
\end{sphinxadmonition}

\sphinxAtStartPar
Only the first krbtgt key of the newest key version is used to encrypt
ticket\sphinxhyphen{}granting tickets.  However, the set of encryption types present
in the krbtgt keys is used by default to determine the session key
types supported by the krbtgt service (see
{\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}).  Because non\sphinxhyphen{}MIT Kerberos clients
sometimes send a limited set of encryption types when making AS
requests, it can be important for the krbtgt service to support
multiple encryption types.  This can be accomplished by giving the
krbtgt principal multiple keys, which is usually as simple as not
specifying any \sphinxstylestrong{\sphinxhyphen{}e} option when changing the krbtgt key, or by
setting the \sphinxstylestrong{session\_enctypes} string attribute on the krbtgt
principal (see {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}).

\sphinxAtStartPar
Due to a bug in releases 1.8 through 1.13, renewed and forwarded
tickets may not work if the original ticket was obtained prior to a
krbtgt key change and the modified ticket is obtained afterwards.
Upgrading the KDC to release 1.14 or later will correct this bug.


\section{Incremental database propagation}
\label{\detokenize{admin/database:incremental-database-propagation}}\label{\detokenize{admin/database:incr-db-prop}}

\subsection{Overview}
\label{\detokenize{admin/database:overview}}
\sphinxAtStartPar
At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
primary KDC to the replica KDCs.  The incremental propagation support
added in the 1.7 release is intended to address this.

\sphinxAtStartPar
With incremental propagation enabled, all programs on the primary KDC
that change the database also write information about the changes to
an “update log” file, maintained as a circular buffer of a certain
size.  A process on each replica KDC connects to a service on the
primary KDC (currently implemented in the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} server) and
periodically requests the changes that have been made since the last
check.  By default, this check is done every two minutes.

\sphinxAtStartPar
Incremental propagation uses the following entries in the per\sphinxhyphen{}realm
data in the KDC config file (See {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}):


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TTT}
\sphinxtoprule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
iprop\_enable
&
\sphinxAtStartPar
\sphinxstyleemphasis{boolean}
&
\sphinxAtStartPar
If \sphinxstyleemphasis{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is \sphinxstyleemphasis{false}.
\\
\sphinxhline
\sphinxAtStartPar
iprop\_master\_ulogsize
&
\sphinxAtStartPar
\sphinxstyleemphasis{integer}
&
\sphinxAtStartPar
Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.
\\
\sphinxhline
\sphinxAtStartPar
iprop\_replica\_poll
&
\sphinxAtStartPar
\sphinxstyleemphasis{time interval}
&
\sphinxAtStartPar
Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes.
\\
\sphinxhline
\sphinxAtStartPar
iprop\_port
&
\sphinxAtStartPar
\sphinxstyleemphasis{integer}
&
\sphinxAtStartPar
Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files.
\\
\sphinxhline
\sphinxAtStartPar
iprop\_resync\_timeout
&
\sphinxAtStartPar
\sphinxstyleemphasis{integer}
&
\sphinxAtStartPar
Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations.  Defaults to 300 seconds (5 minutes).
\\
\sphinxhline
\sphinxAtStartPar
iprop\_logfile
&
\sphinxAtStartPar
\sphinxstyleemphasis{file name}
&
\sphinxAtStartPar
Specifies where the update log file for the realm database is to be stored. The default is to use the \sphinxstyleemphasis{database\_name} entry from the realms section of the config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, with \sphinxstyleemphasis{.ulog} appended. (NOTE: If database\_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \sphinxstyleemphasis{dbmodules} section, then the hard\sphinxhyphen{}coded default for \sphinxstyleemphasis{database\_name} is used. Determination of the \sphinxstyleemphasis{iprop\_logfile}  default value will not use values from the \sphinxstyleemphasis{dbmodules} section.)
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
Both primary and replica sides must have a principal named
\sphinxcode{\sphinxupquote{kiprop/hostname}} (where \sphinxstyleemphasis{hostname} is the lowercase,
fully\sphinxhyphen{}qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
default keytab file ({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}).  The \sphinxcode{\sphinxupquote{kiprop/hostname}} principal may
have been created automatically for the primary KDC, but it must
always be created for replica KDCs.

\sphinxAtStartPar
On the primary KDC side, the \sphinxcode{\sphinxupquote{kiprop/hostname}} principal must be
listed in the kadmind ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, and given the
\sphinxstylestrong{p} privilege (see {\hyperref[\detokenize{admin/database:privileges}]{\sphinxcrossref{\DUrole{std,std-ref}{Privileges}}}}).

\sphinxAtStartPar
On the replica KDC side, {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} should be run.  When
incremental propagation is enabled, it will connect to the kadmind on
the primary KDC and start requesting updates.

\sphinxAtStartPar
The normal kprop mechanism is disabled by the incremental propagation
support.  However, if the replica has been unable to fetch changes
from the primary KDC for too long (network problems, perhaps), the log
on the primary may wrap around and overwrite some of the updates that
the replica has not yet retrieved.  In this case, the replica will
instruct the primary KDC to dump the current database out to a file
and invoke a one\sphinxhyphen{}time kprop propagation, with special options to also
convey the point in the update log at which the replica should resume
fetching incremental updates.  Thus, all the keytab and ACL setup
previously described for kprop propagation is still needed.

\sphinxAtStartPar
If an environment has a large number of replicas, it may be desirable
to arrange them in a hierarchy instead of having the primary serve
updates to every replica.  To do this, run \sphinxcode{\sphinxupquote{kadmind \sphinxhyphen{}proponly}} on
each intermediate replica, and \sphinxcode{\sphinxupquote{kpropd \sphinxhyphen{}A upstreamhostname}} on
downstream replicas to direct each one to the appropriate upstream
replica.

\sphinxAtStartPar
There are several known restrictions in the current implementation:
\begin{itemize}
\item {} 
\sphinxAtStartPar
The incremental update protocol does not transport changes to policy
objects.  Any policy changes on the primary will result in full
resyncs to all replicas.

\item {} 
\sphinxAtStartPar
The replica’s KDB module must support locking; it cannot be using the
LDAP KDB module.

\item {} 
\sphinxAtStartPar
The primary and replica must be able to initiate TCP connections in
both directions, without an intervening NAT.

\end{itemize}


\subsection{Sun/MIT incremental propagation differences}
\label{\detokenize{admin/database:sun-mit-incremental-propagation-differences}}
\sphinxAtStartPar
Sun donated the original code for supporting incremental database
propagation to MIT.  Some changes have been made in the MIT source
tree that will be visible to administrators.  (These notes are based
on Sun’s patches.  Changes to Sun’s implementation since then may not
be reflected here.)

\sphinxAtStartPar
The Sun config file support looks for \sphinxcode{\sphinxupquote{sunw\_dbprop\_enable}},
\sphinxcode{\sphinxupquote{sunw\_dbprop\_master\_ulogsize}}, and \sphinxcode{\sphinxupquote{sunw\_dbprop\_slave\_poll}}.

\sphinxAtStartPar
The incremental propagation service is implemented as an ONC RPC
service.  In the Sun implementation, the service is registered with
rpcbind (also known as portmapper) and the client looks up the port
number to contact.  In the MIT implementation, where interaction with
some modern versions of rpcbind doesn’t always work well, the port
number must be specified in the config file on both the primary and
replica sides.

\sphinxAtStartPar
The Sun implementation hard\sphinxhyphen{}codes pathnames in \sphinxcode{\sphinxupquote{/var/krb5}} for the
update log and the per\sphinxhyphen{}replica kprop dump files.  In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per\sphinxhyphen{}replica dump files are stored in
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans\_hostname}}.

\sphinxstepscope


\chapter{Database types}
\label{\detokenize{admin/dbtypes:database-types}}\label{\detokenize{admin/dbtypes:dbtypes}}\label{\detokenize{admin/dbtypes::doc}}
\sphinxAtStartPar
A Kerberos database can be implemented with one of three built\sphinxhyphen{}in
database providers, called KDB modules.  Software which incorporates
the MIT krb5 KDC may also provide its own KDB module.  The following
subsections describe the three built\sphinxhyphen{}in KDB modules and the
configuration specific to them.

\sphinxAtStartPar
The database type can be configured with the \sphinxstylestrong{db\_library} variable
in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} realm subsection contains a
\sphinxstylestrong{database\_module} setting, then the subsection within
\sphinxcode{\sphinxupquote{{[}dbmodules{]}}} should use that name instead of \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}}.

\sphinxAtStartPar
To transition from one database type to another, stop the
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} service, use \sphinxcode{\sphinxupquote{kdb5\_util dump}} to create a dump
file, change the \sphinxstylestrong{db\_library} value and set any appropriate
configuration for the new database type, and use \sphinxcode{\sphinxupquote{kdb5\_util load}} to
create and populate the new database.  If the new database type is
LDAP, create the new database using \sphinxcode{\sphinxupquote{kdb5\_ldap\_util}} and populate it
from the dump file using \sphinxcode{\sphinxupquote{kdb5\_util load \sphinxhyphen{}update}}.  Then restart the
{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} services.


\section{Berkeley database module (db2)}
\label{\detokenize{admin/dbtypes:berkeley-database-module-db2}}
\sphinxAtStartPar
The default KDB module is \sphinxcode{\sphinxupquote{db2}}, which uses a version of the
Berkeley DB library.  It creates four files based on the database
pathname.  If the pathname ends with \sphinxcode{\sphinxupquote{principal}} then the four files
are:
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal}}, containing principal entry data

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.ok}}, a lock file for the principal database

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.kadm5}}, containing policy object data

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.kadm5.lock}}, a lock file for the policy database

\end{itemize}

\sphinxAtStartPar
For large databases, the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{dump} command (perhaps
invoked by {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or by {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} for incremental
propagation) may cause {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} to stop for a noticeable
period of time while it iterates over the database.  This delay can be
avoided by disabling account lockout features so that the KDC does not
perform database writes (see {\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}).  Alternatively,
a slower form of iteration can be enabled by setting the
\sphinxstylestrong{unlockiter} variable to \sphinxcode{\sphinxupquote{true}}.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2}
        \PYG{n}{unlockiter} \PYG{o}{=} \PYG{n}{true}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
In rare cases, a power failure or other unclean system shutdown may
cause inconsistencies in the internal pointers within a database file,
such that \sphinxcode{\sphinxupquote{kdb5\_util dump}} cannot retrieve all principal entries in
the database.  In this situation, it may be possible to retrieve all
of the principal data by running \sphinxcode{\sphinxupquote{kdb5\_util dump \sphinxhyphen{}recurse}} to
iterate over the database using the tree pointers instead of the
iteration pointers.  Running \sphinxcode{\sphinxupquote{kdb5\_util dump \sphinxhyphen{}rev}} to iterate over
the database backwards may also retrieve some of the data which is not
retrieved by a normal dump operation.


\section{Lightning Memory\sphinxhyphen{}Mapped Database module (klmdb)}
\label{\detokenize{admin/dbtypes:lightning-memory-mapped-database-module-klmdb}}
\sphinxAtStartPar
The klmdb module was added in release 1.17.  It uses the LMDB library,
and may offer better performance and reliability than the db2 module.
It creates four files based on the database pathname.  If the pathname
ends with \sphinxcode{\sphinxupquote{principal}}, then the four files are:
\begin{itemize}
\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.mdb}}, containing policy object data and most principal
entry data

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.mdb\sphinxhyphen{}lock}}, a lock file for the primary database

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.lockout.mdb}}, containing the account lockout attributes
(last successful authentication time, last failed authentication
time, and number of failed attempts) for each principal entry

\item {} 
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{principal.lockout.mdb\sphinxhyphen{}lock}}, a lock file for the lockout database

\end{itemize}

\sphinxAtStartPar
Separating out the lockout attributes ensures that the KDC will never
block on an administrative operation such as a database dump or load.
It also allows the KDC to operate without write access to the primary
database.  If both account lockout features are disabled (see
{\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}), the lockout database files will be created
but will not subsequently be opened, and the account lockout
attributes will always have zero values.

\sphinxAtStartPar
Because LMDB creates a memory map to the database files, it requires a
configured memory map size which also determines the maximum size of
the database.  This size is applied equally to the two databases, so
twice the configured size will be consumed in the process address
space; this is primarily a limitation on 32\sphinxhyphen{}bit platforms.  The
default value of 128 megabytes should be sufficient for several
hundred thousand principal entries.  If the limit is reached, kadmin
operations will fail and the error message “Environment mapsize limit
reached” will appear in the kadmind log file.  In this case, the
\sphinxstylestrong{mapsize} variable can be used to increase the map size.  The
following example sets the map size to 512 megabytes:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{klmdb}
        \PYG{n}{mapsize} \PYG{o}{=} \PYG{l+m+mi}{512}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
LMDB has a configurable maximum number of readers.  The default value
of 128 should be sufficient for most deployments.  If you are going to
use a large number of KDC worker processes, it may be necessary to set
the \sphinxstylestrong{max\_readers} variable to a larger number.

\sphinxAtStartPar
By default, LMDB synchronizes database files to disk after each write
transaction to ensure durability in the case of an unclean system
shutdown.  The klmdb module always turns synchronization off for the
lockout database to ensure reasonable KDC performance, but leaves it
on for the primary database.  If high throughput for administrative
operations (including password changes) is required, the \sphinxstylestrong{nosync}
variable can be set to “true” to disable synchronization for the
primary database.

\sphinxAtStartPar
The klmdb module does not support explicit locking with the
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command.


\section{LDAP module (kldap)}
\label{\detokenize{admin/dbtypes:ldap-module-kldap}}
\sphinxAtStartPar
The kldap module stores principal and policy data using an LDAP
server.  To use it you must configure an LDAP server to use the
Kerberos schema.  See {\hyperref[\detokenize{admin/conf_ldap:conf-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end}}}} for details.

\sphinxAtStartPar
Because {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} is single\sphinxhyphen{}threaded, latency in LDAP database
accesses may limit KDC operation throughput.  If the LDAP server is
located on the same server host as the KDC and accessed through an
\sphinxcode{\sphinxupquote{ldapi://}} URL, latency should be minimal.  If this is not possible,
consider starting multiple KDC worker processes with the
{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} \sphinxstylestrong{\sphinxhyphen{}w} option to enable concurrent processing of KDC
requests.

\sphinxAtStartPar
The kldap module does not support explicit locking with the
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command.

\sphinxstepscope


\chapter{Account lockout}
\label{\detokenize{admin/lockout:account-lockout}}\label{\detokenize{admin/lockout:lockout}}\label{\detokenize{admin/lockout::doc}}
\sphinxAtStartPar
As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time.  Account lockout can make it more difficult to attack a
principal’s password by brute force, but also makes it easy for an
attacker to deny access to a principal.


\section{Configuring account lockout}
\label{\detokenize{admin/lockout:configuring-account-lockout}}
\sphinxAtStartPar
Account lockout only works for principals with the
\sphinxstylestrong{+requires\_preauth} flag set.  Without this flag, the KDC cannot
know whether or not a client successfully decrypted the ticket it
issued.  It is also important to set the \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flag on a
principal to protect its password from an off\sphinxhyphen{}line dictionary attack
through a TGS request.  You can set these flags on a principal with
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} as follows:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME}
\end{sphinxVerbatim}

\sphinxAtStartPar
Account lockout parameters are configured via {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{policy objects}}}}.  There may be an existing policy associated with user
principals (such as the “default” policy), or you may need to create a
new one and associate it with each user principal.

\sphinxAtStartPar
The policy parameters related to account lockout are:
\begin{itemize}
\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}]{\sphinxcrossref{\DUrole{std,std-ref}{maxfailure}}}}: the number of failed attempts
before the principal is locked out

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}]{\sphinxcrossref{\DUrole{std,std-ref}{failurecountinterval}}}}: the
allowable interval between failed attempts

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}]{\sphinxcrossref{\DUrole{std,std-ref}{lockoutduration}}}}: the amount of time
a principal is locked out for

\end{itemize}

\sphinxAtStartPar
Here is an example of setting these parameters on a new policy and
associating it with a principal:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addpol} \PYG{o}{\PYGZhy{}}\PYG{n}{maxfailure} \PYG{l+m+mi}{10} \PYG{o}{\PYGZhy{}}\PYG{n}{failurecountinterval} \PYG{l+m+mi}{180}
    \PYG{o}{\PYGZhy{}}\PYG{n}{lockoutduration} \PYG{l+m+mi}{60} \PYG{n}{lockout\PYGZus{}policy}
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{policy} \PYG{n}{lockout\PYGZus{}policy} \PYG{n}{PRINCNAME}
\end{sphinxVerbatim}


\section{Testing account lockout}
\label{\detokenize{admin/lockout:testing-account-lockout}}
\sphinxAtStartPar
To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password.  For instance, if \sphinxstylestrong{maxfailure} is set to 2, you
might see:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kinit user
Password for user@KRBTEST.COM:
kinit: Password incorrect while getting initial credentials
\PYGZdl{} kinit user
Password for user@KRBTEST.COM:
kinit: Password incorrect while getting initial credentials
\PYGZdl{} kinit user
kinit: Client\PYGZsq{}s credentials have been revoked while getting initial credentials
\end{sphinxVerbatim}


\section{Account lockout principal state}
\label{\detokenize{admin/lockout:account-lockout-principal-state}}
\sphinxAtStartPar
A principal entry keeps three pieces of state related to account
lockout:
\begin{itemize}
\item {} 
\sphinxAtStartPar
The time of last successful authentication

\item {} 
\sphinxAtStartPar
The time of last failed authentication

\item {} 
\sphinxAtStartPar
A counter of failed attempts

\end{itemize}

\sphinxAtStartPar
The time of last successful authentication is not actually needed for
the account lockout system to function, but may be of administrative
interest.  These fields can be observed with the \sphinxstylestrong{getprinc} kadmin
command.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{user}
\PYG{n}{Principal}\PYG{p}{:} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}
\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}
\PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]}
\PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Dec} \PYG{l+m+mi}{03} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{30}\PYG{p}{:}\PYG{l+m+mi}{33} \PYG{n}{EST} \PYG{l+m+mi}{2012}
\PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{2}
\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
A principal which has been locked out can be administratively unlocked
with the \sphinxstylestrong{\sphinxhyphen{}unlock} option to the \sphinxstylestrong{modprinc} kadmin command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{unlock} \PYG{n}{PRINCNAME}
\end{sphinxVerbatim}

\sphinxAtStartPar
This command will reset the number of failed attempts to 0.


\section{KDC replication and account lockout}
\label{\detokenize{admin/lockout:kdc-replication-and-account-lockout}}
\sphinxAtStartPar
The account lockout state of a principal is not replicated by either
traditional {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or incremental propagation.  Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs.  For instance, if the
\sphinxstylestrong{maxfailure} parameter on a policy is 10 and there are four KDCs in
the environment (a primary and three replicas), an attacker could make
as many as 40 attempts before the principal is locked out on all four
KDCs.

\sphinxAtStartPar
An administrative unlock is propagated from the primary to the replica
KDCs during the next propagation.  Propagation of an administrative
unlock will cause the counter of failed attempts on each replica to
reset to 1 on the next failure.

\sphinxAtStartPar
If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi\sphinxhyphen{}master
LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.


\section{KDC performance and account lockout}
\label{\detokenize{admin/lockout:kdc-performance-and-account-lockout}}\label{\detokenize{admin/lockout:disable-lockout}}
\sphinxAtStartPar
In order to fully track account lockout state, the KDC must write to
the the database on each successful and failed authentication.
Writing to the database is generally more expensive than reading from
it, so these writes may have a significant impact on KDC performance.
As of release 1.9, it is possible to turn off account lockout state
tracking in order to improve performance, by setting the
\sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} variables in the
database module subsection of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]}
    \PYG{n}{DB} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true}
        \PYG{n}{disable\PYGZus{}lockout} \PYG{o}{=} \PYG{n}{true}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Of the two variables, setting \sphinxstylestrong{disable\_last\_success} will usually
have the largest positive impact on performance, and will still allow
account lockout policies to operate.  However, it will make it
impossible to observe the last successful authentication time with
kadmin.


\section{KDC setup and account lockout}
\label{\detokenize{admin/lockout:kdc-setup-and-account-lockout}}
\sphinxAtStartPar
To update the account lockout state on principals, the KDC must be
able to write to the principal database.  For the DB2 module, no
special setup is required.  For the LDAP module, the KDC DN must be
granted write access to the principal objects.  If the KDC DN has only
read access, account lockout will not function.

\sphinxstepscope


\chapter{Configuring Kerberos with OpenLDAP back\sphinxhyphen{}end}
\label{\detokenize{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}}\label{\detokenize{admin/conf_ldap:conf-ldap}}\label{\detokenize{admin/conf_ldap::doc}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Make sure the LDAP server is using local authentication
(\sphinxcode{\sphinxupquote{ldapi://}}) or TLS (\sphinxcode{\sphinxupquote{ldaps}}).  See
\sphinxurl{https://www.openldap.org/doc/admin/tls.html} for instructions on
configuring TLS support in OpenLDAP.

\item {} 
\sphinxAtStartPar
Add the Kerberos schema file to the LDAP Server using the OpenLDAP
LDIF file from the krb5 source directory
(\sphinxcode{\sphinxupquote{src/plugins/kdb/ldap/libkdb\_ldap/kerberos.openldap.ldif}}).
The following example uses local authentication:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{ldapadd} \PYG{o}{\PYGZhy{}}\PYG{n}{Y} \PYG{n}{EXTERNAL} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldapi}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{o}{/} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{openldap}\PYG{o}{.}\PYG{n}{ldif}
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
Choose DNs for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} servers
to bind to the LDAP server, and create them if necessary.  Specify
these DNs with the \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}
directives in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  The kadmind DN will also be
used for administrative commands such as {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}.

\sphinxAtStartPar
Alternatively, you may configure krb5kdc and kadmind to use SASL
authentication to access the LDAP server; see the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}}
relations \sphinxstylestrong{ldap\_kdc\_sasl\_mech} and similar.

\item {} 
\sphinxAtStartPar
Specify a location for the LDAP service password file by setting
\sphinxstylestrong{ldap\_service\_password\_file}.  Use \sphinxcode{\sphinxupquote{kdb5\_ldap\_util stashsrvpw}}
to stash passwords for the KDC and kadmind DNs chosen above.  For
example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbadmin}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com}
\end{sphinxVerbatim}

\sphinxAtStartPar
Skip this step if you are using SASL authentication and the
mechanism does not require a password.

\item {} 
\sphinxAtStartPar
Choose a DN for the global Kerberos container entry (but do not
create the entry at this time).  Specify this DN with the
\sphinxstylestrong{ldap\_kerberos\_container\_dn} directive in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.
Realm container entries will be created underneath this DN.
Principal entries may exist either underneath the realm container
(the default) or in separate trees referenced from the realm
container.

\item {} 
\sphinxAtStartPar
Configure the LDAP server ACLs to enable the KDC and kadmin server
DNs to read and write the Kerberos data.  If
\sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} are both set to
true in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm, then the
KDC DN only requires read access to the Kerberos data.

\sphinxAtStartPar
Sample access control information:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{by} \PYG{o}{*} \PYG{n}{read}

\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=Subschema}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{by} \PYG{o}{*} \PYG{n}{read}

\PYG{c+c1}{\PYGZsh{} Provide access to the realm container.}
\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write}
    \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write}
    \PYG{n}{by} \PYG{o}{*} \PYG{n}{none}

\PYG{c+c1}{\PYGZsh{} Provide access to principals, if not underneath the realm container.}
\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ou=users,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write}
    \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write}
    \PYG{n}{by} \PYG{o}{*} \PYG{n}{none}

\PYG{n}{access} \PYG{n}{to} \PYG{o}{*}
    \PYG{n}{by} \PYG{o}{*} \PYG{n}{read}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the locations of the container and principals or the DNs of the
service objects for a realm are changed then this information
should be updated.

\item {} 
\sphinxAtStartPar
In {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, make sure the following relations are set
in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
db\PYGZus{}library (set to ``kldap``)
ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn
ldap\PYGZus{}kdc\PYGZus{}dn
ldap\PYGZus{}kadmind\PYGZus{}dn
ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file
ldap\PYGZus{}servers
\end{sphinxVerbatim}

\item {} 
\sphinxAtStartPar
Create the realm using {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}:
\begin{quote}

\sphinxAtStartPar
kdb5\_ldap\_util create \sphinxhyphen{}subtrees ou=users,dc=example,dc=com \sphinxhyphen{}s
\end{quote}

\sphinxAtStartPar
Use the \sphinxstylestrong{\sphinxhyphen{}subtrees} option if the principals are to exist in a
separate subtree from the realm container.  Before executing the
command, make sure that the subtree mentioned above
\sphinxcode{\sphinxupquote{(ou=users,dc=example,dc=com)}} exists.  If the principals will
exist underneath the realm container, omit the \sphinxstylestrong{\sphinxhyphen{}subtrees} option
and do not worry about creating the principal subtree.

\sphinxAtStartPar
For more information, refer to the section {\hyperref[\detokenize{admin/database:ops-on-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the LDAP database}}}}.

\sphinxAtStartPar
The realm object is created under the
\sphinxstylestrong{ldap\_kerberos\_container\_dn} specified in the configuration
file.  This operation will also create the Kerberos container, if
not present already.  This container can be used to store
information related to multiple realms.

\item {} 
\sphinxAtStartPar
Add an \sphinxcode{\sphinxupquote{eq}} index for \sphinxcode{\sphinxupquote{krbPrincipalName}} to speed up principal
lookup operations.  See
\sphinxurl{https://www.openldap.org/doc/admin/tuning.html\#Indexes} for
details.

\end{enumerate}

\sphinxAtStartPar
With the LDAP back end it is possible to provide aliases for principal
entries.  Beginning in release 1.22, aliases can be added with the
kadmin \sphinxstylestrong{add\_alias} command, but it is also possible (in release 1.7
or later) to provide aliases through direct manipulation of the LDAP
entries.

\sphinxAtStartPar
An entry with aliases contains multiple values of the
\sphinxstyleemphasis{krbPrincipalName} attribute.  Since LDAP attribute values are not
ordered, it is necessary to specify which principal name is canonical,
by using the \sphinxstyleemphasis{krbCanonicalName} attribute.  Therefore, to create
aliases for an entry, first set the \sphinxstyleemphasis{krbCanonicalName} attribute of
the entry to the canonical principal name (which should be identical
to the pre\sphinxhyphen{}existing \sphinxstyleemphasis{krbPrincipalName} value), and then add additional
\sphinxstyleemphasis{krbPrincipalName} attributes for the aliases.

\sphinxAtStartPar
Principal aliases are only returned by the KDC when the client
requests canonicalization.  Canonicalization is normally requested for
service principals; for client principals, an explicit flag is often
required (e.g., \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}C}}) and canonicalization is only performed
for initial ticket requests.

\sphinxstepscope


\chapter{Application servers}
\label{\detokenize{admin/appl_servers:application-servers}}\label{\detokenize{admin/appl_servers::doc}}
\sphinxAtStartPar
If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide.  Once you
have installed the software, you need to add that host to the Kerberos
database (see {\hyperref[\detokenize{admin/database:principals}]{\sphinxcrossref{\DUrole{std,std-ref}{Principals}}}}), and generate a keytab for that host,
that contains the host’s key.  You also need to make sure the host’s
clock is within your maximum clock skew of the KDCs.


\section{Keytabs}
\label{\detokenize{admin/appl_servers:keytabs}}
\sphinxAtStartPar
A keytab is a host’s copy of its own keylist, which is analogous to a
user’s password.  An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key.  Just as it is important for users to protect their
passwords, it is equally important for hosts to protect their keytabs.
You should always store keytab files on local disk, and make them
readable only by root, and you should never send a keytab file over a
network in the clear.  Ideally, you should run the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}
command to extract a keytab on the host on which the keytab is to
reside.


\subsection{Adding principals to keytabs}
\label{\detokenize{admin/appl_servers:adding-principals-to-keytabs}}\label{\detokenize{admin/appl_servers:add-princ-kt}}
\sphinxAtStartPar
To generate a keytab, or to add a principal to an existing keytab, use
the \sphinxstylestrong{ktadd} command from kadmin.  Here is a sample session, using
configuration files that enable only AES encryption:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}
\end{sphinxVerbatim}


\subsection{Removing principals from keytabs}
\label{\detokenize{admin/appl_servers:removing-principals-from-keytabs}}
\sphinxAtStartPar
To remove a principal from an existing keytab, use the kadmin
\sphinxstylestrong{ktremove} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:}  \PYG{n}{ktremove} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}


\subsection{Using a keytab to acquire client credentials}
\label{\detokenize{admin/appl_servers:using-a-keytab-to-acquire-client-credentials}}
\sphinxAtStartPar
While keytabs are ordinarily used to accept credentials from clients,
they can also be used to acquire initial credentials, allowing one
service to authenticate to another.

\sphinxAtStartPar
To manually obtain credentials using a keytab, use the \DUrole{xref,std,std-ref}{kinit(1)}
\sphinxstylestrong{\sphinxhyphen{}k} option, together with the \sphinxstylestrong{\sphinxhyphen{}t} option if the keytab is not in
the default location.

\sphinxAtStartPar
Beginning with release 1.11, GSSAPI applications can be configured to
automatically obtain initial credentials from a keytab as needed.  The
recommended configuration is as follows:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Create a keytab containing a single entry for the desired client
identity.

\item {} 
\sphinxAtStartPar
Place the keytab in a location readable by the service, and set the
\sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable to its filename.
Alternatively, use the \sphinxstylestrong{default\_client\_keytab\_name} profile
variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}, or use the default location of
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}.

\item {} 
\sphinxAtStartPar
Set \sphinxstylestrong{KRB5CCNAME} to a filename writable by the service, which
will not be used for any other purpose.  Do not manually obtain
credentials at this location.  (Another credential cache type
besides \sphinxstylestrong{FILE} can be used if desired, as long the cache will not
conflict with another use.  A \sphinxstylestrong{MEMORY} cache can be used if the
service runs as a long\sphinxhyphen{}lived process.  See \DUrole{xref,std,std-ref}{ccache\_definition}
for details.)

\item {} 
\sphinxAtStartPar
Start the service.  When it authenticates using GSSAPI, it will
automatically obtain credentials from the client keytab into the
specified credential cache, and refresh them before they expire.

\end{enumerate}


\section{Clock Skew}
\label{\detokenize{admin/appl_servers:clock-skew}}
\sphinxAtStartPar
A Kerberos application server host must keep its clock synchronized or
it will reject authentication requests from clients.  Modern operating
systems typically provide a facility to maintain the correct time;
make sure it is enabled.  This is especially important on virtual
machines, where clocks tend to drift more rapidly than normal machine
clocks.

\sphinxAtStartPar
The default allowable clock skew is controlled by the \sphinxstylestrong{clockskew}
variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.


\section{Getting DNS information correct}
\label{\detokenize{admin/appl_servers:getting-dns-information-correct}}
\sphinxAtStartPar
Several aspects of Kerberos rely on name service.  When a hostname is
used to name a service, clients may canonicalize the hostname using
forward and possibly reverse name resolution.  The result of this
canonicalization must match the principal entry in the host’s keytab,
or authentication will fail.  To work with all client canonicalization
configurations, each host’s canonical name must be the fully\sphinxhyphen{}qualified
host name (including the domain), and each host’s IP address must
reverse\sphinxhyphen{}resolve to the canonical name.

\sphinxAtStartPar
Configuration of hostnames varies by operating system.  On the
application server itself, canonicalization will typically use the
\sphinxcode{\sphinxupquote{/etc/hosts}} file rather than the DNS.  Ensure that the line for the
server’s hostname is in the following form:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{IP} \PYG{n}{address}      \PYG{n}{fully}\PYG{o}{\PYGZhy{}}\PYG{n}{qualified} \PYG{n}{hostname}        \PYG{n}{aliases}
\end{sphinxVerbatim}

\sphinxAtStartPar
Here is a sample \sphinxcode{\sphinxupquote{/etc/hosts}} file:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{c+c1}{\PYGZsh{} this is a comment}
\PYG{l+m+mf}{127.0}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.1}      \PYG{n}{localhost} \PYG{n}{localhost}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{l+m+mf}{10.0}\PYG{l+m+mf}{.0}\PYG{l+m+mf}{.6}       \PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{daffodil} \PYG{n}{trillium} \PYG{n}{wake}\PYG{o}{\PYGZhy{}}\PYG{n}{robin}
\end{sphinxVerbatim}

\sphinxAtStartPar
The output of \sphinxcode{\sphinxupquote{klist \sphinxhyphen{}k}} for this example host should look like:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{viola}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}k}
\PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}
\PYG{n}{KVNO} \PYG{n}{Principal}
\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}
   \PYG{l+m+mi}{2} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you were to ssh to this host with a fresh credentials cache (ticket
file), and then \DUrole{xref,std,std-ref}{klist(1)}, the output should list a service
principal of \sphinxcode{\sphinxupquote{host/daffodil.mit.edu@ATHENA.MIT.EDU}}.


\section{Configuring your firewall to work with Kerberos V5}
\label{\detokenize{admin/appl_servers:configuring-your-firewall-to-work-with-kerberos-v5}}\label{\detokenize{admin/appl_servers:conf-firewall}}
\sphinxAtStartPar
If you need off\sphinxhyphen{}site users to be able to get Kerberos tickets in your
realm, they must be able to get to your KDC.  This requires either
that you have a replica KDC outside your firewall, or that you
configure your firewall to allow UDP requests into at least one of
your KDCs, on whichever port the KDC is running.  (The default is port
88; other ports may be specified in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}
file.)  Similarly, if you need off\sphinxhyphen{}site users to be able to change
their passwords in your realm, they must be able to get to your
Kerberos admin server on the kpasswd port (which defaults to 464).  If
you need off\sphinxhyphen{}site users to be able to administer your Kerberos realm,
they must be able to get to your Kerberos admin server on the
administrative port (which defaults to 749).

\sphinxAtStartPar
If your on\sphinxhyphen{}site users inside your firewall will need to get to KDCs in
other realms, you will also need to configure your firewall to allow
outgoing TCP and UDP requests to port 88, and to port 464 to allow
password changes.  If your on\sphinxhyphen{}site users inside your firewall will
need to get to Kerberos admin servers in other realms, you will also
need to allow outgoing TCP and UDP requests to port 749.

\sphinxAtStartPar
If any of your KDCs are outside your firewall, you will need to allow
kprop requests to get through to the remote KDC.  {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} uses
the \sphinxcode{\sphinxupquote{krb5\_prop}} service on port 754 (tcp).

\sphinxAtStartPar
The book \sphinxstyleemphasis{UNIX System Security}, by David Curry, is a good starting
point for learning to configure firewalls.

\sphinxstepscope


\chapter{Host configuration}
\label{\detokenize{admin/host_config:host-configuration}}\label{\detokenize{admin/host_config::doc}}
\sphinxAtStartPar
All hosts running Kerberos software, whether they are clients,
application servers, or KDCs, can be configured using
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Here we describe some of the behavior changes
you might want to make.


\section{Default realm}
\label{\detokenize{admin/host_config:default-realm}}
\sphinxAtStartPar
In the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section, the \sphinxstylestrong{default\_realm} realm
relation sets the default Kerberos realm.  For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}

\sphinxAtStartPar
The default realm affects Kerberos behavior in the following ways:
\begin{itemize}
\item {} 
\sphinxAtStartPar
When a principal name is parsed from text, the default realm is used
if no \sphinxcode{\sphinxupquote{@REALM}} component is specified.

\item {} 
\sphinxAtStartPar
The default realm affects login authorization as described below.

\item {} 
\sphinxAtStartPar
For programs which operate on a Kerberos database, the default realm
is used to determine which database to operate on, unless the \sphinxstylestrong{\sphinxhyphen{}r}
parameter is given to specify a realm.

\item {} 
\sphinxAtStartPar
A server program may use the default realm when looking up its key
in a {\hyperref[\detokenize{admin/install_appl_srv:keytab-file}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab file}}}}, if its realm is not
determined by {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} configuration or by the server
program itself.

\item {} 
\sphinxAtStartPar
If \DUrole{xref,std,std-ref}{kinit(1)} is passed the \sphinxstylestrong{\sphinxhyphen{}n} flag, it requests anonymous
tickets from the default realm.

\end{itemize}

\sphinxAtStartPar
In some situations, these uses of the default realm might conflict.
For example, it might be desirable for principal name parsing to use
one realm by default, but for login authorization to use a second
realm.  In this situation, the first realm can be configured as the
default realm, and \sphinxstylestrong{auth\_to\_local} relations can be used as
described below to use the second realm for login authorization.


\section{Login authorization}
\label{\detokenize{admin/host_config:login-authorization}}\label{\detokenize{admin/host_config:id1}}
\sphinxAtStartPar
If a host runs a Kerberos\sphinxhyphen{}enabled login service such as OpenSSH with
GSSAPIAuthentication enabled, login authorization rules determine
whether a Kerberos principal is allowed to access a local account.

\sphinxAtStartPar
By default, a Kerberos principal is allowed access to an account if
its realm matches the default realm and its name matches the account
name.  (For historical reasons, access is also granted by default if
the name has two components and the second component matches the
default realm; for instance, \sphinxcode{\sphinxupquote{alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU}}
is granted access to the \sphinxcode{\sphinxupquote{alice}} account if \sphinxcode{\sphinxupquote{ATHENA.MIT.EDU}} is
the default realm.)

\sphinxAtStartPar
The simplest way to control local access is using \DUrole{xref,std,std-ref}{.k5login(5)}
files.  To use these, place a \sphinxcode{\sphinxupquote{.k5login}} file in the home directory
of each account listing the principal names which should have login
access to that account.  If it is not desirable to use \sphinxcode{\sphinxupquote{.k5login}}
files located in account home directories, the \sphinxstylestrong{k5login\_directory}
relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can specify a directory
containing one file per account uname.

\sphinxAtStartPar
By default, if a \sphinxcode{\sphinxupquote{.k5login}} file is present, it controls
authorization both positively and negatively\textendash{}any principal name
contained in the file is granted access and any other principal name
is denied access, even if it would have had access if the \sphinxcode{\sphinxupquote{.k5login}}
file didn’t exist.  The \sphinxstylestrong{k5login\_authoritative} relation in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can be set to false to make \sphinxcode{\sphinxupquote{.k5login}}
files provide positive authorization only.

\sphinxAtStartPar
The \sphinxstylestrong{auth\_to\_local} relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for the
default realm can specify pattern\sphinxhyphen{}matching rules to control login
authorization.  For example, the following configuration allows access
to principals from a different realm than the default realm:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[realms]
    DEFAULT.REALM = \PYGZob{}
        \PYGZsh{} Allow access to principals from OTHER.REALM.
        \PYGZsh{}
        \PYGZsh{} [1:\PYGZdl{}1@\PYGZdl{}0] matches single\PYGZhy{}component principal names and creates
        \PYGZsh{} a selection string containing the principal name and realm.
        \PYGZsh{}
        \PYGZsh{} (.*@OTHER\PYGZbs{}.REALM) matches against the selection string, so that
        \PYGZsh{} only principals in OTHER.REALM are matched.
        \PYGZsh{}
        \PYGZsh{} s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// removes the realm name, leaving behind the
        \PYGZsh{} principal name as the account name.
        auth\PYGZus{}to\PYGZus{}local = RULE:[1:\PYGZdl{}1@\PYGZdl{}0](.*@OTHER\PYGZbs{}.REALM)s/@OTHER\PYGZbs{}.REALM\PYGZdl{}//

        \PYGZsh{} Also allow principals from the default realm.  Omit this line
        \PYGZsh{} to only allow access to principals in OTHER.REALM.
        auth\PYGZus{}to\PYGZus{}local = DEFAULT
    \PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
The \sphinxstylestrong{auth\_to\_local\_names} subsection of the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section
for the default realm can specify explicit mappings from principal
names to local accounts.  The key used in this subsection is the
principal name without realm, so it is only safe to use in a Kerberos
environment with a single realm or a tightly controlled set of realms.
An example use of \sphinxstylestrong{auth\_to\_local\_names} might be:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
    \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{auth\PYGZus{}to\PYGZus{}local\PYGZus{}names} \PYG{o}{=} \PYG{p}{\PYGZob{}}
            \PYG{c+c1}{\PYGZsh{} Careful, these match principals in any realm!}
            \PYG{n}{host}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{o}{=} \PYG{n}{hostaccount}
            \PYG{n}{fred} \PYG{o}{=} \PYG{n}{localfred}
        \PYG{p}{\PYGZcb{}}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Local authorization behavior can also be modified using plugin
modules; see \DUrole{xref,std,std-ref}{hostrealm\_plugin} for details.


\section{Plugin module configuration}
\label{\detokenize{admin/host_config:plugin-module-configuration}}\label{\detokenize{admin/host_config:plugin-config}}
\sphinxAtStartPar
Many aspects of Kerberos behavior, such as client preauthentication
and KDC service location, can be modified through the use of plugin
modules.  For most of these behaviors, you can use the {\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}}
section of krb5.conf to register third\sphinxhyphen{}party modules, and to switch
off registered or built\sphinxhyphen{}in modules.

\sphinxAtStartPar
A plugin module takes the form of a Unix shared object
(\sphinxcode{\sphinxupquote{modname.so}}) or Windows DLL (\sphinxcode{\sphinxupquote{modname.dll}}).  If you have
installed a third\sphinxhyphen{}party plugin module and want to register it, you do
so using the \sphinxstylestrong{module} relation in the appropriate subsection of the
{[}plugins{]} section.  The value for \sphinxstylestrong{module} must give the module name
and the path to the module, separated by a colon.  The module name
will often be the same as the shared object’s name, but in unusual
cases (such as a shared object which implements multiple modules for
the same interface) it might not be.  For example, to register a
client preauthentication module named \sphinxcode{\sphinxupquote{mypreauth}} installed at
\sphinxcode{\sphinxupquote{/path/to/mypreauth.so}}, you could write:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]}
    \PYG{n}{clpreauth} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{module} \PYG{o}{=} \PYG{n}{mypreauth}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mypreauth}\PYG{o}{.}\PYG{n}{so}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Many of the pluggable behaviors in MIT krb5 contain built\sphinxhyphen{}in modules
which can be switched off.  You can disable a built\sphinxhyphen{}in module (or one
you have registered) using the \sphinxstylestrong{disable} directive in the
appropriate subsection of the {[}plugins{]} section.  For example, to
disable the use of .k5identity files to select credential caches, you
could write:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]}
    \PYG{n}{ccselect} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{disable} \PYG{o}{=} \PYG{n}{k5identity}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If you want to disable multiple modules, specify the \sphinxstylestrong{disable}
directive multiple times, giving one module to disable each time.

\sphinxAtStartPar
Alternatively, you can explicitly specify which modules you want to be
enabled for that behavior using the \sphinxstylestrong{enable\_only} directive.  For
example, to make {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} check password quality using only a
module you have registered, and no other mechanism, you could write:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]}
    \PYG{n}{pwqual} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{module} \PYG{o}{=} \PYG{n}{mymodule}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mymodule}\PYG{o}{.}\PYG{n}{so}
        \PYG{n}{enable\PYGZus{}only} \PYG{o}{=} \PYG{n}{mymodule}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Again, if you want to specify multiple modules, specify the
\sphinxstylestrong{enable\_only} directive multiple times, giving one module to enable
each time.

\sphinxAtStartPar
Some Kerberos interfaces use different mechanisms to register plugin
modules.


\subsection{KDC location modules}
\label{\detokenize{admin/host_config:kdc-location-modules}}
\sphinxAtStartPar
For historical reasons, modules to control how KDC servers are located
are registered simply by placing the shared object or DLL into the
“libkrb5” subdirectory of the krb5 plugin directory, which defaults to
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins}}.  For example, Samba’s winbind krb5
locator plugin would be registered by placing its shared object in
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins/libkrb5/winbind\_krb5\_locator.so}}.


\subsection{GSSAPI mechanism modules}
\label{\detokenize{admin/host_config:gssapi-mechanism-modules}}\label{\detokenize{admin/host_config:gssapi-plugin-config}}
\sphinxAtStartPar
GSSAPI mechanism modules are registered using the file
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech}} or configuration files in the
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech.d}} directory with a \sphinxcode{\sphinxupquote{.conf}}
suffix.  Each line in these files has the form:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{name}  \PYG{n}{oid}  \PYG{n}{pathname}  \PYG{p}{[}\PYG{n}{options}\PYG{p}{]}  \PYG{o}{\PYGZlt{}}\PYG{n+nb}{type}\PYG{o}{\PYGZgt{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Only the name, oid, and pathname are required.  \sphinxstyleemphasis{name} is the
mechanism name, which may be used for debugging or logging purposes.
\sphinxstyleemphasis{oid} is the object identifier of the GSSAPI mechanism to be
registered.  \sphinxstyleemphasis{pathname} is a path to the module shared object or DLL.
\sphinxstyleemphasis{options} (if present) are options provided to the plugin module,
surrounded in square brackets.  \sphinxstyleemphasis{type} (if present) can be used to
indicate a special type of module.  Currently the only special module
type is “interposer”, for a module designed to intercept calls to
other mechanisms.

\sphinxAtStartPar
If the environment variable \sphinxstylestrong{GSS\_MECH\_CONFIG} is set, its value is
used as the sole mechanism configuration filename.


\subsection{Configuration profile modules}
\label{\detokenize{admin/host_config:configuration-profile-modules}}\label{\detokenize{admin/host_config:profile-plugin-config}}
\sphinxAtStartPar
A configuration profile module replaces the information source for
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} itself.  To use a profile module, begin krb5.conf
with the line:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{module} \PYG{n}{PATHNAME}\PYG{p}{:}\PYG{n}{STRING}
\end{sphinxVerbatim}

\sphinxAtStartPar
where \sphinxstyleemphasis{PATHNAME} is a path to the module shared object or DLL, and
\sphinxstyleemphasis{STRING} is a string to provide to the module.  The module will then
take over, and the rest of krb5.conf will be ignored.

\sphinxstepscope


\chapter{Backups of secure hosts}
\label{\detokenize{admin/backup_host:backups-of-secure-hosts}}\label{\detokenize{admin/backup_host::doc}}
\sphinxAtStartPar
When you back up a secure host, you should exclude the host’s keytab
file from the backup.  If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
keytab was compromised.  In many configurations, knowledge of the
host’s keytab also allows root access to the host.  This could be
particularly dangerous if the compromised keytab was from one of your
KDCs.  If the machine has a disk crash and the keytab file is lost, it
is easy to generate another keytab file.  (See {\hyperref[\detokenize{admin/appl_servers:add-princ-kt}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding principals to keytabs}}}}.)
If you are unable to exclude particular files from backups, you should
ensure that the backups are kept as secure as the host’s root
password.


\section{Backing up the Kerberos database}
\label{\detokenize{admin/backup_host:backing-up-the-kerberos-database}}
\sphinxAtStartPar
As with any file, it is possible that your Kerberos database could
become corrupted.  If this happens on one of the replica KDCs, you
might never notice, since the next automatic propagation of the
database would install a fresh copy.  However, if it happens to the
primary KDC, the corrupted database would be propagated to all of the
replicas during the next propagation.  For this reason, MIT recommends
that you back up your Kerberos database regularly.  Because the primary
KDC is continuously dumping the database to a file in order to
propagate it to the replica KDCs, it is a simple matter to have a cron
job periodically copy the dump file to a secure machine elsewhere on
your network.  (Of course, it is important to make the host where
these backups are stored as secure as your KDCs, and to encrypt its
transmission across your network.)  Then if your database becomes
corrupted, you can load the most recent dump onto the primary KDC.
(See {\hyperref[\detokenize{admin/database:restore-from-dump}]{\sphinxcrossref{\DUrole{std,std-ref}{Dumping and loading a Kerberos database}}}}.)

\sphinxstepscope


\chapter{PKINIT configuration}
\label{\detokenize{admin/pkinit:pkinit-configuration}}\label{\detokenize{admin/pkinit:pkinit}}\label{\detokenize{admin/pkinit::doc}}
\sphinxAtStartPar
PKINIT is a preauthentication mechanism for Kerberos 5 which uses
X.509 certificates to authenticate the KDC to clients and vice versa.
PKINIT can also be used to enable anonymity support, allowing clients
to communicate securely with the KDC or with application servers
without authenticating as a particular client principal.


\section{Creating certificates}
\label{\detokenize{admin/pkinit:creating-certificates}}
\sphinxAtStartPar
PKINIT requires an X.509 certificate for the KDC and one for each
client principal which will authenticate using PKINIT.  For anonymous
PKINIT, a KDC certificate is required, but client certificates are
not.  A commercially issued server certificate can be used for the KDC
certificate, but generally cannot be used for client certificates.

\sphinxAtStartPar
The instruction in this section describe how to establish a
certificate authority and create standard PKINIT certificates.  Skip
this section if you are using a commercially issued server certificate
as the KDC certificate for anonymous PKINIT, or if you are configuring
a client to use an Active Directory KDC.


\subsection{Generating a certificate authority certificate}
\label{\detokenize{admin/pkinit:generating-a-certificate-authority-certificate}}
\sphinxAtStartPar
You can establish a new certificate authority (CA) for use with a
PKINIT deployment with the commands:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048}
\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{3650}
\end{sphinxVerbatim}

\sphinxAtStartPar
The second command will ask for the values of several certificate
fields.  These fields can be set to any values.  You can adjust the
expiration time of the CA certificate by changing the number after
\sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}.  Since the CA certificate must be deployed to client
machines each time it changes, it should normally have an expiration
time far in the future; however, expiration times after 2037 may cause
interoperability issues in rare circumstances.

\sphinxAtStartPar
The result of these commands will be two files, cakey.pem and
cacert.pem.  cakey.pem will contain a 2048\sphinxhyphen{}bit RSA private key, which
must be carefully protected.  cacert.pem will contain the CA
certificate, which must be placed in the filesystems of the KDC and
each client host.  cakey.pem will be required to create KDC and client
certificates.


\subsection{Generating a KDC certificate}
\label{\detokenize{admin/pkinit:generating-a-kdc-certificate}}
\sphinxAtStartPar
A KDC certificate for use with PKINIT is required to have some unusual
fields, which makes generating them with OpenSSL somewhat complicated.
First, you will need a file containing the following:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[kdc\PYGZus{}cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc\PYGZus{}princ\PYGZus{}name

[kdc\PYGZus{}princ\PYGZus{}name]
realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{}
principal\PYGZus{}name=EXP:1,SEQUENCE:kdc\PYGZus{}principal\PYGZus{}seq

[kdc\PYGZus{}principal\PYGZus{}seq]
name\PYGZus{}type=EXP:0,INTEGER:2
name\PYGZus{}string=EXP:1,SEQUENCE:kdc\PYGZus{}principals

[kdc\PYGZus{}principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the above contents are placed in extensions.kdc, you can generate
and sign a KDC certificate with the following commands:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048}
\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem}
\PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYGZbs{}
    \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYGZbs{}
    \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{kdc\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{CAcreateserial}
\PYG{n}{rm} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req}
\end{sphinxVerbatim}

\sphinxAtStartPar
The second command will ask for the values of certificate fields,
which can be set to any values.  In the third command, substitute your
KDC’s realm name for YOUR\_REALMNAME.  You can adjust the certificate’s
expiration date by changing the number after \sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}.  Remember to
create a new KDC certificate before the old one expires.

\sphinxAtStartPar
The result of this operation will be in two files, kdckey.pem and
kdc.pem.  Both files must be placed in the KDC’s filesystem.
kdckey.pem, which contains the KDC’s private key, must be carefully
protected.

\sphinxAtStartPar
If you examine the KDC certificate with \sphinxcode{\sphinxupquote{openssl x509 \sphinxhyphen{}in kdc.pem
\sphinxhyphen{}text \sphinxhyphen{}noout}}, OpenSSL will not know how to display the KDC principal
name in the Subject Alternative Name extension, so it will appear as
\sphinxcode{\sphinxupquote{othername:\textless{}unsupported\textgreater{}}}.  This is normal and does not mean
anything is wrong with the KDC certificate.


\subsection{Generating client certificates}
\label{\detokenize{admin/pkinit:generating-client-certificates}}
\sphinxAtStartPar
PKINIT client certificates also must have some unusual certificate
fields.  To generate a client certificate with OpenSSL for a
single\sphinxhyphen{}component principal name, you will need an extensions file
(different from the KDC extensions file above) containing:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[client\PYGZus{}cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ\PYGZus{}name

[princ\PYGZus{}name]
realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{}
principal\PYGZus{}name=EXP:1,SEQUENCE:principal\PYGZus{}seq

[principal\PYGZus{}seq]
name\PYGZus{}type=EXP:0,INTEGER:1
name\PYGZus{}string=EXP:1,SEQUENCE:principals

[principals]
princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT\PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the above contents are placed in extensions.client, you can
generate and sign a client certificate with the following commands:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048}
\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req}
\PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{CLIENT}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}PRINCNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYGZbs{}
    \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} \PYGZbs{}
    \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{client\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{client} \PYGZbs{}
    \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{pem}
\PYG{n}{rm} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req}
\end{sphinxVerbatim}

\sphinxAtStartPar
Normally, the first two commands should be run on the client host, and
the resulting client.req file transferred to the certificate authority
host for the third command.  As in the previous steps, the second
command will ask for the values of certificate fields, which can be
set to any values.  In the third command, substitute your realm’s name
for YOUR\_REALMNAME and the client’s principal name (without realm) for
YOUR\_PRINCNAME.  You can adjust the certificate’s expiration date by
changing the number after \sphinxcode{\sphinxupquote{\sphinxhyphen{}days}}.

\sphinxAtStartPar
The result of this operation will be two files, clientkey.pem and
client.pem.  Both files must be present on the client’s host;
clientkey.pem, which contains the client’s private key, must be
protected from access by others.

\sphinxAtStartPar
As in the KDC certificate, OpenSSL will display the client principal
name as \sphinxcode{\sphinxupquote{othername:\textless{}unsupported\textgreater{}}} in the Subject Alternative Name
extension of a PKINIT client certificate.

\sphinxAtStartPar
If the client principal name contains more than one component
(e.g. \sphinxcode{\sphinxupquote{host/example.com@REALM}}), the \sphinxcode{\sphinxupquote{{[}principals{]}}} section of
\sphinxcode{\sphinxupquote{extensions.client}} must be altered to contain multiple entries.
(Simply setting \sphinxcode{\sphinxupquote{CLIENT}} to \sphinxcode{\sphinxupquote{host/example.com}} would generate a
certificate for \sphinxcode{\sphinxupquote{host\textbackslash{}/example.com@REALM}} which would not match the
multi\sphinxhyphen{}component principal name.)  For a two\sphinxhyphen{}component principal, the
section should read:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[principals]
princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT1\PYGZcb{}
princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT2\PYGZcb{}
\end{sphinxVerbatim}

\sphinxAtStartPar
The environment variables \sphinxcode{\sphinxupquote{CLIENT1}} and \sphinxcode{\sphinxupquote{CLIENT2}} must then be set
to the first and second components when running \sphinxcode{\sphinxupquote{openssl x509}}.


\section{Configuring the KDC}
\label{\detokenize{admin/pkinit:configuring-the-kdc}}
\sphinxAtStartPar
The KDC must have filesystem access to the KDC certificate (kdc.pem)
and the KDC private key (kdckey.pem).  Configure the following
relation in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file, either in the
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section or in a {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with
appropriate pathnames):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}identity} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem}
\end{sphinxVerbatim}

\sphinxAtStartPar
If any clients will authenticate using regular (as opposed to
anonymous) PKINIT, the KDC must also have filesystem access to the CA
certificate (cacert.pem), and the following configuration (with the
appropriate pathname):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem}
\end{sphinxVerbatim}

\sphinxAtStartPar
Because of the larger size of requests and responses using PKINIT, you
may also need to allow TCP access to the KDC:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88}
\end{sphinxVerbatim}

\sphinxAtStartPar
Restart the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to pick up the configuration
changes.

\sphinxAtStartPar
The principal entry for each PKINIT\sphinxhyphen{}using client must be configured to
require preauthentication.  Ensure this with the command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{modprinc +requires\PYGZus{}preauth YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Starting with release 1.12, it is possible to remove the long\sphinxhyphen{}term
keys of a principal entry, which can save some space in the database
and help to clarify some PKINIT\sphinxhyphen{}related error conditions by not asking
for a password:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{purgekeys \PYGZhy{}all YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
These principal options can also be specified at principal creation
time as follows:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
By default, the KDC requires PKINIT client certificates to have the
standard Extended Key Usage and Subject Alternative Name attributes
for PKINIT.  Starting in release 1.16, it is possible to authorize
client certificates based on the subject or other criteria instead of
the standard PKINIT Subject Alternative Name, by setting the
\sphinxstylestrong{pkinit\_cert\_match} string attribute on each client principal entry.
For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@REALM} \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZlt{}SUBJECT\PYGZgt{}CN=user@REALM\PYGZdl{}}\PYG{l+s+s2}{\PYGZdq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The \sphinxstylestrong{pkinit\_cert\_match} string attribute follows the syntax used by
the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} \sphinxstylestrong{pkinit\_cert\_match} relation.  To allow the
use of non\sphinxhyphen{}PKINIT client certificates, it will also be necessary to
disable key usage checking using the \sphinxstylestrong{pkinit\_eku\_checking} relation;
for example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
    \PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{none}
\end{sphinxVerbatim}


\section{Configuring the clients}
\label{\detokenize{admin/pkinit:configuring-the-clients}}
\sphinxAtStartPar
Client hosts must be configured to trust the issuing authority for the
KDC certificate.  For a newly established certificate authority, the
client host must have filesystem access to the CA certificate
(cacert.pem) and the following relation in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} in the
appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with appropriate pathnames):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the KDC certificate is a commercially issued server certificate,
the issuing certificate is most likely included in a system directory.
You can specify it by filename as above, or specify the whole
directory like so:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{ssl}\PYG{o}{/}\PYG{n}{certs}
\end{sphinxVerbatim}

\sphinxAtStartPar
A commercially issued server certificate will usually not have the
standard PKINIT principal name or Extended Key Usage extensions, so
the following additional configuration is required:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{kpServerAuth}
\PYG{n}{pkinit\PYGZus{}kdc\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{hostname}\PYG{o}{.}\PYG{n}{of}\PYG{o}{.}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{certificate}
\end{sphinxVerbatim}

\sphinxAtStartPar
Multiple \sphinxstylestrong{pkinit\_kdc\_hostname} relations can be configured to
recognize multiple KDC certificates.  If the KDC is an Active
Directory domain controller, setting \sphinxstylestrong{pkinit\_kdc\_hostname} is
necessary, but it should not be necessary to set
\sphinxstylestrong{pkinit\_eku\_checking}.

\sphinxAtStartPar
To perform regular (as opposed to anonymous) PKINIT authentication, a
client host must have filesystem access to a client certificate
(client.pem), and the corresponding private key (clientkey.pem).
Configure the following relations in the client host’s
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection
(with appropriate pathnames):

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}identities} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{client}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the KDC and client are properly configured, it should now be
possible to run \sphinxcode{\sphinxupquote{kinit username}} without entering a password.


\section{Anonymous PKINIT}
\label{\detokenize{admin/pkinit:anonymous-pkinit}}\label{\detokenize{admin/pkinit:id1}}
\sphinxAtStartPar
Anonymity support in Kerberos allows a client to obtain a ticket
without authenticating as any particular principal.  Such a ticket can
be used as a FAST armor ticket, or to securely communicate with an
application server anonymously.

\sphinxAtStartPar
To configure anonymity support, you must generate or otherwise procure
a KDC certificate and configure the KDC host, but you do not need to
generate any client certificates.  On the KDC, you must set the
\sphinxstylestrong{pkinit\_identity} variable to provide the KDC certificate, but do
not need to set the \sphinxstylestrong{pkinit\_anchors} variable or store the issuing
certificate if you won’t have any client certificates to verify.  On
client hosts, you must set the \sphinxstylestrong{pkinit\_anchors} variable (and
possibly \sphinxstylestrong{pkinit\_kdc\_hostname} and \sphinxstylestrong{pkinit\_eku\_checking}) in order
to trust the issuing authority for the KDC certificate, but do not
need to set the \sphinxstylestrong{pkinit\_identities} variable.

\sphinxAtStartPar
Anonymity support is not enabled by default.  To enable it, you must
create the principal \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS}} using the command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{addprinc \PYGZhy{}randkey WELLKNOWN/ANONYMOUS}\PYG{l+s+s1}{\PYGZsq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
Some Kerberos deployments include application servers which lack
proper access control, and grant some level of access to any user who
can authenticate.  In such an environment, enabling anonymity support
on the KDC would present a security issue.  If you need to enable
anonymity support for TGTs (for use as FAST armor tickets) without
enabling anonymous authentication to application servers, you can set
the variable \sphinxstylestrong{restrict\_anonymous\_to\_tgt} to \sphinxcode{\sphinxupquote{true}} in the
appropriate {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file.

\sphinxAtStartPar
To obtain anonymous credentials on a client, run \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n}}, or
\sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}n @REALMNAME}} to specify a realm.  The resulting tickets
will have the client name \sphinxcode{\sphinxupquote{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}}.


\section{Freshness tokens}
\label{\detokenize{admin/pkinit:freshness-tokens}}
\sphinxAtStartPar
Freshness tokens can ensure that the client has recently had access to
its certificate private key.  If freshness tokens are not required by
the KDC, a client program with temporary possession of the private key
can compose requests for future timestamps and use them later.

\sphinxAtStartPar
In release 1.17 and later, freshness tokens are supported by the
client and are sent by the KDC when the client indicates support for
them.  Because not all clients support freshness tokens yet, they are
not required by default.  To check if freshness tokens are supported
by a realm’s clients, look in the KDC logs for the lines:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}}
\PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{no} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
To require freshness tokens for all clients in a realm (except for
clients authenticating anonymously), set the
\sphinxstylestrong{pkinit\_require\_freshness} variable to \sphinxcode{\sphinxupquote{true}} in the appropriate
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file.  To
test that this option is in effect, run \sphinxcode{\sphinxupquote{kinit \sphinxhyphen{}X disable\_freshness}}
and verify that authentication is unsuccessful.

\sphinxstepscope


\chapter{OTP Preauthentication}
\label{\detokenize{admin/otp:otp-preauthentication}}\label{\detokenize{admin/otp:otp-preauth}}\label{\detokenize{admin/otp::doc}}
\sphinxAtStartPar
OTP is a preauthentication mechanism for Kerberos 5 which uses One
Time Passwords (OTP) to authenticate the client to the KDC.  The OTP
is passed to the KDC over an encrypted FAST channel in clear\sphinxhyphen{}text.
The KDC uses the password along with per\sphinxhyphen{}user configuration to proxy
the request to a third\sphinxhyphen{}party RADIUS system.  This enables
out\sphinxhyphen{}of\sphinxhyphen{}the\sphinxhyphen{}box compatibility with a large number of already widely
deployed proprietary systems.

\sphinxAtStartPar
Additionally, our implementation of the OTP system allows for the
passing of RADIUS requests over a UNIX domain stream socket.  This
permits the use of a local companion daemon which can handle the
details of authentication.


\section{Defining token types}
\label{\detokenize{admin/otp:defining-token-types}}
\sphinxAtStartPar
Token types are defined in either {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} or
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} according to the following format:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]}
    \PYG{o}{\PYGZlt{}}\PYG{n}{name}\PYG{o}{\PYGZgt{}} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{server} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{host}\PYG{p}{:}\PYG{n}{port} \PYG{o+ow}{or} \PYG{n}{filename}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{see} \PYG{n}{below}\PYG{p}{)}
        \PYG{n}{secret} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{filename}\PYG{o}{\PYGZgt{}}
        \PYG{n}{timeout} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{5} \PYG{p}{[}\PYG{n}{seconds}\PYG{p}{]}\PYG{p}{)}
        \PYG{n}{retries} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{3}\PYG{p}{)}
        \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{boolean}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{true}\PYG{p}{)}
        \PYG{n}{indicator} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{none}\PYG{p}{)}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the server field begins with ‘/’, it will be interpreted as a UNIX
socket.  Otherwise, it is assumed to be in the format host:port.  When
a UNIX domain socket is specified, the secret field is optional and an
empty secret is used by default.  If the server field is not
specified, it defaults to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/\textless{}name\textgreater{}.socket}}.

\sphinxAtStartPar
When forwarding the request over RADIUS, by default the principal is
used in the User\sphinxhyphen{}Name attribute of the RADIUS packet.  The strip\_realm
parameter controls whether the principal is forwarded with or without
the realm portion.

\sphinxAtStartPar
If an indicator field is present, tickets issued using this token type
will be annotated with the specified authentication indicator (see
{\hyperref[\detokenize{admin/auth_indicator:auth-indicator}]{\sphinxcrossref{\DUrole{std,std-ref}{Authentication indicators}}}}).  This key may be specified multiple times to
add multiple indicators.


\section{The default token type}
\label{\detokenize{admin/otp:the-default-token-type}}
\sphinxAtStartPar
A default token type is used internally when no token type is specified for a
given user.  It is defined as follows:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]}
    \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}}
        \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false}
    \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
The administrator may override the internal \sphinxcode{\sphinxupquote{DEFAULT}} token type
simply by defining a configuration with the same name.


\section{Token instance configuration}
\label{\detokenize{admin/otp:token-instance-configuration}}
\sphinxAtStartPar
To enable OTP for a client principal, the administrator must define
the \sphinxstylestrong{otp} string attribute for that principal.  (See
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}.)  The \sphinxstylestrong{otp} user string is a JSON string of the
format:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
[\PYGZob{}
\PYG{+w}{    }\PYGZdq{}type\PYGZdq{}:\PYG{+w}{ }\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}},
\PYG{+w}{    }\PYGZdq{}username\PYGZdq{}:\PYG{+w}{ }\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}},
\PYG{+w}{    }\PYGZdq{}indicators\PYGZdq{}:\PYG{+w}{ }[\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}},\PYG{+w}{ }...]
\PYG{+w}{ }\PYGZcb{},\PYG{+w}{ }...]
\end{sphinxVerbatim}

\sphinxAtStartPar
This is an array of token objects.  Both fields of token objects are
optional.  The \sphinxstylestrong{type} field names the token type of this token; if
not specified, it defaults to \sphinxcode{\sphinxupquote{DEFAULT}}.  The \sphinxstylestrong{username} field
specifies the value to be sent in the User\sphinxhyphen{}Name RADIUS attribute.  If
not specified, the principal name is sent, with or without realm as
defined in the token type.  The \sphinxstylestrong{indicators} field specifies a list
of authentication indicators to annotate tickets with, overriding any
indicators specified in the token type.

\sphinxAtStartPar
For ease of configuration, an empty array (\sphinxcode{\sphinxupquote{{[}{]}}}) is treated as
equivalent to one DEFAULT token (\sphinxcode{\sphinxupquote{{[}\{\}{]}}}).


\section{Other considerations}
\label{\detokenize{admin/otp:other-considerations}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
FAST is required for OTP to work.

\end{enumerate}

\sphinxstepscope


\chapter{SPAKE Preauthentication}
\label{\detokenize{admin/spake:spake-preauthentication}}\label{\detokenize{admin/spake:spake}}\label{\detokenize{admin/spake::doc}}
\sphinxAtStartPar
SPAKE preauthentication (added in release 1.17) uses public key
cryptography techniques to protect against {\hyperref[\detokenize{admin/dictionary:dictionary}]{\sphinxcrossref{\DUrole{std,std-ref}{password dictionary
attacks}}}}.  Unlike {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}}, it does not
require any additional infrastructure such as certificates; it simply
needs to be turned on.  Using SPAKE preauthentication may modestly
increase the CPU and network load on the KDC.

\sphinxAtStartPar
SPAKE preauthentication can use one of four elliptic curve groups for
its password\sphinxhyphen{}authenticated key exchange.  The recommended group is
\sphinxcode{\sphinxupquote{edwards25519}}; three NIST curves (\sphinxcode{\sphinxupquote{P\sphinxhyphen{}256}}, \sphinxcode{\sphinxupquote{P\sphinxhyphen{}384}}, and
\sphinxcode{\sphinxupquote{P\sphinxhyphen{}521}}) are also supported.

\sphinxAtStartPar
By default, SPAKE with the \sphinxcode{\sphinxupquote{edwards25519}} group is enabled on
clients, but the KDC does not offer SPAKE by default.  To turn it on,
set the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} to a
list of allowed groups.  This variable affects both the client and the
KDC.  Simply setting it to \sphinxcode{\sphinxupquote{edwards25519}} is recommended:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{spake\PYGZus{}preauth\PYGZus{}groups} \PYG{o}{=} \PYG{n}{edwards25519}
\end{sphinxVerbatim}

\sphinxAtStartPar
Set the \sphinxstylestrong{+requires\_preauth} and \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flags on client
principal entries, as you would for any preauthentication mechanism:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME}
\end{sphinxVerbatim}

\sphinxAtStartPar
Clients which do not implement SPAKE preauthentication will fall back
to encrypted timestamp.

\sphinxAtStartPar
An active attacker can force a fallback to encrypted timestamp by
modifying the initial KDC response, defeating the protection against
dictionary attacks.  To prevent this fallback on clients which do
implement SPAKE preauthentication, set the
\sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{\sphinxupquote{true}} in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection for realms whose KDCs offer SPAKE
preauthentication.

\sphinxAtStartPar
By default, SPAKE preauthentication requires an extra network round
trip to the KDC during initial authentication.  If most of the clients
in a realm support SPAKE, this extra round trip can be eliminated
using an optimistic challenge, by setting the
\sphinxstylestrong{spake\_preauth\_kdc\_challenge} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} to a
single group name:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]}
    \PYG{n}{spake\PYGZus{}preauth\PYGZus{}kdc\PYGZus{}challenge} \PYG{o}{=} \PYG{n}{edwards25519}
\end{sphinxVerbatim}

\sphinxAtStartPar
Using optimistic challenge will cause the KDC to do extra work for
initial authentication requests that do not result in SPAKE
preauthentication, but will save work when SPAKE preauthentication is
used.

\sphinxstepscope


\chapter{Addressing dictionary attack risks}
\label{\detokenize{admin/dictionary:addressing-dictionary-attack-risks}}\label{\detokenize{admin/dictionary:dictionary}}\label{\detokenize{admin/dictionary::doc}}
\sphinxAtStartPar
Kerberos initial authentication is normally secured using the client
principal’s long\sphinxhyphen{}term key, which for users is generally derived from a
password.  Using a pasword\sphinxhyphen{}derived long\sphinxhyphen{}term key carries the risk of a
dictionary attack, where an attacker tries a sequence of possible
passwords, possibly requiring much less effort than would be required
to try all possible values of the key.  Even if {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{password policy
objects}}}} are used to force users not to pick trivial
passwords, dictionary attacks can sometimes be successful against a
significant fraction of the users in a realm.  Dictionary attacks are
not a concern for principals using random keys.

\sphinxAtStartPar
A dictionary attack may be online or offline.  An online dictionary
attack is performed by trying each password in a separate request to
the KDC, and is therefore visible to the KDC and also limited in speed
by the KDC’s processing power and the network capacity between the
client and the KDC.  Online dictionary attacks can be mitigated using
{\hyperref[\detokenize{admin/lockout:lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{account lockout}}}}.  This measure is not totally
satisfactory, as it makes it easy for an attacker to deny access to a
client principal.

\sphinxAtStartPar
An offline dictionary attack is performed by obtaining a ciphertext
generated using the password\sphinxhyphen{}derived key, and trying each password
against the ciphertext.  This category of attack is invisible to the
KDC and can be performed much faster than an online attack.  The
attack will generally take much longer with more recent encryption
types (particularly the ones based on AES), because those encryption
types use a much more expensive string\sphinxhyphen{}to\sphinxhyphen{}key function.  However, the
best defense is to deny the attacker access to a useful ciphertext.
The required defensive measures depend on the attacker’s level of
network access.

\sphinxAtStartPar
An off\sphinxhyphen{}path attacker has no access to packets sent between legitimate
users and the KDC.  An off\sphinxhyphen{}path attacker could gain access to an
attackable ciphertext either by making an AS request for a client
principal which does not have the \sphinxstylestrong{+requires\_preauth} flag, or by
making a TGS request (after authenticating as a different user) for a
server principal which does not have the \sphinxstylestrong{\sphinxhyphen{}allow\_svr} flag.  To
address off\sphinxhyphen{}path attackers, a KDC administrator should set those flags
on principals with password\sphinxhyphen{}derived keys:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}principal} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{princname}
\end{sphinxVerbatim}

\sphinxAtStartPar
An attacker with passive network access (one who can monitor packets
sent between legitimate users and the KDC, but cannot change them or
insert their own packets) can gain access to an attackable ciphertext
by observing an authentication by a user using the most common form of
preauthentication, encrypted timestamp.  Any of the following methods
can prevent dictionary attacks by attackers with passive network
access:
\begin{itemize}
\item {} 
\sphinxAtStartPar
Enabling {\hyperref[\detokenize{admin/spake:spake}]{\sphinxcrossref{\DUrole{std,std-ref}{SPAKE preauthentication}}}} (added in release
1.17) on the KDC, and ensuring that all clients are able to support
it.

\item {} 
\sphinxAtStartPar
Using an {\hyperref[\detokenize{admin/https:https}]{\sphinxcrossref{\DUrole{std,std-ref}{HTTPS proxy}}}} for communication with the KDC,
if the attacker cannot monitor communication between the proxy
server and the KDC.

\item {} 
\sphinxAtStartPar
Using FAST, protecting the initial authentication with either a
random key (such as a host key) or with {\hyperref[\detokenize{admin/pkinit:anonymous-pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{anonymous PKINIT}}}}.

\end{itemize}

\sphinxAtStartPar
An attacker with active network access (one who can inject or modify
packets sent between legitimate users and the KDC) can try to fool the
client software into sending an attackable ciphertext using an
encryption type and salt string of the attacker’s choosing.  Any of the
following methods can prevent dictionary attacks by active attackers:
\begin{itemize}
\item {} 
\sphinxAtStartPar
Enabling SPAKE preauthentication and setting the
\sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{\sphinxupquote{true}} in the
{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the client configuration.

\item {} 
\sphinxAtStartPar
Using an HTTPS proxy as described above, configured in the client’s
krb5.conf realm configuration.  If {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC discovery}}}} is used to locate a proxy server, an active
attacker may be able to use DNS spoofing to cause the client to use
a different HTTPS server or to not use HTTPS.

\item {} 
\sphinxAtStartPar
Using FAST as described above.

\end{itemize}

\sphinxAtStartPar
If {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}} are used for
initial authentication, the principal’s long\sphinxhyphen{}term keys are not used
and dictionary attacks are usually not a concern.

\sphinxstepscope


\chapter{Principal names and DNS}
\label{\detokenize{admin/princ_dns:principal-names-and-dns}}\label{\detokenize{admin/princ_dns::doc}}
\sphinxAtStartPar
Kerberos clients can do DNS lookups to canonicalize service principal
names.  This can cause difficulties when setting up Kerberos
application servers, especially when the client’s name for the service
is different from what the service thinks its name is.


\section{Service principal names}
\label{\detokenize{admin/princ_dns:service-principal-names}}
\sphinxAtStartPar
A frequently used kind of principal name is the host\sphinxhyphen{}based service
principal name.  This kind of principal name has two components: a
service name and a hostname.  For example, \sphinxcode{\sphinxupquote{imap/imap.example.com}}
is the principal name of the “imap” service on the host
“imap.example.com”.  Other possible service names for the first
component include “host” (remote login services such as ssh), “HTTP”,
and “nfs” (Network File System).

\sphinxAtStartPar
Service administrators often publish well\sphinxhyphen{}known hostname aliases that
they would prefer users to use instead of the canonical name of the
service host.  This gives service administrators more flexibility in
deploying services.  For example, a shell login server might be named
“long\sphinxhyphen{}vanity\sphinxhyphen{}hostname.example.com”, but users will naturally prefer to
type something like “login.example.com”.  Hostname aliases also allow
for administrators to set up load balancing for some sorts of services
based on rotating \sphinxcode{\sphinxupquote{CNAME}} records in DNS.


\section{Service principal canonicalization}
\label{\detokenize{admin/princ_dns:service-principal-canonicalization}}
\sphinxAtStartPar
In the MIT krb5 client library, canonicalization of host\sphinxhyphen{}based service
principals is controlled by the \sphinxstylestrong{dns\_canonicalize\_hostname},
\sphinxstylestrong{rnds}, and \sphinxstylestrong{qualify\_shortname} variables in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.

\sphinxAtStartPar
If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{true}} (the default
value), the client performs forward resolution by looking up the IPv4
and/or IPv6 addresses of the hostname using \sphinxcode{\sphinxupquote{getaddrinfo()}}.  This
process will typically add a domain suffix to the hostname if needed,
and follow CNAME records in the DNS.  If \sphinxstylestrong{rdns} is also set to
\sphinxcode{\sphinxupquote{true}} (the default), the client will then perform a reverse lookup
of the first returned Internet address using \sphinxcode{\sphinxupquote{getnameinfo()}},
finding the name associated with the PTR record.

\sphinxAtStartPar
If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{false}}, the hostname is
not canonicalized using DNS.  If the hostname has only one component
(i.e. it contains no “.” characters), the host’s primary DNS search
domain will be appended, if there is one.  The \sphinxstylestrong{qualify\_shortname}
variable can be used to override or disable this suffix.

\sphinxAtStartPar
If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{\sphinxupquote{fallback}} (added in
release 1.18), the hostname is initially treated according to the
rules for \sphinxcode{\sphinxupquote{dns\_canonicalize\_hostname=false}}.  If a ticket request
fails because the service principal is unknown, the hostname will be
canonicalized according to the rules for
\sphinxcode{\sphinxupquote{dns\_canonicalize\_hostname=true}} and the request will be retried.

\sphinxAtStartPar
In all cases, the hostname is converted to lowercase, and any trailing
dot is removed.


\section{Reverse DNS mismatches}
\label{\detokenize{admin/princ_dns:reverse-dns-mismatches}}
\sphinxAtStartPar
Sometimes, an enterprise will have control over its forward DNS but
not its reverse DNS.  The reverse DNS is sometimes under the control
of the Internet service provider of the enterprise, and the enterprise
may not have much influence in setting up reverse DNS records for its
address space.  If there are difficulties with getting forward and
reverse DNS to match, it is best to set \sphinxcode{\sphinxupquote{rdns = false}} on client
machines.


\section{Overriding application behavior}
\label{\detokenize{admin/princ_dns:overriding-application-behavior}}
\sphinxAtStartPar
Applications can choose to use a default hostname component in their
service principal name when accepting authentication, which avoids
some sorts of hostname mismatches.  Because not all relevant
applications do this yet, using the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} setting:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]}
    \PYG{n}{ignore\PYGZus{}acceptor\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{true}
\end{sphinxVerbatim}

\sphinxAtStartPar
will allow the Kerberos library to override the application’s choice
of service principal hostname and will allow a server program to
accept incoming authentications using any key in its keytab that
matches the service name and realm name (if given).  This setting
defaults to “false” and is available in releases krb5\sphinxhyphen{}1.10 and later.


\section{Provisioning keytabs}
\label{\detokenize{admin/princ_dns:provisioning-keytabs}}
\sphinxAtStartPar
One service principal entry that should be in the keytab is a
principal whose hostname component is the canonical hostname that
\sphinxcode{\sphinxupquote{getaddrinfo()}} reports for all known aliases for the host.  If the
reverse DNS information does not match this canonical hostname, an
additional service principal entry should be in the keytab for this
different hostname.


\section{Specific application advice}
\label{\detokenize{admin/princ_dns:specific-application-advice}}

\subsection{Secure shell (ssh)}
\label{\detokenize{admin/princ_dns:secure-shell-ssh}}
\sphinxAtStartPar
Setting \sphinxcode{\sphinxupquote{GSSAPIStrictAcceptorCheck = no}} in the configuration file
of modern versions of the openssh daemon will allow the daemon to try
any key in its keytab when accepting a connection, rather than looking
for the keytab entry that matches the host’s own idea of its name
(typically the name that \sphinxcode{\sphinxupquote{gethostname()}} returns).  This requires
krb5\sphinxhyphen{}1.10 or later.


\subsection{OpenLDAP (ldapsearch, etc.)}
\label{\detokenize{admin/princ_dns:openldap-ldapsearch-etc}}
\sphinxAtStartPar
OpenLDAP’s SASL implementation performs reverse DNS lookup in order to
canonicalize service principal names, even if \sphinxstylestrong{rdns} is set to
\sphinxcode{\sphinxupquote{false}} in the Kerberos configuration.  To disable this behavior,
add \sphinxcode{\sphinxupquote{SASL\_NOCANON on}} to \sphinxcode{\sphinxupquote{ldap.conf}}, or set the
\sphinxcode{\sphinxupquote{LDAPSASL\_NOCANON}} environment variable.

\sphinxstepscope


\chapter{Encryption types}
\label{\detokenize{admin/enctypes:encryption-types}}\label{\detokenize{admin/enctypes:enctypes}}\label{\detokenize{admin/enctypes::doc}}
\sphinxAtStartPar
Kerberos can use a variety of cipher algorithms to protect data.  A
Kerberos \sphinxstylestrong{encryption type} (also known as an \sphinxstylestrong{enctype}) is a
specific combination of a cipher algorithm with an integrity algorithm
to provide both confidentiality and integrity to data.


\section{Enctypes in requests}
\label{\detokenize{admin/enctypes:enctypes-in-requests}}
\sphinxAtStartPar
Clients make two types of requests (KDC\sphinxhyphen{}REQ) to the KDC: AS\sphinxhyphen{}REQs and
TGS\sphinxhyphen{}REQs.  The client uses the AS\sphinxhyphen{}REQ to obtain initial tickets
(typically a Ticket\sphinxhyphen{}Granting Ticket (TGT)), and uses the TGS\sphinxhyphen{}REQ to
obtain service tickets.

\sphinxAtStartPar
The KDC uses three different keys when issuing a ticket to a client:
\begin{itemize}
\item {} 
\sphinxAtStartPar
The long\sphinxhyphen{}term key of the service: the KDC uses this to encrypt the
actual service ticket.  The KDC only uses the first long\sphinxhyphen{}term key in
the most recent kvno for this purpose.

\item {} 
\sphinxAtStartPar
The session key: the KDC randomly chooses this key and places one
copy inside the ticket and the other copy inside the encrypted part
of the reply.

\item {} 
\sphinxAtStartPar
The reply\sphinxhyphen{}encrypting key: the KDC uses this to encrypt the reply it
sends to the client.  For AS replies, this is a long\sphinxhyphen{}term key of the
client principal.  For TGS replies, this is either the session key of the
authenticating ticket, or a subsession key.

\end{itemize}

\sphinxAtStartPar
Each of these keys is of a specific enctype.

\sphinxAtStartPar
Each request type allows the client to submit a list of enctypes that
it is willing to accept.  For the AS\sphinxhyphen{}REQ, this list affects both the
session key selection and the reply\sphinxhyphen{}encrypting key selection.  For the
TGS\sphinxhyphen{}REQ, this list only affects the session key selection.


\section{Session key selection}
\label{\detokenize{admin/enctypes:session-key-selection}}\label{\detokenize{admin/enctypes:id1}}
\sphinxAtStartPar
The KDC chooses the session key enctype by taking the intersection of
its \sphinxstylestrong{permitted\_enctypes} list, the list of long\sphinxhyphen{}term keys for the
most recent kvno of the service, and the client’s requested list of
enctypes.  Starting in krb5\sphinxhyphen{}1.21, all services are assumed to support
aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96; also, des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 and arcfour\sphinxhyphen{}hmac session
keys will not be issued by default.

\sphinxAtStartPar
Starting in krb5\sphinxhyphen{}1.11, it is possible to set a string attribute on a
service principal to control what session key enctypes the KDC may
issue for service tickets for that principal, overriding the service’s
long\sphinxhyphen{}term keys and the assumption of aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 support.
See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for details.


\section{Choosing enctypes for a service}
\label{\detokenize{admin/enctypes:choosing-enctypes-for-a-service}}
\sphinxAtStartPar
Generally, a service should have a key of the strongest
enctype that both it and the KDC support.  If the KDC is running a
release earlier than krb5\sphinxhyphen{}1.11, it is also useful to generate an
additional key for each enctype that the service can support.  The KDC
will only use the first key in the list of long\sphinxhyphen{}term keys for encrypting
the service ticket, but the additional long\sphinxhyphen{}term keys indicate the
other enctypes that the service supports.

\sphinxAtStartPar
As noted above, starting with release krb5\sphinxhyphen{}1.11, there are additional
configuration settings that control session key enctype selection
independently of the set of long\sphinxhyphen{}term keys that the KDC has stored for
a service principal.


\section{Configuration variables}
\label{\detokenize{admin/enctypes:configuration-variables}}
\sphinxAtStartPar
The following \sphinxcode{\sphinxupquote{{[}libdefaults{]}}} settings in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} will
affect how enctypes are chosen.
\begin{description}
\sphinxlineitem{\sphinxstylestrong{allow\_weak\_crypto}}
\sphinxAtStartPar
defaults to \sphinxstyleemphasis{false} starting with krb5\sphinxhyphen{}1.8.  When \sphinxstyleemphasis{false}, removes
weak enctypes from \sphinxstylestrong{permitted\_enctypes},
\sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{default\_tgs\_enctypes}.  Do not
set this to \sphinxstyleemphasis{true} unless the use of weak enctypes is an
acceptable risk for your environment and the weak enctypes are
required for backward compatibility.

\sphinxlineitem{\sphinxstylestrong{allow\_des3}}
\sphinxAtStartPar
was added in release 1.21 and defaults to \sphinxstyleemphasis{false}.  Unless this
flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with
des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 session keys.  In a future release, this flag will
control whether des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 is permitted in similar fashion to
weak enctypes.

\sphinxlineitem{\sphinxstylestrong{allow\_rc4}}
\sphinxAtStartPar
was added in release 1.21 and defaults to \sphinxstyleemphasis{false}.  Unless this
flag is set to \sphinxstyleemphasis{true}, the KDC will not issue tickets with
arcfour\sphinxhyphen{}hmac session keys.  In a future release, this flag will
control whether arcfour\sphinxhyphen{}hmac is permitted in similar fashion to
weak enctypes.

\sphinxlineitem{\sphinxstylestrong{permitted\_enctypes}}
\sphinxAtStartPar
controls the set of enctypes that a service will permit for
session keys and for ticket and authenticator encryption.  The KDC
and other programs that access the Kerberos database will ignore
keys of non\sphinxhyphen{}permitted enctypes.  Starting in release 1.18, this
setting also acts as the default for \sphinxstylestrong{default\_tkt\_enctypes} and
\sphinxstylestrong{default\_tgs\_enctypes}.

\sphinxlineitem{\sphinxstylestrong{default\_tkt\_enctypes}}
\sphinxAtStartPar
controls the default set of enctypes that the Kerberos client
library requests when making an AS\sphinxhyphen{}REQ.  Do not set this unless
required for specific backward compatibility purposes; stale
values of this setting can prevent clients from taking advantage
of new stronger enctypes when the libraries are upgraded.

\sphinxlineitem{\sphinxstylestrong{default\_tgs\_enctypes}}
\sphinxAtStartPar
controls the default set of enctypes that the Kerberos client
library requests when making a TGS\sphinxhyphen{}REQ.  Do not set this unless
required for specific backward compatibility purposes; stale
values of this setting can prevent clients from taking advantage
of new stronger enctypes when the libraries are upgraded.

\end{description}

\sphinxAtStartPar
The following per\sphinxhyphen{}realm setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} affects the
generation of long\sphinxhyphen{}term keys.
\begin{description}
\sphinxlineitem{\sphinxstylestrong{supported\_enctypes}}
\sphinxAtStartPar
controls the default set of enctype\sphinxhyphen{}salttype pairs that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}
will use for generating long\sphinxhyphen{}term keys, either randomly or from
passwords

\end{description}


\section{Enctype compatibility}
\label{\detokenize{admin/enctypes:enctype-compatibility}}
\sphinxAtStartPar
See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for additional information about enctypes.


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TTTT}
\sphinxtoprule
\sphinxstyletheadfamily 
\sphinxAtStartPar
enctype
&\sphinxstyletheadfamily 
\sphinxAtStartPar
weak?
&\sphinxstyletheadfamily 
\sphinxAtStartPar
krb5
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Windows
\\
\sphinxmidrule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
des\sphinxhyphen{}cbc\sphinxhyphen{}crc
&
\sphinxAtStartPar
weak
&
\sphinxAtStartPar
\textless{}1.18
&
\sphinxAtStartPar
\textgreater{}=2000
\\
\sphinxhline
\sphinxAtStartPar
des\sphinxhyphen{}cbc\sphinxhyphen{}md4
&
\sphinxAtStartPar
weak
&
\sphinxAtStartPar
\textless{}1.18
&
\sphinxAtStartPar
?
\\
\sphinxhline
\sphinxAtStartPar
des\sphinxhyphen{}cbc\sphinxhyphen{}md5
&
\sphinxAtStartPar
weak
&
\sphinxAtStartPar
\textless{}1.18
&
\sphinxAtStartPar
\textgreater{}=2000
\\
\sphinxhline
\sphinxAtStartPar
des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1
&
\sphinxAtStartPar
deprecated
&
\sphinxAtStartPar
\textgreater{}=1.1
&
\sphinxAtStartPar
none
\\
\sphinxhline
\sphinxAtStartPar
arcfour\sphinxhyphen{}hmac
&
\sphinxAtStartPar
deprecated
&
\sphinxAtStartPar
\textgreater{}=1.3
&
\sphinxAtStartPar
\textgreater{}=2000
\\
\sphinxhline
\sphinxAtStartPar
arcfour\sphinxhyphen{}hmac\sphinxhyphen{}exp
&
\sphinxAtStartPar
weak
&
\sphinxAtStartPar
\textgreater{}=1.3
&
\sphinxAtStartPar
\textgreater{}=2000
\\
\sphinxhline
\sphinxAtStartPar
aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96
&&
\sphinxAtStartPar
\textgreater{}=1.3
&
\sphinxAtStartPar
\textgreater{}=Vista
\\
\sphinxhline
\sphinxAtStartPar
aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96
&&
\sphinxAtStartPar
\textgreater{}=1.3
&
\sphinxAtStartPar
\textgreater{}=Vista
\\
\sphinxhline
\sphinxAtStartPar
aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128
&&
\sphinxAtStartPar
\textgreater{}=1.15
&
\sphinxAtStartPar
none
\\
\sphinxhline
\sphinxAtStartPar
aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192
&&
\sphinxAtStartPar
\textgreater{}=1.15
&
\sphinxAtStartPar
none
\\
\sphinxhline
\sphinxAtStartPar
camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac
&&
\sphinxAtStartPar
\textgreater{}=1.9
&
\sphinxAtStartPar
none
\\
\sphinxhline
\sphinxAtStartPar
camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac
&&
\sphinxAtStartPar
\textgreater{}=1.9
&
\sphinxAtStartPar
none
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
krb5 releases 1.18 and later do not support single\sphinxhyphen{}DES.  krb5 releases
1.8 and later disable the single\sphinxhyphen{}DES enctypes by default.  Microsoft
Windows releases Windows 7 and later disable single\sphinxhyphen{}DES enctypes by
default.

\sphinxAtStartPar
krb5 releases 1.17 and later flag deprecated encryption types
(including \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} and \sphinxcode{\sphinxupquote{arcfour\sphinxhyphen{}hmac}}) in KDC logs and
kadmin output.  krb5 release 1.19 issues a warning during initial
authentication if \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} is used.  Future releases will
disable \sphinxcode{\sphinxupquote{des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1}} by default and eventually remove support for
it.


\section{Migrating away from older encryption types}
\label{\detokenize{admin/enctypes:migrating-away-from-older-encryption-types}}
\sphinxAtStartPar
Administrator intervention may be required to migrate a realm away
from legacy encryption types, especially if the realm was created
using krb5 release 1.2 or earlier.  This migration should be performed
before upgrading to krb5 versions which disable or remove support for
legacy encryption types.

\sphinxAtStartPar
If there is a \sphinxstylestrong{supported\_enctypes} setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} on
the KDC, make sure that it does not include weak or deprecated
encryption types.  This will ensure that newly created keys do not use
those encryption types by default.

\sphinxAtStartPar
Check the \sphinxcode{\sphinxupquote{krbtgt/REALM}} principal using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}
\sphinxstylestrong{getprinc} command.  If it lists a weak or deprecated encryption
type as the first key, it must be migrated using the procedure in
{\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}.

\sphinxAtStartPar
Check the \sphinxcode{\sphinxupquote{kadmin/history}} principal, which should have only one key
entry.  If it uses a weak or deprecated encryption type, it should be
upgraded following the notes in {\hyperref[\detokenize{admin/database:updating-history-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the history key}}}}.

\sphinxAtStartPar
Check the other kadmin principals: kadmin/changepw, kadmin/admin, and
any kadmin/hostname principals that may exist.  These principals can
be upgraded with \sphinxstylestrong{change\_password \sphinxhyphen{}randkey} in kadmin.

\sphinxAtStartPar
Check the \sphinxcode{\sphinxupquote{K/M}} entry.  If it uses a weak or deprecated encryption
type, it should be upgraded following the procedure in
{\hyperref[\detokenize{admin/database:updating-master-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the master key}}}}.

\sphinxAtStartPar
User and service principals using legacy encryption types can be
enumerated with the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{tabdump keyinfo} command.

\sphinxAtStartPar
Service principals can be migrated with a keytab rotation on the
service host, which can be accomplished using the {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}}
\sphinxstylestrong{change} and \sphinxstylestrong{delold} commands.  Allow enough time for existing
tickets to expire between the change and delold operations.

\sphinxAtStartPar
User principals with password\sphinxhyphen{}based keys can be migrated with a
password change.  The realm administrator can set a password
expiration date using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{modify\_principal
\sphinxhyphen{}pwexpire} command to force a password change.

\sphinxAtStartPar
If a legacy encryption type has not yet been disabled by default in
the version of krb5 running on the KDC, it can be disabled
administratively with the \sphinxstylestrong{permitted\_enctypes} variable.  For
example, setting \sphinxstylestrong{permitted\_enctypes} to \sphinxcode{\sphinxupquote{DEFAULT \sphinxhyphen{}des3 \sphinxhyphen{}rc4}} will
cause any database keys of the triple\sphinxhyphen{}DES and RC4 encryption types to
be ignored.

\sphinxstepscope


\chapter{HTTPS proxy configuration}
\label{\detokenize{admin/https:https-proxy-configuration}}\label{\detokenize{admin/https:https}}\label{\detokenize{admin/https::doc}}
\sphinxAtStartPar
In addition to being able to use UDP or TCP to communicate directly
with a KDC as is outlined in RFC4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to use an HTTPS
proxy server to communicate with a KDC or kpasswd service, using the
protocol outlined in {[}MS\sphinxhyphen{}KKDCP{]}.

\sphinxAtStartPar
Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so.  The use of TLS also encrypts all traffic between the
clients and the KDC, preventing observers from conducting password
dictionary attacks or from observing the client and server principals
being authenticated, at additional computational cost to both clients
and servers.

\sphinxAtStartPar
An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named \sphinxtitleref{kdcproxy}
is available in the python package index.


\section{Configuring the clients}
\label{\detokenize{admin/https:configuring-the-clients}}
\sphinxAtStartPar
To use an HTTPS proxy, a client host must trust the CA which issued
that proxy’s SSL certificate.  If that CA’s certificate is not in the
system\sphinxhyphen{}wide default set of trusted certificates, configure the
following relation in the client host’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in
the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{http\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem}
\end{sphinxVerbatim}

\sphinxAtStartPar
Adjust the pathname to match the path of the file which contains a
copy of the CA’s certificate.  The \sphinxtitleref{http\_anchors} option is documented
more fully in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.

\sphinxAtStartPar
Configure the client to access the KDC and kpasswd service by
specifying their locations in its {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the form
of HTTPS URLs for the proxy server:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdc} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy}
\PYG{n}{kpasswd\PYGZus{}server} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy}
\end{sphinxVerbatim}

\sphinxAtStartPar
If the proxy and client are properly configured, client commands such
as \sphinxcode{\sphinxupquote{kinit}}, \sphinxcode{\sphinxupquote{kvno}}, and \sphinxcode{\sphinxupquote{kpasswd}} should all function normally.

\sphinxstepscope


\chapter{Authentication indicators}
\label{\detokenize{admin/auth_indicator:authentication-indicators}}\label{\detokenize{admin/auth_indicator:auth-indicator}}\label{\detokenize{admin/auth_indicator::doc}}
\sphinxAtStartPar
As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}}.  These
annotations are called “authentication indicators.”  Service
principals can be configured to require particular authentication
indicators in order to authenticate to that service.  An
authentication indicator value can be any string chosen by the KDC
administrator; there are no pre\sphinxhyphen{}set values.

\sphinxAtStartPar
To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.  For PKINIT, use the \sphinxstylestrong{pkinit\_indicator} variable in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  For OTP, use the \sphinxstylestrong{indicator} variable in the
token type definition, or specify the indicators in the \sphinxstylestrong{otp} user
string as described in {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP Preauthentication}}}}.

\sphinxAtStartPar
To require an indicator to be present in order to authenticate to a
service principal, set the \sphinxstylestrong{require\_auth} string attribute on the
principal to the indicator value to be required.  If you wish to allow
one of several indicators to be accepted, you can specify multiple
indicator values separated by spaces.

\sphinxAtStartPar
For example, a realm could be configured to set the authentication
indicator value “strong” when PKINIT is used to authenticate, using a
setting in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{pkinit\PYGZus{}indicator} \PYG{o}{=} \PYG{n}{strong}
\end{sphinxVerbatim}

\sphinxAtStartPar
A service principal could be configured to require the “strong”
authentication indicator value:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kadmin setstr host/high.value.server require\PYGZus{}auth strong
Password for user/admin@KRBTEST.COM:
\end{sphinxVerbatim}

\sphinxAtStartPar
A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kinit \PYGZhy{}X X509\PYGZus{}user\PYGZus{}identity=FILE:/my/cert.pem,/my/key.pem user
\PYGZdl{} kvno host/high.value.server
host/high.value.server@KRBTEST.COM: kvno = 1
\end{sphinxVerbatim}

\sphinxAtStartPar
but a user who authenticates with a password would not:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kinit user
Password for user@KRBTEST.COM:
\PYGZdl{} kvno host/high.value.server
kvno: KDC policy rejects request while getting credentials for
  host/high.value.server@KRBTEST.COM
\end{sphinxVerbatim}

\sphinxAtStartPar
GSSAPI server applications can inspect authentication indicators
through the \DUrole{xref,std,std-ref}{auth\sphinxhyphen{}indicators} name
attribute.

\sphinxstepscope


\chapter{Administration  programs}
\label{\detokenize{admin/admin_commands/index:administration-programs}}\label{\detokenize{admin/admin_commands/index::doc}}
\sphinxstepscope


\section{kadmin}
\label{\detokenize{admin/admin_commands/kadmin_local:kadmin}}\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-1}}\label{\detokenize{admin/admin_commands/kadmin_local::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kadmin_local:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kadmin}
{[}\sphinxstylestrong{\sphinxhyphen{}O}|\sphinxstylestrong{\sphinxhyphen{}N}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}{]}
{[}{[}\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{cache\_name}{]}|{[}\sphinxstylestrong{\sphinxhyphen{}k} {[}\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}{]}{]}|\sphinxstylestrong{\sphinxhyphen{}n}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}{]}
{[}command args…{]}

\sphinxAtStartPar
\sphinxstylestrong{kadmin.local}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …{]}
{[}\sphinxstylestrong{\sphinxhyphen{}m}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]}
{[}command args…{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kadmin_local:description}}
\sphinxAtStartPar
kadmin and kadmin.local are command\sphinxhyphen{}line interfaces to the Kerberos V5
administration system.  They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}.
Except as explicitly noted otherwise, this man page will use “kadmin”
to refer to both versions.  kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).

\sphinxAtStartPar
The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal \sphinxcode{\sphinxupquote{kadmin/admin}} or \sphinxcode{\sphinxupquote{kadmin/ADMINHOST}}
(where \sphinxstyleemphasis{ADMINHOST} is the fully\sphinxhyphen{}qualified hostname of the admin
server).  If the credentials cache contains a ticket for one of these
principals, and the \sphinxstylestrong{\sphinxhyphen{}c} credentials\_cache option is specified, that
ticket is used to authenticate to kadmind.  Otherwise, the \sphinxstylestrong{\sphinxhyphen{}p} and
\sphinxstylestrong{\sphinxhyphen{}k} options are used to specify the client Kerberos principal name
used to authenticate.  Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.

\sphinxAtStartPar
Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database.  If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/kadmin_local:options}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{realm} as the default database realm.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{principal} to authenticate.  Otherwise, kadmin will append
\sphinxcode{\sphinxupquote{/admin}} to the primary principal name of the default ccache,
the value of the \sphinxstylestrong{USER} environment variable, or the username as
obtained with getpwuid, in order of preference.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k}}
\sphinxAtStartPar
Use a keytab to decrypt the KDC response instead of prompting for
a password.  In this case, the default principal will be
\sphinxcode{\sphinxupquote{host/hostname}}.  If there is no keytab specified with the
\sphinxstylestrong{\sphinxhyphen{}t} option, then the default keytab will be used.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}t} \sphinxstyleemphasis{keytab}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{keytab} to decrypt the KDC response.  This can only be used
with the \sphinxstylestrong{\sphinxhyphen{}k} option.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}}
\sphinxAtStartPar
Requests anonymous processing.  Two types of anonymous principals
are supported.  For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s
{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  Then use the \sphinxstylestrong{\sphinxhyphen{}n} option with a principal
of the form \sphinxcode{\sphinxupquote{@REALM}} (an empty principal name followed by the
at\sphinxhyphen{}sign and a realm name).  If permitted by the KDC, an anonymous
ticket will be returned.  A second form of anonymous tickets is
supported; these realm\sphinxhyphen{}exposed tickets hide the identity of the
client but not the client’s realm.  For this mode, use \sphinxcode{\sphinxupquote{kinit
\sphinxhyphen{}n}} with a normal principal name.  If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal.  As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c} \sphinxstyleemphasis{credentials\_cache}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache.  The cache
should contain a service ticket for the \sphinxcode{\sphinxupquote{kadmin/admin}} or
\sphinxcode{\sphinxupquote{kadmin/ADMINHOST}} (where \sphinxstyleemphasis{ADMINHOST} is the fully\sphinxhyphen{}qualified
hostname of the admin server) service; it can be acquired with the
\DUrole{xref,std,std-ref}{kinit(1)} program.  If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{password}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{password} instead of prompting for one.  Use this option with
care, as it may expose the password to other users on the system
via the process list.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q} \sphinxstyleemphasis{query}}
\sphinxAtStartPar
Perform the specified query and then exit.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}
\sphinxAtStartPar
Specifies the name of the KDC database.  This option does not
apply to the LDAP database module.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}
\sphinxAtStartPar
Specifies the admin server which kadmin should contact.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}}
\sphinxAtStartPar
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …”}
\sphinxAtStartPar
Sets the keysalt list to be used for any new keys created.  See
{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible
values.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}O}}
\sphinxAtStartPar
Force use of old AUTH\_GSSAPI authentication flavor.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}N}}
\sphinxAtStartPar
Prevent fallback to AUTH\_GSSAPI authentication flavor.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}
\sphinxAtStartPar
Specifies the database specific arguments.  See the next section
for supported options.

\end{description}

\sphinxAtStartPar
Starting with release 1.14, if any command\sphinxhyphen{}line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:
\begin{itemize}
\item {} 
\sphinxAtStartPar
Query arguments are split by the shell, not by kadmin.

\item {} 
\sphinxAtStartPar
Informational and warning messages are suppressed.  Error messages
and query output (e.g. for \sphinxstylestrong{get\_principal}) will still be
displayed.

\item {} 
\sphinxAtStartPar
Confirmation prompts are disabled (as if \sphinxstylestrong{\sphinxhyphen{}force} was given).
Password prompts will still be issued as required.

\item {} 
\sphinxAtStartPar
The exit status will be non\sphinxhyphen{}zero if the query fails.

\end{itemize}

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}q} option does not carry these behavior differences; the query
will be processed as if it was entered interactively.  The \sphinxstylestrong{\sphinxhyphen{}q}
option cannot be used in combination with a query in the remaining
arguments.


\subsection{DATABASE OPTIONS}
\label{\detokenize{admin/admin_commands/kadmin_local:database-options}}\label{\detokenize{admin/admin_commands/kadmin_local:dboptions}}
\sphinxAtStartPar
Database options can be used to override database\sphinxhyphen{}specific defaults.
Supported options for the DB2 module are:
\begin{quote}
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x dbname=}*filename*}
\sphinxAtStartPar
Specifies the base filename of the DB2 database.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x lockiter}}
\sphinxAtStartPar
Make iteration operations hold the lock for the duration of
the entire operation, rather than temporarily releasing the
lock while handling each principal.  This is the default
behavior, but this option exists to allow command line
override of a {[}dbmodules{]} setting.  First introduced in
release 1.13.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x unlockiter}}
\sphinxAtStartPar
Make iteration operations unlock the database for each
principal, instead of holding the lock for the duration of the
entire operation.  First introduced in release 1.13.

\end{description}
\end{quote}

\sphinxAtStartPar
Supported options for the LDAP module are:
\begin{quote}
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x host=}\sphinxstyleemphasis{ldapuri}}
\sphinxAtStartPar
Specifies the LDAP server to connect to by a LDAP URI.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x binddn=}\sphinxstyleemphasis{bind\_dn}}
\sphinxAtStartPar
Specifies the DN used to bind to the LDAP server.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x bindpwd=}\sphinxstyleemphasis{password}}
\sphinxAtStartPar
Specifies the password or SASL secret used to bind to the LDAP
server.  Using this option may expose the password to other
users on the system via the process list; to avoid this,
instead stash the password using the \sphinxstylestrong{stashsrvpw} command of
{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_mech=}\sphinxstyleemphasis{mechanism}}
\sphinxAtStartPar
Specifies the SASL mechanism used to bind to the LDAP server.
The bind DN is ignored if a SASL mechanism is used.  New in
release 1.13.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authcid=}\sphinxstyleemphasis{name}}
\sphinxAtStartPar
Specifies the authentication name used when binding to the
LDAP server with a SASL mechanism, if the mechanism requires
one.  New in release 1.13.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_authzid=}\sphinxstyleemphasis{name}}
\sphinxAtStartPar
Specifies the authorization name used when binding to the LDAP
server with a SASL mechanism.  New in release 1.13.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x sasl\_realm=}\sphinxstyleemphasis{realm}}
\sphinxAtStartPar
Specifies the realm used when binding to the LDAP server with
a SASL mechanism, if the mechanism uses one.  New in release
1.13.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x debug=}\sphinxstyleemphasis{level}}
\sphinxAtStartPar
sets the OpenLDAP client library debug level.  \sphinxstyleemphasis{level} is an
integer to be interpreted by the library.  Debugging messages
are printed to standard error.  New in release 1.12.

\end{description}
\end{quote}


\subsection{COMMANDS}
\label{\detokenize{admin/admin_commands/kadmin_local:commands}}
\sphinxAtStartPar
When using the remote client, available commands may be restricted
according to the privileges specified in the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file
on the admin server.


\subsubsection{add\_principal}
\label{\detokenize{admin/admin_commands/kadmin_local:add-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id1}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{add\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{newprinc}
\end{quote}

\sphinxAtStartPar
Creates the principal \sphinxstyleemphasis{newprinc}, prompting twice for a password.  If
no password policy is specified with the \sphinxstylestrong{\sphinxhyphen{}policy} option, and the
policy named \sphinxcode{\sphinxupquote{default}} is assigned to the principal if it exists.
However, creating a policy named \sphinxcode{\sphinxupquote{default}} will not automatically
assign this policy to previously existing principals.  This policy
assignment can be suppressed with the \sphinxstylestrong{\sphinxhyphen{}clearpolicy} option.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{add} privilege.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank}

\sphinxAtStartPar
Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}expire} \sphinxstyleemphasis{expdate}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pwexpire} \sphinxstyleemphasis{pwexpdate}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) The password expiration date.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{maxlife}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life
for the principal.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable
life of tickets for the principal.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kvno} \sphinxstyleemphasis{kvno}}
\sphinxAtStartPar
The initial key version number.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}policy} \sphinxstyleemphasis{policy}}
\sphinxAtStartPar
The password policy used by this principal.  If not specified, the
policy \sphinxcode{\sphinxupquote{default}} is used if it exists (unless \sphinxstylestrong{\sphinxhyphen{}clearpolicy}
is specified).

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}clearpolicy}}
\sphinxAtStartPar
Prevents any policy from being assigned when \sphinxstylestrong{\sphinxhyphen{}policy} is not
specified.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_postdated}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_postdated} prohibits this principal from obtaining
postdated tickets.  \sphinxstylestrong{+allow\_postdated} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_forwardable}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_forwardable} prohibits this principal from obtaining
forwardable tickets.  \sphinxstylestrong{+allow\_forwardable} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_renewable}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_renewable} prohibits this principal from obtaining
renewable tickets.  \sphinxstylestrong{+allow\_renewable} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_proxiable}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_proxiable} prohibits this principal from obtaining
proxiable tickets.  \sphinxstylestrong{+allow\_proxiable} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_dup\_skey}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} disables user\sphinxhyphen{}to\sphinxhyphen{}user authentication for this
principal by prohibiting others from obtaining a service ticket
encrypted in this principal’s TGT session key.
\sphinxstylestrong{+allow\_dup\_skey} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_preauth}}
\sphinxAtStartPar
\sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate
before being allowed to kinit.  \sphinxstylestrong{\sphinxhyphen{}requires\_preauth} clears this
flag.  When \sphinxstylestrong{+requires\_preauth} is set on a service principal,
the KDC will only issue service tickets for that service principal
if the client’s initial authentication was performed using
preauthentication.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{requires\_hwauth}}
\sphinxAtStartPar
\sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\sphinxstylestrong{\sphinxhyphen{}requires\_hwauth} clears this flag.  When \sphinxstylestrong{+requires\_hwauth} is
set on a service principal, the KDC will only issue service tickets
for that service principal if the client’s initial authentication was
performed using a hardware device to preauthenticate.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_as\_delegate}}
\sphinxAtStartPar
\sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets
issued with this principal as the service.  Clients may use this
flag as a hint that credentials should be delegated when
authenticating to the service.  \sphinxstylestrong{\sphinxhyphen{}ok\_as\_delegate} clears this
flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_svr}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_svr} prohibits the issuance of service tickets for this
principal.  In release 1.17 and later, user\sphinxhyphen{}to\sphinxhyphen{}user service
tickets are still allowed unless the \sphinxstylestrong{\sphinxhyphen{}allow\_dup\_skey} flag is
also set.  \sphinxstylestrong{+allow\_svr} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tgs\_req}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_tgs\_req} specifies that a Ticket\sphinxhyphen{}Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\sphinxstylestrong{+allow\_tgs\_req} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{allow\_tix}}
\sphinxAtStartPar
\sphinxstylestrong{\sphinxhyphen{}allow\_tix} forbids the issuance of any tickets for this
principal.  \sphinxstylestrong{+allow\_tix} clears this flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{needchange}}
\sphinxAtStartPar
\sphinxstylestrong{+needchange} forces a password change on the next initial
authentication to this principal.  \sphinxstylestrong{\sphinxhyphen{}needchange} clears this
flag.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{password\_changing\_service}}
\sphinxAtStartPar
\sphinxstylestrong{+password\_changing\_service} marks this principal as a password
change service principal.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}
\sphinxAtStartPar
\sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire
forwardable tickets to itself from arbitrary users, for use with
constrained delegation.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{no\_auth\_data\_required}}
\sphinxAtStartPar
\sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD\sphinxhyphen{}SIGNEDPATH data from
being added to service tickets for the principal.

\sphinxlineitem{\{\sphinxhyphen{}|+\}\sphinxstylestrong{lockdown\_keys}}
\sphinxAtStartPar
\sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving
the KDC via kadmind.  The chpass and extract operations are denied
for a principal with this attribute.  The chrand operation is
allowed, but will not return the new keys.  The delete and rename
operations are also denied if this attribute is set, in order to
prevent a malicious administrator from replacing principals like
krbtgt/* or kadmin/* with new principals without the attribute.
This attribute can be set via the network protocol, but can only
be removed using kadmin.local.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}randkey}}
\sphinxAtStartPar
Sets the key of the principal to a random value.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}nokey}}
\sphinxAtStartPar
Causes the principal to be created with no key.  New in release
1.12.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}
\sphinxAtStartPar
Sets the password of the principal to the specified string and
does not prompt for a password.  Note: using this option in a
shell script may expose the password to other users on the system
via the process list.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}
\sphinxAtStartPar
Uses the specified keysalt list for setting the keys of the
principal.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a
list of possible values.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_princ\_args}}
\sphinxAtStartPar
Indicates database\sphinxhyphen{}specific options.  The options for the LDAP
database module are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x dn=}\sphinxstyleemphasis{dn}}
\sphinxAtStartPar
Specifies the LDAP object that will contain the Kerberos
principal being created.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x linkdn=}\sphinxstyleemphasis{dn}}
\sphinxAtStartPar
Specifies the LDAP object to which the newly created Kerberos
principal object will point.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x containerdn=}\sphinxstyleemphasis{container\_dn}}
\sphinxAtStartPar
Specifies the container object under which the Kerberos
principal is to be created.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x tktpolicy=}\sphinxstyleemphasis{policy}}
\sphinxAtStartPar
Associates a ticket policy to the Kerberos principal.

\end{description}

\begin{sphinxadmonition}{note}{Note:}\begin{itemize}
\item {} 
\sphinxAtStartPar
The \sphinxstylestrong{containerdn} and \sphinxstylestrong{linkdn} options cannot be
specified with the \sphinxstylestrong{dn} option.

\item {} 
\sphinxAtStartPar
If the \sphinxstyleemphasis{dn} or \sphinxstyleemphasis{containerdn} options are not specified while
adding the principal, the principals are created under the
principal container configured in the realm or the realm
container.

\item {} 
\sphinxAtStartPar
\sphinxstyleemphasis{dn} and \sphinxstyleemphasis{containerdn} should be within the subtrees or
principal container configured in the realm.

\end{itemize}
\end{sphinxadmonition}

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{jennifer}
\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;}
\PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:}
\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{modify\_principal}
\label{\detokenize{admin/admin_commands/kadmin_local:modify-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id2}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{modify\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Modifies the specified principal, changing the fields as specified.
The options to \sphinxstylestrong{add\_principal} also apply to this command, except
for the \sphinxstylestrong{\sphinxhyphen{}randkey}, \sphinxstylestrong{\sphinxhyphen{}pw}, and \sphinxstylestrong{\sphinxhyphen{}e} options.  In addition, the
option \sphinxstylestrong{\sphinxhyphen{}clearpolicy} will clear the current policy of a principal.

\sphinxAtStartPar
This command requires the \sphinxstyleemphasis{modify} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{modprinc}

\sphinxAtStartPar
Options (in addition to the \sphinxstylestrong{addprinc} options):
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}unlock}}
\sphinxAtStartPar
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.

\end{description}


\subsubsection{rename\_principal}
\label{\detokenize{admin/admin_commands/kadmin_local:rename-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id3}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{rename\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{old\_principal} \sphinxstyleemphasis{new\_principal}
\end{quote}

\sphinxAtStartPar
Renames the specified \sphinxstyleemphasis{old\_principal} to \sphinxstyleemphasis{new\_principal}.  This
command prompts for confirmation, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is
given.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{add} and \sphinxstylestrong{delete} privileges.

\sphinxAtStartPar
Alias: \sphinxstylestrong{renprinc}


\subsubsection{add\_alias}
\label{\detokenize{admin/admin_commands/kadmin_local:add-alias}}\label{\detokenize{admin/admin_commands/kadmin_local:id4}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{add\_alias} \sphinxstyleemphasis{alias\_princ} \sphinxstyleemphasis{target\_princ}
\end{quote}

\sphinxAtStartPar
Create an alias \sphinxstyleemphasis{alias\_princ} pointing to \sphinxstyleemphasis{target\_princ}.  Aliases may
be chained (that is, \sphinxstyleemphasis{target\_princ} may itself be an alias) up to a
depth of 10.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{add} privilege for \sphinxstyleemphasis{alias\_princ} and the
\sphinxstylestrong{modify} privilege for \sphinxstyleemphasis{target\_princ}.

\sphinxAtStartPar
(New in release 1.22.)

\sphinxAtStartPar
Aliases: \sphinxstylestrong{alias}


\subsubsection{delete\_principal}
\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id5}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{delete\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Deletes the specified \sphinxstyleemphasis{principal} or alias from the database.  This
command prompts for deletion, unless the \sphinxstylestrong{\sphinxhyphen{}force} option is given.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{delete} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{delprinc}


\subsubsection{change\_password}
\label{\detokenize{admin/admin_commands/kadmin_local:change-password}}\label{\detokenize{admin/admin_commands/kadmin_local:id6}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{change\_password} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Changes the password of \sphinxstyleemphasis{principal}.  Prompts for a new password if
neither \sphinxstylestrong{\sphinxhyphen{}randkey} or \sphinxstylestrong{\sphinxhyphen{}pw} is specified.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{changepw} privilege, or that the
principal running the program is the same as the principal being
changed.

\sphinxAtStartPar
Alias: \sphinxstylestrong{cpw}

\sphinxAtStartPar
The following options are available:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}randkey}}
\sphinxAtStartPar
Sets the key of the principal to a random value.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}pw} \sphinxstyleemphasis{password}}
\sphinxAtStartPar
Set the password to the specified string.  Using this option in a
script may expose the password to other users on the system via
the process list.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}
\sphinxAtStartPar
Uses the specified keysalt list for setting the keys of the
principal.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a
list of possible values.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}keepold}}
\sphinxAtStartPar
Keeps the existing keys in the database.  This flag is usually not
necessary except perhaps for \sphinxcode{\sphinxupquote{krbtgt}} principals.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{cpw} \PYG{n}{systest}
\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{changed}\PYG{o}{.}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{purgekeys}
\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys}}\label{\detokenize{admin/admin_commands/kadmin_local:id7}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{purgekeys} {[}\sphinxstylestrong{\sphinxhyphen{}all}|\sphinxstylestrong{\sphinxhyphen{}keepkvno} \sphinxstyleemphasis{oldest\_kvno\_to\_keep}{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Purges previously retained old keys (e.g., from \sphinxstylestrong{change\_password
\sphinxhyphen{}keepold}) from \sphinxstyleemphasis{principal}.  If \sphinxstylestrong{\sphinxhyphen{}keepkvno} is specified, then
only purges keys with kvnos lower than \sphinxstyleemphasis{oldest\_kvno\_to\_keep}.  If
\sphinxstylestrong{\sphinxhyphen{}all} is specified, then all keys are purged.  The \sphinxstylestrong{\sphinxhyphen{}all} option
is new in release 1.12.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{modify} privilege.


\subsubsection{get\_principal}
\label{\detokenize{admin/admin_commands/kadmin_local:get-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id8}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{get\_principal} {[}\sphinxstylestrong{\sphinxhyphen{}terse}{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Gets the attributes of principal.  With the \sphinxstylestrong{\sphinxhyphen{}terse} option, outputs
fields as quoted tab\sphinxhyphen{}separated strings.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{inquire} privilege, or that the principal
running the the program to be the same as the one being listed.

\sphinxAtStartPar
Alias: \sphinxstylestrong{getprinc}

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}
\PYG{n}{Principal}\PYG{p}{:} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{Expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]}
\PYG{n}{Last} \PYG{n}{password} \PYG{n}{change}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996}
\PYG{n}{Password} \PYG{n}{expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]}
\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{7} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Last} \PYG{n}{modified}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} \PYG{p}{(}\PYG{n}{bjaspan}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{)}
\PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]}
\PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]}
\PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{0}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192}
\PYG{n}{MKey}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}
\PYG{n}{Attributes}\PYG{p}{:}
\PYG{n}{Policy}\PYG{p}{:} \PYG{p}{[}\PYG{n}{none}\PYG{p}{]}

\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{systest}
\PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}   \PYG{l+m+mi}{3}    \PYG{l+m+mi}{86400}     \PYG{l+m+mi}{604800}    \PYG{l+m+mi}{1}
\PYG{l+m+mi}{785926535} \PYG{l+m+mi}{753241234} \PYG{l+m+mi}{785900000}
\PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}     \PYG{l+m+mi}{786100034} \PYG{l+m+mi}{0}    \PYG{l+m+mi}{0}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{list\_principals}
\label{\detokenize{admin/admin_commands/kadmin_local:list-principals}}\label{\detokenize{admin/admin_commands/kadmin_local:id9}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list\_principals} {[}\sphinxstyleemphasis{expression}{]}
\end{quote}

\sphinxAtStartPar
Retrieves all or some principal names.  \sphinxstyleemphasis{expression} is a shell\sphinxhyphen{}style
glob expression that can contain the wild\sphinxhyphen{}card characters \sphinxcode{\sphinxupquote{?}},
\sphinxcode{\sphinxupquote{*}}, and \sphinxcode{\sphinxupquote{{[}{]}}}.  All principal names matching the expression are
printed.  If no expression is provided, all principal names are
printed.  If the expression does not contain an \sphinxcode{\sphinxupquote{@}} character, an
\sphinxcode{\sphinxupquote{@}} character followed by the local realm is appended to the
expression.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{list} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{listprincs}, \sphinxstylestrong{get\_principals}, \sphinxstylestrong{getprincs}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:}  \PYG{n}{listprincs} \PYG{n}{test}\PYG{o}{*}
\PYG{n}{test3}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{test2}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{test1}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{testuser}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{get\_strings}
\label{\detokenize{admin/admin_commands/kadmin_local:get-strings}}\label{\detokenize{admin/admin_commands/kadmin_local:id10}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{get\_strings} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Displays string attributes on \sphinxstyleemphasis{principal}.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{inquire} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{getstrs}


\subsubsection{set\_string}
\label{\detokenize{admin/admin_commands/kadmin_local:set-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id11}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{set\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{name} \sphinxstyleemphasis{value}
\end{quote}

\sphinxAtStartPar
Sets a string attribute on \sphinxstyleemphasis{principal}.  String attributes are used to
supply per\sphinxhyphen{}principal configuration to the KDC and some KDC plugin
modules.  The following string attribute names are recognized by the
KDC:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{require\_auth}}
\sphinxAtStartPar
Specifies an authentication indicator which is required to
authenticate to the principal as a service.  Multiple indicators
can be specified, separated by spaces; in this case any of the
specified indicators will be accepted.  (New in release 1.14.)

\sphinxlineitem{\sphinxstylestrong{session\_enctypes}}
\sphinxAtStartPar
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server.  See
{\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the
accepted values.

\sphinxlineitem{\sphinxstylestrong{otp}}
\sphinxAtStartPar
Enables One Time Passwords (OTP) preauthentication for a client
\sphinxstyleemphasis{principal}.  The \sphinxstyleemphasis{value} is a JSON string representing an array
of objects, each having optional \sphinxcode{\sphinxupquote{type}} and \sphinxcode{\sphinxupquote{username}} fields.

\sphinxlineitem{\sphinxstylestrong{pkinit\_cert\_match}}
\sphinxAtStartPar
Specifies a matching expression that defines the certificate
attributes required for the client certificate used by the
principal during PKINIT authentication.  The matching expression
is in the same format as those used by the \sphinxstylestrong{pkinit\_cert\_match}
option in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.  (New in release 1.16.)

\sphinxlineitem{\sphinxstylestrong{pac\_privsvr\_enctype}}
\sphinxAtStartPar
Forces the encryption type of the PAC KDC checksum buffers to the
specified encryption type for tickets issued to this server, by
deriving a key from the local krbtgt key if it is of a different
encryption type.  It may be necessary to set this value to
“aes256\sphinxhyphen{}sha1” on the cross\sphinxhyphen{}realm krbtgt entry for an Active
Directory realm when using aes\sphinxhyphen{}sha2 keys on the local krbtgt
entry.

\end{description}

\sphinxAtStartPar
This command requires the \sphinxstylestrong{modify} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{setstr}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{set\PYGZus{}string} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{session\PYGZus{}enctypes} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}
\PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@FOO}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{otp} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{[}\PYG{l+s+s2}{\PYGZob{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{type}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{hotp}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{,}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{username}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{al}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZcb{}]}\PYG{l+s+s2}{\PYGZdq{}}
\end{sphinxVerbatim}


\subsubsection{del\_string}
\label{\detokenize{admin/admin_commands/kadmin_local:del-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id12}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{del\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{key}
\end{quote}

\sphinxAtStartPar
Deletes a string attribute from \sphinxstyleemphasis{principal}.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{delete} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{delstr}


\subsubsection{add\_policy}
\label{\detokenize{admin/admin_commands/kadmin_local:add-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id13}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{add\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy}
\end{quote}

\sphinxAtStartPar
Adds a password policy named \sphinxstyleemphasis{policy} to the database.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{add} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{addpol}

\sphinxAtStartPar
The following options are available:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxlife} \sphinxstyleemphasis{time}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the maximum
lifetime of a password.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minlife} \sphinxstyleemphasis{time}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the minimum
lifetime of a password.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minlength} \sphinxstyleemphasis{length}}
\sphinxAtStartPar
Sets the minimum length of a password.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}minclasses} \sphinxstyleemphasis{number}}
\sphinxAtStartPar
Sets the minimum number of character classes required in a
password.  The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}history} \sphinxstyleemphasis{number}}
\sphinxAtStartPar
Sets the number of past keys kept for a principal.  This option is
not supported with the LDAP KDC database module.

\end{description}
\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxfailure} \sphinxstyleemphasis{maxnumber}}
\sphinxAtStartPar
Sets the number of authentication failures before the principal is
locked.  Authentication failures are only tracked for principals
which require preauthentication.  The counter of failed attempts
resets to 0 after a successful attempt to authenticate.  A
\sphinxstyleemphasis{maxnumber} value of 0 (the default) disables lockout.

\end{description}
\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}failurecountinterval} \sphinxstyleemphasis{failuretime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the allowable time
between authentication failures.  If an authentication failure
happens after \sphinxstyleemphasis{failuretime} has elapsed since the previous
failure, the number of authentication failures is reset to 1.  A
\sphinxstyleemphasis{failuretime} value of 0 (the default) means forever.

\end{description}
\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}lockoutduration} \sphinxstyleemphasis{lockouttime}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the duration for
which the principal is locked from authenticating if too many
authentication failures occur without the specified failure count
interval elapsing.  A duration of 0 (the default) means the
principal remains locked out until it is administratively unlocked
with \sphinxcode{\sphinxupquote{modprinc \sphinxhyphen{}unlock}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}allowedkeysalts}}
\sphinxAtStartPar
Specifies the key/salt tuples supported for long\sphinxhyphen{}term keys when
setting or changing a principal’s password/keys.  See
{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the
accepted values, but note that key/salt tuples must be separated
with commas (‘,’) only.  To clear the allowed key/salt policy use
a value of ‘\sphinxhyphen{}‘.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{2 days}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{minlength} \PYG{l+m+mi}{5} \PYG{n}{guests}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{modify\_policy}
\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id14}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{modify\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy}
\end{quote}

\sphinxAtStartPar
Modifies the password policy named \sphinxstyleemphasis{policy}.  Options are as described
for \sphinxstylestrong{add\_policy}.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{modify} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{modpol}


\subsubsection{delete\_policy}
\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id15}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{delete\_policy} {[}\sphinxstylestrong{\sphinxhyphen{}force}{]} \sphinxstyleemphasis{policy}
\end{quote}

\sphinxAtStartPar
Deletes the password policy named \sphinxstyleemphasis{policy}.  Prompts for confirmation
before deletion.  The command will fail if the policy is in use by any
principals.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{delete} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{delpol}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
kadmin: del\PYGZus{}policy guests
Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}?
(yes/no): yes
kadmin:
\end{sphinxVerbatim}


\subsubsection{get\_policy}
\label{\detokenize{admin/admin_commands/kadmin_local:get-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id16}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{get\_policy} {[} \sphinxstylestrong{\sphinxhyphen{}terse} {]} \sphinxstyleemphasis{policy}
\end{quote}

\sphinxAtStartPar
Displays the values of the password policy named \sphinxstyleemphasis{policy}.  With the
\sphinxstylestrong{\sphinxhyphen{}terse} flag, outputs the fields as quoted strings separated by
tabs.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{inquire} privilege.

\sphinxAtStartPar
Alias: \sphinxstylestrong{getpol}

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{n}{admin}
\PYG{n}{Policy}\PYG{p}{:} \PYG{n}{admin}
\PYG{n}{Maximum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{180} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{length}\PYG{p}{:} \PYG{l+m+mi}{6}
\PYG{n}{Minimum} \PYG{n}{number} \PYG{n}{of} \PYG{n}{password} \PYG{n}{character} \PYG{n}{classes}\PYG{p}{:} \PYG{l+m+mi}{2}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{old} \PYG{n}{keys} \PYG{n}{kept}\PYG{p}{:} \PYG{l+m+mi}{5}
\PYG{n}{Reference} \PYG{n}{count}\PYG{p}{:} \PYG{l+m+mi}{17}

\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{admin}
\PYG{n}{admin}     \PYG{l+m+mi}{15552000}  \PYG{l+m+mi}{0}    \PYG{l+m+mi}{6}    \PYG{l+m+mi}{2}    \PYG{l+m+mi}{5}    \PYG{l+m+mi}{17}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}

\sphinxAtStartPar
The “Reference count” is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.


\subsubsection{list\_policies}
\label{\detokenize{admin/admin_commands/kadmin_local:list-policies}}\label{\detokenize{admin/admin_commands/kadmin_local:id17}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list\_policies} {[}\sphinxstyleemphasis{expression}{]}
\end{quote}

\sphinxAtStartPar
Retrieves all or some policy names.  \sphinxstyleemphasis{expression} is a shell\sphinxhyphen{}style
glob expression that can contain the wild\sphinxhyphen{}card characters \sphinxcode{\sphinxupquote{?}},
\sphinxcode{\sphinxupquote{*}}, and \sphinxcode{\sphinxupquote{{[}{]}}}.  All policy names matching the expression are
printed.  If no expression is provided, all existing policy names are
printed.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{list} privilege.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{listpols}, \sphinxstylestrong{get\_policies}, \sphinxstylestrong{getpols}.

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:}  \PYG{n}{listpols}
\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}
\PYG{n+nb}{dict}\PYG{o}{\PYGZhy{}}\PYG{n}{only}
\PYG{n}{once}\PYG{o}{\PYGZhy{}}\PYG{n}{a}\PYG{o}{\PYGZhy{}}\PYG{n+nb}{min}
\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw}

\PYG{n}{kadmin}\PYG{p}{:}  \PYG{n}{listpols} \PYG{n}{t}\PYG{o}{*}
\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}
\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{ktadd}
\label{\detokenize{admin/admin_commands/kadmin_local:ktadd}}\label{\detokenize{admin/admin_commands/kadmin_local:id18}}\begin{quote}

\begin{DUlineblock}{0em}
\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstyleemphasis{principal}
\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstylestrong{\sphinxhyphen{}glob} \sphinxstyleemphasis{princ\sphinxhyphen{}exp}
\end{DUlineblock}
\end{quote}

\sphinxAtStartPar
Adds a \sphinxstyleemphasis{principal}, or all principals matching \sphinxstyleemphasis{princ\sphinxhyphen{}exp}, to a
keytab file.  Each principal’s keys are randomized in the process.
The rules for \sphinxstyleemphasis{princ\sphinxhyphen{}exp} are described in the \sphinxstylestrong{list\_principals}
command.

\sphinxAtStartPar
This command requires the \sphinxstylestrong{inquire} and \sphinxstylestrong{changepw} privileges.
With the \sphinxstylestrong{\sphinxhyphen{}glob} form, it also requires the \sphinxstylestrong{list} privilege.

\sphinxAtStartPar
The options are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{keytab} as the keytab file.  Otherwise, the default keytab is
used.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}
\sphinxAtStartPar
Uses the specified keysalt list for setting the new keys of the
principal.  See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a
list of possible values.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}}
\sphinxAtStartPar
Display less verbose information.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}norandkey}}
\sphinxAtStartPar
Do not randomize the keys. The keys and their version numbers stay
unchanged.  This option cannot be specified in combination with the
\sphinxstylestrong{\sphinxhyphen{}e} option.

\end{description}

\sphinxAtStartPar
An entry for each of the principal’s unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.

\sphinxAtStartPar
Alias: \sphinxstylestrong{xst}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,}
     \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab}
     \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{ktremove}
\label{\detokenize{admin/admin_commands/kadmin_local:ktremove}}\label{\detokenize{admin/admin_commands/kadmin_local:id19}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{ktremove} {[}options{]} \sphinxstyleemphasis{principal} {[}\sphinxstyleemphasis{kvno} | \sphinxstyleemphasis{all} | \sphinxstyleemphasis{old}{]}
\end{quote}

\sphinxAtStartPar
Removes entries for the specified \sphinxstyleemphasis{principal} from a keytab.  Requires
no permissions, since this does not require database access.

\sphinxAtStartPar
If the string “all” is specified, all entries for that principal are
removed; if the string “old” is specified, all entries for that
principal except those with the highest kvno are removed.  Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.

\sphinxAtStartPar
The options are:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k{[}eytab{]}} \sphinxstyleemphasis{keytab}}
\sphinxAtStartPar
Use \sphinxstyleemphasis{keytab} as the keytab file.  Otherwise, the default keytab is
used.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}q}}
\sphinxAtStartPar
Display less verbose information.

\end{description}

\sphinxAtStartPar
Alias: \sphinxstylestrong{ktrem}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktremove} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{n+nb}{all}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab}
     \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}
\PYG{n}{kadmin}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{lock}
\label{\detokenize{admin/admin_commands/kadmin_local:lock}}
\sphinxAtStartPar
Lock database exclusively.  Use with extreme caution!  This command
only works with the DB2 KDC database module.


\subsubsection{unlock}
\label{\detokenize{admin/admin_commands/kadmin_local:unlock}}
\sphinxAtStartPar
Release the exclusive database lock.


\subsubsection{list\_requests}
\label{\detokenize{admin/admin_commands/kadmin_local:list-requests}}
\sphinxAtStartPar
Lists available for kadmin requests.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?}


\subsubsection{quit}
\label{\detokenize{admin/admin_commands/kadmin_local:quit}}
\sphinxAtStartPar
Exit program.  If the database was locked, the lock is released.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q}


\subsection{HISTORY}
\label{\detokenize{admin/admin_commands/kadmin_local:history}}
\sphinxAtStartPar
The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kadmin_local:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kadmin_local:see-also}}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{kadmind}
\label{\detokenize{admin/admin_commands/kadmind:kadmind}}\label{\detokenize{admin/admin_commands/kadmind:kadmind-8}}\label{\detokenize{admin/admin_commands/kadmind::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kadmind:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kadmind}
{[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}m}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}nofork}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}proponly}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kadmind:description}}
\sphinxAtStartPar
kadmind starts the Kerberos administration server.  kadmind typically
runs on the primary Kerberos server, which stores the KDC database.
If the KDC database uses the LDAP module, the administration server
and the KDC server need not run on the same machine.  kadmind accepts
remote requests from programs such as {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and
\DUrole{xref,std,std-ref}{kpasswd(1)} to administer the information in these database.

\sphinxAtStartPar
kadmind requires a number of configuration files to be set up in order
for it to work:
\begin{description}
\sphinxlineitem{{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}}
\sphinxAtStartPar
The KDC configuration file contains configuration information for
the KDC and admin servers.  kadmind uses settings in this file to
locate the Kerberos database, and is also affected by the
\sphinxstylestrong{acl\_file}, \sphinxstylestrong{dict\_file}, \sphinxstylestrong{kadmind\_port}, and iprop\sphinxhyphen{}related
settings.

\sphinxlineitem{{\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}}
\sphinxAtStartPar
kadmind’s ACL (access control list) tells it which principals are
allowed to perform administration actions.  The pathname to the
ACL file can be specified with the \sphinxstylestrong{acl\_file} {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}
variable; by default, it is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}.

\end{description}

\sphinxAtStartPar
After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.

\sphinxAtStartPar
kadmind can be configured for incremental database propagation.
Incremental propagation allows replica KDC servers to receive
principal and policy updates incrementally instead of receiving full
dumps of the database.  This facility can be enabled in the
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file with the \sphinxstylestrong{iprop\_enable} option.  Incremental
propagation requires the principal \sphinxcode{\sphinxupquote{kiprop/PRIMARY\textbackslash{}@REALM}} (where
PRIMARY is the primary KDC’s canonical host name, and REALM the realm
name).  In release 1.13, this principal is automatically created and
registered into the datebase.


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/kadmind:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
specifies the realm that kadmind will serve; if it is not
specified, the default realm of the host is used.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}}
\sphinxAtStartPar
causes the master database password to be fetched from the
keyboard (before the server puts itself in the background, if not
invoked with the \sphinxstylestrong{\sphinxhyphen{}nofork} option) rather than from a file on
disk.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}nofork}}
\sphinxAtStartPar
causes the server to remain in the foreground and remain
associated to the terminal.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}proponly}}
\sphinxAtStartPar
causes the server to only listen and respond to Kerberos replica
incremental propagation polling requests.  This option can be used
to set up a hierarchical propagation topology where a replica KDC
provides incremental updates to other Kerberos replicas.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}port} \sphinxstyleemphasis{port\sphinxhyphen{}number}}
\sphinxAtStartPar
specifies the port on which the administration server listens for
connections.  The default port is determined by the
\sphinxstylestrong{kadmind\_port} configuration variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}}
\sphinxAtStartPar
specifies the file to which the PID of kadmind process should be
written after it starts up.  This file can be used to identify
whether kadmind is still running and to allow init scripts to stop
the correct process.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_path}}
\sphinxAtStartPar
specifies the path to the kdb5\_util command to use when dumping the
KDB in response to full resync requests when iprop is enabled.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}K} \sphinxstyleemphasis{kprop\_path}}
\sphinxAtStartPar
specifies the path to the kprop command to use to send full dumps
to replicas in response to full resync requests.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kprop\_port}}
\sphinxAtStartPar
specifies the port by which the kprop process that is spawned by
kadmind connects to the replica kpropd, in order to transfer the
dump file during an iprop full resync request.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{dump\_file}}
\sphinxAtStartPar
specifies the file path to be used for dumping the KDB in response
to full resync requests when iprop is enabled.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}
\sphinxAtStartPar
specifies database\sphinxhyphen{}specific arguments.  See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kadmind:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.

\sphinxAtStartPar
As of release 1.22, kadmind supports systemd socket activation via the
LISTEN\_PID and LISTEN\_FDS environment variables.  Sockets provided by
the caller must correspond to configured listener addresses (via the
\sphinxstylestrong{kadmind\_listen} or \sphinxstylestrong{kpasswd\_listen} variables or equivalents) or
they will be ignored.  Any configured listener addresses that do not
correspond to caller\sphinxhyphen{}provided sockets will be ignored if socket
activation is used.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kadmind:see-also}}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}},
{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{kdb5\_util}
\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}}\label{\detokenize{admin/admin_commands/kdb5_util::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kdb5_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kdb5\_util}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}m}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]}
\sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{command\_options}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kdb5_util:description}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis-end}}
\sphinxAtStartPar
kdb5\_util allows an administrator to perform maintenance procedures on
the KDC database.  Databases can be created, destroyed, and dumped to
or loaded from ASCII files.  kdb5\_util can create a Kerberos master
key stash file or perform live rollover of the master key.

\sphinxAtStartPar
When kdb5\_util is run, it attempts to acquire the master key and open
the database.  However, execution continues regardless of whether or
not kdb5\_util successfully opens the database, because the database
may not exist yet or the stash file may be corrupt.

\sphinxAtStartPar
Note that some KDC database modules may not support all kdb5\_util
commands.


\subsection{COMMAND\sphinxhyphen{}LINE OPTIONS}
\label{\detokenize{admin/admin_commands/kdb5_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
specifies the Kerberos realm of the database.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}}
\sphinxAtStartPar
specifies the name under which the principal database is stored;
by default the database is that listed in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  The
password policy database and lock files are also derived from this
value.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}
\sphinxAtStartPar
specifies the key type of the master key in the database.  The
default is given by the \sphinxstylestrong{master\_key\_type} variable in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}
\sphinxAtStartPar
Specifies the version number of the master key in the database;
the default is 1.  Note that 0 is not allowed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}
\sphinxAtStartPar
principal name for the master key in the database.  If not
specified, the name is determined by the \sphinxstylestrong{master\_key\_name}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}}
\sphinxAtStartPar
specifies that the master database password should be read from
the keyboard rather than fetched from a file on disk.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stash\_file}}
\sphinxAtStartPar
specifies the stash filename of the master database password.  If
not specified, the filename is determined by the
\sphinxstylestrong{key\_stash\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}
\sphinxAtStartPar
specifies the master database password.  Using this option may
expose the password to other users on the system via the process
list.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}
\sphinxAtStartPar
specifies database\sphinxhyphen{}specific options.  See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for
supported options.

\end{description}


\subsection{COMMANDS}
\label{\detokenize{admin/admin_commands/kdb5_util:commands}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options-end}}

\subsubsection{create}
\label{\detokenize{admin/admin_commands/kdb5_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{create} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]}
\end{quote}

\sphinxAtStartPar
Creates a new database.  If the \sphinxstylestrong{\sphinxhyphen{}s} option is specified, the stash
file is also created.  This command fails if the database already
exists.  If the command is successful, the database is opened just as
if it had already existed when the program was first run.


\subsubsection{destroy}
\label{\detokenize{admin/admin_commands/kdb5_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{destroy} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]}
\end{quote}

\sphinxAtStartPar
Destroys the database, first overwriting the disk sectors and then
unlinking the files, after prompting the user for confirmation.  With
the \sphinxstylestrong{\sphinxhyphen{}f} argument, does not prompt the user.


\subsubsection{stash}
\label{\detokenize{admin/admin_commands/kdb5_util:stash}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{stash} {[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{keyfile}{]}
\end{quote}

\sphinxAtStartPar
Stores the master principal’s keys in a stash file.  The \sphinxstylestrong{\sphinxhyphen{}f}
argument can be used to override the \sphinxstyleemphasis{keyfile} specified in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.


\subsubsection{dump}
\label{\detokenize{admin/admin_commands/kdb5_util:dump}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{dump} {[}\sphinxstylestrong{\sphinxhyphen{}b7}|\sphinxstylestrong{\sphinxhyphen{}r13}|\sphinxstylestrong{\sphinxhyphen{}r18}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}verbose}{]} {[}\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}{]} {[}\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file}
\sphinxstyleemphasis{mkey\_file}{]} {[}\sphinxstylestrong{\sphinxhyphen{}rev}{]} {[}\sphinxstylestrong{\sphinxhyphen{}recurse}{]} {[}\sphinxstyleemphasis{filename}
{[}\sphinxstyleemphasis{principals}…{]}{]}
\end{quote}

\sphinxAtStartPar
Dumps the current Kerberos and KADM5 database into an ASCII file.  By
default, the database is dumped in current format, “kdb5\_util
load\_dump version 7”.  If filename is not specified, or is the string
“\sphinxhyphen{}”, the dump is sent to standard output.  Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}b7}}
\sphinxAtStartPar
causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5\_util
load\_dump version 4”).  This was the dump format produced on
releases prior to 1.2.2.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r13}}
\sphinxAtStartPar
causes the dump to be in the Kerberos 5 1.3 format (“kdb5\_util
load\_dump version 5”).  This was the dump format produced on
releases prior to 1.8.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r18}}
\sphinxAtStartPar
causes the dump to be in the Kerberos 5 1.8 format (“kdb5\_util
load\_dump version 6”).  This was the dump format produced on
releases prior to 1.11.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}verbose}}
\sphinxAtStartPar
causes the name of each principal and policy to be printed as it
is dumped.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}mkey\_convert}}
\sphinxAtStartPar
prompts for a new master key.  This new master key will be used to
re\sphinxhyphen{}encrypt principal key data in the dumpfile.  The principal keys
themselves will not be changed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}}
\sphinxAtStartPar
the filename of a stash file.  The master key in this stash file
will be used to re\sphinxhyphen{}encrypt the key data in the dumpfile.  The key
data in the database will not be changed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}rev}}
\sphinxAtStartPar
dumps in reverse order.  This may recover principals that do not
dump normally, in cases where database corruption has occurred.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}recurse}}
\sphinxAtStartPar
causes the dump to walk the database recursively (btree only).
This may recover principals that do not dump normally, in cases
where database corruption has occurred.  In cases of such
corruption, this option will probably retrieve more principals
than the \sphinxstylestrong{\sphinxhyphen{}rev} option will.

\sphinxAtStartPar
\DUrole{versionmodified,changed}{Changed in version 1.15: }Release 1.15 restored the functionality of the \sphinxstylestrong{\sphinxhyphen{}recurse}
option.

\sphinxAtStartPar
\DUrole{versionmodified,changed}{Changed in version 1.5: }The \sphinxstylestrong{\sphinxhyphen{}recurse} option ceased working until release 1.15,
doing a normal dump instead of a recursive traversal.

\end{description}


\subsubsection{load}
\label{\detokenize{admin/admin_commands/kdb5_util:load}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{load} {[}\sphinxstylestrong{\sphinxhyphen{}b7}|\sphinxstylestrong{\sphinxhyphen{}r13}|\sphinxstylestrong{\sphinxhyphen{}r18}{]} {[}\sphinxstylestrong{\sphinxhyphen{}hash}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}verbose}{]} {[}\sphinxstylestrong{\sphinxhyphen{}update}{]} \sphinxstyleemphasis{filename}
\end{quote}

\sphinxAtStartPar
Loads a database dump from the named file into the named database.  If
no option is given to determine the format of the dump file, the
format is detected automatically and handled as appropriate.  Unless
the \sphinxstylestrong{\sphinxhyphen{}update} option is given, \sphinxstylestrong{load} creates a new database
containing only the data in the dump file, overwriting the contents of
any previously existing database.  Note that when using the LDAP KDC
database module, the \sphinxstylestrong{\sphinxhyphen{}update} flag is required.

\sphinxAtStartPar
Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}b7}}
\sphinxAtStartPar
requires the database to be in the Kerberos 5 Beta 7 format
(“kdb5\_util load\_dump version 4”).  This was the dump format
produced on releases prior to 1.2.2.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r13}}
\sphinxAtStartPar
requires the database to be in Kerberos 5 1.3 format (“kdb5\_util
load\_dump version 5”).  This was the dump format produced on
releases prior to 1.8.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r18}}
\sphinxAtStartPar
requires the database to be in Kerberos 5 1.8 format (“kdb5\_util
load\_dump version 6”).  This was the dump format produced on
releases prior to 1.11.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}hash}}
\sphinxAtStartPar
stores the database in hash format, if using the DB2 database
type.  If this option is not specified, the database will be
stored in btree format.  This option is not recommended, as
databases stored in hash format are known to corrupt data and lose
principals.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}verbose}}
\sphinxAtStartPar
causes the name of each principal and policy to be printed as it
is dumped.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}update}}
\sphinxAtStartPar
records from the dump file are added to or updated in the existing
database.  Otherwise, a new database is created containing only
what is in the dump file and the old one destroyed upon successful
completion.

\end{description}


\subsubsection{ark}
\label{\detokenize{admin/admin_commands/kdb5_util:ark}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load-end}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{ark} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…{]} \sphinxstyleemphasis{principal}
\end{quote}

\sphinxAtStartPar
Adds new random keys to \sphinxstyleemphasis{principal} at the next available key version
number.  Keys for the current highest key version number will be
preserved.  The \sphinxstylestrong{\sphinxhyphen{}e} option specifies the list of encryption and
salt types to be used for the new keys.


\subsubsection{add\_mkey}
\label{\detokenize{admin/admin_commands/kdb5_util:add-mkey}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{add\_mkey} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{etype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}s}{]}
\end{quote}

\sphinxAtStartPar
Adds a new master key to the master key principal, but does not mark
it as active.  Existing master keys will remain.  The \sphinxstylestrong{\sphinxhyphen{}e} option
specifies the encryption type of the new master key; see
{\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible
values.  The \sphinxstylestrong{\sphinxhyphen{}s} option stashes the new master key in the stash
file, which will be created if it doesn’t already exist.

\sphinxAtStartPar
After a new master key is added, it should be propagated to replica
servers via a manual or periodic invocation of {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}.  Then,
the stash files on the replica servers should be updated with the
kdb5\_util \sphinxstylestrong{stash} command.  Once those steps are complete, the key
is ready to be marked active with the kdb5\_util \sphinxstylestrong{use\_mkey} command.


\subsubsection{use\_mkey}
\label{\detokenize{admin/admin_commands/kdb5_util:use-mkey}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{use\_mkey} \sphinxstyleemphasis{mkeyVNO} {[}\sphinxstyleemphasis{time}{]}
\end{quote}

\sphinxAtStartPar
Sets the activation time of the master key specified by \sphinxstyleemphasis{mkeyVNO}.
Once a master key becomes active, it will be used to encrypt newly
created principal keys.  If no \sphinxstyleemphasis{time} argument is given, the current
time is used, causing the specified master key version to become
active immediately.  The format for \sphinxstyleemphasis{time} is \DUrole{xref,std,std-ref}{getdate} string.

\sphinxAtStartPar
After a new master key becomes active, the kdb5\_util
\sphinxstylestrong{update\_princ\_encryption} command can be used to update all
principal keys to be encrypted in the new master key.


\subsubsection{list\_mkeys}
\label{\detokenize{admin/admin_commands/kdb5_util:list-mkeys}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list\_mkeys}
\end{quote}

\sphinxAtStartPar
List all master keys, from most recent to earliest, in the master key
principal.  The output will show the kvno, enctype, and salt type for
each mkey, similar to the output of {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{getprinc}.  A
\sphinxcode{\sphinxupquote{*}} following an mkey denotes the currently active master key.


\subsubsection{purge\_mkeys}
\label{\detokenize{admin/admin_commands/kdb5_util:purge-mkeys}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{purge\_mkeys} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}v}{]}
\end{quote}

\sphinxAtStartPar
Delete master keys from the master key principal that are not used to
protect any principals.  This command can be used to remove old master
keys all principal keys are protected by a newer master key.
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}}
\sphinxAtStartPar
does not prompt for confirmation.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}}
\sphinxAtStartPar
performs a dry run, showing master keys that would be purged, but
not actually purging any keys.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}v}}
\sphinxAtStartPar
gives more verbose output.

\end{description}


\subsubsection{update\_princ\_encryption}
\label{\detokenize{admin/admin_commands/kdb5_util:update-princ-encryption}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{update\_princ\_encryption} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}v}{]}
{[}\sphinxstyleemphasis{princ\sphinxhyphen{}pattern}{]}
\end{quote}

\sphinxAtStartPar
Update all principal records (or only those matching the
\sphinxstyleemphasis{princ\sphinxhyphen{}pattern} glob pattern) to re\sphinxhyphen{}encrypt the key data using the
active database master key, if they are encrypted using a different
version, and give a count at the end of the number of principals
updated.  If the \sphinxstylestrong{\sphinxhyphen{}f} option is not given, ask for confirmation
before starting to make changes.  The \sphinxstylestrong{\sphinxhyphen{}v} option causes each
principal processed to be listed, with an indication as to whether it
needed updating or not.  The \sphinxstylestrong{\sphinxhyphen{}n} option performs a dry run, only
showing the actions which would have been taken.


\subsubsection{tabdump}
\label{\detokenize{admin/admin_commands/kdb5_util:tabdump}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{tabdump} {[}\sphinxstylestrong{\sphinxhyphen{}H}{]} {[}\sphinxstylestrong{\sphinxhyphen{}c}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e}{]} {[}\sphinxstylestrong{\sphinxhyphen{}n}{]} {[}\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}{]}
\sphinxstyleemphasis{dumptype}
\end{quote}

\sphinxAtStartPar
Dump selected fields of the database in a tabular format suitable for
reporting (e.g., using traditional Unix text processing tools) or
importing into relational databases.  The data format is tab\sphinxhyphen{}separated
(default), or optionally comma\sphinxhyphen{}separated (CSV), with a fixed number of
columns.  The output begins with a header line containing field names,
unless suppression is requested using the \sphinxstylestrong{\sphinxhyphen{}H} option.

\sphinxAtStartPar
The \sphinxstyleemphasis{dumptype} parameter specifies the name of an output table (see
below).

\sphinxAtStartPar
Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}H}}
\sphinxAtStartPar
suppress writing the field names in a header line

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}c}}
\sphinxAtStartPar
use comma separated values (CSV) format, with minimal quoting,
instead of the default tab\sphinxhyphen{}separated (unquoted, unescaped) format

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e}}
\sphinxAtStartPar
write empty hexadecimal string fields as empty fields instead of
as “\sphinxhyphen{}1”.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}n}}
\sphinxAtStartPar
produce numeric output for fields that normally have symbolic
output, such as enctypes and flag names.  Also requests output of
time stamps as decimal POSIX time\_t values.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}o} \sphinxstyleemphasis{outfile}}
\sphinxAtStartPar
write the dump to the specified output file instead of to standard
output

\end{description}

\sphinxAtStartPar
Dump types:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{alias}}
\sphinxAtStartPar
principal alias information
\begin{description}
\sphinxlineitem{\sphinxstylestrong{aliasname}}
\sphinxAtStartPar
the name of the alias

\sphinxlineitem{\sphinxstylestrong{targetname}}
\sphinxAtStartPar
the target of the alias

\end{description}

\sphinxlineitem{\sphinxstylestrong{keydata}}
\sphinxAtStartPar
principal encryption key information, including actual key data
(which is still encrypted in the master key)
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{keyindex}}
\sphinxAtStartPar
index of this key in the principal’s key list

\sphinxlineitem{\sphinxstylestrong{kvno}}
\sphinxAtStartPar
key version number

\sphinxlineitem{\sphinxstylestrong{enctype}}
\sphinxAtStartPar
encryption type

\sphinxlineitem{\sphinxstylestrong{key}}
\sphinxAtStartPar
key data as a hexadecimal string

\sphinxlineitem{\sphinxstylestrong{salttype}}
\sphinxAtStartPar
salt type

\sphinxlineitem{\sphinxstylestrong{salt}}
\sphinxAtStartPar
salt data as a hexadecimal string

\end{description}

\sphinxlineitem{\sphinxstylestrong{keyinfo}}
\sphinxAtStartPar
principal encryption key information (as in \sphinxstylestrong{keydata} above),
excluding actual key data

\sphinxlineitem{\sphinxstylestrong{princ\_flags}}
\sphinxAtStartPar
principal boolean attributes.  Flag names print as hexadecimal
numbers if the \sphinxstylestrong{\sphinxhyphen{}n} option is specified, and all flag positions
are printed regardless of whether or not they are set.  If \sphinxstylestrong{\sphinxhyphen{}n}
is not specified, print all known flag names for each principal,
but only print hexadecimal flag names if the corresponding flag is
set.
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{flag}}
\sphinxAtStartPar
flag name

\sphinxlineitem{\sphinxstylestrong{value}}
\sphinxAtStartPar
boolean value (0 for clear, or 1 for set)

\end{description}

\sphinxlineitem{\sphinxstylestrong{princ\_lockout}}
\sphinxAtStartPar
state information used for tracking repeated password failures
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{last\_success}}
\sphinxAtStartPar
time stamp of most recent successful authentication

\sphinxlineitem{\sphinxstylestrong{last\_failed}}
\sphinxAtStartPar
time stamp of most recent failed authentication

\sphinxlineitem{\sphinxstylestrong{fail\_count}}
\sphinxAtStartPar
count of failed attempts

\end{description}

\sphinxlineitem{\sphinxstylestrong{princ\_meta}}
\sphinxAtStartPar
principal metadata
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{modby}}
\sphinxAtStartPar
name of last principal to modify this principal

\sphinxlineitem{\sphinxstylestrong{modtime}}
\sphinxAtStartPar
timestamp of last modification

\sphinxlineitem{\sphinxstylestrong{lastpwd}}
\sphinxAtStartPar
timestamp of last password change

\sphinxlineitem{\sphinxstylestrong{policy}}
\sphinxAtStartPar
policy object name

\sphinxlineitem{\sphinxstylestrong{mkvno}}
\sphinxAtStartPar
key version number of the master key that encrypts this
principal’s key data

\sphinxlineitem{\sphinxstylestrong{hist\_kvno}}
\sphinxAtStartPar
key version number of the history key that encrypts the key
history data for this principal

\end{description}

\sphinxlineitem{\sphinxstylestrong{princ\_stringattrs}}
\sphinxAtStartPar
string attributes (key/value pairs)
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{key}}
\sphinxAtStartPar
attribute name

\sphinxlineitem{\sphinxstylestrong{value}}
\sphinxAtStartPar
attribute value

\end{description}

\sphinxlineitem{\sphinxstylestrong{princ\_tktpolicy}}
\sphinxAtStartPar
per\sphinxhyphen{}principal ticket policy data, including maximum ticket
lifetimes
\begin{description}
\sphinxlineitem{\sphinxstylestrong{name}}
\sphinxAtStartPar
principal name

\sphinxlineitem{\sphinxstylestrong{expiration}}
\sphinxAtStartPar
principal expiration date

\sphinxlineitem{\sphinxstylestrong{pw\_expiration}}
\sphinxAtStartPar
password expiration date

\sphinxlineitem{\sphinxstylestrong{max\_life}}
\sphinxAtStartPar
maximum ticket lifetime

\sphinxlineitem{\sphinxstylestrong{max\_renew\_life}}
\sphinxAtStartPar
maximum renewable ticket lifetime

\end{description}

\end{description}

\sphinxAtStartPar
Examples:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYGZdl{} kdb5\PYGZus{}util tabdump \PYGZhy{}o keyinfo.txt keyinfo
\PYGZdl{} cat keyinfo.txt
name        keyindex        kvno    enctype salttype        salt
K/M@EXAMPLE.COM     0       1       aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192      normal  \PYGZhy{}1
foo@EXAMPLE.COM     0       1       aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal  \PYGZhy{}1
bar@EXAMPLE.COM     0       1       aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal  \PYGZhy{}1
\PYGZdl{} sqlite3
sqlite\PYGZgt{} .mode tabs
sqlite\PYGZgt{} .import keyinfo.txt keyinfo
sqlite\PYGZgt{} select * from keyinfo where enctype like \PYGZsq{}aes256\PYGZhy{}\PYGZpc{}\PYGZsq{};
K/M@EXAMPLE.COM     1       1       aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192      normal  \PYGZhy{}1
sqlite\PYGZgt{} .quit
\PYGZdl{} awk \PYGZhy{}F\PYGZsq{}\PYGZbs{}t\PYGZsq{} \PYGZsq{}\PYGZdl{}4 \PYGZti{} /aes256\PYGZhy{}/ \PYGZob{} print \PYGZcb{}\PYGZsq{} keyinfo.txt
K/M@EXAMPLE.COM     1       1       aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192      normal  \PYGZhy{}1
\end{sphinxVerbatim}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kdb5_util:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kdb5_util:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{kdb5\_ldap\_util}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kdb5\_ldap\_util}
{[}\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn} {[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}{]}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}{]}
\sphinxstylestrong{command}
{[}\sphinxstyleemphasis{command\_options}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:description}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis-end}}
\sphinxAtStartPar
kdb5\_ldap\_util allows an administrator to manage realms, Kerberos
services and ticket policies.


\subsection{COMMAND\sphinxhyphen{}LINE OPTIONS}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
Specifies the realm to be operated on.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}D} \sphinxstyleemphasis{user\_dn}}
\sphinxAtStartPar
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{passwd}}
\sphinxAtStartPar
Specifies the password of \sphinxstyleemphasis{user\_dn}.  This option is not
recommended.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}H} \sphinxstyleemphasis{ldapuri}}
\sphinxAtStartPar
Specifies the URI of the LDAP server.

\end{description}

\sphinxAtStartPar
By default, kdb5\_ldap\_util operates on the default realm (as specified
in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) and connects and authenticates to the LDAP
server in the same manner as :ref:kadmind(8)\textasciigrave{} would given the
parameters in {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.


\subsection{COMMANDS}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:commands}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options-end}}

\subsubsection{create}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{create}
{[}\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}m|\sphinxhyphen{}P} \sphinxstyleemphasis{password}|\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}s}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]}
{[}\sphinxstyleemphasis{ticket\_flags}{]}
\end{quote}

\sphinxAtStartPar
Creates realm in directory. Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}
\sphinxAtStartPar
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\sphinxcode{\sphinxupquote{:}}).

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}
\sphinxAtStartPar
Specifies the scope for searching the principals under the
subtree.  The possible values are 1 or one (one level), 2 or sub
(subtrees).

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}}
\sphinxAtStartPar
Specifies the DN of the container object in which the principals
of a realm will be created.  If the container reference is not
configured for a realm, the principals will be created in the
realm container.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{mkeytype}}
\sphinxAtStartPar
Specifies the key type of the master key in the database.  The
default is given by the \sphinxstylestrong{master\_key\_type} variable in
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}kv} \sphinxstyleemphasis{mkeyVNO}}
\sphinxAtStartPar
Specifies the version number of the master key in the database;
the default is 1.  Note that 0 is not allowed.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}}
\sphinxAtStartPar
Specifies the principal name for the master key in the database.
If not specified, the name is determined by the
\sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}m}}
\sphinxAtStartPar
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{password}}
\sphinxAtStartPar
Specifies the master database password. This option is not
recommended.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sf} \sphinxstyleemphasis{stashfilename}}
\sphinxAtStartPar
Specifies the stash file of the master database password.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s}}
\sphinxAtStartPar
Specifies that the stash file is to be created.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for
principals in this realm.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of
tickets for principals in this realm.

\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}}
\sphinxAtStartPar
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \sphinxstylestrong{add\_principal} command in
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{subtrees} \PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{sscope} \PYG{n}{SUB}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{Initializing} \PYG{n}{database} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}
\PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.}
\PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{modify}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{modify}
{[}\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]}
{[}\sphinxstyleemphasis{ticket\_flags}{]}
\end{quote}

\sphinxAtStartPar
Modifies the attributes of a realm.  Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}
\sphinxAtStartPar
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\sphinxcode{\sphinxupquote{:}}).  This list replaces the existing list.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}sscope} \sphinxstyleemphasis{search\_scope}}
\sphinxAtStartPar
Specifies the scope for searching the principals under the
subtrees.  The possible values are 1 or one (one level), 2 or sub
(subtrees).

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}containerref} \sphinxstyleemphasis{container\_reference\_dn} Specifies the DN of the}
\sphinxAtStartPar
container object in which the principals of a realm will be
created.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for
principals in this realm.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of
tickets for principals in this realm.

\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}}
\sphinxAtStartPar
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \sphinxstylestrong{add\_principal} command in
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H}
    \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{modify} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}


\subsubsection{view}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:view}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{view}
\end{quote}

\sphinxAtStartPar
Displays the attributes of a realm.

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{Realm} \PYG{n}{Name}\PYG{p}{:} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{users}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org}
\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{servers}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org}
\PYG{n}{SearchScope}\PYG{p}{:} \PYG{n}{ONE}
\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE}
\end{sphinxVerbatim}


\subsubsection{destroy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{destroy} {[}\sphinxstylestrong{\sphinxhyphen{}f}{]}
\end{quote}

\sphinxAtStartPar
Destroys an existing realm. Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f}}
\sphinxAtStartPar
If specified, will not prompt the user for confirmation.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}D cn=admin,o=org \PYGZhy{}H
    ldaps://ldap\PYGZhy{}server1.mit.edu destroy
Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}:
Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure?
(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes
OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}...
shell\PYGZpc{}
\end{sphinxVerbatim}


\subsubsection{list}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:list}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list}
\end{quote}

\sphinxAtStartPar
Lists the names of realms under the container.

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H}
    \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n+nb}{list}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{OPENLDAP}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{MEDIA}\PYG{o}{\PYGZhy{}}\PYG{n}{LAB}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\PYG{n}{shell}\PYG{o}{\PYGZpc{}}
\end{sphinxVerbatim}


\subsubsection{stashsrvpw}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:stashsrvpw}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{stashsrvpw}
{[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}{]}
\sphinxstyleemphasis{name}
\end{quote}

\sphinxAtStartPar
Allows an administrator to store the password for service object in a
file so that KDC and Administration server can use it to authenticate
to the LDAP server.  Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}}
\sphinxAtStartPar
Specifies the complete path of the service password file. By
default, \sphinxcode{\sphinxupquote{/usr/local/var/service\_passwd}} is used.

\sphinxlineitem{\sphinxstyleemphasis{name}}
\sphinxAtStartPar
Specifies the name of the object whose password is to be stored.
If {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} or {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} are configured for
simple binding, this should be the distinguished name it will
use as given by the \sphinxstylestrong{ldap\_kdc\_dn} or \sphinxstylestrong{ldap\_kadmind\_dn}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or
\sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} variable.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{home}\PYG{o}{/}\PYG{n}{andrew}\PYG{o}{/}\PYG{n}{conf\PYGZus{}keyfile}
    \PYG{n}{cn}\PYG{o}{=}\PYG{n}{service}\PYG{o}{\PYGZhy{}}\PYG{n}{kdc}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{create\_policy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:create-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{create\_policy}
{[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]}
{[}\sphinxstyleemphasis{ticket\_flags}{]}
\sphinxstyleemphasis{policy\_name}
\end{quote}

\sphinxAtStartPar
Creates a ticket policy in the directory.  Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for
principals.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}
\sphinxAtStartPar
(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of
tickets for principals.

\sphinxlineitem{\sphinxstyleemphasis{ticket\_flags}}
\sphinxAtStartPar
Specifies the ticket flags.  If this option is not specified, by
default, no restriction will be set by the policy.  Allowable
flags are documented in the description of the \sphinxstylestrong{add\_principal}
command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}.

\sphinxlineitem{\sphinxstyleemphasis{policy\_name}}
\sphinxAtStartPar
Specifies the name of the ticket policy.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 day}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 week}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{+}\PYG{n}{needchange}
    \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}forwardable} \PYG{n}{tktpolicy}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{modify\_policy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{modify\_policy}
{[}\sphinxstylestrong{\sphinxhyphen{}maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]}
{[}\sphinxstyleemphasis{ticket\_flags}{]}
\sphinxstyleemphasis{policy\_name}
\end{quote}

\sphinxAtStartPar
Modifies the attributes of a ticket policy.  Options are same as for
\sphinxstylestrong{create\_policy}.

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H}
    \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{modify\PYGZus{}policy}
    \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{60 minutes}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10 hours}\PYG{l+s+s2}{\PYGZdq{}}
    \PYG{o}{+}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{tktpolicy}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\end{sphinxVerbatim}


\subsubsection{view\_policy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:view-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{view\_policy}
\sphinxstyleemphasis{policy\_name}
\end{quote}

\sphinxAtStartPar
Displays the attributes of the named ticket policy.

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view\PYGZus{}policy} \PYG{n}{tktpolicy}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{Ticket} \PYG{n}{policy}\PYG{p}{:} \PYG{n}{tktpolicy}
\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}
\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE}
\end{sphinxVerbatim}


\subsubsection{destroy\_policy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{destroy\_policy}
{[}\sphinxstylestrong{\sphinxhyphen{}force}{]}
\sphinxstyleemphasis{policy\_name}
\end{quote}

\sphinxAtStartPar
Destroys an existing ticket policy.  Options:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}force}}
\sphinxAtStartPar
Forces the deletion of the policy object.  If not specified, the
user will be prompted for confirmation before deleting the policy.

\sphinxlineitem{\sphinxstyleemphasis{policy\_name}}
\sphinxAtStartPar
Specifies the name of the ticket policy.

\end{description}

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu
    \PYGZhy{}r ATHENA.MIT.EDU destroy\PYGZus{}policy tktpolicy
Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}:
This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure?
(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes
** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted.
\end{sphinxVerbatim}


\subsubsection{list\_policy}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:list-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list\_policy}
\end{quote}

\sphinxAtStartPar
Lists ticket policies.

\sphinxAtStartPar
Example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}
    \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{list\PYGZus{}policy}
\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:}
\PYG{n}{tktpolicy}
\PYG{n}{tmppolicy}
\PYG{n}{userpolicy}
\end{sphinxVerbatim}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:environment}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy-end}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kdb5_ldap_util:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{krb5kdc}
\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc}}\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}}\label{\detokenize{admin/admin_commands/krb5kdc::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/krb5kdc:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{krb5kdc}
{[}\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytype}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{portnum}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}m}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}n}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{numworkers}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{time\_offset}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/krb5kdc:description}}
\sphinxAtStartPar
krb5kdc is the Kerberos version 5 Authentication Service and Key
Distribution Center (AS/KDC).


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/krb5kdc:options}}
\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm} option specifies the realm for which the server
should provide service.  This option may be specified multiple times
to serve multiple realms.  If no \sphinxstylestrong{\sphinxhyphen{}r} option is given, the default
realm (as specified in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) will be served.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}d} \sphinxstyleemphasis{dbname} option specifies the name under which the
principal database can be found.  This option does not apply to the
LDAP database.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{keytype} option specifies the key type of the master key
to be entered manually as a password when \sphinxstylestrong{\sphinxhyphen{}m} is given; the default
is \sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}M} \sphinxstyleemphasis{mkeyname} option specifies the principal name for the
master key in the database (usually \sphinxcode{\sphinxupquote{K/M}} in the KDC’s realm).

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}m} option specifies that the master database password should
be fetched from the keyboard rather than from a stash file.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}n} option specifies that the KDC does not put itself in the
background and does not disassociate itself from the terminal.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{pid\_file} option tells the KDC to write its PID into
\sphinxstyleemphasis{pid\_file} after it starts up.  This can be used to identify whether
the KDC is still running and to allow init scripts to stop the correct
process.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{portnum} option specifies the default UDP and TCP port
numbers which the KDC should listen on for Kerberos version 5
requests, as a comma\sphinxhyphen{}separated list.  This value overrides the port
numbers specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section of
{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but may be overridden by realm\sphinxhyphen{}specific values.
If no value is given from any source, the default port is 88.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}w} \sphinxstyleemphasis{numworkers} option tells the KDC to fork \sphinxstyleemphasis{numworkers}
processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if
the \sphinxstylestrong{\sphinxhyphen{}P} option is also given) acts as a supervisor.  The supervisor
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocess if the it is itself terminated or if
any other worker process exits.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args} option specifies database\sphinxhyphen{}specific arguments.
See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for
supported arguments.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}T} \sphinxstyleemphasis{offset} option specifies a time offset, in seconds, which
the KDC will operate under.  It is intended only for testing purposes.


\subsection{EXAMPLE}
\label{\detokenize{admin/admin_commands/krb5kdc:example}}
\sphinxAtStartPar
The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line.  Per\sphinxhyphen{}realm options that can
be specified on the command line pertain for each realm that follows
it and are superseded by subsequent definitions of the same option.

\sphinxAtStartPar
For example:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{krb5kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2001} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM1} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2002} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM2} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM3}
\end{sphinxVerbatim}

\sphinxAtStartPar
specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3.  Additionally, per\sphinxhyphen{}realm parameters may be
specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file.  The location of this file
may be specified by the \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment variable.
Per\sphinxhyphen{}realm parameters specified in this file take precedence over
options specified on the command line.  See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}
description for further details.


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/krb5kdc:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.

\sphinxAtStartPar
As of release 1.22, krb5kdc supports systemd socket activation via the
LISTEN\_PID and LISTEN\_FDS environment variables.  Sockets provided by
the caller must correspond to configured listener addresses (via the
\sphinxstylestrong{kdc\_listen} variable or equivalent) or they will be ignored.  Any
configured listener addresses that do not correspond to
caller\sphinxhyphen{}provided sockets will be ignored if socket activation is used.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/krb5kdc:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}},
{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{kprop}
\label{\detokenize{admin/admin_commands/kprop:kprop}}\label{\detokenize{admin/admin_commands/kprop:kprop-8}}\label{\detokenize{admin/admin_commands/kprop::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kprop:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kprop}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}{]}
\sphinxstyleemphasis{replica\_host}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kprop:description}}
\sphinxAtStartPar
kprop is used to securely propagate a Kerberos V5 database dump file
from the primary Kerberos server to a replica Kerberos server, which is
specified by \sphinxstyleemphasis{replica\_host}.  The dump file must be created by
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}.


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/kprop:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
Specifies the realm of the primary server.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}
\sphinxAtStartPar
Specifies the filename where the dumped principal database file is
to be found; by default the dumped database file is normally
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}}
\sphinxAtStartPar
Specifies the port to use to contact the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} server
on the remote host.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d}}
\sphinxAtStartPar
Prints debugging information.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab}}
\sphinxAtStartPar
Specifies the location of the keytab file.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kprop:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kprop:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}},
\DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{kpropd}
\label{\detokenize{admin/admin_commands/kpropd:kpropd}}\label{\detokenize{admin/admin_commands/kpropd:kpropd-8}}\label{\detokenize{admin/admin_commands/kpropd::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kpropd:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kpropd}
{[}\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{replica\_dumpfile}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{principal\_database}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{kdb5\_util\_prog}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}P} \sphinxstyleemphasis{port}{]}
{[}\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}D}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}d}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kpropd:description}}
\sphinxAtStartPar
The \sphinxstyleemphasis{kpropd} command runs on the replica KDC server.  It listens for
update requests made by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} program.  If incremental
propagation is enabled, it periodically requests incremental updates
from the primary KDC.

\sphinxAtStartPar
When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} to load the dumped database into the active
database which is used by {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}.  This allows the primary
Kerberos server to use {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} to propagate its database to
the replica servers.  Upon a successful download of the KDC database
file, the replica Kerberos server will have an up\sphinxhyphen{}to\sphinxhyphen{}date KDC
database.

\sphinxAtStartPar
Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service.  This is done by adding a line to
the \sphinxcode{\sphinxupquote{/etc/inetd.conf}} file which looks like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kprop}  \PYG{n}{stream}  \PYG{n}{tcp}  \PYG{n}{nowait}  \PYG{n}{root}  \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd}  \PYG{n}{kpropd}
\end{sphinxVerbatim}

\sphinxAtStartPar
kpropd can also run as a standalone daemon, backgrounding itself and
waiting for connections on port 754 (or the port specified with the
\sphinxstylestrong{\sphinxhyphen{}P} option if given).  Standalone mode is required for incremental
propagation.  Starting in release 1.11, kpropd automatically detects
whether it was run from inetd and runs in standalone mode if it is
not.  Prior to release 1.11, the \sphinxstylestrong{\sphinxhyphen{}S} option is required to run
kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.

\sphinxAtStartPar
Incremental propagation may be enabled with the \sphinxstylestrong{iprop\_enable}
variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.  If incremental propagation is
enabled, the replica periodically polls the primary KDC for updates, at
an interval determined by the \sphinxstylestrong{iprop\_replica\_poll} variable.  If the
replica receives updates, kpropd updates its log file with any updates
from the primary.  {\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to view a summary of
the update entry log on the replica KDC.  If incremental propagation
is enabled, the principal \sphinxcode{\sphinxupquote{kiprop/replicahostname@REALM}} (where
\sphinxstyleemphasis{replicahostname} is the name of the replica KDC host, and \sphinxstyleemphasis{REALM} is
the name of the Kerberos realm) must be present in the replica’s
keytab file.

\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to force full replication when iprop is
enabled.


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/kpropd:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}r} \sphinxstyleemphasis{realm}}
\sphinxAtStartPar
Specifies the realm of the primary server.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}A} \sphinxstyleemphasis{admin\_server}}
\sphinxAtStartPar
Specifies the server to be contacted for incremental updates; by
default, the primary admin server is contacted.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{file}}
\sphinxAtStartPar
Specifies the filename where the dumped principal database file is
to be stored; by default the dumped database file is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}F} \sphinxstyleemphasis{kerberos\_db}}
\sphinxAtStartPar
Path to the Kerberos database file, if not the default.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}p}}
\sphinxAtStartPar
Allows the user to specify the pathname to the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}
program; by default the pathname used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}D}}
\sphinxAtStartPar
In this mode, kpropd will not detach itself from the current job
and run in the background.  Instead, it will run in the
foreground.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}d}}
\sphinxAtStartPar
Turn on debug mode.  kpropd will print out debugging messages
during the database propogation and will run in the foreground
(implies \sphinxstylestrong{\sphinxhyphen{}D}).

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}P}}
\sphinxAtStartPar
Allow for an alternate port number for kpropd to listen on.  This
is only useful in combination with the \sphinxstylestrong{\sphinxhyphen{}S} option.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}a} \sphinxstyleemphasis{acl\_file}}
\sphinxAtStartPar
Allows the user to specify the path to the kpropd.acl file; by
default the path used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}}.

\sphinxlineitem{\sphinxstylestrong{\textendash{}pid\sphinxhyphen{}file}=\sphinxstyleemphasis{pid\_file}}
\sphinxAtStartPar
In standalone mode, write the process ID of the daemon into
\sphinxstyleemphasis{pid\_file}.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{keytab\_file}}
\sphinxAtStartPar
Path to a keytab to use for acquiring acceptor credentials.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}x} \sphinxstyleemphasis{db\_args}}
\sphinxAtStartPar
Database\sphinxhyphen{}specific arguments.  See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments.

\end{description}


\subsection{FILES}
\label{\detokenize{admin/admin_commands/kpropd:files}}\begin{description}
\sphinxlineitem{kpropd.acl}
\sphinxAtStartPar
Access file for kpropd; the default location is
\sphinxcode{\sphinxupquote{/usr/local/var/krb5kdc/kpropd.acl}}.  Each entry is a line
containing the principal of a host from which the local machine
will allow Kerberos database propagation via {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}.

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kpropd:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kpropd:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}},
\DUrole{xref,std,std-ref}{kerberos(7)}, inetd(8)

\sphinxstepscope


\section{kproplog}
\label{\detokenize{admin/admin_commands/kproplog:kproplog}}\label{\detokenize{admin/admin_commands/kproplog:kproplog-8}}\label{\detokenize{admin/admin_commands/kproplog::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/kproplog:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{kproplog} {[}\sphinxstylestrong{\sphinxhyphen{}h}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}{]} {[}\sphinxhyphen{}v{]}
\sphinxstylestrong{kproplog} {[}\sphinxhyphen{}R{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/kproplog:description}}
\sphinxAtStartPar
The kproplog command displays the contents of the KDC database update
log to standard output.  It can be used to keep track of incremental
updates to the principal database.  The update log file contains the
update log maintained by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} process on the primary
KDC server and the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} process on the replica KDC
servers.  When updates occur, they are logged to this file.
Subsequently any KDC replica configured for incremental updates will
request the current data from the primary KDC and update their log
file with any updates returned.

\sphinxAtStartPar
The kproplog command requires read access to the update log file.  It
will display update entries only for the KDC it runs on.

\sphinxAtStartPar
If no options are specified, kproplog displays a summary of the update
log.  If invoked on the primary, kproplog also displays all of the
update entries.  If invoked on a replica KDC server, kproplog displays
only a summary of the updates, which includes the serial number of the
last update received and the associated time stamp of the last update.


\subsection{OPTIONS}
\label{\detokenize{admin/admin_commands/kproplog:options}}\begin{description}
\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}R}}
\sphinxAtStartPar
Reset the update log.  This forces full resynchronization.  If
used on a replica then that replica will request a full resync.
If used on the primary then all replicas will request full
resyncs.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}h}}
\sphinxAtStartPar
Display a summary of the update log.  This information includes
the database version number, state of the database, the number of
updates in the log, the time stamp of the first and last update,
and the version number of the first and last update entry.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{num}}
\sphinxAtStartPar
Display the last \sphinxstyleemphasis{num} update entries in the log.  This is useful
when debugging synchronization between KDC servers.

\sphinxlineitem{\sphinxstylestrong{\sphinxhyphen{}v}}
\sphinxAtStartPar
Display individual attributes per update.  An example of the
output generated for one entry:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{Update} \PYG{n}{Entry}
   \PYG{n}{Update} \PYG{n}{serial} \PYG{c+c1}{\PYGZsh{} : 4}
   \PYG{n}{Update} \PYG{n}{operation} \PYG{p}{:} \PYG{n}{Add}
   \PYG{n}{Update} \PYG{n}{principal} \PYG{p}{:} \PYG{n}{test}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}
   \PYG{n}{Update} \PYG{n}{size} \PYG{p}{:} \PYG{l+m+mi}{424}
   \PYG{n}{Update} \PYG{n}{committed} \PYG{p}{:} \PYG{k+kc}{True}
   \PYG{n}{Update} \PYG{n}{time} \PYG{n}{stamp} \PYG{p}{:} \PYG{n}{Fri} \PYG{n}{Feb} \PYG{l+m+mi}{20} \PYG{l+m+mi}{23}\PYG{p}{:}\PYG{l+m+mi}{37}\PYG{p}{:}\PYG{l+m+mi}{42} \PYG{l+m+mi}{2004}
   \PYG{n}{Attributes} \PYG{n}{changed} \PYG{p}{:} \PYG{l+m+mi}{6}
         \PYG{n}{Principal}
         \PYG{n}{Key} \PYG{n}{data}
         \PYG{n}{Password} \PYG{n}{last} \PYG{n}{changed}
         \PYG{n}{Modifying} \PYG{n}{principal}
         \PYG{n}{Modification} \PYG{n}{time}
         \PYG{n}{TL} \PYG{n}{data}
\end{sphinxVerbatim}

\end{description}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/kproplog:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/kproplog:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{ktutil}
\label{\detokenize{admin/admin_commands/ktutil:ktutil}}\label{\detokenize{admin/admin_commands/ktutil:ktutil-1}}\label{\detokenize{admin/admin_commands/ktutil::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/ktutil:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{ktutil}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/ktutil:description}}
\sphinxAtStartPar
The ktutil command invokes a command interface from which an
administrator can read, write, or edit entries in a keytab.  (Kerberos
V4 srvtab files are no longer supported.)


\subsection{COMMANDS}
\label{\detokenize{admin/admin_commands/ktutil:commands}}

\subsubsection{list}
\label{\detokenize{admin/admin_commands/ktutil:list}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list} {[}\sphinxstylestrong{\sphinxhyphen{}t}{]} {[}\sphinxstylestrong{\sphinxhyphen{}k}{]} {[}\sphinxstylestrong{\sphinxhyphen{}e}{]}
\end{quote}

\sphinxAtStartPar
Displays the current keylist.  If \sphinxstylestrong{\sphinxhyphen{}t}, \sphinxstylestrong{\sphinxhyphen{}k}, and/or \sphinxstylestrong{\sphinxhyphen{}e} are
specified, also display the timestamp, key contents, or enctype
(respectively).

\sphinxAtStartPar
Alias: \sphinxstylestrong{l}


\subsubsection{read\_kt}
\label{\detokenize{admin/admin_commands/ktutil:read-kt}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{read\_kt} \sphinxstyleemphasis{keytab}
\end{quote}

\sphinxAtStartPar
Read the Kerberos V5 keytab file \sphinxstyleemphasis{keytab} into the current keylist.

\sphinxAtStartPar
Alias: \sphinxstylestrong{rkt}


\subsubsection{write\_kt}
\label{\detokenize{admin/admin_commands/ktutil:write-kt}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{write\_kt} \sphinxstyleemphasis{keytab}
\end{quote}

\sphinxAtStartPar
Write the current keylist into the Kerberos V5 keytab file \sphinxstyleemphasis{keytab}.

\sphinxAtStartPar
Alias: \sphinxstylestrong{wkt}


\subsubsection{clear\_list}
\label{\detokenize{admin/admin_commands/ktutil:clear-list}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{clear\_list}
\end{quote}

\sphinxAtStartPar
Clear the current keylist.

\sphinxAtStartPar
Alias: \sphinxstylestrong{clear}


\subsubsection{delete\_entry}
\label{\detokenize{admin/admin_commands/ktutil:delete-entry}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{delete\_entry} \sphinxstyleemphasis{slot}
\end{quote}

\sphinxAtStartPar
Delete the entry in slot number \sphinxstyleemphasis{slot} from the current keylist.

\sphinxAtStartPar
Alias: \sphinxstylestrong{delent}


\subsubsection{add\_entry}
\label{\detokenize{admin/admin_commands/ktutil:add-entry}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{add\_entry} \{\sphinxstylestrong{\sphinxhyphen{}key}|\sphinxstylestrong{\sphinxhyphen{}password}\} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{principal}
\sphinxstylestrong{\sphinxhyphen{}k} \sphinxstyleemphasis{kvno} {[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{enctype}{]} {[}\sphinxstylestrong{\sphinxhyphen{}f}|\sphinxstylestrong{\sphinxhyphen{}s} \sphinxstyleemphasis{salt}{]}
\end{quote}

\sphinxAtStartPar
Add \sphinxstyleemphasis{principal} to keylist using key or password.  If the \sphinxstylestrong{\sphinxhyphen{}f} flag
is specified, salt information will be fetched from the KDC; in this
case the \sphinxstylestrong{\sphinxhyphen{}e} flag may be omitted, or it may be supplied to force a
particular enctype.  If the \sphinxstylestrong{\sphinxhyphen{}f} flag is not specified, the \sphinxstylestrong{\sphinxhyphen{}e}
flag must be specified, and the default salt will be used unless
overridden with the \sphinxstylestrong{\sphinxhyphen{}s} option.

\sphinxAtStartPar
Alias: \sphinxstylestrong{addent}


\subsubsection{list\_requests}
\label{\detokenize{admin/admin_commands/ktutil:list-requests}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{list\_requests}
\end{quote}

\sphinxAtStartPar
Displays a listing of available commands.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?}


\subsubsection{quit}
\label{\detokenize{admin/admin_commands/ktutil:quit}}\begin{quote}

\sphinxAtStartPar
\sphinxstylestrong{quit}
\end{quote}

\sphinxAtStartPar
Quits ktutil.

\sphinxAtStartPar
Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q}


\subsection{EXAMPLE}
\label{\detokenize{admin/admin_commands/ktutil:example}}\begin{quote}

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{ktutil}\PYG{p}{:}  \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e}
    \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{ktutil}\PYG{p}{:}  \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e}
    \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
\PYG{n}{Password} \PYG{k}{for} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:}
\PYG{n}{ktutil}\PYG{p}{:}  \PYG{n}{write\PYGZus{}kt} \PYG{n}{alice}\PYG{o}{.}\PYG{n}{keytab}
\PYG{n}{ktutil}\PYG{p}{:}
\end{sphinxVerbatim}
\end{quote}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/ktutil:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/ktutil:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{k5srvutil}
\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil}}\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}}\label{\detokenize{admin/admin_commands/k5srvutil::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/k5srvutil:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{k5srvutil} \sphinxstyleemphasis{operation}
{[}\sphinxstylestrong{\sphinxhyphen{}i}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}f} \sphinxstyleemphasis{filename}{]}
{[}\sphinxstylestrong{\sphinxhyphen{}e} \sphinxstyleemphasis{keysalts}{]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/k5srvutil:description}}
\sphinxAtStartPar
k5srvutil allows an administrator to list keys currently in
a keytab, to obtain new keys for a principal currently in a keytab,
or to delete non\sphinxhyphen{}current keys from a keytab.

\sphinxAtStartPar
\sphinxstyleemphasis{operation} must be one of the following:
\begin{description}
\sphinxlineitem{\sphinxstylestrong{list}}
\sphinxAtStartPar
Lists the keys in a keytab, showing version number and principal
name.

\sphinxlineitem{\sphinxstylestrong{change}}
\sphinxAtStartPar
Uses the kadmin protocol to update the keys in the Kerberos
database to new randomly\sphinxhyphen{}generated keys, and updates the keys in
the keytab to match.  If a key’s version number doesn’t match the
version number stored in the Kerberos server’s database, then the
operation will fail.  If the \sphinxstylestrong{\sphinxhyphen{}i} flag is given, k5srvutil will
prompt for confirmation before changing each key.  If the \sphinxstylestrong{\sphinxhyphen{}k}
option is given, the old and new keys will be displayed.
Ordinarily, keys will be generated with the default encryption
types and key salts.  This can be overridden with the \sphinxstylestrong{\sphinxhyphen{}e}
option.  Old keys are retained in the keytab so that existing
tickets continue to work, but \sphinxstylestrong{delold} should be used after
such tickets expire, to prevent attacks against the old keys.

\sphinxlineitem{\sphinxstylestrong{delold}}
\sphinxAtStartPar
Deletes keys that are not the most recent version from the keytab.
This operation should be used some time after a change operation
to remove old keys, after existing tickets issued for the service
have expired.  If the \sphinxstylestrong{\sphinxhyphen{}i} flag is given, then k5srvutil will
prompt for confirmation for each principal.

\sphinxlineitem{\sphinxstylestrong{delete}}
\sphinxAtStartPar
Deletes particular keys in the keytab, interactively prompting for
each key.

\end{description}

\sphinxAtStartPar
In all cases, the default keytab is used unless this is overridden by
the \sphinxstylestrong{\sphinxhyphen{}f} option.

\sphinxAtStartPar
k5srvutil uses the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to edit the keytab in
place.


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/k5srvutil:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/k5srvutil:see-also}}
\sphinxAtStartPar
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/ktutil:ktutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ktutil}}}}, \DUrole{xref,std,std-ref}{kerberos(7)}

\sphinxstepscope


\section{sserver}
\label{\detokenize{admin/admin_commands/sserver:sserver}}\label{\detokenize{admin/admin_commands/sserver:sserver-8}}\label{\detokenize{admin/admin_commands/sserver::doc}}

\subsection{SYNOPSIS}
\label{\detokenize{admin/admin_commands/sserver:synopsis}}
\sphinxAtStartPar
\sphinxstylestrong{sserver}
{[} \sphinxstylestrong{\sphinxhyphen{}p} \sphinxstyleemphasis{port} {]}
{[} \sphinxstylestrong{\sphinxhyphen{}S} \sphinxstyleemphasis{keytab} {]}
{[} \sphinxstyleemphasis{server\_port} {]}


\subsection{DESCRIPTION}
\label{\detokenize{admin/admin_commands/sserver:description}}
\sphinxAtStartPar
sserver and \DUrole{xref,std,std-ref}{sclient(1)} are a simple demonstration client/server
application.  When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication.  It makes a
good test that Kerberos has been successfully installed on a machine.

\sphinxAtStartPar
The service name used by sserver and sclient is sample.  Hence,
sserver will require that there be a keytab entry for the service
\sphinxcode{\sphinxupquote{sample/hostname.domain.name@REALM.NAME}}.  This keytab is generated
using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program.  The keytab file is usually
installed as {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}.

\sphinxAtStartPar
The \sphinxstylestrong{\sphinxhyphen{}S} option allows for a different keytab than the default.

\sphinxAtStartPar
sserver is normally invoked out of inetd(8), using a line in
\sphinxcode{\sphinxupquote{/etc/inetd.conf}} that looks like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{sample} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{sserver} \PYG{n}{sserver}
\end{sphinxVerbatim}

\sphinxAtStartPar
Since \sphinxcode{\sphinxupquote{sample}} is normally not a port defined in \sphinxcode{\sphinxupquote{/etc/services}},
you will usually have to add a line to \sphinxcode{\sphinxupquote{/etc/services}} which looks
like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{sample}          \PYG{l+m+mi}{13135}\PYG{o}{/}\PYG{n}{tcp}
\end{sphinxVerbatim}

\sphinxAtStartPar
When using sclient, you will first have to have an entry in the
Kerberos database, by using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and then you have to get
Kerberos tickets, by using \DUrole{xref,std,std-ref}{kinit(1)}.  Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
files.

\sphinxAtStartPar
When you run sclient you should see something like this:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{sendauth} \PYG{n}{succeeded}\PYG{p}{,} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:}
\PYG{n}{reply} \PYG{n+nb}{len} \PYG{l+m+mi}{32}\PYG{p}{,} \PYG{n}{contents}\PYG{p}{:}
\PYG{n}{You} \PYG{n}{are} \PYG{n}{nlgilman}\PYG{n+nd}{@JIMI}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}
\end{sphinxVerbatim}


\subsection{COMMON ERROR MESSAGES}
\label{\detokenize{admin/admin_commands/sserver:common-error-messages}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{)}%
\item {} 
\sphinxAtStartPar
kinit returns the error:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Client} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{getting}
       \PYG{n}{initial} \PYG{n}{credentials}
\end{sphinxVerbatim}

\sphinxAtStartPar
This means that you didn’t create an entry for your username in the
Kerberos database.

\item {} 
\sphinxAtStartPar
sclient returns the error:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{unknown} \PYG{n}{service} \PYG{n}{sample}\PYG{o}{/}\PYG{n}{tcp}\PYG{p}{;} \PYG{n}{check} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{services}
\end{sphinxVerbatim}

\sphinxAtStartPar
This means that you don’t have an entry in /etc/services for the
sample tcp port.

\item {} 
\sphinxAtStartPar
sclient returns the error:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{connect}\PYG{p}{:} \PYG{n}{Connection} \PYG{n}{refused}
\end{sphinxVerbatim}

\sphinxAtStartPar
This probably means you didn’t edit /etc/inetd.conf correctly, or
you didn’t restart inetd after editing inetd.conf.

\item {} 
\sphinxAtStartPar
sclient returns the error:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{sclient}\PYG{p}{:} \PYG{n}{Server} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{using}
         \PYG{n}{sendauth}
\end{sphinxVerbatim}

\sphinxAtStartPar
This means that the \sphinxcode{\sphinxupquote{sample/hostname@LOCAL.REALM}} service was not
defined in the Kerberos database; it should be created using
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and a keytab file needs to be generated to make
the key for that service principal available for sclient.

\item {} 
\sphinxAtStartPar
sclient returns the error:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{sendauth} \PYG{n}{rejected}\PYG{p}{,} \PYG{n}{error} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:}
    \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{No such file or directory}\PYG{l+s+s2}{\PYGZdq{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
This probably means sserver couldn’t find the keytab file.  It was
probably not installed in the proper directory.

\end{enumerate}


\subsection{ENVIRONMENT}
\label{\detokenize{admin/admin_commands/sserver:environment}}
\sphinxAtStartPar
See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment
variables.


\subsection{SEE ALSO}
\label{\detokenize{admin/admin_commands/sserver:see-also}}
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{sclient(1)}, \DUrole{xref,std,std-ref}{kerberos(7)}, services(5), inetd(8)

\sphinxstepscope


\chapter{MIT Kerberos defaults}
\label{\detokenize{mitK5defaults:mit-kerberos-defaults}}\label{\detokenize{mitK5defaults:mitk5defaults}}\label{\detokenize{mitK5defaults::doc}}

\section{General defaults}
\label{\detokenize{mitK5defaults:general-defaults}}

\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TTT}
\sphinxtoprule
\sphinxstyletheadfamily 
\sphinxAtStartPar
Description
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Default
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Environment
\\
\sphinxmidrule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{keytab\_definition} file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}
&
\sphinxAtStartPar
\sphinxstylestrong{KRB5\_KTNAME}
\\
\sphinxhline
\sphinxAtStartPar
Client \DUrole{xref,std,std-ref}{keytab\_definition} file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}
&
\sphinxAtStartPar
\sphinxstylestrong{KRB5\_CLIENT\_KTNAME}
\\
\sphinxhline
\sphinxAtStartPar
Kerberos config file {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/etc/krb5.conf}}\sphinxcode{\sphinxupquote{:}}{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/krb5.conf}}
&
\sphinxAtStartPar
\sphinxstylestrong{KRB5\_CONFIG}
\\
\sphinxhline
\sphinxAtStartPar
KDC config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kdc.conf}}
&
\sphinxAtStartPar
\sphinxstylestrong{KRB5\_KDC\_PROFILE}
\\
\sphinxhline
\sphinxAtStartPar
GSS mechanism config file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{\sphinxupquote{/gss/mech}}
&
\sphinxAtStartPar
\sphinxstylestrong{GSS\_MECH\_CONFIG}
\\
\sphinxhline
\sphinxAtStartPar
KDC database path (DB2)
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/principal}}
&\\
\sphinxhline
\sphinxAtStartPar
Master key \DUrole{xref,std,std-ref}{stash\_definition}
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/.k5.}}\sphinxstyleemphasis{realm}
&\\
\sphinxhline
\sphinxAtStartPar
Admin server ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kadm5.acl}}
&\\
\sphinxhline
\sphinxAtStartPar
OTP socket directory
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}
&\\
\sphinxhline
\sphinxAtStartPar
Plugin base directory
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{\sphinxupquote{/krb5/plugins}}
&\\
\sphinxhline
\sphinxAtStartPar
\DUrole{xref,std,std-ref}{rcache\_definition} directory
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/var/tmp}}
&
\sphinxAtStartPar
\sphinxstylestrong{KRB5RCACHEDIR}
\\
\sphinxhline
\sphinxAtStartPar
Master key default enctype
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96}}
&\\
\sphinxhline
\sphinxAtStartPar
Default {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{keysalt list}}}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96:normal}}
&\\
\sphinxhline
\sphinxAtStartPar
Permitted enctypes
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha1\sphinxhyphen{}96 aes256\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha384\sphinxhyphen{}192 aes128\sphinxhyphen{}cts\sphinxhyphen{}hmac\sphinxhyphen{}sha256\sphinxhyphen{}128 des3\sphinxhyphen{}cbc\sphinxhyphen{}sha1 arcfour\sphinxhyphen{}hmac\sphinxhyphen{}md5 camellia256\sphinxhyphen{}cts\sphinxhyphen{}cmac camellia128\sphinxhyphen{}cts\sphinxhyphen{}cmac}}
&\\
\sphinxhline
\sphinxAtStartPar
KDC default port
&
\sphinxAtStartPar
88
&\\
\sphinxhline
\sphinxAtStartPar
Admin server port
&
\sphinxAtStartPar
749
&\\
\sphinxhline
\sphinxAtStartPar
Password change port
&
\sphinxAtStartPar
464
&\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}


\section{Replica KDC propagation defaults}
\label{\detokenize{mitK5defaults:replica-kdc-propagation-defaults}}
\sphinxAtStartPar
This table shows defaults used by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} and
{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} programs.


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TTT}
\sphinxtoprule
\sphinxstyletheadfamily 
\sphinxAtStartPar
Description
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Default
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Environment
\\
\sphinxmidrule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
kprop database dump file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/replica\_datatrans}}
&\\
\sphinxhline
\sphinxAtStartPar
kpropd temporary dump file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/from\_master}}
&\\
\sphinxhline
\sphinxAtStartPar
kdb5\_util location
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kdb5\_util}}
&\\
\sphinxhline
\sphinxAtStartPar
kprop location
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{\sphinxupquote{/kprop}}
&\\
\sphinxhline
\sphinxAtStartPar
kpropd ACL file
&
\sphinxAtStartPar
{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{\sphinxupquote{/krb5kdc}}\sphinxcode{\sphinxupquote{/kpropd.acl}}
&\\
\sphinxhline
\sphinxAtStartPar
kprop port
&
\sphinxAtStartPar
754
&
\sphinxAtStartPar
KPROP\_PORT
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}


\section{Default paths for Unix\sphinxhyphen{}like systems}
\label{\detokenize{mitK5defaults:default-paths-for-unix-like-systems}}\label{\detokenize{mitK5defaults:paths}}
\sphinxAtStartPar
On Unix\sphinxhyphen{}like systems, some paths used by MIT krb5 depend on parameters
chosen at build time.  For a custom build, these paths default to
subdirectories of \sphinxcode{\sphinxupquote{/usr/local}}.  When MIT krb5 is integrated into an
operating system, the paths are generally chosen to match the
operating system’s filesystem layout.


\begin{savenotes}\sphinxattablestart
\sphinxthistablewithglobalstyle
\centering
\begin{tabulary}{\linewidth}[t]{TTTT}
\sphinxtoprule
\sphinxstyletheadfamily 
\sphinxAtStartPar
Description
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Symbolic name
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Custom build path
&\sphinxstyletheadfamily 
\sphinxAtStartPar
Typical OS path
\\
\sphinxmidrule
\sphinxtableatstartofbodyhook
\sphinxAtStartPar
User programs
&
\sphinxAtStartPar
BINDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/bin}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/bin}}
\\
\sphinxhline
\sphinxAtStartPar
Libraries and plugins
&
\sphinxAtStartPar
LIBDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/lib}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/lib}}
\\
\sphinxhline
\sphinxAtStartPar
Parent of KDC state dir
&
\sphinxAtStartPar
LOCALSTATEDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/var}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/var}}
\\
\sphinxhline
\sphinxAtStartPar
Parent of KDC runtime dir
&
\sphinxAtStartPar
RUNSTATEDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/var/run}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/run}}
\\
\sphinxhline
\sphinxAtStartPar
Administrative programs
&
\sphinxAtStartPar
SBINDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/sbin}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/sbin}}
\\
\sphinxhline
\sphinxAtStartPar
Alternate krb5.conf dir
&
\sphinxAtStartPar
SYSCONFDIR
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/usr/local/etc}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{/etc}}
\\
\sphinxhline
\sphinxAtStartPar
Default ccache name
&
\sphinxAtStartPar
DEFCCNAME
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{FILE:/tmp/krb5cc\_\%\{uid\}}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{FILE:/tmp/krb5cc\_\%\{uid\}}}
\\
\sphinxhline
\sphinxAtStartPar
Default keytab name
&
\sphinxAtStartPar
DEFKTNAME
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{FILE:/etc/krb5.keytab}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{FILE:/etc/krb5.keytab}}
\\
\sphinxhline
\sphinxAtStartPar
Default PKCS11 module
&
\sphinxAtStartPar
PKCS11\_MODNAME
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{opensc\sphinxhyphen{}pkcs11.so}}
&
\sphinxAtStartPar
\sphinxcode{\sphinxupquote{opensc\sphinxhyphen{}pkcs11.so}}
\\
\sphinxbottomrule
\end{tabulary}
\sphinxtableafterendhook\par
\sphinxattableend\end{savenotes}

\sphinxAtStartPar
The default client keytab name (DEFCKTNAME) typically defaults to
\sphinxcode{\sphinxupquote{FILE:/usr/local/var/krb5/user/\%\{euid\}/client.keytab}} for a custom
build.  A native build will typically use a path which will vary
according to the operating system’s layout of \sphinxcode{\sphinxupquote{/var}}.

\sphinxstepscope


\chapter{Environment variables}
\label{\detokenize{admin/env_variables:environment-variables}}\label{\detokenize{admin/env_variables::doc}}
\sphinxAtStartPar
This content has moved to \DUrole{xref,std,std-ref}{kerberos(7)}.

\sphinxstepscope


\chapter{Troubleshooting}
\label{\detokenize{admin/troubleshoot:troubleshooting}}\label{\detokenize{admin/troubleshoot:troubleshoot}}\label{\detokenize{admin/troubleshoot::doc}}

\section{Trace logging}
\label{\detokenize{admin/troubleshoot:trace-logging}}\label{\detokenize{admin/troubleshoot:id1}}
\sphinxAtStartPar
Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging.  To enable this, set the \sphinxstylestrong{KRB5\_TRACE} environment variable
to a filename before running the program.  On many operating systems,
the filename \sphinxcode{\sphinxupquote{/dev/stdout}} can be used to send trace logging output
to standard output.

\sphinxAtStartPar
Some programs do not honor \sphinxstylestrong{KRB5\_TRACE}, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.

\sphinxAtStartPar
Here is a short example showing trace logging output for an invocation
of the \DUrole{xref,std,std-ref}{kvno(1)} command:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{env} \PYG{n}{KRB5\PYGZus{}TRACE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{stdout} \PYG{n}{kvno} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}
\PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823276}\PYG{p}{:} \PYG{n}{Getting} \PYG{n}{credentials} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}}
    \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{using} \PYG{n}{ccache}
    \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache}
\PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823381}\PYG{p}{:} \PYG{n}{Retrieving} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}}
    \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{k+kn}{from}
    \PYG{n+nn}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache} \PYG{k}{with} \PYG{n}{result}\PYG{p}{:} \PYG{l+m+mi}{0}\PYG{o}{/}\PYG{n}{Unknown} \PYG{n}{code} \PYG{l+m+mi}{0}
\PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{kvno} \PYG{o}{=} \PYG{l+m+mi}{1}
\end{sphinxVerbatim}


\section{List of errors}
\label{\detokenize{admin/troubleshoot:list-of-errors}}

\subsection{Frequently seen errors}
\label{\detokenize{admin/troubleshoot:frequently-seen-errors}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:init-creds-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC has no support for encryption type while getting initial credentials}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{credential verification failed: KDC has no support for encryption type}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}]{\sphinxcrossref{\DUrole{std,std-ref}{Cannot create cert chain: certificate has expired}}}}

\end{enumerate}


\subsection{Errors seen by admins}
\label{\detokenize{admin/troubleshoot:errors-seen-by-admins}}\phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-start}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}}

\item {} 
\sphinxAtStartPar
{\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}}

\end{enumerate}
\phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-end}}

\bigskip\hrule\bigskip



\subsubsection{KDC has no support for encryption type while getting initial credentials}
\label{\detokenize{admin/troubleshoot:kdc-has-no-support-for-encryption-type-while-getting-initial-credentials}}\label{\detokenize{admin/troubleshoot:init-creds-etype-nosupp}}

\subsubsection{credential verification failed: KDC has no support for encryption type}
\label{\detokenize{admin/troubleshoot:credential-verification-failed-kdc-has-no-support-for-encryption-type}}\label{\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}}
\sphinxAtStartPar
This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default.  DES encryption is considered weak due to its inadequate key
size.  If you cannot migrate away from its use, you can re\sphinxhyphen{}enable DES
by adding \sphinxcode{\sphinxupquote{allow\_weak\_crypto = true}} to the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}
section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}.


\subsubsection{Cannot create cert chain: certificate has expired}
\label{\detokenize{admin/troubleshoot:cannot-create-cert-chain-certificate-has-expired}}\label{\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}}
\sphinxAtStartPar
This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.

\sphinxAtStartPar
If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a “Preauthentication failed”
error.  (Prior to release 1.11, the KDC log file message erroneously
appears as “Out of memory”.  Prior to release 1.12, the client will
receive a “Generic error”.)

\sphinxAtStartPar
If the client or a signing certificate has expired, this message may
appear in {\hyperref[\detokenize{admin/troubleshoot:trace-logging}]{\sphinxcrossref{trace\_logging}}} output from \DUrole{xref,std,std-ref}{kinit(1)} or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets.  The error message is more likely to appear
properly on the client if the principal entry has no long\sphinxhyphen{}term keys.


\subsubsection{kprop: No route to host while connecting to server}
\label{\detokenize{admin/troubleshoot:kprop-no-route-to-host-while-connecting-to-server}}\label{\detokenize{admin/troubleshoot:kprop-no-route}}
\sphinxAtStartPar
Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.


\subsubsection{kprop: Connection refused while connecting to server}
\label{\detokenize{admin/troubleshoot:kprop-connection-refused-while-connecting-to-server}}\label{\detokenize{admin/troubleshoot:kprop-con-refused}}
\sphinxAtStartPar
If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5\_prop connections.  inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration.  If the replica is intended to run kpropd in standalone
mode, make sure that it is running.


\subsubsection{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}
\label{\detokenize{admin/troubleshoot:kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server}}\label{\detokenize{admin/troubleshoot:kprop-sendauth-exchange}}
\sphinxAtStartPar
Make sure that:
\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
The time is synchronized between the primary and replica KDCs.

\item {} 
\sphinxAtStartPar
The master stash file was copied from the primary to the expected
location on the replica.

\item {} 
\sphinxAtStartPar
The replica has a keytab file in the default location containing a
\sphinxcode{\sphinxupquote{host}} principal for the replica’s hostname.

\end{enumerate}

\sphinxstepscope


\chapter{Advanced topics}
\label{\detokenize{admin/advanced/index:advanced-topics}}\label{\detokenize{admin/advanced/index::doc}}
\sphinxstepscope


\section{Retiring DES}
\label{\detokenize{admin/advanced/retiring-des:retiring-des}}\label{\detokenize{admin/advanced/retiring-des:id1}}\label{\detokenize{admin/advanced/retiring-des::doc}}
\sphinxAtStartPar
Version 5 of the Kerberos protocol was originally implemented using
the Data Encryption Standard (DES) as a block cipher for encryption.
While it was considered secure at the time, advancements in computational
ability have rendered DES vulnerable to brute force attacks on its 56\sphinxhyphen{}bit
keyspace.  As such, it is now considered insecure and should not be
used (\index{RFC@\spxentry{RFC}!RFC 6649@\spxentry{RFC 6649}}\sphinxhref{https://datatracker.ietf.org/doc/html/rfc6649.html}{\sphinxstylestrong{RFC 6649}}).


\subsection{History}
\label{\detokenize{admin/advanced/retiring-des:history}}
\sphinxAtStartPar
DES was used in the original Kerberos implementation, and was the
only cryptosystem in krb5 1.0.  Partial support for triple\sphinxhyphen{}DES (3DES) was
added in version 1.1, with full support following in version 1.2.
The Advanced Encryption Standard (AES), which supersedes DES, gained
partial support in version 1.3.0 of krb5 and full support in version 1.3.2.
However, deployments of krb5 using Kerberos databases created with older
versions of krb5 will not necessarily start using strong crypto for
ordinary operation without administrator intervention.

\sphinxAtStartPar
MIT krb5 began flagging deprecated encryption types with release 1.17,
and removed DES (single\sphinxhyphen{}DES) support in release 1.18.  As a
consequence, a release prior to 1.18 is required to perform these
migrations.


\subsection{Types of keys}
\label{\detokenize{admin/advanced/retiring-des:types-of-keys}}\begin{itemize}
\item {} 
\sphinxAtStartPar
The database master key:  This key is not exposed to user requests,
but is used to encrypt other key material stored in the kerberos
database.  The database master key is currently stored as \sphinxcode{\sphinxupquote{K/M}}
by default.

\item {} 
\sphinxAtStartPar
Password\sphinxhyphen{}derived keys:  User principals frequently have keys
derived from a password.  When a new password is set, the KDC
uses various string2key functions to generate keys in the database
for that principal.

\item {} 
\sphinxAtStartPar
Keytab keys:  Application server principals generally use random
keys which are not derived from a password.  When the database
entry is created, the KDC generates random keys of various enctypes
to enter in the database, which are conveyed to the application server
and stored in a keytab.

\item {} 
\sphinxAtStartPar
Session keys:  These are short\sphinxhyphen{}term keys generated by the KDC while
processing client requests, with an enctype selected by the KDC.

\end{itemize}

\sphinxAtStartPar
For details on the various enctypes and how enctypes are selected by the KDC
for session keys and client/server long\sphinxhyphen{}term keys, see {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}.
When using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} interface to generate new long\sphinxhyphen{}term keys,
the \sphinxstylestrong{\sphinxhyphen{}e} argument can be used to force a particular set of enctypes,
overriding the KDC default values.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
When the KDC is selecting a session key, it has no knowledge about the
kerberos installation on the server which will receive the service ticket,
only what keys are in the database for the service principal.
In order to allow uninterrupted operation to
clients while migrating away from DES, care must be taken to ensure that
kerberos installations on application server machines are configured to
support newer encryption types before keys of those new encryption types
are created in the Kerberos database for those server principals.
\end{sphinxadmonition}


\subsection{Upgrade procedure}
\label{\detokenize{admin/advanced/retiring-des:upgrade-procedure}}
\sphinxAtStartPar
This procedure assumes that the KDC software has already been upgraded
to a modern version of krb5 that supports non\sphinxhyphen{}DES keys, so that the
only remaining task is to update the actual keys used to service requests.
The realm used for demonstrating this procedure, ZONE.MIT.EDU,
is an example of the worst\sphinxhyphen{}case scenario, where all keys in the realm
are DES.  The realm was initially created with a very old version of krb5,
and \sphinxstylestrong{supported\_enctypes} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} was set to a value
appropriate when the KDC was installed, but was not updated as the KDC
was upgraded:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
        \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
                \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
                \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}
                \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{v4} \PYG{n}{des}\PYG{p}{:}\PYG{n}{norealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{onlyrealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{afs3}
        \PYG{p}{\PYGZcb{}}
\end{sphinxVerbatim}

\sphinxAtStartPar
This resulted in the keys for all principals in the realm being forced
to DES\sphinxhyphen{}only, unless specifically requested using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}.

\sphinxAtStartPar
Before starting the upgrade, all KDCs were running krb5 1.11,
and the database entries for some “high\sphinxhyphen{}value” principals were:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/admin\PYGZsq{}}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{15}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/changepw\PYGZsq{}}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{14}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\end{sphinxVerbatim}

\sphinxAtStartPar
The \sphinxcode{\sphinxupquote{krbtgt/REALM}} key appears to have never been changed since creation
(its kvno is 1), and all three database entries have only a des\sphinxhyphen{}cbc\sphinxhyphen{}crc key.


\subsubsection{The krbtgt key and KDC keys}
\label{\detokenize{admin/advanced/retiring-des:the-krbtgt-key-and-kdc-keys}}
\sphinxAtStartPar
Perhaps the biggest single\sphinxhyphen{}step improvement in the security of the cell
is gained by strengthening the key of the ticket\sphinxhyphen{}granting service principal,
\sphinxcode{\sphinxupquote{krbtgt/REALM}}—if this principal’s key is compromised, so is the
entire realm.  Since the server that will handle service tickets
for this principal is the KDC itself, it is easy to guarantee that it
will be configured to support any encryption types which might be
selected.  However, the default KDC behavior when creating new keys is to
remove the old keys, which would invalidate all existing tickets issued
against that principal, rendering the TGTs cached by clients useless.
Instead, a new key can be created with the old key retained, so that
existing tickets will still function until their scheduled expiry
(see {\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}).

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The new \sphinxcode{\sphinxupquote{krbtgt@REALM}} key should be propagated to replica KDCs
immediately so that TGTs issued by the primary KDC can be used to
issue service tickets on replica KDCs.  Replica KDCs will refuse
requests using the new TGT kvno until the new krbtgt entry has
been propagated to them.
\end{sphinxadmonition}

\sphinxAtStartPar
It is necessary to explicitly specify the enctypes for the new database
entry, since \sphinxstylestrong{supported\_enctypes} has not been changed.  Leaving
\sphinxstylestrong{supported\_enctypes} unchanged makes a potential rollback operation
easier, since all new keys of new enctypes are the result of explicit
administrator action and can be easily enumerated.
Upgrading the krbtgt key should have minimal user\sphinxhyphen{}visible disruption other
than that described in the note above, since only clients which list the
new enctypes as supported will use them, per the procedure
in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}.
Once the krbtgt key is updated, the session and ticket keys for user
TGTs will be strong keys, but subsequent requests
for service tickets will still get DES keys until the service principals
have new keys generated.  Application service
remains uninterrupted due to the key\sphinxhyphen{}selection procedure on the KDC.

\sphinxAtStartPar
After the change, the database entry is now:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{5}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}
\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4}
\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]}
\end{sphinxVerbatim}

\sphinxAtStartPar
Since the expected disruptions from rekeying the krbtgt principal are
minor, after a short testing period, it is
appropriate to rekey the other high\sphinxhyphen{}value principals, \sphinxcode{\sphinxupquote{kadmin/admin@REALM}}
and \sphinxcode{\sphinxupquote{kadmin/changepw@REALM}}. These are the service principals used for
changing user passwords and updating application keytabs.  The kadmin
and password\sphinxhyphen{}changing services are regular kerberized services, so the
session\sphinxhyphen{}key\sphinxhyphen{}selection algorithm described in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}
applies.  It is particularly important to have strong session keys for
these services, since user passwords and new long\sphinxhyphen{}term keys are conveyed
over the encrypted channel.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/admin@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{changepw}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/changepw@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
It is not necessary to retain a single\sphinxhyphen{}DES key for these services, since
password changes are not part of normal daily workflow, and disruption
from a client failure is likely to be minimal.  Furthermore, if a kerberos
client experiences failure changing a user password or keytab key,
this indicates that that client will become inoperative once services
are rekeyed to non\sphinxhyphen{}DES enctypes.  Such problems can be detected early
at this stage, giving more time for corrective action.


\subsubsection{Adding strong keys to application servers}
\label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-to-application-servers}}
\sphinxAtStartPar
Before switching the default enctypes for new keys over to strong enctypes,
it may be desired to test upgrading a handful of services with the
new configuration before flipping the switch for the defaults.  This
still requires using the \sphinxstylestrong{\sphinxhyphen{}e} argument in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to get non\sphinxhyphen{}default
enctypes:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal}
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}p zephyr/zephyr@ZONE.MIT.EDU \PYGZhy{}k \PYGZhy{}t \PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}  \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ktadd \PYGZhy{}e \PYGZdl{}}\PYG{l+s+si}{\PYGZob{}enctypes\PYGZcb{}}\PYG{l+s+s2}{ }\PYG{l+s+se}{\PYGZbs{}}
\PYG{l+s+s2}{\PYGZgt{} \PYGZhy{}k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
Be sure to remove the old keys from the application keytab, per best
practice.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} k5srvutil \PYGZhy{}f /etc/zephyr/krb5.keytab delold}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}


\subsubsection{Adding strong keys by default}
\label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-by-default}}
\sphinxAtStartPar
Once the high\sphinxhyphen{}visibility services have been rekeyed, it is probably
appropriate to change {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to generate keys with the new
encryption types by default.  This enables server administrators to generate
new enctypes with the \sphinxstylestrong{change} subcommand of {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}},
and causes user password
changes to add new encryption types for their entries.  It will probably
be necessary to implement administrative controls to cause all user
principal keys to be updated in a reasonable period of time, whether
by forcing password changes or a password synchronization service that
has access to the current password and can add the new keys.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
        \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
                \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
The krb5kdc process must be restarted for these changes to take effect.
\end{sphinxadmonition}

\sphinxAtStartPar
At this point, all service administrators can update their services and the
servers behind them to take advantage of strong cryptography.
If necessary, the server’s krb5 installation should be configured and/or
upgraded to a version supporting non\sphinxhyphen{}DES keys.  See {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for
krb5 version and configuration settings.
Only when the service is configured to accept non\sphinxhyphen{}DES keys should
the key version number be incremented and new keys generated
(\sphinxcode{\sphinxupquote{k5srvutil change \&\& k5srvutil delold}}).

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil change}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}e \PYGZhy{}k \PYGZhy{}t /etc/krb5.keytab}
\PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}
\PYG{n}{KVNO} \PYG{n}{Timestamp}         \PYG{n}{Principal}
\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}
   \PYG{l+m+mi}{2} \PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{17}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{59} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)}
   \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)}
   \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)}
   \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1}\PYG{p}{)}
   \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)}
\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil delold}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
When a single service principal is shared by multiple backend servers in
a load\sphinxhyphen{}balanced environment, it may be necessary to schedule downtime
or adjust the population in the load\sphinxhyphen{}balanced pool in order to propagate
the updated keytab to all hosts in the pool with minimal service interruption.


\subsubsection{Removing DES keys from usage}
\label{\detokenize{admin/advanced/retiring-des:removing-des-keys-from-usage}}
\sphinxAtStartPar
This situation remains something of a testing or transitory state,
as new DES keys are still being generated, and will be used if requested
by a client.  To make more progress removing DES from the realm, the KDC
should be configured to not generate such keys by default.

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
An attacker posing as a client can implement a brute force attack against
a DES key for any principal, if that key is in the current (highest\sphinxhyphen{}kvno)
key list.  This attack is only possible if \sphinxstylestrong{allow\_weak\_crypto = true}
is enabled on the KDC.  Setting the \sphinxstylestrong{+requires\_preauth} flag on a
principal forces this attack to be an online attack, much slower than
the offline attack otherwise available to the attacker.  However, setting
this flag on a service principal is not always advisable; see the entry in
{\hyperref[\detokenize{admin/admin_commands/kadmin_local:add-principal}]{\sphinxcrossref{\DUrole{std,std-ref}{add\_principal}}}} for details.
\end{sphinxadmonition}

\sphinxAtStartPar
The following KDC configuration will not generate DES keys by default:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]}
        \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}}
                \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}
\end{sphinxVerbatim}

\begin{sphinxadmonition}{note}{Note:}
\sphinxAtStartPar
As before, the KDC process must be restarted for this change to take
effect.  It is best practice to update kdc.conf on all KDCs, not just the
primary, to avoid unpleasant surprises should the primary fail and a
replica need to be promoted.
\end{sphinxadmonition}

\sphinxAtStartPar
It is now appropriate to remove the legacy single\sphinxhyphen{}DES key from the
\sphinxcode{\sphinxupquote{krbtgt/REALM}} entry:

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}randkey \PYGZhy{}keepold \PYGZbs{}}
\PYG{o}{\PYGZgt{}} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
After the maximum ticket lifetime has passed, the old database entry
should be removed.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}purgekeys krbtgt/ZONE.MIT.EDU\PYGZsq{}}
\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.}
\PYG{n}{Old} \PYG{n}{keys} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{purged}\PYG{o}{.}
\end{sphinxVerbatim}

\sphinxAtStartPar
After the KDC is restarted with the new \sphinxstylestrong{supported\_enctypes},
all user password changes and application keytab updates will not
generate DES keys by default.

\begin{sphinxVerbatim}[commandchars=\\\{\}]
contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kpasswd zonetest@ZONE.MIT.EDU
Password for zonetest@ZONE.MIT.EDU:  [enter old password]
Enter new password:                  [enter new password]
Enter it again:                      [enter new password]
Password changed.
contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc zonetest\PYGZsq{}
[...]
Number of keys: 3
Key: vno 9, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96
Key: vno 9, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96
Key: vno 9, des3\PYGZhy{}cbc\PYGZhy{}sha1
[...]

[kaduk@glossolalia \PYGZti{}]\PYGZdl{} kadmin \PYGZhy{}p kaduk@ZONE.MIT.EDU \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}k \PYGZbs{}
\PYGZgt{} \PYGZhy{}t kaduk\PYGZhy{}zone.keytab \PYGZhy{}q \PYGZsq{}ktadd \PYGZhy{}k kaduk\PYGZhy{}zone.keytab kaduk@ZONE.MIT.EDU\PYGZsq{}
Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk\PYGZhy{}zone.keytab.
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab.
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab.
Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab.
\end{sphinxVerbatim}

\sphinxAtStartPar
Once all principals have been re\sphinxhyphen{}keyed, DES support can be disabled on the
KDC (\sphinxstylestrong{allow\_weak\_crypto = false}), and client machines can remove
\sphinxstylestrong{allow\_weak\_crypto = true} from their {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} configuration
files, completing the migration.  \sphinxstylestrong{allow\_weak\_crypto} takes precedence over
all places where DES enctypes could be explicitly configured.  DES keys will
not be used, even if they are present, when \sphinxstylestrong{allow\_weak\_crypto = false}.


\subsubsection{Support for legacy services}
\label{\detokenize{admin/advanced/retiring-des:support-for-legacy-services}}
\sphinxAtStartPar
If there remain legacy services which do not support non\sphinxhyphen{}DES enctypes
(such as older versions of AFS), \sphinxstylestrong{allow\_weak\_crypto} must remain
enabled on the KDC.  Client machines need not have this setting,
though—applications which require DES can use API calls to allow
weak crypto on a per\sphinxhyphen{}request basis, overriding the system krb5.conf.
However, having \sphinxstylestrong{allow\_weak\_crypto} set on the KDC means that any
principals which have a DES key in the database could still use those
keys.  To minimize the use of DES in the realm and restrict it to just
legacy services which require DES, it is necessary to remove all other
DES keys.  The realm has been configured such that at password and
keytab change, no DES keys will be generated by default.  The task
then reduces to requiring user password changes and having server
administrators update their service keytabs.  Administrative outreach
will be necessary, and if the desire to eliminate DES is sufficiently
strong, the KDC administrators may choose to randkey any principals
which have not been rekeyed after some timeout period, forcing the
user to contact the helpdesk for access.


\subsection{The Database Master Key}
\label{\detokenize{admin/advanced/retiring-des:the-database-master-key}}
\sphinxAtStartPar
This procedure does not alter \sphinxcode{\sphinxupquote{K/M@REALM}}, the key used to encrypt key
material in the Kerberos database.  (This is the key stored in the stash file
on the KDC if stash files are used.)  However, the security risk of
a single\sphinxhyphen{}DES key for \sphinxcode{\sphinxupquote{K/M}} is minimal, given that access to material
encrypted in \sphinxcode{\sphinxupquote{K/M}} (the Kerberos database) is generally tightly controlled.
If an attacker can gain access to the encrypted database, they likely
have access to the stash file as well, rendering the weak cryptography
broken by non\sphinxhyphen{}cryptographic means.  As such, upgrading \sphinxcode{\sphinxupquote{K/M}} to a stronger
encryption type is unlikely to be a high\sphinxhyphen{}priority task.

\sphinxAtStartPar
Is is possible to upgrade the master key used for the database, if
desired.  Using {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}’s \sphinxstylestrong{add\_mkey}, \sphinxstylestrong{use\_mkey}, and
\sphinxstylestrong{update\_princ\_encryption} commands, a new master key can be added
and activated for use on new key material, and the existing entries
converted to the new master key.

\sphinxstepscope


\chapter{Various links}
\label{\detokenize{admin/various_envs:various-links}}\label{\detokenize{admin/various_envs::doc}}

\section{Whitepapers}
\label{\detokenize{admin/various_envs:whitepapers}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
\sphinxurl{https://kerberos.org/software/whitepapers.html}

\end{enumerate}


\section{Tutorials}
\label{\detokenize{admin/various_envs:tutorials}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
Fulvio Ricciardi  \textless{}\sphinxurl{https://www.kerberos.org/software/tutorial.html}\textgreater{}\_

\end{enumerate}


\section{Troubleshooting}
\label{\detokenize{admin/various_envs:troubleshooting}}\begin{enumerate}
\sphinxsetlistlabels{\arabic}{enumi}{enumii}{}{.}%
\item {} 
\sphinxAtStartPar
\sphinxurl{https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting}

\item {} 
\sphinxAtStartPar
\sphinxurl{https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html}

\item {} 
\sphinxAtStartPar
\sphinxurl{https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html}

\item {} 
\sphinxAtStartPar
\sphinxurl{https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10})\#EBAA

\item {} 
\sphinxAtStartPar
\sphinxurl{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528}

\end{enumerate}



\renewcommand{\indexname}{Index}
\printindex
\end{document}