- *dn* and *containerdn* should be within the subtrees or
principal container configured in the realm.
-Example:
-
- ::
+Example::
kadmin: addprinc jennifer
WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for ``krbtgt`` principals.
-Example:
-
- ::
+Example::
kadmin: cpw systest
Enter password for principal systest@BLEEP.COM:
Alias: **getprinc**
-Examples:
-
- ::
+Examples::
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Alias: **listprincs**, **get_principals**, **get_princs**
-Example:
-
- ::
+Example::
kadmin: listprincs test*
test3@SECURE-TEST.OV.COM
with commas (',') only. To clear the allowed key/salt policy use
a value of '-'.
-Example:
-
- ::
+Example::
kadmin: add_policy -maxlife "2 days" -minlength 5 guests
kadmin:
Alias: **delpol**
-Example:
-
- ::
+Example::
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
Alias: getpol
-Examples:
-
- ::
+Examples::
kadmin: get_policy admin
Policy: admin
Aliases: **listpols**, **get_policies**, **getpols**.
-Examples:
-
- ::
+Examples::
kadmin: listpols
test-pol
ignoring multiple keys with the same encryption type but different
salt types.
-Example:
-
- ::
+Example::
kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
**-q**
Display less verbose information.
-Example:
-
- ::
+Example::
kadmin: ktremove kadmin/admin all
Entry for principal kadmin/admin with kvno 3 removed from keytab
documented in the description of the **add_principal** command in
:ref:`kadmin(1)`.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
documented in the description of the **add_principal** command in
:ref:`kadmin(1)`.
-Example:
-
- ::
+Example::
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify +requires_preauth -r
**-r** *realm*
Specifies the Kerberos realm of the database.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view -r ATHENA.MIT.EDU
**-r** *realm*
Specifies the Kerberos realm of the database.
-Example:
-
- ::
+Example::
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
Lists the name of realms.
-Example:
-
- ::
+Example::
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu list
Specifies Distinguished Name (DN) of the service object whose
password is to be stored in file.
-Example:
-
- ::
+Example::
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
cn=service-kdc,o=org
*policy_name*
Specifies the name of the ticket policy.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
Modifies the attributes of a ticket policy. Options are same as for
**create_policy**.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
*policy_name*
Specifies the name of the ticket policy.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view_policy -r ATHENA.MIT.EDU tktpolicy
*policy_name*
Specifies the name of the ticket policy.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
destroy_policy -r ATHENA.MIT.EDU tktpolicy
**-r** *realm*
Specifies the Kerberos realm of the database.
-Example:
-
- ::
+Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
list_policy -r ATHENA.MIT.EDU
Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service. This is done by adding a line to
-the ``/etc/inetd.conf`` file which looks like this:
-
- ::
+the ``/etc/inetd.conf`` file which looks like this::
kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
**-v**
Display individual attributes per update. An example of the
- output generated for one entry:
-
- ::
+ output generated for one entry::
Update Entry
Update serial # : 4
be specified on the command line pertain for each realm that follows
it and are superseded by subsequent definitions of the same option.
-For example:
-
- ::
+For example::
krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
The **-S** option allows for a different keytab than the default.
sserver is normally invoked out of inetd(8), using a line in
-``/etc/inetd.conf`` that looks like this:
-
- ::
+``/etc/inetd.conf`` that looks like this::
sample stream tcp nowait root /usr/local/sbin/sserver sserver
Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
-like this:
-
- ::
+like this::
sample 13135/tcp
for the sample tcp port, and that the same port number is in both
files.
-When you run sclient you should see something like this:
-
- ::
+When you run sclient you should see something like this::
sendauth succeeded, reply is:
reply len 32, contents:
COMMON ERROR MESSAGES
---------------------
-1) kinit returns the error:
-
- ::
+1) kinit returns the error::
kinit: Client not found in Kerberos database while getting
- initial credentials
+ initial credentials
This means that you didn't create an entry for your username in the
Kerberos database.
-2) sclient returns the error:
-
- ::
+2) sclient returns the error::
unknown service sample/tcp; check /etc/services
This means that you don't have an entry in /etc/services for the
sample tcp port.
-3) sclient returns the error:
-
- ::
+3) sclient returns the error::
connect: Connection refused
This probably means you didn't edit /etc/inetd.conf correctly, or
you didn't restart inetd after editing inetd.conf.
-4) sclient returns the error:
-
- ::
+4) sclient returns the error::
sclient: Server not found in Kerberos database while using
- sendauth
+ sendauth
This means that the ``sample/hostname@LOCAL.REALM`` service was not
defined in the Kerberos database; it should be created using
:ref:`kadmin(1)`, and a keytab file needs to be generated to make
the key for that service principal available for sclient.
-5) sclient returns the error:
-
- ::
+5) sclient returns the error::
sendauth rejected, error reply is:
"No such file or directory"
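Review bot: The continuation lines "initial credentials" (item 1) and "sendauth" (item 4) change only in leading whitespace, which is not visible in the diff, yet that whitespace decides whether they render correctly. Each message now sits in a literal block introduced by an enumerated item such as "1) kinit returns the error::", so both lines of the message must be indented relative to the item's own text (beyond the "1) " prefix) and preceded by a blank line; a continuation line that falls back to the item's indentation closes the literal block and renders as a separate paragraph. Please confirm that each second line is indented at least as far as the first line of its message and re-render the page for items 1 and 4.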
------
Empty lines and lines starting with the sharp sign (``#``) are
-ignored. Lines containing ACL entries have the format:
-
- ::
+ignored. Lines containing ACL entries have the format::
principal permissions [target_principal [restrictions] ]
EXAMPLE
-------
-Here is an example of a kadm5.acl file.
-
- ::
+Here is an example of a kadm5.acl file::
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
the console and to the system log under the facility LOG_DAEMON with
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
-``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.
-
- ::
+``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``. ::
[logging]
kdc = CONSOLE
passed to the RADIUS server. Otherwise, the realm will be
included. The default value is ``true``.
-In the following example, requests are sent to a remote server via UDP.
-
- ::
+In the following example, requests are sent to a remote server via UDP::
[otp]
MyRemoteTokenType = {
An implicit default token type named ``DEFAULT`` is defined for when
the per-principal configuration does not specify a token type. Its
configuration is shown below. You may override this token type to
-something applicable for your situation.
-
- ::
+something applicable for your situation::
[otp]
DEFAULT = {
realm-specific value over-rides, does not add to, a generic
[kdcdefaults] specification. The search order is:
-1. realm-specific subsection of [realms],
-
- ::
+1. realm-specific subsection of [realms]::
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/usr/local/example.com.crt
}
-2. generic value in the [kdcdefaults] section.
-
- ::
+2. generic value in the [kdcdefaults] section::
[kdcdefaults]
pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
take lists of enctype-salttype ("keysalt") pairs, known as *keysalt
lists*. Each keysalt pair is an enctype name followed by a salttype
name, in the format *enc*:*salt*. Individual keysalt list members are
-separated by comma (",") characters or space characters. For example:
-
- ::
+separated by comma (",") characters or space characters. For example::
kadmin -e aes256-cts:normal,aes128-cts:normal
Sample kdc.conf File
--------------------
-Here's an example of a kdc.conf file:
-
- ::
+Here's an example of a kdc.conf file::
[kdcdefaults]
kdc_ports = 88
The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
-section may contain zero or more relations, of the form:
-
- ::
+section may contain zero or more relations, of the form::
foo = bar
-or
- ::
+or::
fubar = {
foo = bar
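Review bot: "or::" renders with a trailing colon, so the two alternatives now read "...of the form:", literal block, "or:", literal block, whereas the old "or" followed by "::" on the next line rendered as a bare "or". If the colon is unwanted here, the expanded form "or ::" (with a space before the marker) keeps the one-line layout this patch is introducing while still rendering as "or"; either way the wording should be chosen deliberately rather than as a side effect of the marker move.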
configuration file nor any other configuration file will be checked
for any other values for this tag.
-For example, if you have the following lines:
- ::
+For example, if you have the following lines::
foo = bar*
foo = baz
then the second value of ``foo`` (``baz``) would never be read.
The krb5.conf file can include other files using either of the
-following directives at the beginning of a line:
-
- ::
+following directives at the beginning of a line::
include FILENAME
includedir DIRNAME
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
-headers:
-
- ::
+headers::
module MODULEPATH:RESIDUAL
default realm, this rule is not applicable and the conversion
will fail.
- For example:
- ::
+ For example::
[realms]
ATHENA.MIT.EDU = {
provides the corresponding domain name relation, unless an explicit domain
name relation is provided. The Kerberos realm may be
identified either in the realms_ section or using DNS SRV records.
-Host names and domain names should be in lower case. For example:
-
- ::
+Host names and domain names should be in lower case. For example::
[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU
use the ``ES.NET`` realm as an intermediate realm. ANL has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
-would look like this:
-
- ::
+would look like this::
[capaths]
ANL.GOV = {
}
The [capaths] section of the configuration file used on ``NERSC.GOV``
-systems would look like this:
-
- ::
+systems would look like this::
[capaths]
NERSC.GOV = {
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
-For example:
- ::
+For example::
[appdefaults]
telnet = {
A realm-specific value overrides, not adds to, a generic
[libdefaults] specification. The search order is:
-1. realm-specific subsection of [libdefaults]:
-
- ::
+1. realm-specific subsection of [libdefaults]::
[libdefaults]
EXAMPLE.COM = {
pkinit_anchors = FILE:/usr/local/example.com.crt
}
-2. realm-specific value in the [realms] section,
-
- ::
+2. realm-specific value in the [realms] section::
[realms]
OTHERREALM.ORG = {
pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
}
-3. generic value in the [libdefaults] section.
-
- ::
+3. generic value in the [libdefaults] section::
[libdefaults]
pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
* digitalSignature
* keyEncipherment
- Examples:
-
- ::
+ Examples::
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
Sample krb5.conf file
---------------------
-Here is an example of a generic krb5.conf file:
-
- ::
+Here is an example of a generic krb5.conf file::
[libdefaults]
default_realm = ATHENA.MIT.EDU
Principal "david@ATHENA.MIT.EDU" created.
kadmin:
-If you want to delete a principal ::
+If you want to delete a principal::
kadmin: delprinc jennifer
Are you sure you want to delete the principal
so. By default, MIT Kerberos clients will also then do reverse DNS
resolution (looking up the hostname associated with the IPv4 or IPv6
address using ``getnameinfo()``) of the hostname. Using the
-:ref:`krb5.conf(5)` setting
+:ref:`krb5.conf(5)` setting::
- ::
-
- [libdefaults]
- rdns = false
+ [libdefaults]
+ rdns = false
will disable reverse DNS lookup on clients. The default setting is
"true".
Applications can choose to use a default hostname component in their
service principal name when accepting authentication, which avoids
some sorts of hostname mismatches. Because not all relevant
-applications do this yet, using the :ref:`krb5.conf(5)` setting
-
- ::
+applications do this yet, using the :ref:`krb5.conf(5)` setting::
- [libdefaults]
- ignore_acceptor_hostname = true
+ [libdefaults]
+ ignore_acceptor_hostname = true
will allow the Kerberos library to override the application's choice
of service principal hostname and will allow a server program to
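Review bot: In addition to moving the "::" marker onto the sentence, this hunk re-indents the two "[libdefaults]" settings blocks ("rdns = false" and "ignore_acceptor_hostname = true"), and the new indentation is not visible in the diff. For each block to render as a literal block it must be indented relative to the paragraph ending in "setting::" and separated from it by a blank line; if the blank line was dropped along with the old standalone "::" line, the block will be absorbed into the paragraph. Suggest confirming the rendered output of both blocks, or keeping whitespace-only changes in a separate commit so the marker change stays reviewable on its own.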
to verify the credentials can call :c:func:`krb5_verify_init_creds`.
Here is an example of code to obtain and verify TGT credentials, given
strings *princname* and *password* for the client principal name and
-password:
-
- ::
+password::
krb5_error_code ret;
krb5_creds creds;
parameter (which can be a null pointer). Use the function
:c:func:`krb5_get_init_creds_opt_alloc` to allocate an options
structure, and :c:func:`krb5_get_init_creds_opt_free` to free it. For
-example:
-
- ::
+example::
krb5_error_code ret;
krb5_get_init_creds_opt *opt = NULL;
obtained by parsing ``@``\ *realmname*). Authentication will take
place using anonymous PKINIT; if successful, the client principal of
the resulting tickets will be
-``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Here is an example:
-
- ::
+``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Here is an example::
krb5_get_init_creds_opt_set_anonymous(opt, 1);
ret = krb5_build_principal(context, &client_princ, strlen(myrealm),
Text-based applications can use a built-in text prompter
implementation by supplying :c:func:`krb5_prompter_posix` as the
*prompter* parameter and a null pointer as the *data* parameter. For
-example:
-
- ::
+example::
ret = krb5_get_init_creds_password(context, &creds, client_princ,
NULL, krb5_prompter_posix, NULL, 0,
Example
#######
-Here is an example of using a responder callback:
-
- ::
+Here is an example of using a responder callback::
static krb5_error_code
my_responder(krb5_context context, void *data,
pointer). Use :c:func:`krb5_verify_init_creds_opt_init` to initialize
the caller-allocated options structure, and
:c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the
-"nofail" option. For example:
-
- ::
+"nofail" option. For example::
krb5_verify_init_creds_opt vopt;
(See :ref:`abbreviation`.)
-Example ::
+Example::
Set the default expiration date to July 27, 2012 at 20:30
default_principal_expiration = 20120727203000
**-f**
Shows the flags present in the credentials, using the following
- abbreviations:
-
- ::
+ abbreviations::
F Forwardable
f forwarded
installation that was installed in a non-standard location. For example,
a Kerberos installation that is installed in ``/opt/krb5/`` but uses
libraries in ``/usr/local/lib/`` for text localization would produce
-the following output:
-
- ::
+the following output::
shell% krb5-config --libs krb5
-L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err
contains the name of a principal that is authorized to access the
account.
-For example:
- ::
+For example::
jqpublic@USC.EDU
jqpublic/secure@USC.EDU
defined the source cache name is set to ``krb5cc_<source uid>``.
The target cache name is automatically set to ``krb5cc_<target
uid>.(gen_sym())``, where gen_sym generates a new number such that
- the resulting cache does not already exist. For example:
-
- ::
+ the resulting cache does not already exist. For example::
krb5cc_1984.2
**-e** *command* [*args* ...]
ksu proceeds exactly the same as if it was invoked without the
**-e** option, except instead of executing the target shell, ksu
- executes the specified command. Example of usage:
-
- ::
+ executes the specified command. Example of usage::
ksu bob -e ls -lag
list of commands that the principal is authorized to execute. A
principal name followed by a ``*`` means that the user is
authorized to execute any command. Thus, in the following
- example:
-
- ::
+ example::
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
thus all options intended for ksu must precede **-a**.
The **-a** option can be used to simulate the **-e** option if
- used as follows:
-
- ::
+ used as follows::
-a -c [command [arguments]].
called to obtain the names of "legal shells". Note that the
target user's shell is obtained from the passwd file.
-Sample configuration:
- ::
+Sample configuration::
KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
``alice@KRBTEST.COM`` if the server principal is within that realm,
the principal ``alice/root@EXAMPLE.COM`` if the server host is within
a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
-accessing the IMAP service on ``mail.example.com``:
-
- ::
+accessing the IMAP service on ``mail.example.com``::
alice@KRBTEST.COM realm=KRBTEST.COM
alice/root@EXAMPLE.COM host=*.servers.example.com
--------
Suppose the user ``alice`` had a .k5login file in her home directory
-containing just the following line:
-
- ::
+containing just the following line::
bob@FOOBAR.ORG
Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
-in root's .k5login file on each host:
-
- ::
+in root's .k5login file on each host::
alice@BLEEP.COM