comma-separated list. This value overrides the UDP port numbers
specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but
may be overridden by realm-specific values. If no value is given from
-any source, the default ports are 88 and 750.
+any source, the default port is 88.
The **-w** *numworkers* option tells the KDC to fork *numworkers*
processes to listen to the KDC ports and process requests in parallel.
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
- kdc = kerberos-2.mit.edu:750
+ kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
}
An example kdc.conf file::
[kdcdefaults]
- kdc_ports = 88,750
+ kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
Default :ref:`keysalt list<Keysalt_lists>` |defkeysalts|
Permitted enctypes |defetypes|
KDC default port 88
-Second KDC default port 750
Admin server port 749
Password change port 464
========================================== ============================= ====================
[kdcdefaults]
- kdc_ports = 750,88
+ kdc_ports = 88
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
- kdc_ports = 750,88
+ kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
-#
-# Note --- if you are using Kerberos V4 clients and you either (a)
-# haven't converted all your KDC's over to use V5, or (b) are worried
-# about inter-realm interoperability with other KDC's that are still
-# using V4, then you will have to switch the definition of kerberos and
-# kerberos-sec.
-#
-# The issue is that the official port assignement for the "kerberos"
-# port is port 88, yet the unofficial port that has been used for
-# Kerberos V4 is port 750. The V5 KDC will respond to requests made on
-# either port, and if V4 compatibility is turned on, it will respond to
-# V4 requests on either port as well.
-#
-#
-# Hence, it is safe to switch the definitions of kerberos and
-# kerberos-sec; both should be defined, though, and one should be port
-# 88 and one should be port 750.
-#
kerberos 88/udp kdc # Kerberos authentication--udp
kerberos 88/tcp kdc # Kerberos authentication--tcp
-kerberos-sec 750/udp # Kerberos authentication--udp
-kerberos-sec 750/tcp # Kerberos authentication--tcp
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
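Review bot: the two `kerberos_master 751/udp` and `751/tcp` entries are left untouched while `kerberos-sec 750` and its explanatory comment go away; their comment ("Kerberos authentication") gives no hint whether anything still resolves the `kerberos_master` name, so confirm that in this review and either drop them with the same rationale or say in a short comment why they stay. The deleted comment was also the only place this file said that 88 is the official assignment; a one-line note that the 750 alias was removed together with V4 support would spare the next reader a trip through history.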
#define KDCRCACHE "dfl:krb5kdc_rcache"
#define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */
-#define KDC_SECONDARY_PORTNAME "kerberos-sec" /* For backwards */
-/* compatibility with */
-/* port 750 clients */
#define KRB5_DEFAULT_PORT 88
-#define KRB5_DEFAULT_SEC_PORT 750
#define DEFAULT_KPASSWD_PORT 464
-#define DEFAULT_KDC_UDP_PORTLIST "88,750"
+#define DEFAULT_KDC_UDP_PORTLIST "88"
#define DEFAULT_KDC_TCP_PORTLIST "88"
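Review bot: deleting `KDC_SECONDARY_PORTNAME` and `KRB5_DEFAULT_SEC_PORT` turns any surviving use into a compile error; the diff shows locate_kdc.c dropping `KRB5_DEFAULT_SEC_PORT`, but nothing in the visible hunks touches a consumer of `KDC_SECONDARY_PORTNAME`, so a tree-wide search for both names belongs in this review. `DEFAULT_KDC_UDP_PORTLIST` and `DEFAULT_KDC_TCP_PORTLIST` are now both `"88"`; that is fine, but a comment saying the two lists are intentionally identical would stop someone from "deduplicating" them later.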
/*
static krb5_error_code
locate_srv_conf_1(krb5_context context, const krb5_data *realm,
const char * name, struct serverlist *serverlist,
- k5_transport transport, int udpport, int sec_udpport)
+ k5_transport transport, int udpport)
{
const char *realm_srv_names[4];
char **hostlist, *host, *port, *cp;
int i;
Tprintf ("looking in krb5.conf for realm %s entry %s; ports %d,%d\n",
- realm->data, name, ntohs (udpport), ntohs (sec_udpport));
+ realm->data, name, ntohs(udpport));
if ((host = malloc(realm->length + 1)) == NULL)
return ENOMEM;
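Review bot: the unchanged `Tprintf` format string `"looking in krb5.conf for realm %s entry %s; ports %d,%d\n"` still has two `%d` conversions, but the rewritten argument line now passes only `ntohs(udpport)`, so in any build where `Tprintf` expands to a printf-style call the second `%d` reads a variadic argument that was never supplied (undefined behaviour). Change the format in the same hunk to something like `"... port %d\n"` so the format and the argument list agree again.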
}
for (i=0; hostlist[i]; i++) {
- int p1, p2;
+ int port_num;
k5_transport this_transport = transport;
char *uri_path = NULL;
/* L is unsigned, don't need to check <0. */
if (l > 65535)
return EINVAL;
- p1 = htons (l);
- p2 = 0;
+ port_num = htons(l);
} else if (this_transport == HTTPS) {
- p1 = htons(443);
- p2 = 0;
+ port_num = htons(443);
} else {
- p1 = udpport;
- p2 = sec_udpport;
+ port_num = udpport;
}
/* If the hostname was in brackets, strip those off now. */
*cp = '\0';
}
- code = add_host_to_list(serverlist, host, p1, this_transport,
+ code = add_host_to_list(serverlist, host, port_num, this_transport,
AF_UNSPEC, uri_path);
- /* Second port is for IPv4 UDP only, and should possibly go away as
- * it was originally a krb4 compatibility measure. */
- if (code == 0 && p2 != 0 &&
- (this_transport == TCP_OR_UDP || this_transport == UDP)) {
- code = add_host_to_list(serverlist, host, p2, UDP, AF_INET,
- uri_path);
- }
if (code)
goto cleanup;
}
#ifdef TEST
static krb5_error_code
krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
- const char *name, struct serverlist *al, int udpport,
- int sec_udpport)
+ const char *name, struct serverlist *al, int udpport)
{
krb5_error_code ret;
- ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport,
- sec_udpport);
+ ret = locate_srv_conf_1(context, realm, name, al, TCP_OR_UDP, udpport);
if (ret)
return ret;
if (al->nservers == 0) /* Couldn't resolve any KDC names */
k5_transport transport)
{
const char *profname;
- int dflport1, dflport2 = 0;
+ int dflport = 0;
struct servent *serv;
switch (svc) {
have old, crufty, wrong settings that this is probably
better. */
kdc_ports:
- dflport1 = htons(KRB5_DEFAULT_PORT);
- dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
+ dflport = htons(KRB5_DEFAULT_PORT);
break;
case locate_service_master_kdc:
profname = KRB5_CONF_MASTER_KDC;
goto kdc_ports;
case locate_service_kadmin:
profname = KRB5_CONF_ADMIN_SERVER;
- dflport1 = htons(DEFAULT_KADM5_PORT);
+ dflport = htons(DEFAULT_KADM5_PORT);
break;
case locate_service_krb524:
profname = KRB5_CONF_KRB524_SERVER;
serv = getservbyname("krb524", "udp");
- dflport1 = serv ? serv->s_port : htons(4444);
+ dflport = serv ? serv->s_port : htons(4444);
break;
case locate_service_kpasswd:
profname = KRB5_CONF_KPASSWD_SERVER;
- dflport1 = htons(DEFAULT_KPASSWD_PORT);
+ dflport = htons(DEFAULT_KPASSWD_PORT);
break;
default:
return EBUSY; /* XXX */
}
return locate_srv_conf_1(context, realm, profname, serverlist, transport,
- dflport1, dflport2);
+ dflport);
}
#ifdef KRB5_DNS_LOOKUP
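Review bot: `int dflport = 0;` inherits the initializer that previously belonged to `dflport2`; every `switch` arm now either assigns `dflport` or returns, so the `= 0` is dead. Harmless, but either drop it so the compiler can warn if a future arm forgets to assign, or keep it with a comment saying it is only there to silence a maybe-uninitialized warning. The `return EBUSY; /* XXX */` default arm and the hard-coded 4444 fallback for `krb524` are untouched by this change and still deserve the XXX.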
* If P=3, Total = 3*U + T + 14.
* If P=4, Total = 4*U + T + 30.
*
- * Note that if you try to reach two ports (e.g., both 88 and 750) on
- * one server, it counts as two.
+ * Note that if you try to reach two ports on one server, it counts as two.
*
* There is one exception to the above rules. Whenever a TCP connection is
* established, we wait up to ten seconds for it to finish or fail before
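Review bot: the rewritten sentence "if you try to reach two ports on one server, it counts as two" has lost its concrete example, and with the automatic second port gone it is no longer obvious how that situation arises; either say how it still can (for example, the same host listed twice in krb5.conf with different explicit ports, or two SRV records for one host) or drop the sentence, since a comment that describes no reachable case will just confuse the next reader.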
switch (how) {
case LOOKUP_CONF:
- err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl,
- htons(88), htons(750));
+ err = krb5_locate_srv_conf(ctx, &realm, "kdc", &sl, htons(88));
break;
case LOOKUP_DNS:
[realms]
DEFAULT_REALM.TST = {
- kdc = FIRST.KDC.HOST:750
+ kdc = FIRST.KDC.HOST
kdc = SECOND.KDC.HOST:88
admin_server = FIRST.KDC.HOST
default_domain = MIT.EDU
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos\-1.mit.edu
- kdc = kerberos\-2.mit.edu:750
+ kdc = kerberos\-2.mit.edu
admin_server = kerberos.mit.edu
master_kdc = kerberos.mit.edu
}
comma\-separated list. This value overrides the UDP port numbers
specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but
may be overridden by realm\-specific values. If no value is given from
-any source, the default ports are 88 and 750.
+any source, the default port is 88.
.sp
The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP
processes to listen to the KDC ports and process requests in parallel.
[realms]
ATHENA.MIT.EDU = {
server = KERBEROS.MIT.EDU:88
- server = KERBEROS1.MIT.EDU:750
- server = KERBEROS2.MIT.EDU:750
+ server = KERBEROS1.MIT.EDU
+ server = KERBEROS2.MIT.EDU
admin = KERBEROS.MIT.EDU
etype = DES-MD5
}
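Review bot: `server = KERBEROS.MIT.EDU:88` keeps an explicit port while the two entries below it drop theirs; both forms parse, but mixing them in one fixture hides whether the test intends to exercise explicit-port parsing or the default. Pick one form, or, if the mix is deliberate, add a comment saying so.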