krb.conf(4)
NAME
krb.conf - Contains configuration information that describes the
default realm of the host, the administration server, and Kerberos
servers for known realms
SYNOPSIS
/krb5/krb.conf
DESCRIPTION
The /krb5/krb.conf file is a text file that contains configuration
information that describes the default realm of the host, the adminis‐
tration server, and Kerberos servers for known realms. It lists the
host computer's default realm and maps known realms to their primary
and secondary Kerberos servers by host name and network location.
NOTES
For inter-realm authentication, you must add an entry that maps the
foreign realm to its host Kerberos server.
If you can configure your Kerberos server system names using the
default naming conventions (that is, the ordering convention or the DNS
rotary convention), you do not need to configure and maintain a
krb.conf file.
If the krb.conf file is not found, is blank, or does not list a valid
default realm, the Tru64 UNIX operating system converts the host's
domain name to upper-case letters and uses that as the default realm
name. If the server information is missing from the configuration file,
the Tru64 UNIX operating system attempts to locate the server when the
default naming conventions are in place.
The order of entries in the krb.conf file is important because the file
is used to identify the intended order of redundant Kerberos servers.
Applications that use the file read the entries one at a time in the
entry order when attempting to connect to a Kerberos server. Redundant
Kerberos servers are used when another Kerberos server is unavailable
or a network timeout has occurred (for example, during the
authentication sequence when the network connection between the client
and a Kerberos server is interrupted).
To create comments, use the number sign (#). Any characters after a
number sign (#) are ignored to the end of line. Blank lines and any
leading or trailing white space on a line are also ignored.
The first line of a krb.conf file is the host computer's default realm.
This is followed by a line that identifies the primary Kerberos server,
another line that identifies the secondary Kerberos server, and addi‐
tional lines that identify realms where inter-realm authentication is
performed.
Entries for the primary and secondary Kerberos servers have the
following fields, where each field on a line must be separated by a
space or a tab:
    The first field is the realm name. By convention, realm names are
    in uppercase letters to distinguish them visually from domain
    names. Realm names are case sensitive; you must type the correct
    case for the realm name if your site does not follow the uppercase
    convention.
    The second field is the fully qualified domain name (FQDN) of the
    host Kerberos server for that realm.
    The remaining field can be used to specify the keywords in the
    following table to configure the host as a primary Kerberos server
    or to support TCP.
────────────────────────────────────────────────────────────────
Keyword        Description
────────────────────────────────────────────────────────────────
admin server   Specifies that the server is a primary Kerberos
               server for the realm. (Do not use this keyword
               if the server is a secondary server.)
tcp/port#      Specifies that TCP is the communication protocol
               between servers. UDP is the default communication
               protocol and does not need to be specified.
               If you specify TCP, you can specify the port to
               use to communicate with the Kerberos server. To
               specify a port value, use a numeric value or a
               service name listed in /etc/services, such as
               tcp/88 or tcp/kerberos5.
────────────────────────────────────────────────────────────────
EXAMPLES
The following is an example of a krb.conf file:
    BIZ.COM
    BIZ.COM shoe.biz.com admin server
    BIZ.COM sneakers.biz.com
    BIZ.COM boot.biz.com
    FOOTWEAR.BIZ.COM leather.footwear.biz.com admin server
    BABYSHOE.BIZ.COM infant.babyshoe.biz.com admin server
The entries in this krb.conf file are the names of the following realms
and servers:
    Line one identifies BIZ.COM as the default realm.
    Line two identifies shoe.biz.com as the primary Kerberos server.
    Lines three and four identify sneakers.biz.com and boot.biz.com as
    the secondary Kerberos servers.
    Lines five and six identify FOOTWEAR.BIZ.COM and BABYSHOE.BIZ.COM
    as realms where inter-realm authentication is performed.
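The file format described above can be checked before deployment with a small parser. The following is an added example, not part of the original manual page or of Tru64 UNIX. The name parse_krb_conf, the warning texts, the lint rules (more than one admin server per realm, non-uppercase realm names) and the acceptance of several keywords on one line are assumptions made for illustration.

```python
# Added example (not Tru64 code). SAMPLE is constructed: the page's six
# entries, with a tcp/88 keyword and a trailing comment added to one line.
SAMPLE = """\
BIZ.COM
BIZ.COM shoe.biz.com admin server
BIZ.COM sneakers.biz.com
BIZ.COM boot.biz.com tcp/88   # trailing comment is ignored
FOOTWEAR.BIZ.COM leather.footwear.biz.com admin server
BABYSHOE.BIZ.COM infant.babyshoe.biz.com admin server
"""

def parse_krb_conf(text):
    """Return (default_realm, servers, warnings) for krb.conf text.

    servers maps realm -> entries in file order, the order in which
    clients try redundant Kerberos servers. Entry numbers in warnings
    count non-blank, non-comment lines, not raw file lines.
    """
    # Drop text after '#', surrounding white space, and blank lines.
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if not lines:
        return None, {}, ["no default realm listed; host domain name is used"]
    default_realm, servers, warnings = lines[0].split()[0], {}, []
    for num, line in enumerate(lines[1:], start=2):
        realm, *rest = line.split()  # fields are separated by space or tab
        if not rest:
            warnings.append(f"entry {num}: realm {realm} has no server FQDN")
            continue
        entry = {"host": rest[0], "admin": False, "proto": "udp", "port": None}
        keywords = rest[1:]
        while keywords:
            word = keywords.pop(0)
            if word == "admin" and keywords[:1] == ["server"]:
                keywords.pop(0)
                entry["admin"] = True
            elif word == "tcp" or word.startswith("tcp/"):
                entry.update(proto="tcp", port=word.partition("/")[2] or None)
            else:
                warnings.append(f"entry {num}: unknown keyword {word!r}")
        if realm != realm.upper():  # realm names are case sensitive
            warnings.append(f"entry {num}: realm {realm} is not uppercase")
        servers.setdefault(realm, []).append(entry)
    for realm, entries in servers.items():
        if sum(e["admin"] for e in entries) > 1:  # hypothetical lint rule
            warnings.append(f"realm {realm}: more than one admin server")
    if default_realm not in servers:
        warnings.append(f"default realm {default_realm} has no server entries")
    return default_realm, servers, warnings
```

The order of the list returned for each realm is the failover order, so a review of a changed krb.conf can compare that list directly against the intended primary and secondary servers.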
SEE ALSO
Files: krb.realms(4)