krb.conf - Contains configuration information that
describes the default realm of the host, the administration
server, and Kerberos servers for known realms
/krb5/krb.conf
The /krb5/krb.conf file is a text file that contains configuration
information that describes the default realm of
the host, the administration server, and Kerberos servers
for known realms. It lists the host computer's default
realm and maps known realms to their primary and secondary
Kerberos servers by host name and network location.
For inter-realm authentication, you must add an entry that
maps the foreign realm to its host Kerberos server.
If you can configure your Kerberos server system names
using the default naming conventions (that is, the ordering
convention or the DNS rotary convention), you do not
need to configure and maintain a krb.conf file.
If the krb.conf file is not found, is blank, or does not
list a valid default realm, the Tru64 UNIX operating system
converts the host's domain name to upper-case letters
and uses that as the default realm name. If the server
information is missing from the configuration file, the
Tru64 UNIX operating system attempts to locate the server
when the default naming conventions are in place.
The order of entries in the krb.conf file is important
because the file is used to identify the intended order of
redundant Kerberos servers. Applications that use the file
read the entries one at a time in the entry order when
attempting to connect to a Kerberos server. Redundant Kerberos
servers are used when another Kerberos server is
unavailable or a network timeout has occurred (for example,
during the authentication sequence when the network
connection between the client and a Kerberos server is
interrupted).
To create comments, use the number sign (#). Any characters
after a number sign (#) are ignored to the end of
line. Blank lines and any leading or trailing white space
on a line are also ignored.
The first line of a krb.conf file is the host computer's
default realm. This is followed by a line that identifies
the primary Kerberos server, another line that identifies
the secondary Kerberos server, and additional lines that
identify realms where inter-realm authentication is performed.
Entries for the primary and secondary Kerberos servers
have the following fields, where each field on a line must
be separated by a space or a tab:

  - The first field is the realm name. By convention, realm
    names are in uppercase letters to distinguish them
    visually from domain names. Realm names are case
    sensitive; you must type the correct case for the realm
    name if your site does not follow the uppercase
    convention.
  - The second field is the fully qualified domain name
    (FQDN) of the host Kerberos server for that realm.
  - The remaining field can be used to specify the keywords
    in the following table to configure the host as a
    primary Kerberos server or to support TCP.
----------------------------------------------------------------
Keyword        Description
----------------------------------------------------------------
admin server   Specifies that the server is a primary Kerberos
               server for the realm. (Do not use this keyword
               if the server is a secondary server.)
tcp/port#      Specifies that TCP is the communication protocol
               between servers. UDP is the default communication
               protocol and does not need to be specified.
               If you specify TCP, you can specify the port to
               use to communicate with the Kerberos server. To
               specify a port value, use a numeric value or a
               service name listed in /etc/services, such as
               tcp/88 or tcp/kerberos5.
----------------------------------------------------------------
The following is an example of a krb.conf file:
    BIZ.COM
    BIZ.COM shoe.biz.com admin server
    BIZ.COM sneakers.biz.com
    BIZ.COM boot.biz.com
    FOOTWEAR.BIZ.COM leather.footwear.biz.com admin server
    BABYSHOE.BIZ.COM infant.babyshoe.biz.com admin server
The entries in this krb.conf file are the names of the
following realms and servers:

  - Line one identifies BIZ.COM as the default realm.
  - Line two identifies shoe.biz.com as the primary
    Kerberos server.
  - Lines three and four identify sneakers.biz.com and
    boot.biz.com as the secondary Kerberos servers.
  - Lines five and six identify FOOTWEAR.BIZ.COM and
    BABYSHOE.BIZ.COM as realms where inter-realm
    authentication is performed.
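
The file format described above can be checked with a short parser that preserves the server order clients will follow. This is an added example, not part of the original manual page or of Tru64 UNIX; the function name parse_krb_conf, the strict error handling, and accepting a bare "tcp" keyword without a port are assumptions of the example.

```python
# Constructed sample input: the example file above, shortened, with a
# comment, a blank line and a tcp keyword added to exercise the rules.
SAMPLE = """\
# constructed sample krb.conf
BIZ.COM
BIZ.COM shoe.biz.com admin server
BIZ.COM sneakers.biz.com tcp/88   # secondary reached over TCP
BIZ.COM boot.biz.com

FOOTWEAR.BIZ.COM leather.footwear.biz.com admin server
"""

def parse_krb_conf(text):
    """Return (default_realm, {realm: [server, ...]}), servers in file order."""
    default_realm = None
    realms = {}  # dicts keep insertion order, so realm order is preserved too
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment to end of line
        if not line:
            continue                         # blank lines are ignored
        fields = line.split()                # fields are separated by spaces or tabs
        if default_realm is None:
            # The first entry is the default realm on a line by itself.
            if len(fields) != 1:
                raise ValueError(f"first entry must be the default realm: {raw!r}")
            default_realm = fields[0]        # case is kept: realm names are case sensitive
            continue
        if len(fields) < 2:
            raise ValueError(f"server entry needs a realm and a host: {raw!r}")
        realm, host, rest = fields[0], fields[1], fields[2:]
        server = {"host": host, "admin": False, "proto": "udp", "port": None}
        i = 0
        while i < len(rest):
            if rest[i:i + 2] == ["admin", "server"]:   # two-word keyword
                server["admin"] = True
                i += 2
            elif rest[i] == "tcp" or rest[i].startswith("tcp/"):
                server["proto"] = "tcp"
                # Port is a number or an /etc/services name; kept as a string.
                server["port"] = rest[i].partition("/")[2] or None
                i += 1
            else:
                raise ValueError(f"unknown keyword {rest[i]!r} in: {raw!r}")
        realms.setdefault(realm, []).append(server)
    return default_realm, realms
```

The list stored for each realm is in file order, which is the order in which applications try redundant Kerberos servers.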
Files: krb.realms(4)
krb.conf(4)