# $Id: krb5.conf,v 1.28 2008/06/17 16:35:24 root Exp $
# This is the Kerberos V5 configuration file, /etc/krb5.conf.
# It is centrally maintained and distributed by SCS Facilities staff.
# To get a change made to this file, send mail to
#
# The master version is maintained in CVS on BREADFRUIT.SRV.CS.CMU.EDU
# From there, it is distributed via SUP to KDC's and other "special"
# systems, and also to the master distribution server, DIST.FAC.CS.CMU.EDU.
# From the DIST, it is distributed via SUP to all machines running the
# standard Facilities-supported computing environment.
#
# NB: The MIT profile parser requires that comments start in column 0
#
# NOTE(review): this file is read by both Heimdal and MIT krb5 clients
# (the [libdefaults] section carries keys for each library, see the
# comments there). Keys that one library does not know are ignored by it,
# so a setting must be spelled in BOTH dialects to take effect everywhere.
# Booleans below use a mix of yes/no and true/false; both spellings are
# accepted by the Heimdal and MIT profile parsers, but pick one when editing.

[appdefaults]
# Obtain forwardable tickets by default
# NOTE(review): a forwardable TGT can be handed to any service the user
# logs in to (e.g. via telnet/ssh -K), which then acts as the user.
# Applications that need delegation should request it explicitly; the
# global default means every ticket carries this capability.
    forwardable = yes
# Ask for tickets with no addresses.
# This is commented out for the moment, because the old MIT krb524d
# cannot convert addressless tickets. It should be enabled once we've
# finished upgrading all KDC's to heimdal 0.6.
#no-addresses = yes

[libdefaults]
# Default/local realm
    default_realm = CS.CMU.EDU
# Max time difference between KDC and app servers (seconds)
    clockskew = 300
# Max time to wait for a reply from the KDC (seconds)
    kdc_timeout = 5
# Default ticket lifetime to request.
# This is set large, so we end up using the limits in the kdb
# NOTE(review): because the requested lifetime is effectively "as long as
# allowed", the real lifetime bound lives in the KDC's per-principal
# max_life settings; review those, not this value, when tightening policy.
    ticket_lifetime = 1y
# Obtain forwardable tickets by default
# (same caveat as in [appdefaults]: this is a library-wide default)
    forwardable = yes
# Use SRV records to find config information for unknown realms
# Note that this is overridden by the entries in the [realms] section
# (srv_lookup is the Heimdal spelling, dns_lookup_kdc the MIT one)
    srv_lookup = yes
    dns_lookup_kdc = yes
# Do NOT use TXT records for host-to-realm mapping
# NOTE(review): keep this "no". DNS is unauthenticated, and letting DNS
# choose the *realm* for a host lets a DNS spoofer redirect a client to a
# realm whose keys the spoofer controls. Locating KDCs via SRV (above) is
# less sensitive, since a fake KDC still has to hold the realm's keys.
    dns_lookup_realm = no
# When deciding what addresses to ask for in a ticket, list all of the
# addresses belonging to any interface on this host.
    scan_interfaces = yes
# Make kinit, etc also get krb4 tickets
    krb4_get_tickets = yes
# Our workstations run ekgd, an egd-compatible service which provides
# bits from a DES-based keyed PRNG
# NOTE(review): this is the library's entropy source for session keys and
# nonces; if the socket is missing or unreadable, confirm what the library
# falls back to rather than assuming it fails closed.
    egd_socket = /etc/egd-pool
# For now, default to des-cbc-crc only, so we don't issue a des-cbc-md5
# session key, which the old MIT krb524d can't convert. This should go
# away once we've finished upgrading all KDC's to heimdal 0.6.
# NOTE(review): des-cbc-crc is single DES (56-bit key) with an unkeyed
# CRC-32 integrity check. Both are deprecated for Kerberos (RFC 6649) and
# a captured ticket or AS exchange can be brute-forced offline. The four
# enctype keys below pin EVERY client to this cipher, not just krb524
# users; once the krb524 dependency is gone these lines should be removed
# so the KDC's stronger enctypes are negotiated.
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
# These appear to be for MIT krb5's benefit
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
# checksum type 1 is CRC-32 (RFC 3961), which is not collision-resistant;
# it goes together with the des-cbc-crc choice above.
    checksum_type = 1
# Compensate for client/KDC time slew
# Have to leave this disabled, because it seems to break things
#kdc_timesync = yes
# If you are behind a NAT, you may want to set this to the IP address
# your packets appear to come from, which is usually the same as the
# NAT's public address. Sadly, there is presently no mechanism for
# per-machine overrides of the settings in krb5.conf.
# extra_addresses = ip.address.of.nat
# Don't try to convert V4 instances to V5 using DNS resolution
    v4_instance_resolve = false
# On machines running old Oracle krb5 code, you may want to uncomment
# this, as Oracle doesn't understand the new FILE ccache format
#fcache_version = 3

[logging]
# These need to be here, because they don't look in kdc.conf :-(
    default = SYSLOG:NOTICE:DAEMON
    hpropd = SYSLOG:INFO:LOCAL2

[realms]
# OK; here's the policy regarding adding realms to this section...
# Ordinarily, we only care about realms to which we have a cross-realm
# path, or which our users are likely to authenticate to directly.
# Even then, entries may be omitted if they contain no non-default
# information. Particularly, entries must be present for:
# - realms with non-default V4 principal name conversion rules
# - realms whose servers cannot be found via DNS
# Any V5 realm with which we share a cross-realm key should be listed.
# Of course, the local realm must appear.
# Entries are sorted in logical realm name order, with the rightmost
# domain name component being the most significant. The exception is
# that CMU realms are listed first, and the local realm first of all.
# NOTE(review): a realm listed here with explicit kdc = lines is never
# looked up in DNS, so these entries double as a pin against spoofed SRV
# records (see the ECE.CMU.EDU note below). Realms with only a comment
# and no kdc = line are located purely through DNS.
    CS.CMU.EDU = {
# Carnegie Mellon University -- School of Computer Science
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
# V4 instance conversion in CS.CMU.EDU is very simple -- there is none.
# We use long instance names in V4, and always have, so most principals
# simply don't need conversion. The exception is imap, because some
# bozo (jgm?) felt it would be good to explicitly specify that SASL krb4
# authentication MUST use _short_ instance names. While we applaud the
# attempt to remove ambiguity in the specification, we feel the choice
# was incorrect. It also makes our lives more annoying, because it means
# we must enumerate all the IMAP servers. And also Sieve servers, POP
# servers, the mupdate server, and.... You get the idea. Fortunately,
# there are few of these, at least for now.
# The effect of the following is to turn on host instance translation for
# the specific SASL-using protocols, and disable it for everything else.
# Note that we must explicitly list even the default settings, since the
# presence of any v4_name_convert section completely replaces the built-in
# defaults.
        v4_name_convert = {
            host = {
                imap = imap
                pop = pop
                lmtp = lmtp
                mupdate = mupdate
                sieve = sieve
            }
            plain = {
                ftp = ftp
                rcmd = host
                hprop = hprop
                iprop = iprop
                ldap = ldap
                smtp = smtp
            }
        }
# And this part lists the specific hosts which require instance conversion
        v4_instance_convert = {
# mupdate server
            guaizao = guaizao.srv.cs.cmu.edu
# production imap frontends
            imap = imap.srv.cs.cmu.edu
            pawpaw = pawpaw.srv.cs.cmu.edu
            swinglea = swinglea.srv.cs.cmu.edu
# beta imap frontends
            imap-beta = imap-beta.srv.cs.cmu.edu
            carya = carya.srv.cs.cmu.edu
            lychee = lychee.srv.cs.cmu.edu
# imap backends
            beriba = beriba.srv.cs.cmu.edu
            gooseberry = gooseberry.srv.cs.cmu.edu
            lemon = lemon.srv.cs.cmu.edu
            loquat = loquat.srv.cs.cmu.edu
            papaya = papaya.srv.cs.cmu.edu
            pomelo = pomelo.srv.cs.cmu.edu
            raspberry = raspberry.srv.cs.cmu.edu
            salix = salix.srv.cs.cmu.edu
            starfruit = starfruit.srv.cs.cmu.edu
            ugli = ugli.srv.cs.cmu.edu
# smtp servers
            chokecherry = chokecherry.srv.cs.cmu.edu
            crunchberry = crunchberry.srv.cs.cmu.edu
            jackfruit = jackfruit.srv.cs.cmu.edu
# private servers
            alpha-cygni = alpha-cygni.fac.cs.cmu.edu
        }
    }
    AD.CMU.EDU = {
# Carnegie Mellon University -- Computing Services (Windows root)
        kdc = ad-dc-01.ad.cmu.edu
        kdc = ad-dc-02.ad.cmu.edu
        admin_server = ad-dc-01.ad.cmu.edu
        admin_server = ad-dc-02.ad.cmu.edu
        default_domain = ad.cmu.edu
    }
    ANDREW.AD.CMU.EDU = {
# Carnegie Mellon University -- Pittsburgh Campus (Windows)
        kdc = pgh-dcw-01.andrew.ad.cmu.edu
        kdc = pgh-dcw-02.andrew.ad.cmu.edu
        admin_server = pgh-dcw-01.andrew.ad.cmu.edu
        admin_server = pgh-dcw-02.andrew.ad.cmu.edu
        default_domain = andrew.ad.cmu.edu
    }
    ANDREW.CMU.EDU = {
# Carnegie Mellon University -- Pittsburgh Campus
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice7.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = new-vice12.fs.andrew.cmu.edu
        kdc = vice28.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
# V4 instance conversion is complicated for ANDREW.CMU.EDU, because they
# use short instances and have so many domains.
        default_domain = andrew.cmu.edu
        v4_domains = andrew.cmu.edu net.cmu.edu cc.cmu.edu wash.acs.cmu.edu fs.andrew.cmu.edu res.cmu.edu rem.cmu.edu ww.andrew.cmu.edu weh.andrew.cmu.edu bh.andrew.cmu.edu cfa.andrew.cmu.edu cyert.andrew.cmu.edu mg.andrew.cmu.edu not.nt.cmu.edu online.web.cmu.edu web.cmu.edu ini.cmu.edu heinz.cmu.edu gsia.cmu.edu cheme.cmu.edu me.cmu.edu csw.cmu.edu hss.cmu.edu hl.andrew.cmu.edu mmp.andrew.cmu.edu mercury.andrew.cmu.edu nas.cmu.edu math.cmu.edu test-net.cmu.edu cmu.net ab.cmu.net phys.cmu.edu carnegietechschools.org as.cmu.edu mi.andrew.cmu.edu ote.cmu.edu fms.bap.cmu.edu tepper.cmu.edu
    }
    ATL.CMU.EDU = {
# Carnegie Mellon University -- Andrew Test Lab
        kdc = afs1.atl.cmu.edu
        kdc = afs2.atl.cmu.edu
        admin_server = afs1.atl.cmu.edu
        default_domain = atl.cmu.edu
    }
    CLUB.CC.CMU.EDU = {
# Carnegie Mellon University -- Computer Club
        kdc = kerberos.club.cc.cmu.edu
        kdc = kerberos-1.club.cc.cmu.edu
        admin_server = kerberos-admin.club.cc.cmu.edu
        default_domain = club.cc.cmu.edu
        v4_domains = club.cc.cmu.edu
    }
    TEST.CS.CMU.EDU = {
# SCS test realm (single KDC, also the admin server)
        kdc = fluffy.srv.cs.cmu.edu
        admin_server = fluffy.srv.cs.cmu.edu
    }
    ECE.CMU.EDU = {
# Carnegie Mellon University -- Electrical and Computer Engineering Dept.
# NB: This realm has a SRV record, but it is wrong! Apparently there is
# a political reason why some bozo gets to publish SRV records which do
# not in fact point to the ECE.CMU.EDU KDC's.
# (The explicit kdc = lines below take precedence over the SRV record.)
        kdc = kerberos-1.ece.cmu.edu
        kdc = kerberos-2.ece.cmu.edu
        kdc = kerberos-3.ece.cmu.edu
        kdc = kerberos-4.ece.cmu.edu
        admin_server = krbadmin.ece.cmu.edu
        default_domain = ece.cmu.edu
        v4_domains = cit.cmu.edu epp.cmu.edu pdl.cmu.edu eris.pdl.cmu.edu ece.cmu.edu
        v4_name_convert = {
            host = {
                access = access
            }
        }
        v4_instance_convert = {
            canaima = canaima.me.cmu.edu
            central = central.cit.cmu.edu
            cit = cit.cmu.edu
            ece = ece.cmu.edu
            ece.ece.cmu.edu = ece.cmu.edu
            krypton = krypton.mems.cmu.edu
            spectral = spectral.me.cmu.edu
            stefan = stefan.me.cmu.edu
            viper = viper.andrew.cmu.edu
            dew = dew.epp.cmu.edu
            pimento = pimento.nmrc.bio.cmu.edu
            arjuna = arjuna.ce.cmu.edu
            karna = karna.ce.cmu.edu
            timoshenko = timoshenko.ce.cmu.edu
            goodier = goodier.ce.cmu.edu
        }
    }
    QATAR.CMU.EDU = {
# Carnegie Mellon University -- Qatar Campus
        kdc = afs1.qatar.cmu.edu
        kdc = afs2.qatar.cmu.edu
        admin_server = afs1.qatar.cmu.edu
        default_domain = qatar.cmu.edu
    }
    ATL.WIN.CMU.EDU = {
# Carnegie Mellon University -- Andrew Test Lab (Windows)
        kdc = atl-ad1.atl.win.cmu.edu
        kdc = atl-ad2.atl.win.cmu.edu
        admin_server = atl-ad1.atl.win.cmu.edu
        admin_server = atl-ad2.atl.win.cmu.edu
        default_domain = atl.win.cmu.edu
    }
    QATAR.WIN.CMU.EDU = {
# Carnegie Mellon University -- Qatar Campus (Windows)
        kdc = qatar-ad1.qatar.win.cmu.edu
        kdc = qatar-ad2.qatar.win.cmu.edu
        admin_server = qatar-ad1.qatar.win.cmu.edu
        admin_server = qatar-ad2.qatar.win.cmu.edu
        default_domain = qatar.win.cmu.edu
    }
    ATHENA.MIT.EDU = {
# Massachusetts Institute of Technology
        kdc = kerberos.mit.edu
        kdc = kerberos-2.mit.edu
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
        v4_domains = mit.edu
    }
    CITI.UMICH.EDU = {
# University of Michigan - Center for Information Technology Integration
# has SRV records in DNS (no kdc = lines here, so KDCs come from DNS only)
    }
    GRAND.CENTRAL.ORG = {
# Has SRV records in DNS for KDC's only
        admin_server = kerberos1.central.org
        default_domain = central.org
        v4_domains = central.org
    }
    DEMENTIA.ORG = {
# Has SRV records in DNS
        default_domain = dementia.org
        v4_domains = dementia.org
    }
    HACKISH.ORG = {
# Has SRV records in DNS
        default_domain = hackish.org
        v4_domains = hackish.org
    }
    NADA.KTH.SE = {
# Has SRV records in DNS for KDC's only
        admin_server = kerberos.nada.kth.se
        default_domain = nada.kth.se
        v4_domains = nada.kth.se pdc.kth.se
    }
    STACKEN.KTH.SE = {
        kdc = kerberos.stacken.kth.se
        kdc = kerberos-1.stacken.kth.se
        admin_server = kerberos.stacken.kth.se
        default_domain = stacken.kth.se
        v4_domains = stacken.kth.se
    }
    SICS.SE = {
        kdc = rama.sics.se
        admin_server = rama.sics.se
        default_domain = sics.se
        v4_domains = sics.se
    }
# XXX other domains for which we have cross-realm keys:
# MERIT.EDU PSC.EDU DCE.PSC.EDU dce.psc.edu CS.UWM.EDU THEKEEP.ORG

[domain_realm]
# This section contains complete mappings for CS.CMU.EDU and ANDREW.CMU.EDU,
# because they are so complicated. For anything else, we just list the
# exceptions.
# A leading dot matches every host under that domain; the longest matching
# suffix wins, which is why .se.cs.cmu.edu below can override .cs.cmu.edu.
# Hosts not matched here fall back to DNS/realm heuristics (dns_lookup_realm
# is off in [libdefaults], so the fallback is the uppercased domain name).
    .cs.cmu.edu = CS.CMU.EDU
    .ri.cmu.edu = CS.CMU.EDU
    .edrc.cmu.edu = CS.CMU.EDU
    .ices.cmu.edu = CS.CMU.EDU
    .distance.cmu.edu = CS.CMU.EDU
    .etc.cmu.edu = CS.CMU.EDU
    .btec.cmu.edu = CS.CMU.EDU
    .isri.cmu.edu = CS.CMU.EDU
    .ml.cmu.edu = CS.CMU.EDU
    .hcii.cmu.edu = CS.CMU.EDU
    .se.cs.cmu.edu = ANDREW.CMU.EDU
    .evol.ri.cmu.edu = ANDREW.CMU.EDU
    .andrew.cmu.edu = ANDREW.CMU.EDU
    .cc.cmu.edu = ANDREW.CMU.EDU
    .res.cmu.edu = ANDREW.CMU.EDU
    .epp.cmu.edu = ANDREW.CMU.EDU
    .as.cmu.edu = ANDREW.CMU.EDU
    .hss.cmu.edu = ANDREW.CMU.EDU
    .lcl.cmu.edu = ANDREW.CMU.EDU
    .phil.cmu.edu = ANDREW.CMU.EDU
    .phys.cmu.edu = ANDREW.CMU.EDU
    .cfa.cmu.edu = ANDREW.CMU.EDU
    .math.cmu.edu = ANDREW.CMU.EDU
    .net.cmu.edu = ANDREW.CMU.EDU
    .psy.cmu.edu = ANDREW.CMU.EDU
    .arc.cmu.edu = ANDREW.CMU.EDU
    .ce.cmu.edu = ANDREW.CMU.EDU
    .library.cmu.edu = ANDREW.CMU.EDU
    .cees.cmu.edu = ANDREW.CMU.EDU
    .cheme.cmu.edu = ANDREW.CMU.EDU
    .gsia.cmu.edu = ANDREW.CMU.EDU
    .heinz.cmu.edu = ANDREW.CMU.EDU
    .ini.cmu.edu = ANDREW.CMU.EDU
    .me.cmu.edu = ANDREW.CMU.EDU
    .csw.cmu.edu = ANDREW.CMU.EDU
    .web.cmu.edu = ANDREW.CMU.EDU
    .online.web.cmu.edu = ANDREW.CMU.EDU
    .cmu.net = ANDREW.CMU.EDU
    .ab.cmu.net = ANDREW.CMU.EDU
    .wrct.org = ANDREW.CMU.EDU
    .fms.bap.cmu.edu = ANDREW.CMU.EDU
# This doesn't look like an exception, but it is, because
# .cc.cmu.edu is mapped to ANDREW.CMU.EDU above.
    .club.cc.cmu.edu = CLUB.CC.CMU.EDU
    .pdl.cmu.edu = ECE.CMU.EDU
# A few unusual realms
    .mit.edu = ATHENA.MIT.EDU
    .central.org = GRAND.CENTRAL.ORG
    .pdc.kth.se = NADA.KTH.SE
# A few specific host mappings
# (no leading dot: these match exactly one host name each)
    cmu.edu = ANDREW.CMU.EDU
    marconi.ece.cmu.edu = ANDREW.CMU.EDU
    cs.cmu.edu = CS.CMU.EDU
    ri.cmu.edu = CS.CMU.EDU
    edrc.cmu.edu = CS.CMU.EDU
    ices.cmu.edu = CS.CMU.EDU
    scs.cmu.edu = CS.CMU.EDU
    euro-prime.ecom.cmu.edu = CS.CMU.EDU
    kim.cylab.cmu.edu = CS.CMU.EDU
    euro.ecom.cmu.edu = CS.CMU.EDU
    peso.ecom.cmu.edu = CS.CMU.EDU
    collagen.stc.cmu.edu = CS.CMU.EDU
    dew.epp.cmu.edu = ECE.CMU.EDU
    arjuna.ce.cmu.edu = ECE.CMU.EDU
    dementia.org = DEMENTIA.ORG