[kdc] # See allowed values in krb5_openlog(3) man page. logging = FILE:/var/log/heimdal-kdc.log # detach = boolean # Gives an upper limit on the size of the requests that the kdc is # willing to handle. # max-request = integer # Turn off the requirement for pre-autentication in the initial AS- # REQ for all principals. The use of pre-authentication makes it # more difficult to do offline password attacks. You might want to # turn it off if you have clients that don't support pre-authenti- # cation. Since the version 4 protocol doesn't support any pre- # authentication, serving version 4 clients is just about the same # as not requiring pre-athentication. The default is to require # pre-authentication. Adding the require-preauth per principal is # a more flexible way of handling this. # require-preauth = boolean # Specifies the set of ports the KDC should listen on. It is given # as a white-space separated list of services or port numbers. # ports = 88,750 # The list of addresses to listen for requests on. By default, the # kdc will listen on all the locally configured addresses. If only # a subset is desired, or the automatic detection fails, this # option might be used. # addresses = list of ip addresses # respond to Kerberos 4 requests # enable-kerberos4 = false # respond to Kerberos 4 requests from foreign realms. This is a # known security hole and should not be enabled unless you under- # stand the consequences and are willing to live with them. # enable-kerberos4-cross-realm = false # respond to 524 requests # enable-524 = value of enable-kerberos4 # Makes the kdc listen on port 80 and handle requests encapsulated # in HTTP. # enable-http = boolean # What realm this server should act as when dealing with version 4 # requests. The database can contain any number of realms, but # since the version 4 protocol doesn't contain a realm for the # server, it must be explicitly specified. The default is whatever # is returned by krb_get_lrealm(). This option is only availabe if # the KDC has been compiled with version 4 support. # v4-realm = string # Enable kaserver emulation (in case it's compiled in). # enable-kaserver = false # Check the addresses in the ticket when processing TGS requests. # check-ticket-addresses = true # Permit tickets with no addresses. This option is only # relevent when check-ticket-addresses is TRUE. # allow-null-ticket-addresses = true # Permit anonymous tickets with no addresses. # allow-anonymous = boolean # Always verify the transited policy, ignoring the # disable-transited-check flag if set in the KDC client request. # transited-policy = {always-check,allow-per-principal,always-honour-request} # Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE # code. The Heimdal clients allow both. # encode_as_rep_as_tgs_rep = boolean # How long before password/principal expiration the KDC should # start sending out warning messages. # kdc_warn_pwexpire = time # Specifies the set of ports the KDC should listen on. It is given # as a white-space separated list of services or port numbers. # kdc_ports = 88,750 # [password_quality] # check_library = LIBRARY # check_function = FUNCTION # min_length = value # [kadmin] # default_keys = list of strings # use_v4_salt = boolean