Krb5.conf



My First Attempt

This is my first krb5.conf that actually worked when authenticating against Active Directory.

  • Active Directory Servers are thsdc1 and thsdc2
  • Domain is TREMONT and Realm is TREMONT.LOCAL
# krb5.conf — Kerberos client configuration for the Active Directory domain
# described above (realm TREMONT.LOCAL, KDCs thsdc1 and thsdc2). Keys live
# under [section] headers; leading whitespace is cosmetic, so the column-0
# lines further down are still part of the section they appear in.
# Lines marked NOTE(review) are reviewer observations, not part of the
# original file.
[logging]
# Library log output goes to syslog, facility LOCAL1, severity INFO.
        default = SYSLOG:INFO:LOCAL1

[libdefaults]
# Realm assumed for principals written without an @REALM suffix.
        default_realm = TREMONT.LOCAL
# Maximum tolerated clock difference (seconds) between client and KDC.
# Tickets outside this window are rejected; keep clocks in sync (NTP)
# rather than widening the value.
        clock_skew = 300

# The following krb5.conf variables are only for MIT Kerberos.
# NOTE(review): krb4_* are Kerberos 4 compatibility settings; Kerberos 4
# support has been removed from current MIT releases, so these lines are
# presumably ignored there — confirm against the installed version.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
# NOTE(review): forwardable/proxiable tickets allow a service the user
# authenticates to to obtain further tickets on the user's behalf
# (delegation). Leave these off unless that is actually required.
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

## For Windows 2000 ADS
# NOTE(review): the three enctypes below are the ones a Windows 2000 domain
# offered. rc4-hmac is deprecated and the two single-DES types are weak;
# current MIT Kerberos refuses single-DES unless allow_weak_crypto = true.
# Against a domain that supports AES, prefer aes256-cts (as in the commented
# list above) or drop these overrides entirely. The list order is the
# preference order.
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
# NOTE(review): v4_* are Kerberos 4 name-mapping settings and are obsolete
# for the same reason as the krb4_* keys above.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
# Per-realm settings. kdc may be repeated; the entries are presumably tried
# in the order listed.
# NOTE(review): thsdc1/thsdc2 are unqualified hostnames, so resolution
# depends on the resolver's search domain; fully qualified names are more
# robust and avoid accidentally contacting a different host.
        TREMONT.LOCAL = {
                kdc = thsdc1
                kdc = thsdc2
                kpasswd_server = thsdc1
                admin_server = thsdc1
        }
[domain_realm]
# DNS-name to realm mapping: the leading-dot entry covers every host under
# tremont.local, the bare entry covers the domain name itself.
        .tremont.local = TREMONT.LOCAL
        tremont.local = TREMONT.LOCAL
[login]
# NOTE(review): [login] applies to the Kerberos-aware login program; both
# keys concern Kerberos 4 and are obsolete on current releases.
        krb4_convert = true
        krb4_get_tickets = false

From Microsoft

Mentioned in Windows Security and Directory Services for UNIX Guide: Volume 2 pages 293-294 (or 301-302 in the PDF).

# krb5.conf example reproduced from the Microsoft guide cited above
# (placeholder realm EXAMPLE.COM). Lines marked NOTE(review) are reviewer
# observations, not part of the original.
[libdefaults]
# NOTE(review): MIT parses an unsuffixed number here as seconds
# (24000 s is about 6.7 h); confirm that was the intended lifetime.
   ticket_lifetime = 24000
   default_realm = EXAMPLE.COM
# DNS SRV/TXT discovery is disabled, so the KDCs must be listed explicitly
# under [realms].
   dns_lookup_realm = false
   dns_lookup_kdc = false
# NOTE(review): only single-DES enctypes are offered. Both are weak and are
# disabled by default in current MIT Kerberos (allow_weak_crypto); use AES
# where the domain supports it. Listed order is the preference order.
   default_tkt_enctypes = des-cbc-md5 des-cbc-crc
   default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
# Explicit host:port for each service: 88 (KDC), 749 (kadmin), 464 (kpasswd).
   EXAMPLE.COM = {
      kdc = kdc1.example.com:88
      kdc = kdc2.example.com:88
     admin_server = kdc1.example.com:749
     kpasswd_server = kdc1.example.com:464
# Use the set/change-password protocol on port 464 rather than the kadmin
# RPC protocol, which is what an AD domain controller speaks.
     kpasswd_protocol = SET_CHANGE
     default_domain = example.com
     }
[domain_realm]
# NOTE(review): MIT krb5 matches domain_realm by leading-dot suffix, not by
# glob pattern, so "*.example.com" is presumably treated as a literal host
# name and does nothing; the ".example.com" entry below does the real work.
# Confirm against the library in use.
     *.example.com = EXAMPLE.COM
      .example.com = EXAMPLE.COM