# krb5conf v5.7 (without afs) on node authtest-sl-7.fnal.gov automatic update 06Apr2023 # Fermilab krb5.conf v5.7 for Linux # ########################################################################## # For EL6 and EL7 users: # # The list of Fermilab KDCs between the BEGINTAG/ENDTAG-KDCLIST # comment lists will be replaced with local KDC list from the # file /etc/krb5.kdclist (if found). # # HowTo for System Administrators: # # Use a local KDC search list to reduce the load on the primary KDC # particularly if a semi-dedicated Slave KDC is located in your subnets. # # Re-order the FNAL.GOV KDC list located between the #BEGINTAG/#ENDTAG lines. # Then save this section of krb5.conf as the file /etc/krb5.kdclist # (including the #BEGINTAG/#ENDTAG lines). # # This will preserve your KDC order during future krb5.conf upgrades. ########################################################################### [libdefaults] default_realm = FNAL.GOV dns_lookup_kdc = true forwardable = true ticket_lifetime = 26h default_lifetime = 7d renew_lifetime = 7d allow_weak_crypto = false default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 [logging] kdc = SYSLOG:info:local1 admin_server = SYSLOG:info:local2 default = SYSLOG:err:auth [appdefaults] retain_ccache = false forwardable = true renewable = true encrypt = true kadmin = { forwardable = false } [domain_realm] #### Accelerator nodes to FERMI.WIN for Linux/OS X users #### ad-videoip.fnal.gov = FERMI.WIN.FNAL.GOV adfs.fnal.gov = FERMI.WIN.FNAL.GOV adweb.fnal.gov = FERMI.WIN.FNAL.GOV beams-cisco.fnal.gov = FERMI.WIN.FNAL.GOV beams-cvs.fnal.gov = FERMI.WIN.FNAL.GOV beams-license.fnal.gov = FERMI.WIN.FNAL.GOV beams-msd-srv.fnal.gov = FERMI.WIN.FNAL.GOV beams-sbe.fnal.gov = FERMI.WIN.FNAL.GOV beams-ts.fnal.gov = FERMI.WIN.FNAL.GOV beams-utility.fnal.gov = FERMI.WIN.FNAL.GOV earl.fnal.gov = FERMI.WIN.FNAL.GOV www-bdnew.fnal.gov = FERMI.WIN.FNAL.GOV www-inteng.fnal.gov = FERMI.WIN.FNAL.GOV beamssrv1.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba-2.fnal.gov = FERMI.WIN.FNAL.GOV ad-cartoon-smb.fnal.gov = FERMI.WIN.FNAL.GOV beams-fmp.fnal.gov = FERMI.WIN.FNAL.GOV shareit.fnal.gov = FERMI.WIN.FNAL.GOV adopstrain.fnal.gov = FERMI.WIN.FNAL.GOV ad-prt.fnal.gov = FERMI.WIN.FNAL.GOV ad-vcenter.fnal.gov = FERMI.WIN.FNAL.GOV ad-wsus.fnal.gov = FERMI.WIN.FNAL.GOV beams-sandbox.fnal.gov = FERMI.WIN.FNAL.GOV beams-spfs-2.fnal.gov = FERMI.WIN.FNAL.GOV beams-wds.fnal.gov = FERMI.WIN.FNAL.GOV muondept.fnal.gov = FERMI.WIN.FNAL.GOV search.fnal.gov = FERMI.WIN.FNAL.GOV www-ilcdcb.fnal.gov = FERMI.WIN.FNAL.GOV ################## Lab defaults ########################### .fnal.gov = FNAL.GOV .cdms-soudan.org = FNAL.GOV .deemz.net = FNAL.GOV .dhcp.fnal.gov = FNAL.GOV .minos-soudan.org = FNAL.GOV .win.fnal.gov = WIN.FNAL.GOV .fermi.win.fnal.gov = FERMI.WIN.FNAL.GOV .services.fnal.gov = SERVICES.FNAL.GOV .winbeta.fnal.gov = WINBETA.FNAL.GOV .fermibeta.winbeta.fnal.gov = FERMIBETA.WINBETA.FNAL.GOV .fermitest.fnal.gov = FERMITEST.FNAL.GOV .fnlsix.net = FNAL.GOV i-krb-2.fnal.gov = PILOT.FNAL.GOV i-krb-20.fnal.gov = PILOT.FNAL.GOV i-krb-22.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test1.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test2.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test3.fnal.gov = PILOT.FNAL.GOV ############ Friends and family (by request) ############### .cs.ttu.edu = FNAL.GOV .geol.uniovi.es = FNAL.GOV .harvard.edu = FNAL.GOV .hpcc.ttu.edu = FNAL.GOV .infn.it = FNAL.GOV .knu.ac.kr = FNAL.GOV .lns.mit.edu = FNAL.GOV .ph.liv.ac.uk = FNAL.GOV .pha.jhu.edu = FNAL.GOV .phys.ttu.edu = FNAL.GOV .phys.ualberta.ca = FNAL.GOV .physics.lsa.umich.edu = FNAL.GOV .physics.ucla.edu = FNAL.GOV .physics.ucsb.edu = FNAL.GOV .physics.utoronto.ca = FNAL.GOV .rl.ac.uk = FNAL.GOV .rockefeller.edu = FNAL.GOV .rutgers.edu = FNAL.GOV .sdsc.edu = FNAL.GOV .sinica.edu.tw = FNAL.GOV .tsukuba.jp.hep.net = FNAL.GOV .ucsd.edu = FNAL.GOV .unl.edu = FNAL.GOV .in2p3.fr = FNAL.GOV .wisc.edu = FNAL.GOV .pic.org.es = FNAL.GOV .kisti.re.kr = FNAL.GOV mojo.lunet.edu = FNAL.GOV ############ NFS servers #################################### cdfserver1.fnal.gov = FERMI.WIN.FNAL.GOV cdserver.fnal.gov = FERMI.WIN.FNAL.GOV dirserver1.fnal.gov = FERMI.WIN.FNAL.GOV eshserver1.fnal.gov = FERMI.WIN.FNAL.GOV lsserver.fnal.gov = FERMI.WIN.FNAL.GOV numiserver.fnal.gov = FERMI.WIN.FNAL.GOV ppdserver.fnal.gov = FERMI.WIN.FNAL.GOV pseekits.fnal.gov = FERMI.WIN.FNAL.GOV tdserver1.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-cd.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-lss.fnal.gov = FERMI.WIN.FNAL.GOV sdss-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV fg-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV rhea-1-test.fnal.gov = FERMI.WIN.FNAL.GOV minos-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV blue1.fnal.gov = FERMI.WIN.FNAL.GOV blue2.fnal.gov = FERMI.WIN.FNAL.GOV fgnas0.fnal.gov = FERMI.WIN.FNAL.GOV ############ NFS servers (uncomment in Mac version only)##### #d0server4.fnal.gov = FERMI.WIN.FNAL.GOV #d0server6.fnal.gov = FERMI.WIN.FNAL.GOV #filesrv01.fnal.gov = FERMI.WIN.FNAL.GOV #filesrv02.fnal.gov = FERMI.WIN.FNAL.GOV #homesrv01.fnal.gov = FERMI.WIN.FNAL.GOV #tdfiler.fnal.gov = FERMI.WIN.FNAL.GOV #rhea-2-test.fnal.gov = FERMI.WIN.FNAL.GOV ############################################################# ################## SSO Servers ############################ pingdev.fnal.gov = FERMI.WIN.FNAL.GOV pingprod.fnal.gov = FERMI.WIN.FNAL.GOV [realms] CERN.CH = { kdc = cerndc.cern.ch:88 master_kdc = cerndc.cern.ch:88 default_domain = cern.ch kpasswd_server = afskrb5m.cern.ch admin_server = afskrb5m.cern.ch v4_name_convert = { host = { rcmd = host } } } EXTENCI.ORG = { kdc = kerberos.extenci.org:88 admin_server = kerberos.extenci.org:749 master_kdc = kerberos.extenci.org:88 default_domain = extenci.org } FERMIBETA.WINBETA.FNAL.GOV = { kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 kdc = fbdc2.fermibeta.winbeta.fnal.gov:88 master_kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 admin_server = fbdc1.fermibeta.winbeta.fnal.gov default_domain = fnal.gov } FERMITEST.FNAL.GOV = { kdc = ftdc3.fermitest.fnal.gov:88 kdc = ftdc2.fermitest.fnal.gov:88 default_domain = fnal.gov master_kdc = ftdc3.fermitest.fnal.gov:88 admin_server = ftdc3.fermitest.fnal.gov } FERMI.WIN.FNAL.GOV = { kdc = elmo.fermi.win.fnal.gov:88 kdc = fdfcc3.fermi.win.fnal.gov:88 kdc = oscar.fermi.win.fnal.gov:88 kdc = zoe.fermi.win.fnal.gov:88 kdc = sully.fermi.win.fnal.gov:88 master_kdc = elmo.fermi.win.fnal.gov:88 admin_server = elmo.fermi.win.fnal.gov default_domain = fnal.gov } ########################################################################## # The list of Fermilab KDCs # # HowTo for System Administrators: # # Use a local KDC search list to reduce the load on the primary KDC # particularly if a semi-dedicated Slave KDC is located in your subnets. # # Re-order the FNAL.GOV KDC list lines. # Then save this section of krb5.conf # Or put a new definition of the realm under a seperate file read after this ########################################################################### FNAL.GOV = { #BEGINTAG-KDCLIST kdc = krb-fnal-fcc3.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-4.fnal.gov:88 kdc = krb-fnal-enstore.fnal.gov:88 kdc = krb-fnal-fg2.fnal.gov:88 kdc = krb-fnal-cms188.fnal.gov:88 kdc = krb-fnal-cms204.fnal.gov:88 kdc = krb-fnal-d0online.fnal.gov:88 kdc = krb-fnal-nova-fd.fnal.gov:88 #ENDTAG-KDCLIST master_kdc = krb-fnal-admin.fnal.gov:88 admin_server = krb-fnal-admin.fnal.gov default_domain = fnal.gov auth_to_local = RULE:[1:$1@$0](.*@FERMI\.WIN\.FNAL\.GOV)s/@.*// auth_to_local = DEFAULT } PILOT.FNAL.GOV = { kdc = i-krb-2.fnal.gov:88 kdc = i-krb-20.fnal.gov:88 kdc = i-krb-22.fnal.gov:88 master_kdc = i-krb-2.fnal.gov:88 admin_server = i-krb-2.fnal.gov default_domain = fnal.gov } PSC.EDU = { kdc = kerberos-1.psc.edu kdc = kerberos-2.psc.edu kdc = kerberos-3.psc.edu admin_server = kerberos-1.psc.edu master_kdc = kerberos-1.psc.edu default_domain = psc.edu ticket_lifetime = 30h } SERVICES.FNAL.GOV = { kdc = ldapdc1.services.fnal.gov:88 kdc = ldapdc2.services.fnal.gov:88 master_kdc = ldapdc1.services.fnal.gov:88 admin_server = ldapdc1.services.fnal.gov default_domain = fnal.gov } SLAC.STANFORD.EDU = { kdc = k5auth1.slac.stanford.edu:88 kdc = k5auth2.slac.stanford.edu:88 kdc = k5auth3.slac.stanford.edu:88 master_kdc = k5auth1.slac.stanford.edu:88 admin_server = k5admin.slac.stanford.edu kpasswd_server = k5passwd.slac.stanford.edu default_domain = slac.stanford.edu } UCHICAGO.EDU = { kdc = kerberos-0.uchicago.edu kdc = kerberos-1.uchicago.edu kdc = kerberos-2.uchicago.edu admin_server = kerberos.uchicago.edu default_domain = uchicago.edu } WINBETA.FNAL.GOV = { kdc = wbdc1.winbeta.fnal.gov:88 kdc = wbdc2.winbeta.fnal.gov:88 master_kdc = wbdc1.winbeta.fnal.gov:88 admin_server = wbdc1.winbeta.fnal.gov default_domain = fnal.gov } WIN.FNAL.GOV = { kdc = littlebird.win.fnal.gov:88 kdc = bigbird.win.fnal.gov:88 master_kdc = littlebird.win.fnal.gov:88 admin_server = littlebird.win.fnal.gov default_domain = fnal.gov } [capaths] # FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains # FNAL.GOV is production and PILOT is for testing # The FERMI Windows domain uses the WIN.FNAL.GOV root realm # with the FERMI.WIN.FNAL.GOV sub-realm where machines and users # reside. The WINBETA and FERMIBETA domains are the equivalent # testing realms for the FERMIBETA domain. The 2-way direct # trust structure of this complex is as follows: # # FNAL.GOV <=> PILOT.FNAL.GOV # FNAL.GOV <=> FERMI.WIN.FERMI.GOV # PILOT.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV # HOW TO INTERPRET THIS SECTION # If a person with credentials in REALMA can get credentials in: # REALMB - directly # REALMC - through REALMB #REALMA = { # REALMC = REALMB # REALMB = . #} FNAL.GOV = { FERMI.WIN.FNAL.GOV = . WIN.FNAL.GOV = . PILOT.FNAL.GOV = . } PILOT.FNAL.GOV = { FNAL.GOV = . FERMIBETA.WINBETA.FNAL.GOV = . WINBETA.FNAL.GOV = . } FERMIBETA.WINBETA.FNAL.GOV = { WINBETA.FNAL.GOV = . PILOT.FNAL.GOV = . } FERMI.WIN.FNAL.GOV = { WIN.FNAL.GOV = . FNAL.GOV = . }