# krb5.conf v5_6 for Windows [libdefaults] default_realm = FNAL.GOV dns_lookup_kdc = true forwardable = true ticket_lifetime = 26h default_lifetime = 7d renew_lifetime = 7d allow_weak_crypto = false default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 [logging] kdc = SYSLOG:info:local1 admin_server = SYSLOG:info:local2 default = SYSLOG:err:auth [appdefaults] retain_ccache = false forwardable = true renewable = true encrypt = true kadmin = { forwardable = false } [domain_realm] #### Accelerator nodes to FERMI.WIN for Linux/OS X users #### ad-videoip.fnal.gov = FERMI.WIN.FNAL.GOV adfs.fnal.gov = FERMI.WIN.FNAL.GOV adweb.fnal.gov = FERMI.WIN.FNAL.GOV beams-cisco.fnal.gov = FERMI.WIN.FNAL.GOV beams-cvs.fnal.gov = FERMI.WIN.FNAL.GOV beams-license.fnal.gov = FERMI.WIN.FNAL.GOV beams-msd-srv.fnal.gov = FERMI.WIN.FNAL.GOV beams-sbe.fnal.gov = FERMI.WIN.FNAL.GOV beams-ts.fnal.gov = FERMI.WIN.FNAL.GOV beams-utility.fnal.gov = FERMI.WIN.FNAL.GOV earl.fnal.gov = FERMI.WIN.FNAL.GOV www-bdnew.fnal.gov = FERMI.WIN.FNAL.GOV www-inteng.fnal.gov = FERMI.WIN.FNAL.GOV beamssrv1.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba-2.fnal.gov = FERMI.WIN.FNAL.GOV ad-cartoon-smb.fnal.gov = FERMI.WIN.FNAL.GOV beams-fmp.fnal.gov = FERMI.WIN.FNAL.GOV shareit.fnal.gov = FERMI.WIN.FNAL.GOV adopstrain.fnal.gov = FERMI.WIN.FNAL.GOV ad-prt.fnal.gov = FERMI.WIN.FNAL.GOV ad-vcenter.fnal.gov = FERMI.WIN.FNAL.GOV ad-wsus.fnal.gov = FERMI.WIN.FNAL.GOV beams-sandbox.fnal.gov = FERMI.WIN.FNAL.GOV beams-spfs-2.fnal.gov = FERMI.WIN.FNAL.GOV beams-wds.fnal.gov = FERMI.WIN.FNAL.GOV muondept.fnal.gov = FERMI.WIN.FNAL.GOV search.fnal.gov = FERMI.WIN.FNAL.GOV www-ilcdcb.fnal.gov = FERMI.WIN.FNAL.GOV ################## Lab defaults ########################### .fnal.gov = FNAL.GOV .cdms-soudan.org = FNAL.GOV .deemz.net = FNAL.GOV .dhcp.fnal.gov = FNAL.GOV .minos-soudan.org = FNAL.GOV .win.fnal.gov = WIN.FNAL.GOV .fermi.win.fnal.gov = FERMI.WIN.FNAL.GOV .services.fnal.gov = SERVICES.FNAL.GOV .winbeta.fnal.gov = WINBETA.FNAL.GOV .fermibeta.winbeta.fnal.gov = FERMIBETA.WINBETA.FNAL.GOV .fermitest.fnal.gov = FERMITEST.FNAL.GOV .fnlsix.net = FNAL.GOV i-krb-2.fnal.gov = PILOT.FNAL.GOV i-krb-20.fnal.gov = PILOT.FNAL.GOV i-krb-22.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test1.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test2.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test3.fnal.gov = PILOT.FNAL.GOV ############ Friends and family (by request) ############### .cs.ttu.edu = FNAL.GOV .geol.uniovi.es = FNAL.GOV .harvard.edu = FNAL.GOV .hpcc.ttu.edu = FNAL.GOV .infn.it = FNAL.GOV .knu.ac.kr = FNAL.GOV .lns.mit.edu = FNAL.GOV .ph.liv.ac.uk = FNAL.GOV .pha.jhu.edu = FNAL.GOV .phys.ttu.edu = FNAL.GOV .phys.ualberta.ca = FNAL.GOV .physics.lsa.umich.edu = FNAL.GOV .physics.ucla.edu = FNAL.GOV .physics.ucsb.edu = FNAL.GOV .physics.utoronto.ca = FNAL.GOV .rl.ac.uk = FNAL.GOV .rockefeller.edu = FNAL.GOV .rutgers.edu = FNAL.GOV .sdsc.edu = FNAL.GOV .sinica.edu.tw = FNAL.GOV .tsukuba.jp.hep.net = FNAL.GOV .ucsd.edu = FNAL.GOV .unl.edu = FNAL.GOV .in2p3.fr = FNAL.GOV .wisc.edu = FNAL.GOV .pic.org.es = FNAL.GOV .kisti.re.kr = FNAL.GOV mojo.lunet.edu = FNAL.GOV ############ NFS servers #################################### cdfserver1.fnal.gov = FERMI.WIN.FNAL.GOV cdserver.fnal.gov = FERMI.WIN.FNAL.GOV dirserver1.fnal.gov = FERMI.WIN.FNAL.GOV eshserver1.fnal.gov = FERMI.WIN.FNAL.GOV lsserver.fnal.gov = FERMI.WIN.FNAL.GOV numiserver.fnal.gov = FERMI.WIN.FNAL.GOV ppdserver.fnal.gov = FERMI.WIN.FNAL.GOV pseekits.fnal.gov = FERMI.WIN.FNAL.GOV tdserver1.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-cd.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-lss.fnal.gov = FERMI.WIN.FNAL.GOV sdss-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV fg-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV rhea-1-test.fnal.gov = FERMI.WIN.FNAL.GOV rhea-2-test.fnal.gov = FERMI.WIN.FNAL.GOV minos-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV blue1.fnal.gov = FERMI.WIN.FNAL.GOV blue2.fnal.gov = FERMI.WIN.FNAL.GOV fgnas0.fnal.gov = FERMI.WIN.FNAL.GOV ############ NFS servers (uncomment in Mac version only)##### #d0server4.fnal.gov = FERMI.WIN.FNAL.GOV #d0server6.fnal.gov = FERMI.WIN.FNAL.GOV #filesrv01.fnal.gov = FERMI.WIN.FNAL.GOV #filesrv02.fnal.gov = FERMI.WIN.FNAL.GOV #homesrv01.fnal.gov = FERMI.WIN.FNAL.GOV #tdfiler.fnal.gov = FERMI.WIN.FNAL.GOV ############################################################# ################## SSO Servers ############################ pingdev.fnal.gov = FERMI.WIN.FNAL.GOV pingprod.fnal.gov = FERMI.WIN.FNAL.GOV [realms] CERN.CH = { kdc = cerndc.cern.ch:88 master_kdc = cerndc.cern.ch:88 default_domain = cern.ch kpasswd_server = afskrb5m.cern.ch admin_server = afskrb5m.cern.ch v4_name_convert = { host = { rcmd = host } } } EXTENCI.ORG = { kdc = kerberos.extenci.org:88 admin_server = kerberos.extenci.org:749 master_kdc = kerberos.extenci.org:88 default_domain = extenci.org } FERMIBETA.WINBETA.FNAL.GOV = { kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 kdc = fbdc2.fermibeta.winbeta.fnal.gov:88 master_kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 admin_server = fbdc1.fermibeta.winbeta.fnal.gov default_domain = fnal.gov } FERMITEST.FNAL.GOV = { kdc = ftdc3.fermitest.fnal.gov:88 kdc = ftdc2.fermitest.fnal.gov:88 default_domain = fnal.gov master_kdc = ftdc3.fermitest.fnal.gov:88 admin_server = ftdc3.fermitest.fnal.gov } FERMI.WIN.FNAL.GOV = { kdc = elmo.fermi.win.fnal.gov:88 kdc = fdfcc3.fermi.win.fnal.gov:88 kdc = oscar.fermi.win.fnal.gov:88 kdc = zoe.fermi.win.fnal.gov:88 kdc = sully.fermi.win.fnal.gov:88 master_kdc = elmo.fermi.win.fnal.gov:88 admin_server = elmo.fermi.win.fnal.gov default_domain = fnal.gov } FNAL.GOV = { #BEGINTAG-KDCLIST kdc = krb-fnal-fcc3.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-4.fnal.gov:88 kdc = krb-fnal-enstore.fnal.gov:88 kdc = krb-fnal-fg2.fnal.gov:88 kdc = krb-fnal-cms188.fnal.gov:88 kdc = krb-fnal-cms204.fnal.gov:88 kdc = krb-fnal-d0online.fnal.gov:88 kdc = krb-fnal-nova-fd.fnal.gov:88 #ENDTAG-KDCLIST master_kdc = krb-fnal-admin.fnal.gov:88 admin_server = krb-fnal-admin.fnal.gov default_domain = fnal.gov } PILOT.FNAL.GOV = { kdc = i-krb-2.fnal.gov:88 kdc = i-krb-20.fnal.gov:88 kdc = i-krb-22.fnal.gov:88 master_kdc = i-krb-2.fnal.gov:88 admin_server = i-krb-2.fnal.gov default_domain = fnal.gov } PSC.EDU = { kdc = kerberos-1.psc.edu kdc = kerberos-2.psc.edu kdc = kerberos-3.psc.edu admin_server = kerberos-1.psc.edu master_kdc = kerberos-1.psc.edu default_domain = psc.edu ticket_lifetime = 30h } SERVICES.FNAL.GOV = { kdc = ldapdc1.services.fnal.gov:88 kdc = ldapdc2.services.fnal.gov:88 master_kdc = ldapdc1.services.fnal.gov:88 admin_server = ldapdc1.services.fnal.gov default_domain = fnal.gov } SLAC.STANFORD.EDU = { kdc = k5auth1.slac.stanford.edu:88 kdc = k5auth2.slac.stanford.edu:88 kdc = k5auth3.slac.stanford.edu:88 master_kdc = k5auth1.slac.stanford.edu:88 admin_server = k5admin.slac.stanford.edu kpasswd_server = k5passwd.slac.stanford.edu default_domain = slac.stanford.edu } UCHICAGO.EDU = { kdc = kerberos-0.uchicago.edu kdc = kerberos-1.uchicago.edu kdc = kerberos-2.uchicago.edu admin_server = kerberos.uchicago.edu default_domain = uchicago.edu } WINBETA.FNAL.GOV = { kdc = wbdc1.winbeta.fnal.gov:88 kdc = wbdc2.winbeta.fnal.gov:88 master_kdc = wbdc1.winbeta.fnal.gov:88 admin_server = wbdc1.winbeta.fnal.gov default_domain = fnal.gov } WIN.FNAL.GOV = { kdc = littlebird.win.fnal.gov:88 kdc = bigbird.win.fnal.gov:88 master_kdc = littlebird.win.fnal.gov:88 admin_server = littlebird.win.fnal.gov default_domain = fnal.gov } [capaths] # FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains # FNAL.GOV is production and PILOT is for testing # The FERMI Windows domain uses the WIN.FNAL.GOV root realm # with the FERMI.WIN.FNAL.GOV sub-realm where machines and users # reside. The WINBETA and FERMIBETA domains are the equivalent # testing realms for the FERMIBETA domain. The 2-way direct # trust structure of this complex is as follows: # # FNAL.GOV <=> PILOT.FNAL.GOV # FNAL.GOV <=> FERMI.WIN.FERMI.GOV # PILOT.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV # HOW TO INTERPRET THIS SECTION # If a person with credentials in REALMA can get credentials in: # REALMB - directly # REALMC - through REALMB #REALMA = { # REALMC = REALMB # REALMB = . #} FNAL.GOV = { FERMI.WIN.FNAL.GOV = . WIN.FNAL.GOV = . PILOT.FNAL.GOV = . } PILOT.FNAL.GOV = { FNAL.GOV = . FERMIBETA.WINBETA.FNAL.GOV = . WINBETA.FNAL.GOV = . } FERMIBETA.WINBETA.FNAL.GOV = { WINBETA.FNAL.GOV = . PILOT.FNAL.GOV = . } FERMI.WIN.FNAL.GOV = { WIN.FNAL.GOV = . FNAL.GOV = . } ####################### CHANGE LOG ######################################## ## V2.1 Added capaths section with transitive trusts, removed ## checksum_type from libdefaults ## V2.1a Added domain definitions for the Windows realms ## V2.2 Added units (m=minutes) to ticket_lifetime in [libdefaults], ## added e898 AFS remapping to [instancemapping] section and ## removed old pam definitions from [appdefaults] section which ## just had a forwardable=true statement ## V2.3 Removed krb4_convert_524 statement from pam settings in ## [appdefaults] section to speed up logins ## V2.4 Added CERN definitions to [realms] section ## V2.5 Changed in [libdetaults], copied some items from [appdefaults] ## so library finds them, set credentials cache type to 4 and ## removed the default_*_enctypes. ## V2.6 Added missing ":88" to the admin_server definitions ## V2.7 Removed the 2.6 change, and re-enabled the default_*_enctypes ## in [libdefauls] as these are needed to make Cryptocards work for now ## V2.7a Added kisti.re.kr mapping to FNAL.GOV in [domain_realm] section ## XXX Added mappings for the new KCA servers to the [domain.realm] section ## so FERMI.WIN.FNAL.GOV principals can be used on Linux/UNIX nodes ## V2.8 Added mappings for AD nodes to FERMI.WIN for Linux/OS X users ## V2.9 Adjusted list of KDCs in FERMI.WIN.FNAL.GOV and added Master and ## Admin server definitions for this realm ## V2.10 Added section to [realms] for SERVICES domain ## ..a Fixed above added line to [domain_realms] section as well ## V2.11 Added mapping for fnlsix.net (IPv6 test domain) to FNAL.GOV realm ## V2.12 Added section to [realms] for FERMITEST domain ## V2.13 Added entries to [domain_realm] requested by AD ## V2.14 Added mappings for Windows file servres to [domain_realm] in ## response to Incident #25262 ## V2.15 Added 3DES to default encoding types and allow Weak Encryption in ## [libdefaults], added commented tag lines around FNAL KDC list ## - prepare for changing encryption type from DES to 3DES in future ## - for RHEL 6 and Ubuntu, allow Weak Encryption types for now ## - tag KDC list to allow local edits to be retained on updates ## V3.0 Version update to V2.15 now that installation scripts have been ## considerably changed to drop obsolete stuff and support locally ## saved FNAL.GOV KDC list ## V3.1 Emergency fix to [appdefaults] section to remove comments from ## lines in pam section since PAM handles these badly causing very ## long login times; also added kadmin section to set forwardable ## to false for kadmin tickets ## V4.0 Several major and minor changes, nence new major version ## - expansion of Slave KDC fleet means re-working the default KDC ## search list to re-order and add new slaves in [realms] ## - remove krb4 tickets, no longer needed [appdefaults] pam ## and login subsections ## - add/remove systems to [domain_realms] for Accelerator Div ## - check and fix non-FNAL.GOV realms in [realms] making sure ## the Windows domains all have Master KDC and Admin Server ## definitions ## - Add PILOT Slave i-krb-20 (planned, not yet ready) ## V4.1 Added permitted_enctypes line to the [libdefaults] section ## to provide better compatibility of Kerberized applications ## with our KDC plant. Also removed a number of AD systems ## from the [realms] section (no longer needed). ## V4.1a Fixed typo in krb-fnal-d0online ## V4.1b Removed krb5_convert_524 = false lines from the pam/login ## definitions in [appdefaults] section as these upset PAM ## and cause login/screensaver-exit delays ## V4.2 Added PSC.EDU and EXTENCI.ORG to [realms] section ## V4.3 Changed CERN.CH defintions in [realms] to point to ## Active Directory KDCs ## V4.4 Corrections to the order of the definitions in the [capaths] ## section ## V4.5 Added Nova Far Detector KDC and re-wrote HowTo instructions ## for system administrators. ## V4.6 Changes (additiions/deletions) in list of Accelerator Division ## servers in [domain_realm] section ## V4.7 Change default search order to put FCC3 Slave first and move ## Master KDC further down in search order ## ## V4.8 Added i-krb-20 and i-krb-22 in domain_realm section ## Added i-krb-22 as a skave KDC in PILOT realm ## ## V5.0 Added strong encryption types to default_tgs_enctypes ## default_tkt_enctypes and permitted_enctypes in preparation ## to Kerberos Upgrade ## ## V5.0a Removed i-krb-3 from KDC list ## ## V5.1 Added SLAC realm definition ## Added "krb4_convert_524 = false" and "krb4_use_as_req = false" to pam ## section in appdefaults ## Removed lines with "aklog" ## ## V5.3 Removed i-krb-6/8/17 from the list of KDCs ## Edited [capath] section to reflect direct(only) trust between Windows domain and MIT realm ## Added pingdev.fnal.gov and prinprod.fnal.gov to [domain_realm] section ## Removed non-existent dns records from [domain_realm] section ## Added NFS servers to [domain_realm] section (for Mac OS only) ## Removed [instancemapping] section since there is no Fermi AFS ## ## V5.4 Updated list of Domain Controllers under FERMI.WIN.FNAL.GOV ## Removed herry.fermi.win.fnal.gov ## Added fdfcc3.fermi.win.fnal.gov ## Moved sully.fermi.win.fnal.gov to the bottom of the list ## ## V5.5 Updated [libdefaults] area ## Moved information around to be grouped together to clarify which options are related to eachother ## Default realm is moved to the top ## added dns_lookup_kdc = true to permit unconfigured Realms to be fetched from DNS ## grouped together ticket information ## set ticket_lifetime to 26h instead of 1560m ## grouped encryption types together, including allow_weak_crypto = true ## Removed ccache_type = 4, autologin = true, forward = true, renewable = true, encrypt = true ## Removed options are no longer valid ## Updated [appdefaults] area ## Removed default_lifetime = 7d, autologin = true, forward = true, ## Also removed telnet, rcp, rsh, rlogin, login, kinit, ftpd, and pam ## Applications removed are no longer used or necessary ## ## V5.6 Updated [libdefaults] area ## Changed allow_weak_crypto to false ## Removed DES and 3DES cyphers from all enctypes ##