The configuration file has the same syntax as krb5.conf(5), but it is read before /etc/krb5.conf, so it may override settings found there. Options specific to the KDC are found in the “[kdc]” section. All the command-line options can (and preferably should) be given in the configuration file instead. The only difference is the pre-authentication flag, which has to be specified as:
require-preauth = no
(in fact you can also specify the option on the command line as --require-preauth=no).
And there are some configuration options which do not have command-line equivalents:
enable-digest = boolean
turn on support for digest processing in the KDC. The default is FALSE.
check-ticket-addresses = boolean
Check the addresses in the ticket when processing TGS requests. The default is TRUE.
allow-null-ticket-addresses = boolean
Permit tickets with no addresses. This option is only relevant when check-ticket-addresses is TRUE.
allow-anonymous = boolean
Permit anonymous tickets with no addresses.
max-kdc-datagram-reply-length = number
Maximum size of a UDP reply that the KDC will transmit. If the reply would be larger than this, the KDC instead sends back a short reply telling the client to retry over TCP.
transited-policy = always-check | allow-per-principal | always-honour-request
This controls how KDC requests with the disable-transited-check flag are handled. It can be one of:
always-check
Always check transited encoding, this is the default.
allow-per-principal
Currently this is identical to always-check. In a future release, it will be possible to mark a principal as able to handle unchecked requests.
always-honour-request
Always do what the client asked. In a future release, it will be possible to force a check per principal.
encode_as_rep_as_tgs_rep = boolean
Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The Heimdal clients allow both.
kdc_warn_pwexpire = time
How long before password/principal expiration the KDC should start sending out warning messages.
The configuration file is only read when the kdc is started. If changes made to the configuration file are to take effect, the kdc needs to be restarted.
An example of a config file:
[kdc]
require-preauth = no
v4-realm = FOO.SE
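Because several of the [kdc] options above relax a security check (require-preauth, check-ticket-addresses, allow-null-ticket-addresses, transited-policy), an administrator may want to lint a configuration file for them before restarting the kdc. The following is an added example, not part of the Heimdal distribution: it parses the [kdc] section using the krb5.conf(5) syntax described above (top-level key = value bindings; nested { } blocks are skipped) and reports the relaxed settings. The sample configuration is constructed, and the boolean parsing rule (yes/true/non-zero number means true, anything else false) is an assumption about how the KDC interprets these values.

```python
# Constructed sample configuration in krb5.conf(5) syntax; not from a real deployment.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[kdc]
    require-preauth = no            # disables pre-authentication
    check-ticket-addresses = false
    allow-null-ticket-addresses = true
    transited-policy = always-honour-request
    max-kdc-datagram-reply-length = 1400
    database = {
        dbname = /var/heimdal/heimdal
    }
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

def parse_kdc_section(text):
    """Return the top-level key/value pairs of the [kdc] section as a dict.

    '[name]' opens a section, 'key = value' binds a value, 'key = {' opens a
    nested block (skipped here, since only top-level options are audited),
    and '#' starts a comment.
    """
    opts, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "kdc" and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            opts[key] = value
    return opts

def is_true(value):
    """Assumed boolean rule: 'yes', 'true' or a non-zero number means true."""
    return value.lower() in ("yes", "true") or (value.isdigit() and int(value) != 0)

# (option, predicate on its value, why the setting weakens the KDC)
RISKY = [
    ("require-preauth", lambda v: not is_true(v),
     "pre-authentication disabled: AS replies are issued without proof of the client key"),
    ("check-ticket-addresses", lambda v: not is_true(v),
     "ticket addresses are not checked on TGS requests"),
    ("allow-null-ticket-addresses", is_true,
     "tickets without addresses are accepted"),
    ("transited-policy", lambda v: v == "always-honour-request",
     "clients may ask the KDC to skip the transited-realm check"),
]

def audit_kdc_options(opts):
    """Return (option, message) for every relaxed setting present in opts."""
    return [(k, msg) for k, pred, msg in RISKY if k in opts and pred(opts[k])]
```

Running audit_kdc_options(parse_kdc_section(SAMPLE_CONF)) reports all four relaxed settings; a configuration with require-preauth = yes and check-ticket-addresses = true yields no findings.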