; AD : This Kerberos configuration is for CERN's Active Directory realm. ; ; /etc/krb5.conf ; This file is maintained via ncm-krb5clt(1), local changes may be lost. ; If you need to add your realm, look at the "template" file ; in /usr/lib/ncm/config/krb5clt/etc_krb5.conf.tpl ; or get in touch with project-elfms@cern.ch [libdefaults] default_realm = CERN.CH ticket_lifetime = 25h renew_lifetime = 120h forwardable = true proxiable = true ;DONT - will fail in preauth for pkinit ;default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc ;allow_weak_crypto = true [realms] CERN.CH = { default_domain = cern.ch kpasswd_server = cerndc.cern.ch admin_server = cerndc.cern.ch kdc = cerndc.cern.ch pkinit_anchors = FILE:/etc/pki/tls/certs/CERN-bundle.pem pkinit_identities = PKCS11:libaetpkss.so pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = cerndc.cern.ch pkinit_cert_match =&&msScLogin,digitalSignature v4_name_convert = { host = { rcmd = host } } } ; the external institutes info is completely static for now and comes ; straight from the NCM template FNAL.GOV = { default_domain = fnal.gov admin_server = krb-fnal-admin.fnal.gov kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 } KFKI.HU = { kdc = kerberos.kfki.hu admin_server = kerberos.kfki.hu } HEP.MAN.AC.UK = { kdc = afs4.hep.man.ac.uk kdc = afs1.hep.man.ac.uk kdc = afs2.hep.man.ac.uk kdc = afs3.hep.man.ac.uk admin_server = afs4.hep.man.ac.uk kpasswd_server = afs4.hep.man.ac.uk default_domain = hep.man.ac.uk } CERN = { kdc = cerndc.cern.ch } [domain_realm] .cern.ch = CERN.CH .fnal.gov = FNAL.GOV .kfki.hu = KFKI.HU .hep.man.ac.uk = HEP.MAN.AC.UK [appdefaults] ; options for Red Hat pam_krb5-2 pam = { external = true krb4_convert = false krb4_convert_524 = false krb4_use_as_req = false ticket_lifetime = 25h }