# krb5conf v1.9 with afs ### ### This krb5.conf template is intended for use with Fermi ### Kerberos v1_2 and later. Earlier versions may choke on the ### "auth_to_local = " lines unless they are commented out. ### The installation process should do all the right things in ### any case, but if you are reading this and haven't updated ### your kerberos product to v1_2 or later, you really should! ### [libdefaults] ticket_lifetime = 1560 default_realm = FNAL.GOV checksum_type = 1 ccache_type = 3 default_tgs_enctypes = des-cbc-crc default_tkt_enctypes = des-cbc-crc # Proxy Gateway replace xxx.xxx.xxx.xxx with IP of gateway # proxy_gateway = xxx.xxx.xxx.xxx [realms] FNAL.GOV = { kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kdc = krb-fnal-4.fnal.gov:88 kdc = krb-fnal-5.fnal.gov:88 kdc = krb-fnal-6.fnal.gov:88 admin_server = krb-fnal-admin.fnal.gov default_domain = fnal.gov } WIN.FNAL.GOV = { kdc = littlebird.win.fnal.gov:88 kdc = bigbird.win.fnal.gov:88 default_domain = fnal.gov } FERMI.WIN.FNAL.GOV = { kdc = bert.fermi.win.fnal.gov:88 kdc = elmo.fermi.win.fnal.gov:88 kdc = grover.fermi.win.fnal.gov:88 kdc = oscar.fermi.win.fnal.gov:88 default_domain = fnal.gov } UCHICAGO.EDU = { kdc = kerberos-0.uchicago.edu kdc = kerberos-1.uchicago.edu kdc = kerberos-2.uchicago.edu admin_server = kerberos.uchicago.edu default_domain = uchicago.edu } [instancemapping] afs = { cron/* = "" cms/* = "" afs/* = "" } [logging] kdc = SYSLOG:info:local1 admin_server = SYSLOG:info:local2 default = SYSLOG:err:auth [domain_realm] # Fermilab's (non-windows-centric) domains .cdms-soudan.org = FNAL.GOV .deemz.net = FNAL.GOV .minos-soudan.org = FNAL.GOV # Friends and family (by request) .cs.ttu.edu = FNAL.GOV .geol.uniovi.es = FNAL.GOV .harvard.edu = FNAL.GOV .hpcc.ttu.edu = FNAL.GOV .infn.it = FNAL.GOV .knu.ac.kr = FNAL.GOV .lns.mit.edu = FNAL.GOV .ph.liv.ac.uk = FNAL.GOV .pha.jhu.edu = FNAL.GOV .phys.ttu.edu = FNAL.GOV .phys.ualberta.ca = FNAL.GOV .physics.lsa.umich.edu = FNAL.GOV .physics.ucla.edu = FNAL.GOV .physics.ucsb.edu = FNAL.GOV .physics.utoronto.ca = FNAL.GOV .rl.ac.uk = FNAL.GOV .rockefeller.edu = FNAL.GOV .rutgers.edu = FNAL.GOV .sdsc.edu = FNAL.GOV .sinica.edu.tw = FNAL.GOV .tsukuba.jp.hep.net = FNAL.GOV .ucsd.edu = FNAL.GOV # The whole "top half" is replaced during "ups installAsRoot krb5conf", so: # It would probably be a bad idea to change anything on or above this line # If you need to add any .domains or hosts, put them here [domain_realm] mojo.lunet.edu = FNAL.GOV [appdefaults] default_lifetime = 7d retain_ccache = false autologin = true forward = true forwardable = true renewable = true encrypt = true krb5_aklog_path = /usr/krb5/bin/aklog telnet = { } rcp = { forward = true encrypt = false allow_fallback = true } rsh = { allow_fallback = true } rlogin = { allow_fallback = false } login = { forwardable = true krb5_run_aklog = true krb5_get_tickets = true krb4_get_tickets = false krb4_convert = false } kinit = { forwardable = true krb5_run_aklog = true } pam = { debug = false ticket_lifetime = 100000 renew_lifetime = 100000 forwardable = true krb4_convert = true # True gets AFS tokens afs_cells = fnal.gov # AFS token for right cell } rshd = { krb5_run_aklog = true } ftpd = { krb5_run_aklog = true default_lifetime = 10h }