# /etc/krb5.conf -- Kerberos V5 general configuration.
#
# This is the standard Kerberos v5 configuration file for all of our
# servers.  It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes, weak ones included (see
# allow_weak_crypto in [libdefaults]).  Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.

# Per-application defaults.  The three top-level settings apply to any
# application that reads [appdefaults]; each named block below applies only
# to the application it is named after.
[appdefaults]
    default_lifetime      = 25hrs
    krb4_convert          = false
    krb4_convert_524      = false

# ksu is the one application here with forwardable tickets turned off; the
# pam block below and [libdefaults] both turn them on.
    ksu = {
        forwardable       = false
    }

# NOTE(review): assuming this block is consumed by pam-krb5, search_k5login
# makes the account's ~/.k5login an access list: any principal named there
# can log in to the account with its own password.  minimum_uid = 100 is
# presumably meant to keep low-UID system accounts out of Kerberos login
# handling -- confirm against the module's documentation.
    pam = {
        minimum_uid       = 100
        search_k5login    = true
        forwardable       = true
    }

    pam-afs-session = {
        minimum_uid       = 100
    }

    libkafs = {
        IR.STANFORD.EDU = {
            afs-use-524   = no
        }
    }

# Password changes go to a dedicated host and port, identified by the
# service principal given here.
    passwd_change = {
        passwd_file       = /afs/ir.stanford.edu/service/etc/passwd.all
        server            = password-change.stanford.edu
        port              = 4443
        service_principal = service/password-change@stanford.edu
    }

    wallet = {
        wallet_server     = wallet.stanford.edu
    }

# Library-wide defaults for every Kerberos client on the host.
[libdefaults]
    default_realm         = stanford.edu
    ticket_lifetime       = 25h
    renew_lifetime        = 7d
# Tickets are forwardable and carry no client addresses by default, so a
# forwarded or copied ticket is not tied to the host it was issued to and
# stays usable until it expires (ticket_lifetime, renewable up to
# renew_lifetime).
    forwardable           = true
    noaddresses           = true
# NOTE(review): allow_weak_crypto = true lets the library use encryption
# types it classifies as weak (single DES among them).  The file header
# says any enctype is allowed; confirm that peers needing weak enctypes
# still exist, because otherwise false is the safer value.
    allow_weak_crypto     = true
<% if (@prefer_tcp) then -%>
# Emitted only when @prefer_tcp is set.  A limit of 1 byte makes the library
# try TCP before UDP for KDC requests.
    udp_preference_limit  = 1
<% end -%>

# KDC, admin and password-change servers for each realm.  Clients send
# authentication and password-change requests to the hosts named here, so
# edits to this section decide where credentials are presented and should be
# reviewed accordingly.
[realms]
    stanford.edu = {
# The template picks the stanford.edu KDC set from @krb_env at render time:
# 'uat' selects kerberos-uat, 'test' selects kerberos-test, and any other
# value selects the krb5auth* servers.  In that last case kerberos-liv is
# listed ahead of them when @drSite is set.
# NOTE(review): an unset or misspelled @krb_env falls through to the else
# branch without any error -- confirm that is the intended default.
<%
if (@krb_env == 'uat') then
-%>
        kdc            = kerberos-uat.stanford.edu:88
        master_kdc     = kerberos-uat.stanford.edu:88
        admin_server   = kerberos-uat.stanford.edu
        kpasswd_server = kerberos-uat.stanford.edu
<%
elsif (@krb_env == 'test') then
-%>
        kdc            = kerberos-test.stanford.edu:88
        master_kdc     = kerberos-test.stanford.edu:88
        admin_server   = kerberos-test.stanford.edu
        kpasswd_server = kerberos-test.stanford.edu
<%
else
  if (@drSite) then
-%>
        kdc            = kerberos-liv.stanford.edu:88
<%
  end
-%>
        kdc            = krb5auth1.stanford.edu:88
        kdc            = krb5auth2.stanford.edu:88
        kdc            = krb5auth3.stanford.edu:88
        master_kdc     = krb5auth1.stanford.edu:88
        admin_server   = krb5-admin.stanford.edu
        kpasswd_server = krb5-admin.stanford.edu
<%
end
-%>
        default_domain = stanford.edu
        kadmind_port   = 749
    }
    heimdal.stanford.edu = {
        kdc            = kerberos-dev.stanford.edu:88
        master_kdc     = kerberos-dev.stanford.edu:88
        admin_server   = kerberos-dev.stanford.edu
        kpasswd_server = kerberos-dev.stanford.edu
        kadmind_port   = 749
    }
    WIN.STANFORD.EDU = {
        kdc            = mothra.win.stanford.edu:88
        kdc            = rodan.win.stanford.edu:88
        kpasswd_server = mothra.win.stanford.edu
    }
    WINUAT.STANFORD.EDU = {
        kdc            = winuatdc1.winuat.stanford.edu:88
        kpasswd_server = winuatdc1.winuat.stanford.edu
    }
    NT.STANFORD.EDU = {
        kdc            = ntdc2.nt.stanford.edu:88
        kdc            = ntdc3.nt.stanford.edu:88
        kpasswd_server = ntdc2.nt.stanford.edu
    }
    GUEST.STANFORD.EDU = {
        kdc            = guestdc0.guest.stanford.edu:88
        kdc            = guestdc1.guest.stanford.edu:88
        kpasswd_server = guestdc0.guest.stanford.edu
        default_domain = guest.stanford.edu
    }
    GUESTUAT.STANFORD.EDU = {
        kdc            = guestuatdc0.guestuat.stanford.edu:88
        kdc            = guestuatdc1.guestuat.stanford.edu:88
        kpasswd_server = guestuatdc0.guestuat.stanford.edu
        default_domain = guestuat.stanford.edu
    }
    CS.STANFORD.EDU = {
        kdc            = cs-kdc-1.stanford.edu:88
        kdc            = cs-kdc-2.stanford.edu:88
        kdc            = cs-kdc-3.stanford.edu:88
        admin_server   = cs-kdc-1.stanford.edu:749
    }
    SLAC.STANFORD.EDU = {
        kdc            = k5auth1.slac.stanford.edu:88
        kdc            = k5auth2.slac.stanford.edu:88
        kdc            = k5auth3.slac.stanford.edu:88
        admin_server   = k5admin.slac.stanford.edu
        kpasswd_server = k5passwd.slac.stanford.edu
        default_domain = slac.stanford.edu
    }
    WIN.SLAC.STANFORD.EDU = {
        kdc            = dc01.slac.stanford.edu:88
        kdc            = dc02.slac.stanford.edu:88
        kdc            = dc03.slac.stanford.edu:88
        master_kdc     = dc01.slac.stanford.edu:88
        admin_server   = dc01.slac.stanford.edu
        default_domain = win.slac.stanford.edu
    }
# The remaining realms list KDC hosts under domains other than stanford.edu.
# Their server names are pinned in this file, so an entry can go stale
# without anyone noticing; re-check them periodically against what each
# realm currently publishes.
    ATHENA.MIT.EDU = {
        kdc            = kerberos.mit.edu:88
        kdc            = kerberos-1.mit.edu:88
        kdc            = kerberos-2.mit.edu:88
        kdc            = kerberos-3.mit.edu:88
        admin_server   = kerberos.mit.edu
        default_domain = mit.edu
    }
    ISC.ORG = {
        kdc            = k1.isc.org:88
        kdc            = k2.isc.org:88
        admin_server   = k1.isc.org:749
        default_domain = isc.org
    }
    OPENLDAP.ORG = {
        kdc            = kerberos.openldap.org
        default_domain = openldap.org
    }
    SUCHDAMAGE.ORG = {
        kdc            = kerberos.suchdamage.org:88
        admin_server   = kerberos.suchdamage.org:749
        default_domain = suchdamage.org
    }
    VIX.COM = {
        kdc            = kerberos-0.vix.com:88
        kdc            = kerberos-1.vix.com:88
        kdc            = kerberos-2.vix.com:88
        admin_server   = kerberos-0.vix.com:749
        default_domain = vix.com
    }
    ZEPA.NET = {
        kdc            = kerberos.zepa.net
        kdc            = kerberos-too.zepa.net
        admin_server   = kerberos.zepa.net
    }

# Host-name-to-realm mapping, used when a client has to work out which realm
# a service belongs to.  An entry with a leading dot covers the hosts under
# that domain; an entry without one names a single host.
# Several domains outside stanford.edu (.eyrie.org, .killfile.org, .lpch.net,
# .lpch.org, .oit.duke.edu) are mapped to the stanford.edu realm, so service
# tickets for hosts in those domains are requested from the Stanford KDCs.
# NOTE(review): .dc.stanford.org ends in .org while the neighbouring entries
# use stanford.edu -- confirm this is not a typo.
# NOTE(review): later entries in this section map hosts to
# IT.WIN.STANFORD.EDU, EX.MS.STANFORD.EDU and TYR.NT.STANFORD.EDU, none of
# which has a stanza in [realms] in this file; presumably their KDCs are
# located some other way (e.g. DNS) -- confirm.
[domain_realm]
    stanford.edu                = stanford.edu
    .stanford.edu               = stanford.edu
    .dc.stanford.org            = stanford.edu
    .sunet                      = stanford.edu
    .eyrie.org                  = stanford.edu
    .killfile.org               = stanford.edu
    .lpch.net                   = stanford.edu
    .lpch.org                   = stanford.edu
    .oit.duke.edu               = stanford.edu
    win.stanford.edu            = WIN.STANFORD.EDU
    .win.stanford.edu           = WIN.STANFORD.EDU
    atragon.stanford.edu        = WIN.STANFORD.EDU
    itcert.stanford.edu         = WIN.STANFORD.EDU
    daper.stanford.edu          = IT.WIN.STANFORD.EDU
    gsbworkspace.stanford.edu   = IT.WIN.STANFORD.EDU
    infraappprod.stanford.edu   = IT.WIN.STANFORD.EDU
    radmed.stanford.edu         = IT.WIN.STANFORD.EDU
    windows-new.stanford.edu    = IT.WIN.STANFORD.EDU
    windows.stanford.edu        = IT.WIN.STANFORD.EDU
    workspace.stanford.edu      = IT.WIN.STANFORD.EDU
    winuat.stanford.edu         = WINUAT.STANFORD.EDU
    .winuat.stanford.edu        = WINUAT.STANFORD.EDU
    msweb2.stanford.edu         = EX.MS.STANFORD.EDU
    windows-ms.stanford.edu     = EX.MS.STANFORD.EDU
    nt.stanford.edu             = NT.STANFORD.EDU
    .nt.stanford.edu            = NT.STANFORD.EDU
    ntcert1.stanford.edu        = NT.STANFORD.EDU
    ntweb2.stanford.edu         = TYR.NT.STANFORD.EDU
    windows-nt.stanford.edu     = TYR.NT.STANFORD.EDU
    guest.stanford.edu          = GUEST.STANFORD.EDU
    .guest.stanford.edu         = GUEST.STANFORD.EDU
    guest-mgmt.stanford.edu     = GUEST.STANFORD.EDU
    guest-mgmt2.stanford.edu    = GUEST.STANFORD.EDU
    guestidmweb.stanford.edu    = GUEST.STANFORD.EDU
    guestuat.stanford.edu       = GUESTUAT.STANFORD.EDU
    .guestuat.stanford.edu      = GUESTUAT.STANFORD.EDU
    guestuat-mgmt.stanford.edu  = GUESTUAT.STANFORD.EDU
    guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
    .slac.stanford.edu          = SLAC.STANFORD.EDU
    .win.slac.stanford.edu      = WIN.SLAC.STANFORD.EDU
    .isc.org                    = ISC.ORG
    mit.edu                     = ATHENA.MIT.EDU
    .mit.edu                    = ATHENA.MIT.EDU
    openldap.org                = OPENLDAP.ORG
    .openldap.org               = OPENLDAP.ORG
    whoi.edu                    = ATHENA.MIT.EDU
    .whoi.edu                   = ATHENA.MIT.EDU
    .vix.com                    = VIX.COM
    zepa.net                    = ZEPA.NET
    .zepa.net                   = ZEPA.NET

# Log destinations: the kdc, admin_server and default entries all go to
# syslog at severity NOTICE.
# NOTE(review): these entries are presumably honored only by the Kerberos
# server daemons, so on hosts that are purely clients they likely have no
# effect -- confirm before relying on them for audit logging.
[logging]
    kdc          = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default      = SYSLOG:NOTICE