From: Blake Frantz <>
To: "" <>
Subject: Documentation__kdc.conf vs man kdc.conf, etc
Date: Tue, 16 Oct 2012 04:03:49 +0000

There appears to be inconsistency between man kdc.conf and with respect to the sections allowed in kdc.conf.

man kdc.conf says:


The following sections are currently used in the kdc.conf file:

Contains parameters which control the overall behaviour of the KDC.

Contains subsections keyed by Kerberos realm names which describe per-realm KDC parameters.

While says:


The kdc.conf file may contain the following sections:

[kdcdefaults] Default values for KDC behavior
[realms] Realm-specific database configuration and settings
[dbdefaults] Default database settings
[dbmodules] Per-database settings
[logging] Controls how Kerberos daemons perform logging


Given the above, we can see that states three additional sections are permitted in kdc.conf that man does not list.

Additionally, with respect to krb5.conf, says:

The krb5.conf file may contain the following sections:

[libdefaults] Settings used by the Kerberos V5 library
[realms] Realm-specific contact information and settings
[domain_realm] Maps server hostnames to Kerberos realms
[capaths] Authentication paths for non-hierarchical cross-realm
[appdefaults] Settings used by some Kerberos V5 applications
[plugins] Controls plugin module registration

If the sections for kdc.conf and krb5.conf, as given by, are taken as a set, it seems neither file is allowed to have the [login] section.

Finally, with respect to kdc.conf, is it recommended to put the [plugins] section in krb5.conf instead of kdc.conf on a KDC, as implied by in the above URLs?

Thanks for your time.


In any recent Kerberos release, the KDC and related programs (kadmind,
kdb5_util, etc.) merge the contents of krb5.conf and kdc.conf, while
other programs (kinit, klist, etc.) read only krb5.conf. Any profile
sections can appear in either file, or in both.

During the past year, we've been reorganizing the documentation of
krb5.conf and kdc.conf to put KDC-related relations in the kdc.conf
documentation and general-purpose relations in the other. The man pages
in the forthcoming 1.11 release should reflect what's currently on the

The [login] section is only used by the krb5-aware login program, which
has been unbundled from the krb5 package into the krb5-appl package. So
we don't document it any more.

We do not have a particular recommendation for whether KDC-related
plugin module registrations appear in kdc.conf or krb5.conf. The
[plugins] section is documented in krb5.conf because it is relevant to
all Kerberos programs and not just KDC-related programs.
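
The behaviour described in the reply above, as an added example that is not part of the original thread or of the krb5 code base: a minimal profile reader showing which sections KDC-side programs (both files merged) and client programs (krb5.conf only) each see. The file contents, realm, host and plugin module path are constructed, and the sketch only records which file each value came from; it does not model lookup precedence between the files.

```python
import re
# Constructed sample files; realm, host and the plugin module path are made up.
KRB5_CONF = """[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""
KDC_CONF = """[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        max_life = 10h 0m 0s
    }
[plugins]
    pwqual = {
        module = example:pwqual/example.so
    }
"""

def parse_profile(text):
    """Parse profile text into {section: {"subsection/relation": [values]}}."""
    sections, current, stack = {}, None, []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current, stack = sections.setdefault(header.group(1), {}), []
        elif line.startswith("}"):
            stack = stack[:-1]          # close the innermost subsection
        elif current is not None and "=" in line and line[0] not in "#;":
            name, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(name)      # open a subsection such as a realm
            else:
                current.setdefault("/".join(stack + [name]), []).append(value)
    return sections

def view(kind):
    """kind "kdc": KDC, kadmind, kdb5_util (both files); "client": kinit, klist."""
    files = [("krb5.conf", KRB5_CONF)] + ([("kdc.conf", KDC_CONF)] if kind == "kdc" else [])
    merged = {}
    for fname, text in files:
        for section, relations in parse_profile(text).items():
            for path, values in relations.items():
                merged.setdefault(section, {}).setdefault(path, []).extend((fname, v) for v in values)
    return merged

def kdc_only_sections():
    """Sections a KDC-side program sees that a client program does not."""
    return sorted(set(view("kdc")) - set(view("client")))
```

With these sample files, a [plugins] registration placed only in kdc.conf shows up in the KDC-side view and is absent from the client view.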