PKI Pre-Installation Guide
Version 2.0.0
Page 32
The IP address or fully qualified domain name for the Windows Domain Controller described in section 3.2.2, item 1 should be used for the kdc and default_domain fields in the [realms] section of the example below.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = #####_DOMAIN.NAME.MIL_#####
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 12h
default_etypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_etypes_des = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tgt_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
[appdefaults]
[realms]
Each supported Kerberos Realm needs to be listed in this section; repeat all of the following for each realm.
#####_DOMAIN.NAME.MIL_##### = {
KDCs can be listed by either IP address or fully qualified domain name, and more than one KDC can be listed. If the first KDC cannot be contacted, the next KDC is tried, and this continues until every listed KDC has been attempted. Note that if multiple KDCs are used, the certificate chains for all KDCs will need to be present in the MFP.
kdc = tcp/#####_ip_address_or_name_of_domain_controller_#####
default_domain = #####_same_as_kdc_#####
pkinit_require_eku = false
pkinit_require_krbtgt_otherName = false
Microsoft implemented two “draft” versions of the IETF Kerberos PKINIT specifications. This resulted in slight differences between software supporting the final IETF specification and software supporting the Microsoft implementations. This configuration flag informs the firmware to use the Microsoft format for PKINIT protocol commands.
pkinit_win2k = yes
pkinit_win2k_require_binding = no
}
[domain_realm]
Define a mapping between domain names found in the user’s certificate and the Kerberos realm. Entries that begin with “.” match any name ending in that suffix, i.e. “dc1.mil” matches “.mil” but “mil” does not. It is acceptable to map multiple domain names to the same realm.
.mil = #####_DOMAIN.NAME.MIL_#####
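As an added illustration of the [realms] and [domain_realm] semantics described above (example code, not part of this guide or of the MFP firmware), the following Python parses a constructed krb5.conf fragment, lists a realm's KDCs in the order they are tried, and applies the leading-dot suffix rule to map a host name to its realm; the realm, host and address values are placeholders.

```python
# Constructed sample modelled on the guide's krb5.conf; values are placeholders.
SAMPLE_KRB5_CONF = """
[realms]
EXAMPLE.MIL = {
  kdc = tcp/dc1.example.mil
  kdc = tcp/192.0.2.10
}
[domain_realm]
.mil = EXAMPLE.MIL
.example.mil = EXAMPLE.MIL
mail.example.mil = OTHER.MIL
"""

def parse_krb5_conf(text):
    """Parse [sections], key = value lines and one level of { } realm blocks;
    a repeated key (several kdc lines) becomes an ordered list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
            continue
        if line == "}":  # end of a realm block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":  # start of a realm block such as REALM = {
            block = conf[section].setdefault(key, {})
            continue
        (block if block is not None else conf[section]).setdefault(key, []).append(value)
    return conf

def kdcs_for_realm(conf, realm):
    """KDCs in the order the client tries them, with the tcp/ prefix removed."""
    entries = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return [e.split("/", 1)[-1] for e in entries]

def realm_for_host(conf, host):
    """[domain_realm] lookup per the guide: '.mil' matches 'dc1.mil' but not 'mil';
    entries without a leading dot match exactly; the longest matching entry wins."""
    host, best = host.lower().rstrip("."), None
    for pattern, realms in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, realms[0])
    return best[1] if best else None
```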