[libdefaults] section

ap_req_checksum_type
Specifies the default checksum type to use in an application request when a DES encryption type is in use. The default when not specified is rsa-md5. This value is ignored when the encryption type is using a DES3, AES, or DESD key.
ccache_type
Specifies the format of the credentials cache file as an integer value between 1 and 4. The default is 3.
check_delegate
Specifies whether the runtime should check the OK-AS-DELEGATE flag in service tickets. Specify 1 to check the flag and 0 to ignore the flag. If checking is enabled and the service ticket returned by the key distribution center (KDC) does not have the OK-AS-DELEGATE flag set, the gss_init_sec_context() function does not enable delegation for the target principal. The default is to enable checking.
clockskew
Specifies the maximum clock difference in seconds. The default is 300 (5 minutes). A Kerberos request is rejected if the difference between the server time and the request timestamp exceeds the clock skew value.
clock_offset
Specifies a fixed offset in minutes between network time and the system clock. The specified offset is added to the system clock to obtain the network time. The default is 0. The value specified by clock_offset will be overridden by the KDC time offset if kdc_timesync is set to 1.
default_keytab_name
Specifies the default key table type and name. The KRB5_KTNAME environment variable overrides this specification. The default is /etc/skrb/krb5.keytab.
default_realm
Specifies the default realm.
default_tgs_enctypes
Specifies one or more encryption types, separated by commas and listed in most-preferred to least-preferred order. The KDC selects the first supported encryption type for the session key of service tickets. The default, if not specified, is:
  • aes256-cts-hmac-sha1-96
  • aes128-cts-hmac-sha1-96
  • des3-cbc-sha1-kd
default_tkt_enctypes
Specifies one or more encryption types, separated by commas and listed in most-preferred to least-preferred order. The KDC selects the first supported encryption type for the session key of the initial ticket-granting ticket. The default, if not specified, is:
  • aes256-cts-hmac-sha1-96
  • aes128-cts-hmac-sha1-96
  • des3-cbc-sha1-kd
fipslevel
Specifies the FIPS level that commands and applications are required to adhere to when participating in Kerberos protocol exchanges.
-1
No FIPS level change will be attempted. This is the default.
0
FIPS mode is disabled.
1
FIPS140-2
2
SP800-131A with exception
3
SP800-131A without exception
kdc_default_options
Specifies the default options used when requesting an initial ticket from the KDC as follows:
  • 0x00000010 = KDC_OPT_RENEWABLE_OK
  • 0x10000000 = KDC_OPT_PROXIABLE
  • 0x40000000 = KDC_OPT_FORWARDABLE

Multiple options may be specified by ORing the values together. The default is 0x00000010.
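The following is an added example, not code from the z/OS Network Authentication Service: a small Python audit that parses a [libdefaults] section, decodes a kdc_default_options bitmask using the flag values listed above, and reports the weak choices a reviewer looks for in default_tgs_enctypes / default_tkt_enctypes, clockskew and check_delegate. The two embedded krb5.conf fragments are constructed samples; the weak-enctype list and the clockskew ceiling are this example's own policy, not something the page mandates.

```python
"""Audit a krb5.conf [libdefaults] section (added example, not z/OS NAS code).

Assumptions of this example: plain `key = value` lines under [libdefaults];
single DES and triple DES count as weak; clockskew above the documented
default of 300 seconds is reported.
"""
import re

# Flag bits exactly as documented for kdc_default_options.
KDC_OPT_RENEWABLE_OK = 0x00000010
KDC_OPT_PROXIABLE = 0x10000000
KDC_OPT_FORWARDABLE = 0x40000000
KDC_OPT_NAMES = {
    KDC_OPT_RENEWABLE_OK: "KDC_OPT_RENEWABLE_OK",
    KDC_OPT_PROXIABLE: "KDC_OPT_PROXIABLE",
    KDC_OPT_FORWARDABLE: "KDC_OPT_FORWARDABLE",
}

# Example policy: DES and 3DES are deprecated for Kerberos (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "des3-cbc-sha1-kd"}
MAX_CLOCKSKEW = 300  # the documented default, used here as the ceiling


def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "libdefaults"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def decode_kdc_options(value):
    """Split a kdc_default_options value into named flags and unknown bits."""
    bits = int(value, 0)  # accepts 0x... or decimal
    names = [name for bit, name in KDC_OPT_NAMES.items() if bits & bit]
    return names, bits & ~sum(KDC_OPT_NAMES)


def split_enctypes(value):
    return [e for e in re.split(r"[,\s]+", value) if e]


def audit(settings):
    """Return (key, message) findings for settings that weaken the client."""
    findings = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = [e for e in split_enctypes(settings.get(key, "")) if e in WEAK_ENCTYPES]
        if weak:
            findings.append((key, "weak encryption types offered: " + ", ".join(weak)))
    skew = int(settings.get("clockskew", MAX_CLOCKSKEW))
    if skew > MAX_CLOCKSKEW:
        findings.append(("clockskew", f"{skew}s exceeds {MAX_CLOCKSKEW}s; widens the replay window"))
    if settings.get("check_delegate", "1") == "0":
        findings.append(("check_delegate",
                         "OK-AS-DELEGATE is ignored; credentials may be delegated to "
                         "services the KDC did not mark as trusted for delegation"))
    if "kdc_default_options" in settings:
        _, unknown = decode_kdc_options(settings["kdc_default_options"])
        if unknown:
            findings.append(("kdc_default_options", f"unknown option bits 0x{unknown:08x}"))
    return findings


# Constructed samples, not real systems' configuration files.
WEAK_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5
  default_tgs_enctypes = aes256-cts-hmac-sha1-96,des-cbc-crc
  clockskew = 900
  check_delegate = 0
  kdc_default_options = 0x50000010
[realms]
  EXAMPLE.COM = { kdc = kdc.example.com:88 }
"""
HARDENED_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96
  clockskew = 300
  check_delegate = 1
  kdc_use_tcp = 1
  kdc_default_options = 0x40000010   # RENEWABLE_OK | FORWARDABLE
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for key, msg in audit(parse_libdefaults(conf)) or [("-", "no findings")]:
            print(f"{label}: {key}: {msg}")
```

Run it directly to print the findings for both fragments; in the weak sample the 0x50000010 mask decodes to RENEWABLE_OK, PROXIABLE and FORWARDABLE with no unknown bits, so the audit reports only the enctype, clockskew and check_delegate problems.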

kdc_req_checksum_type
Specifies the default checksum type to use in a KDC request when a DES encryption type is in use. The default when not specified is rsa-md5. This value is ignored when the encryption type is using a DES3, AES, or DESD key.
kdc_timesync
Specifies whether to synchronize the local time with the KDC time. Specify 1 to synchronize the time and 0 not to synchronize the time. Do not specify 1 if the local system is running a time daemon that synchronizes the clock. The default is 0.

The time synchronization occurs when an initial ticket-granting-ticket is obtained from the KDC.

kdc_use_tcp
Set this value to 1 to use TCP stream connections instead of UDP datagrams when sending a request to the KDC. If a TCP connection cannot be established with the KDC, the runtime retries by sending a UDP datagram to the KDC. Set this value to 0 to always use UDP datagrams. The default is 0.
kpasswd_use_tcp
Set this value to 1 to use TCP stream connections instead of UDP datagrams when sending a request to the password change server. If a TCP connection cannot be established with the server, the runtime tries again by sending a UDP datagram to the password change server. Set this value to 0 to always use UDP datagrams. The default is 1.
ldap_server
Specifies the location of the LDAP server. The value consists of the host name and the port, separated by a colon. If the port is omitted, it defaults to 389.
rsa_md4_des_compat
Beta versions of Kerberos Version 5 computed the checksum incorrectly for the rsa-md4-des checksum type. Specify 1 to use the old algorithm for compatibility with these beta versions of Kerberos Version 5. The default is to use the new algorithm.
rsa_md5_des_compat
Beta versions of Kerberos Version 5 computed the checksum incorrectly for the rsa-md5-des checksum type. Specify 1 to use the old algorithm for compatibility with these beta versions of Kerberos Version 5. The default is to use the new algorithm.
safe_checksum_type
Specifies the default checksum type for a safe request. The default is rsa-md5-des. The specified checksum type must be compatible with the session key encryption type if the checksum uses an encrypted hash. When a DES3 or AES encryption key is used, this value is ignored. The following shows the checksum types that use an encrypted hash and the required session key encryption type:
Checksum Type           Encryption Type
descbc                  des-cbc-crc
rsa-md4-des             des-cbc-md4
rsa-md5-des             des-cbc-md5
hmac-sha1-des3          des3-cbc-sha1
hmac-sha1-96-aes128     aes128-cts-hmac-sha1-96
hmac-sha1-96-aes256     aes256-cts-hmac-sha1-96
hmac-sha256-128-aes128  aes128-cts-hmac-sha256-128
hmac-sha384-192-aes256  aes256-cts-hmac-sha384-192
use_dns_lookup
Set this value to 1 to use the domain name service (DNS) name server to locate the KDC and to resolve host names. The KDC is located using SRV records, and host names are resolved to realm names using TXT records. The [realms] and [domain_realm] sections are used if the resolution is unsuccessful using the DNS name server. Set this value to 0 to bypass the DNS lookup step. The default is 0. The priority value for SRV records is used to order the service records. Entries with the same priority are randomly selected each time the client needs to contact a Kerberos server.
use_dvipa_override
Set this value to 1 to allow the principal in the incoming service ticket to override the principal specified on the krb5_rd_req, krb5_rd_req_verify or gss_accept_sec_context API call, provided that only the instance (host name) of the two principals differs. If the primary or realm portions of the two principals differ, or either principal is a nonstandard service principal (has no instance, or has two or more instances), the incoming ticket is rejected. The application requires access to the encryption keys for the principal in the incoming service ticket (either through a keytab file or through the KDC if KRB5_SERVER_KEYTAB is set) in order to decrypt the ticket. Ensure the Kerberos server is running on all system images where the application runs when the value is set to 1. Set this value to 0 to accept only incoming service tickets that match the service principal specified on the krb5_rd_req, krb5_rd_req_verify or gss_accept_sec_context API call. The default is 0.
use_ldap_lookup
Set this value to 1 to use the Lightweight Directory Access Protocol (LDAP) directory to locate the KDC and to resolve host names. The [realms] and [domain_realm] sections are used if the resolution is unsuccessful. Set this value to 0 to bypass the LDAP lookup step. The default is 0. If both LDAP and DNS are used, LDAP is checked first, followed by DNS. The ldap_server value must also be specified to use LDAP lookup. LDAP directory entries are randomly selected each time the client needs to contact a Kerberos server.