# krb5conf v5_1 for Macintosh OS X 17Nov2014 # V2.1 Added capaths section with transitive trusts, removed # checksum_type from libdefaults # V2.1a Added domain definitions for the Windows realms # V2.2 Added units (m=minutes) to ticket_lifetime in [libdefaults], # added e898 AFS remapping to [instancemapping] section and # removed old pam definitions from [appdefaults] section which # just had a forwardable=true statement # V2.3 Removed krb4_convert_524 statement from pam settings in # [appdefaults] section to speed up logins # V2.4 Added CERN definitions to [realms] section # V2.5 Changed in [libdetaults], copied some items from [appdefaults] # so library finds them, set credentials cache type to 4 and # removed the default_*_enctypes. # V2.6 Added missing ":88" to the admin_server definitions # V2.7 Removed the 2.6 change, and re-enabled the default_*_enctypes # in [libdefauls] as these are needed to make Cryptocards work for now # V2.7a Added kisti.re.kr mapping to FNAL.GOV in [domain_realm] section # XXX Added mappings for the new KCA servers to the [domain.realm] section # so FERMI.WIN.FNAL.GOV principals can be used on Linux/UNIX nodes # V2.8 Added mappings for AD nodes to FERMI.WIN for Linux/OS X users # V2.9 Adjusted list of KDCs in FERMI.WIN.FNAL.GOV and added Master and # Admin server definitions for this realm # V2.10 Added section to [realms] for SERVICES domain # ..a Fixed above added line to [domain_realms] section as well # V2.11 Added mapping for fnlsix.net (IPv6 test domain) to FNAL.GOV realm # V2.12 Added section to [realms] for FERMITEST domain # V2.13 Added entries to [domain_realm] requested by AD # V2.14 Added mappings for Windows file servres to [domain_realm] in # response to Incident #25262 # V2.15 Added 3DES to default encoding types and allow Weak Encryption in # [libdefaults], added commented tag lines around FNAL KDC list # - prepare for changing encryption type from DES to 3DES in future # - for RHEL 6 and Ubuntu, allow Weak Encryption types for now # - tag KDC list to allow local edits to be retained on updates # V3.0 Version update to V2.15 now that installation scripts have been # considerably changed to drop obsolete stuff and support locally # saved FNAL.GOV KDC list # V3.1 Emergency fix to [appdefaults] section to remove comments from # lines in pam section since PAM handles these badly causing very # long login times; also added kadmin section to set forwardable # to false for kadmin tickets # V4.0 Several major and minor changes, nence new major version # - expansion of Slave KDC fleet means re-working the default KDC # search list to re-order and add new slaves in [realms] # - remove krb4 tickets, no longer needed [appdefaults] pam # and login subsections # - add/remove systems to [domain_realms] for Accelerator Div # - check and fix non-FNAL.GOV realms in [realms] making sure # the Windows domains all have Master KDC and Admin Server # definitions # - Add PILOT Slave i-krb-20 (planned, not yet ready) # V4.1 Added permitted_enctypes line to the [libdefaults] section # to provide better compatibility of Kerberized applications # with our KDC plant. Also removed a number of AD systems # from the [realms] section (no longer needed). # V4.1a Fixed typo in krb-fnal-d0online # V4.1b Removed krb5_convert_524 = false lines from the pam/login # definitions in [appdefaults] section as these upset PAM # and cause login/screensaver-exit delays # V4.2 Added PSC.EDU and EXTENCI.ORG to [realms] section # V4.3 Changed CERN.CH defintions in [realms] to point to # Active Directory KDCs # V4.4 Corrections to the order of the definitions in the [capaths] # section # V4.5 Added Nova Far Detector KDC and re-wrote HowTo instructions # for system administrators. # V4.6 Changes (additiions/deletions) in list of Accelerator Division # servers in [domain_realm] section # V4.7 Change default search order to put FCC3 Slave first and move # Master KDC further down in search order # # V4.8 Added i-krb-20 and i-krb-22 in domain_realm section # Added i-krb-22 as a skave KDC in PILOT realm # # V5.0 Added strong encryption types to default_tgs_enctypes # default_tkt_enctypes and permitted_enctypes in preparation # to Kerberos Upgrade # # V5.0a Removed i-krb-3 from KDC list # # V5.1 Added SLAC realm definition # Added "krb4_convert_524 = false" and "krb4_use_as_req = false" to pam # section in appdefaults # Removed lines with "aklog" ### ### This krb5.conf template is intended for use with Fermi ### Kerberos v1_2 and later. Earlier versions may choke on the ### "auth_to_local = " lines unless they are commented out. ### The installation process should do all the right things in ### any case, but if you are reading this and haven't updated ### your kerberos product to v1_2 or later, you really should! ### # # The list of Fermilab KDCs between the BEGINTAG/ENDTAG-KDCLIST # comment lists will be replaced with local KDC list from the # file /etc/krb5.kdclist (if found). # # HowTo for System Administrators: # # Use a local KDC search list to reduce the load on the primary KDC # particularly if a semi-dedicated Slave KDC is located in your subnets. # # Re-order the FNAL.GOV KDC list located between the #BEGINTAG/#ENDTAG lines. # Then save this section of krb5.conf as the file /etc/krb5.kdclist # (including the #BEGINTAG/#ENDTAG lines). # # This will preserve your KDC order during future krb5.conf upgrades. # [libdefaults] ticket_lifetime = 1560m #default_realm = FNAL.GOV default_realm = CERN.CH ccache_type = 4 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc arcfour-hmac-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc arcfour-hmac-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc arcfour-hmac-md5 default_lifetime = 7d renew_lifetime = 7d autologin = true forward = true forwardable = true renewable = true encrypt = true allow_weak_crypto = true chpw_prompt = true [realms] FNAL.GOV = { #BEGINTAG-KDCLIST kdc = krb-fnal-fcc3.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-4.fnal.gov:88 kdc = krb-fnal-enstore.fnal.gov:88 kdc = krb-fnal-fg1.fnal.gov:88 kdc = krb-fnal-fg2.fnal.gov:88 kdc = krb-fnal-cms188.fnal.gov:88 kdc = krb-fnal-cms204.fnal.gov:88 kdc = krb-fnal-d0online.fnal.gov:88 kdc = krb-fnal-cdfonline.fnal.gov:88 kdc = krb-fnal-nova-fd.fnal.gov:88 kdc = krb-fnal-soudan.fnal.gov:88 # The krb-fnal-5/6/7 CNAME's still exist and will continue to exist # but are deprecated in favor of krb-fnal-d0online/cdfonline/soudan #ENDTAG-KDCLIST master_kdc = krb-fnal-admin.fnal.gov:88 admin_server = krb-fnal-admin.fnal.gov default_domain = fnal.gov } WIN.FNAL.GOV = { kdc = littlebird.win.fnal.gov:88 kdc = bigbird.win.fnal.gov:88 master_kdc = littlebird.win.fnal.gov:88 admin_server = littlebird.win.fnal.gov default_domain = fnal.gov } FERMI.WIN.FNAL.GOV = { kdc = sully.fermi.win.fnal.gov:88 kdc = elmo.fermi.win.fnal.gov:88 kdc = oscar.fermi.win.fnal.gov:88 kdc = zoe.fermi.win.fnal.gov:88 kdc = herry.fermi.win.fnal.gov:88 master_kdc = elmo.fermi.win.fnal.gov:88 admin_server = elmo.fermi.win.fnal.gov default_domain = fnal.gov } SERVICES.FNAL.GOV = { kdc = ldapdc1.services.fnal.gov:88 kdc = ldapdc2.services.fnal.gov:88 master_kdc = ldapdc1.services.fnal.gov:88 admin_server = ldapdc1.services.fnal.gov default_domain = fnal.gov } UCHICAGO.EDU = { kdc = kerberos-0.uchicago.edu kdc = kerberos-1.uchicago.edu kdc = kerberos-2.uchicago.edu admin_server = kerberos.uchicago.edu default_domain = uchicago.edu } PILOT.FNAL.GOV = { kdc = i-krb-2.fnal.gov:88 kdc = i-krb-20.fnal.gov:88 kdc = i-krb-22.fnal.gov:88 master_kdc = i-krb-2.fnal.gov:88 admin_server = i-krb-2.fnal.gov default_domain = fnal.gov } WINBETA.FNAL.GOV = { kdc = wbdc1.winbeta.fnal.gov:88 kdc = wbdc2.winbeta.fnal.gov:88 master_kdc = wbdc1.winbeta.fnal.gov:88 admin_server = wbdc1.winbeta.fnal.gov default_domain = fnal.gov } FERMIBETA.WINBETA.FNAL.GOV = { kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 kdc = fbdc2.fermibeta.winbeta.fnal.gov:88 master_kdc = fbdc1.fermibeta.winbeta.fnal.gov:88 admin_server = fbdc1.fermibeta.winbeta.fnal.gov default_domain = fnal.gov } FERMITEST.FNAL.GOV = { kdc = ftdc3.fermitest.fnal.gov:88 kdc = ftdc2.fermitest.fnal.gov:88 default_domain = fnal.gov master_kdc = ftdc3.fermitest.fnal.gov:88 admin_server = ftdc3.fermitest.fnal.gov } CERN.CH = { kdc = cerndc.cern.ch:88 master_kdc = cerndc.cern.ch:88 default_domain = cern.ch kpasswd_server = afskrb5m.cern.ch #kpasswd_server = cerndc.cern.ch admin_server = afskrb5m.cern.ch #admin_server = cerndc.cern.ch v4_name_convert = { host = { rcmd = host } } } PSC.EDU = { kdc = kerberos-1.psc.edu kdc = kerberos-2.psc.edu kdc = kerberos-3.psc.edu admin_server = kerberos-1.psc.edu master_kdc = kerberos-1.psc.edu default_domain = psc.edu ticket_lifetime = 30h } EXTENCI.ORG = { kdc = kerberos.extenci.org:88 admin_server = kerberos.extenci.org:749 master_kdc = kerberos.extenci.org:88 default_domain = extenci.org } SLAC.STANFORD.EDU = { kdc = k5auth1.slac.stanford.edu:88 k5auth2.slac.stanford.edu:88 k5auth3.slac.stanford.edu:88 master_kdc = k5auth1.slac.stanford.edu:88 admin_server = k5admin.slac.stanford.edu kpasswd_server = k5passwd.slac.stanford.edu default_domain = slac.stanford.edu } KFKI.HU = { admin_server = kerberos.kfki.hu kdc = kerberos.kfki.hu } IN2P3.FR = { default_domain = in2p3.fr kpasswd_server = kerberos-admin.in2p3.fr admin_server = kerberos-admin.in2p3.fr kdc = kerberos-1.in2p3.fr kerberos-2.in2p3.fr kerberos-3.in2p3.fr } HEP.MAN.AC.UK = { default_domain = hep.man.ac.uk kpasswd_server = afs4.hep.man.ac.uk admin_server = afs4.hep.man.ac.uk kdc = afs1.hep.man.ac.uk afs2.hep.man.ac.uk afs3.hep.man.ac.uk afs4.hep.man.ac.uk } CLASSE.CORNELL.EDU = { kdc = dc1.classe.cornell.edu dc2.classe.cornell.edu dc4.classe.cornell.edu admin_server = dc1.classe.cornell.edu default_domain = classe.cornell.edu auth_to_local = RULE:[1:$1@$0](.*@LNS.CORNELL.EDU)s/@.*// auth_to_local = DEFAULT } LNS.CORNELL.EDU = { kdc = kerberos.lns.cornell.edu kerberos-1.lns.cornell.edu admin_server = kerberos.lns.cornell.edu default_domain = lns.cornell.edu auth_to_local = RULE:[1:$1@$0](.*@CLASSE.CORNELL.EDU)s/@.*// auth_to_local = DEFAULT } [instancemapping] afs = { cron/* = "" cms/* = "" afs/* = "" e898/* = "" } [capaths] # FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains # FNAL.GOV is production and PILOT is for testing # The FERMI Windows domain uses the WIN.FNAL.GOV root realm # with the FERMI.WIN.FNAL.GOV sub-realm where machines and users # reside. The WINBETA and FERMIBETA domains are the equivalent # testing realms for the FERMIBETA domain. The 2-way transitive # trust structure of this complex is as follows: # # FNAL.GOV <=> PILOT.FNAL.GOV # FNAL.GOV <=> WIN.FERMI.GOV <=> FERMI.WIN.FERMI.GOV # PILOT.FNAL.GOV <=> WINBETA.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV FNAL.GOV = { FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV WIN.FNAL.GOV = FNAL.GOV FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV WINBETA.FNAL.GOV = PILOT.FNAL.GOV PILOT.FNAL.GOV = FNAL.GOV } PILOT.FNAL.GOV = { FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV WIN.FNAL.GOV = FNAL.GOV FNAL.GOV = PILOT.FNAL.GOV FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV WINBETA.FNAL.GOV = PILOT.FNAL.GOV } WIN.FNAL.GOV = { FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV WINBETA.FNAL.GOV = PILOT.FNAL.GOV PILOT.FNAL.GOV = FNAL.GOV FNAL.GOV = WIN.FNAL.GOV } WINBETA.FNAL.GOV = { FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV FNAL.GOV = PILOT.FNAL.GOV FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV WIN.FNAL.GOV = PILOT.FNAL.GOV PILOT.FNAL.GOV = WINBETA.FNAL.GOV } [logging] kdc = SYSLOG:info:local1 admin_server = SYSLOG:info:local2 default = SYSLOG:err:auth [domain_realm] # Fermilab's (non-windows-centric) domains .fnal.gov = FNAL.GOV .cdms-soudan.org = FNAL.GOV .deemz.net = FNAL.GOV .dhcp.fnal.gov = FNAL.GOV .minos-soudan.org = FNAL.GOV i-krb-2.fnal.gov = PILOT.FNAL.GOV i-krb-20.fnal.gov = PILOT.FNAL.GOV i-krb-22.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test1.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test2.fnal.gov = PILOT.FNAL.GOV i-krb-pilot-test3.fnal.gov = PILOT.FNAL.GOV .win.fnal.gov = WIN.FNAL.GOV .fermi.win.fnal.gov = FERMI.WIN.FNAL.GOV .services.fnal.gov = SERVICES.FNAL.GOV .winbeta.fnal.gov = WINBETA.FNAL.GOV .fermibeta.winbeta.fnal.gov = FERMIBETA.WINBETA.FNAL.GOV .fermitest.fnal.gov = FERMITEST.FNAL.GOV .fnlsix.net = FNAL.GOV # Fermilab's KCA servers so FERMI.WIN principals work in FNAL.GOV realm # winserver.fnal.gov = FERMI.WIN.FNAL.GOV # winserver2.fnal.gov = FERMI.WIN.FNAL.GOV # File servers in FERMI.WIN for Linux/Mac OS X users cdserver.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-cdf.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-cd.fnal.gov = FERMI.WIN.FNAL.GOV eshserver1.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-lss.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-numi.fnal.gov = FERMI.WIN.FNAL.GOV sdss-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV fg-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV minos-nas-1.fnal.gov = FERMI.WIN.FNAL.GOV rhea-1-test.fnal.gov = FERMI.WIN.FNAL.GOV rhea-2-test.fnal.gov = FERMI.WIN.FNAL.GOV lsserver.fnal.gov = FERMI.WIN.FNAL.GOV pseekits.fnal.gov = FERMI.WIN.FNAL.GOV numiserver.fnal.gov = FERMI.WIN.FNAL.GOV cdfserver1.fnal.gov = FERMI.WIN.FNAL.GOV minos-nas-0.fnal.gov = FERMI.WIN.FNAL.GOV blue1.fnal.gov = FERMI.WIN.FNAL.GOV blue2.fnal.gov = FERMI.WIN.FNAL.GOV fgnas0.fnal.gov = FERMI.WIN.FNAL.GOV ppdserver.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-1.fnal.gov = FERMI.WIN.FNAL.GOV bluemig-0.fnal.gov = FERMI.WIN.FNAL.GOV dirserver1.fnal.gov = FERMI.WIN.FNAL.GOV tdserver1.fnal.gov = FERMI.WIN.FNAL.GOV # Accelerator nodes to FERMI.WIN for Linux/OS X users ad-radius-c.fnal.gov = FERMI.WIN.FNAL.GOV ad-radius-g.fnal.gov = FERMI.WIN.FNAL.GOV ad-videoip.fnal.gov = FERMI.WIN.FNAL.GOV adfs.fnal.gov = FERMI.WIN.FNAL.GOV adweb.fnal.gov = FERMI.WIN.FNAL.GOV bdcryoserv1.fnal.gov = FERMI.WIN.FNAL.GOV bdcryoserv2.fnal.gov = FERMI.WIN.FNAL.GOV beams-cisco.fnal.gov = FERMI.WIN.FNAL.GOV beams-cvs.fnal.gov = FERMI.WIN.FNAL.GOV beams-license.fnal.gov = FERMI.WIN.FNAL.GOV beams-msd-srv.fnal.gov = FERMI.WIN.FNAL.GOV beams-nav-srv-a.fnal.gov = FERMI.WIN.FNAL.GOV beams-nav-srv-b.fnal.gov = FERMI.WIN.FNAL.GOV beams-print.fnal.gov = FERMI.WIN.FNAL.GOV beams-sbe.fnal.gov = FERMI.WIN.FNAL.GOV beams-sccm.fnal.gov = FERMI.WIN.FNAL.GOV beams-sda.fnal.gov = FERMI.WIN.FNAL.GOV beams-sql-srv-2.fnal.gov = FERMI.WIN.FNAL.GOV beams-ts.fnal.gov = FERMI.WIN.FNAL.GOV beams-utility.fnal.gov = FERMI.WIN.FNAL.GOV beams-vm-srv-2.fnal.gov = FERMI.WIN.FNAL.GOV cosmo.fnal.gov = FERMI.WIN.FNAL.GOV earl.fnal.gov = FERMI.WIN.FNAL.GOV mdbcryo.fnal.gov = FERMI.WIN.FNAL.GOV www-bdnew.fnal.gov = FERMI.WIN.FNAL.GOV www-dsview.fnal.gov = FERMI.WIN.FNAL.GOV www-inteng.fnal.gov = FERMI.WIN.FNAL.GOV www-opsdev.fnal.gov = FERMI.WIN.FNAL.GOV adgroups.fnal.gov = FERMI.WIN.FNAL.GOV adusers.fnal.gov = FERMI.WIN.FNAL.GOV beamssrv1.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba.fnal.gov = FERMI.WIN.FNAL.GOV ad-c-samba-2.fnal.gov = FERMI.WIN.FNAL.GOV ad-cartoon-smb.fnal.gov = FERMI.WIN.FNAL.GOV beams-fmp.fnal.gov = FERMI.WIN.FNAL.GOV www-groups.fnal.gov = FERMI.WIN.FNAL.GOV www-users.fnal.gov = FERMI.WIN.FNAL.GOV shareit.fnal.gov = FERMI.WIN.FNAL.GOV softwiki.fnal.gov = FERMI.WIN.FNAL.GOV ad-cluster.fnal.gov = FERMI.WIN.FNAL.GOV ad-cluster-1.fnal.gov = FERMI.WIN.FNAL.GOV ad-cluster-2.fnal.gov = FERMI.WIN.FNAL.GOV adopstrain.fnal.gov = FERMI.WIN.FNAL.GOV ad-prt.fnal.gov = FERMI.WIN.FNAL.GOV ad-sec.fnal.gov = FERMI.WIN.FNAL.GOV ad-vcenter.fnal.gov = FERMI.WIN.FNAL.GOV ad-wsus.fnal.gov = FERMI.WIN.FNAL.GOV beams-sandbox.fnal.gov = FERMI.WIN.FNAL.GOV beams-spfs-2.fnal.gov = FERMI.WIN.FNAL.GOV beams-wds.fnal.gov = FERMI.WIN.FNAL.GOV lqlar-panel.fnal.gov = FERMI.WIN.FNAL.GOV mtacryo.fnal.gov = FERMI.WIN.FNAL.GOV muondept.fnal.gov = FERMI.WIN.FNAL.GOV search.fnal.gov = FERMI.WIN.FNAL.GOV www-bardeenfellow.fnal.gov = FERMI.WIN.FNAL.GOV www-cryo.fnal.gov = FERMI.WIN.FNAL.GOV www-fmi.fnal.gov = FERMI.WIN.FNAL.GOV www-hampshire.fnal.gov = FERMI.WIN.FNAL.GOV www-ilcdcb.fnal.gov = FERMI.WIN.FNAL.GOV www-preacc.fnal.gov = FERMI.WIN.FNAL.GOV www-recycler.fnal.gov = FERMI.WIN.FNAL.GOV www-srfsafety.fnal.gov = FERMI.WIN.FNAL.GOV # Friends and family (by request) .cs.ttu.edu = FNAL.GOV .geol.uniovi.es = FNAL.GOV .harvard.edu = FNAL.GOV .hpcc.ttu.edu = FNAL.GOV .infn.it = FNAL.GOV .knu.ac.kr = FNAL.GOV .lns.mit.edu = FNAL.GOV .ph.liv.ac.uk = FNAL.GOV .pha.jhu.edu = FNAL.GOV .phys.ttu.edu = FNAL.GOV .phys.ualberta.ca = FNAL.GOV .physics.lsa.umich.edu = FNAL.GOV .physics.ucla.edu = FNAL.GOV .physics.ucsb.edu = FNAL.GOV .physics.utoronto.ca = FNAL.GOV .rl.ac.uk = FNAL.GOV .rockefeller.edu = FNAL.GOV .rutgers.edu = FNAL.GOV .sdsc.edu = FNAL.GOV .sinica.edu.tw = FNAL.GOV .tsukuba.jp.hep.net = FNAL.GOV .ucsd.edu = FNAL.GOV .unl.edu = FNAL.GOV .in2p3.fr = FNAL.GOV .wisc.edu = FNAL.GOV .pic.org.es = FNAL.GOV .kisti.re.kr = FNAL.GOV # The whole "top half" is replaced during "ups installAsRoot krb5conf", so: # It would probably be a bad idea to change anything on or above this line # If you need to add any .domains or hosts, put them here [domain_realm] mojo.lunet.edu = FNAL.GOV .cern.ch = CERN.CH lxplus.cern.ch = CERN.CH .hep.man.ac.uk = HEP.MAN.AC.UK .classe.cornell.edu = CLASSE.CORNELL.EDU classe.cornell.edu = CLASSE.CORNELL.EDU .lns.cornell.edu = LNS.CORNELL.EDU lns.cornell.edu = LNS.CORNELL.EDU [appdefaults] default_lifetime = 7d retain_ccache = false autologin = true forward = true forwardable = true renewable = true encrypt = true krb5_aklog_path = /usr/local/bin/aklog telnet = { } rcp = { forward = true encrypt = false allow_fallback = true } rsh = { allow_fallback = true } rlogin = { allow_fallback = false } login = { forwardable = true krb5_get_tickets = true krb4_get_tickets = false krb4_convert = false krb5_run_aklog = true } kinit = { forwardable = true renewable = true krb5_run_aklog = true } kadmin = { forwardable = false } rshd = { krb5_run_aklog = true } ftpd = { default_lifetime = 10h krb5_run_aklog = true } pam = { external = true debug = false forwardable = true renewable = true renew_lifetime = 7d ticket_lifetime = 1560m krb4_convert = false krb4_convert_524 = false krb4_use_as_req = false #afs_cells = fnal.gov afs_cells = cern.ch krb5_run_aklog = true }