Add kerberos krb5.conf example

resolves https://bugzilla.suse.com/show_bug.cgi?id=1127596
SUSE · Aug 14, 2019 · 674aeff · cjschroder · Aug 15, 2019 · 674aeff
1 parent 51fd415
commit 674aeff
Showing 1 changed file with 43 additions and 1 deletion.
diff --git a/xml/security_kerberos.xml b/xml/security_kerberos.xml
@@ -783,7 +783,8 @@ group:          files</screen>
        The <filename>/etc/krb5.conf</filename> and
        <filename>/var/lib/kerberos/krb5kdc/kdc.conf</filename> configuration
        files must be adjusted for your scenario. These files contain all
-       information on the KDC.
+       information on the KDC. See
+       <xref linkend="sec-security-kerberos-admin-kdc-configure"/>.
       </para>
      </formalpara>
     </step>
@@ -844,6 +845,47 @@ group:          files</screen>
      </formalpara>
     </step>
    </procedure>
+
+   <sect3 xml:id="sec-security-kerberos-admin-kdc-configure">
+       <title>Configuring the Server</title>
+       <para>
+           Configuring a &krb; server is highly variable, dependent on your
+           network architecture, DNS and DHCP configuration, realms, and 
+           many other considerations. You must have a default realm, and domain-
+           to-realm mappings. The following example demonstrates a minimal
+           configuration. This is not a copy-and-paste example; see
+           <link xlink:href="https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/index.html"/>
+           for detailed information on &krb; configuration.
+       </para>
+       <example xml:id="sec-security-kerberos-example-config">
+           <title>Example KDC Configuration, <filename>/etc/krb5.conf</filename></title>
+               <screen>[libdefaults]
+ dns_canonicalize_hostname = false
+ rdns = false
+ default_realm = &exampledomain;
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+
+[realms]
+  &exampledomain; = {
+  kdc = kdc.&exampledomain;.:88
+  admin_server = kdc.&exampledomain;
+  default_domain = &exampledomain;
+ }
+
+ [logging]
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ default = SYSLOG:NOTICE:DAEMON
+
+[domain_realm]
+ .&exampledomain; = &exampledomain;
+ &exampledomain; = &exampledomain;
+</screen>
+</example>
+
+</sect3>
+
    <sect3 xml:id="sec-security-kerberos-admin-kdc-database">
     <title>Setting Up the Database</title>
     <para>