WARN.CONF(5) File Formats and Configurations WARN.CONF(5)
NAME
warn.conf - Kerberos warning configuration file
SYNOPSIS
/etc/krb5/warn.conf
DESCRIPTION
The warn.conf file contains configuration information specifying how
users will be warned by the ktkt_warnd daemon about ticket
expiration. In addition, this file can be used to auto-renew the
user's Ticket-Granting Ticket (TGT) instead of warning the user.
Credential expiration warnings and auto-renew results are sent, by
means of syslog, to auth.notice.
Each Kerberos client host must have a warn.conf file in order for
users on that host to get Kerberos warnings from the client. Entries
in the warn.conf file must have the following format:

    principal [renew[:opt1,...optN]] syslog|terminal time

or:

    principal [renew[:opt1,...optN]] mail time [email address]
principal        Specifies the principal name to be warned. The
                 asterisk (*) wildcard can be used to specify groups
                 of principals.

renew            Automatically renew the credentials (TGT) until
                 renewable lifetime expires. This is equivalent to
                 the user running kinit -R.

                 The renew options include:

                 log-success    Log the result of the renew attempt
                                on success using the specified method
                                (syslog|terminal|mail).

                 log-failure    Log the result of the renew attempt
                                on failure using the specified method
                                (syslog|terminal|mail). Some renew
                                failure conditions are: TGT renewable
                                lifetime has expired, the KDCs are
                                unavailable, or the cred cache file
                                has been removed.

                 log            Same as specifying both log-success
                                and log-failure.

                 Note - If no log options are given, no logging is
                 done.

syslog           Sends the warnings to the system's syslog. Depending
                 on the /etc/syslog.conf file, syslog entries are
                 written to the /var/adm/messages file and/or
                 displayed on the terminal.

terminal         Sends the warnings to display on the terminal.

mail             Sends the warnings as email to the address specified
                 by email_address.

time             Specifies how much time before the TGT expires when
                 a warning should be sent. The default time value is
                 seconds, but you can specify h (hours) and
                 m (minutes) after the number to specify other time
                 values.

email_address    Specifies the email address at which to send the
                 warnings. This field must be specified only with the
                 mail field.
EXAMPLES
Example 1: Specifying Warnings
The following warn.conf entry:

    * syslog 5m

specifies that warnings will be sent to the syslog five minutes
before the expiration of the TGT for all principals. The form of the
message is:

    jdb@EXAMPLE.COM: your kerberos credentials expire in 5 minutes

Example 2: Specifying Renewal
The following warn.conf entry:

    * renew:log terminal 30m

...specifies that renew results will be sent to the user's terminal
30 minutes before the expiration of the TGT for all principals. The
form of the message (on renew success) is:

    myname@EXAMPLE.COM: your kerberos credentials have been renewed
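
Added example, not part of the original manual page and not ktkt_warnd code: a small Python linter for the entry format described above. It flags renew entries that log nothing and rejects an email address given without the mail method. The names parse_entry, lint and SAMPLE are hypothetical, the sample entries are constructed, and whitespace-separated fields and skipped '#' comment lines are assumptions the page does not state.

```python
import re

METHODS = {"syslog", "terminal", "mail"}
LOG_OPTS = {"log-success", "log-failure"}
UNITS = {"": 1, "m": 60, "h": 3600}  # no suffix means seconds

def parse_entry(line):
    """Parse one warn.conf entry; return (entry, findings) or raise ValueError."""
    rest = line.split()  # assumption: fields are whitespace-separated
    entry = {"principal": rest.pop(0) if rest else None, "renew": False, "log": set()}
    findings = []
    if rest and rest[0].split(":", 1)[0] == "renew":
        opts = set(filter(None, rest.pop(0).partition(":")[2].split(",")))
        # 'log' is the same as giving both log-success and log-failure
        opts = (opts - {"log"}) | LOG_OPTS if "log" in opts else opts
        if opts - LOG_OPTS:
            raise ValueError(f"unknown renew option(s): {sorted(opts - LOG_OPTS)}")
        if not opts:  # per the page: no log options means no logging at all
            findings.append("renew without log options: renew results are not logged")
        entry.update(renew=True, log=opts)
    if len(rest) < 2 or rest[0] not in METHODS:
        raise ValueError("expected syslog|terminal|mail followed by a time")
    m = re.fullmatch(r"(\d+)([hm]?)", rest[1])
    if not m:
        raise ValueError(f"bad time value {rest[1]!r}")
    if len(rest) > 3 or (rest[2:] and rest[0] != "mail"):
        raise ValueError("an email address is valid only with mail, as one field")
    entry.update(method=rest[0], seconds=int(m.group(1)) * UNITS[m.group(2)],
                 email=rest[2] if rest[2:] else None)
    return entry, findings

def lint(text):
    """Return (line_no, level, message) per finding; '#' lines skipped (assumption)."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                report += [(n, "warn", f) for f in parse_entry(line)[1]]
            except ValueError as e:
                report.append((n, "error", str(e)))
    return report

SAMPLE = """# constructed sample, not from a real host
* syslog 5m
* renew:log terminal 30m
* renew mail 1h admin@example.com
jdb@EXAMPLE.COM terminal 10 root@example.com
"""
```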
FILES
/usr/lib/krb5/ktkt_warnd Kerberos warning daemon
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+
SEE ALSO
kdestroy(1), kinit(1), syslog.conf(5), utmpx(5), attributes(7),
kerberos(7), pam_krb5(7), ktkt_warnd(8)
NOTES
The auto-renew of the TGT is attempted only if the user is logged-in,
as determined by examining utmpx(5).
November 22, 2021 WARN.CONF(5)