[libdefaults] default_realm = TEST.H5L.SE no-addresses = TRUE allow_weak_crypto = TRUE rdns = false fcache_strict_checking = false name_canon_rules = as-is:realm=TEST.H5L.SE [appdefaults] pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem pkinit_pool = FILE:@objdir@/pkinit-anchor.pem [realms] TEST.H5L.SE = { kdc = localhost:@port@ pkinit_win2k = @w2k@ } [kdc] check-ticket-addresses = no warn_ticket_addresses = yes num-kdc-processes = 1 strict-nametypes = true enable-pkinit = true pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem pkinit_mappings_file = @srcdir@/pki-mapping # Locate kdc plugins for testing plugin_dir = @objdir@/../../kdc/.libs enable-pkinit = true pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem pkinit_mappings_file = @srcdir@/pki-mapping pkinit_max_life_from_cert = 5d database = { dbname = @objdir@/current-db realm = TEST.H5L.SE mkey_file = @objdir@/mkey.file log_file = @objdir@/log.current-db.log } negotiate_token_validator = { keytab = FILE:@objdir@/kt } realms = { TEST.H5L.SE = { kx509 = { user = { include_pkinit_san = true subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se ekus = 1.3.6.1.5.5.7.3.2 ca = PEM-FILE:@objdir@/user-issuer.pem } hostbased_service = { HTTP = { include_dnsname_san = true ekus = 1.3.6.1.5.5.7.3.1 ca = PEM-FILE:@objdir@/server-issuer.pem } } client = { ekus = 1.3.6.1.5.5.7.3.2 ca = PEM-FILE:@objdir@/user-issuer.pem } server = { ekus = 1.3.6.1.5.5.7.3.1 ca = PEM-FILE:@objdir@/server-issuer.pem } mixed = { ekus = 1.3.6.1.5.5.7.3.1 ekus = 1.3.6.1.5.5.7.3.2 ca = PEM-FILE:@objdir@/mixed-issuer.pem } } } } [hdb] db-dir = @objdir@ [bx509] realms = { TEST.H5L.SE = { # Default (no cert exts requested) user = { # Use an issuer for user certs: ca = PEM-FILE:@objdir@/user-issuer.pem subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se ekus = 1.3.6.1.5.5.7.3.2 include_pkinit_san = true } hostbased_service = { # Only for HTTP services HTTP = { # Use an issuer for server certs: ca = PEM-FILE:@objdir@/server-issuer.pem include_dnsname_san = true # Don't bother with a template } } # Non-default certs (extensions requested) # # Use no templates -- get empty subject names, # use SANs. # # Use appropriate issuers. client = { ca = PEM-FILE:@objdir@/user-issuer.pem } server = { ca = PEM-FILE:@objdir@/server-issuer.pem } mixed = { ca = PEM-FILE:@objdir@/mixed-issuer.pem } } } [get-tgt] no_addresses = true allow_addresses = true realms = { TEST.H5L.SE = { # Default (no cert exts requested) client = { # Use an issuer for user certs: ca = PEM-FILE:@objdir@/user-issuer.pem subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se ekus = 1.3.6.1.5.5.7.3.2 include_pkinit_san = true allow_extra_lifetime = true max_cert_lifetime = 7d force_cert_lifetime = 2d } user = { # Use an issuer for user certs: ca = PEM-FILE:@objdir@/user-issuer.pem subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se ekus = 1.3.6.1.5.5.7.3.2 include_pkinit_san = true allow_extra_lifetime = true max_cert_lifetime = 7d force_cert_lifetime = 2d } hostbased_service = { # Only for HTTP services HTTP = { # Use an issuer for server certs: ca = PEM-FILE:@objdir@/server-issuer.pem include_dnsname_san = true # Don't bother with a template } } # Non-default certs (extensions requested) # # Use no templates -- get empty subject names, # use SANs. # # Use appropriate issuers. client = { ca = PEM-FILE:@objdir@/user-issuer.pem } server = { ca = PEM-FILE:@objdir@/server-issuer.pem } mixed = { ca = PEM-FILE:@objdir@/mixed-issuer.pem } } } [logging] kdc = 0-/FILE:@objdir@/messages.log bx509d = 0-/FILE:@objdir@/messages.log default = 0-/FILE:@objdir@/messages.log [domain_realm] . = TEST.H5L.SE