warn.conf(4) File Formats warn.conf(4)NAMEwarn.conf - Kerberos warning configuration file
SYNOPSIS
/etc/krb5/warn.conf
DESCRIPTION
The warn.conf file contains configuration information specifying how
users will be warned by the ktkt_warnd daemon about ticket expiration.
In addition, this file can be used to auto-renew the user's Ticket-
Granting Ticket (TGT) instead of warning the user. Credential expira‐
tion warnings and auto-renew results are sent, by means of syslog, to
auth.notice.
Each Kerberos client host must have a warn.conf file in order for users
on that host to get Kerberos warnings from the client. Entries in the
warn.conf file must have the following format:
principal [renew[:opt1,...optN]] syslog|terminal time
or:
principal [renew[:opt1,...optN]] mail time [email address]
principal Specifies the principal name to be warned. The asterisk
(*) wildcard can be used to specify groups of princi‐
pals.
renew Automatically renew the credentials (TGT) until renew‐
able lifetime expires. This is equivalent to the user
running kinit -R.
The renew options include:
log-success
Log the result of the renew attempt on success
using the specified method (syslog|terminal|mail).
log-failure
Log the result of the renew attempt on failure
using the specified method (syslog|terminal|mail).
Some renew failure conditions are: TGT renewable
lifetime has expired, the KDCs are unavailable, or
the cred cache file has been removed.
log
Same as specifing both log-success and log-failure.
Note - If no log options are given, no logging is
done.
syslog Sends the warnings to the system's syslog. Depending on
the /etc/syslog.conf file, syslog entries are written
to the /var/adm/messages file and/or displayed on the
terminal.
terminal Sends the warnings to display on the terminal.
mail Sends the warnings as email to the address specified by
email_address.
time Specifies how much time before the TGT expires when a
warning should be sent. The default time value is sec‐
onds, but you can specify h (hours) and m (minutes)
after the number to specify other time values.
email_address Specifies the email address at which to send the warn‐
ings. This field must be specified only with the mail
field.
EXAMPLES
Example 1: Specifying Warnings
The following warn.conf entry
* syslog 5m
specifies that warnings will be sent to the syslog five minutes before
the expiration of the TGT for all principals. The form of the message
is:
jdb@ACME.COM: your kerberos credentials expire in 5 minutes
Example 2: Specifying Renewal
The following warn.conf entry:
* renew:log terminal 30m
...specifies that renew results will be sent to the user's terminal 30
minutes before the expiration of the TGT for all principals. The form
of the message (on renew success) is:
myname@ACME.COM: your kerberos credentials have been renewed
FILES
/usr/lib/krb5/ktkt_warnd Kerberos warning daemon
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Evolving │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOkinit(1), kdestroy(1), ktkt_warnd(1M), syslog.conf(4), utmpx(4),
attributes(5), kerberos(5), pam_krb5(5)NOTES
The auto-renew of the TGT is attempted only if the user is logged-in,
as determined by examining utmpx(4).
SunOS 5.10 30 Mar 2005 warn.conf(4)