warn.conf - Kerberos warning configuration file
The warn.conf file contains configuration information specifying how
users will be warned by the ktkt_warnd daemon about ticket expiration.
In addition, this file can be used to auto-renew the user's Ticket-Granting
Ticket (TGT) instead of warning the user. Credential expiration warnings and
auto-renew results are sent, by means of syslog, to auth.notice.
Each Kerberos client host must have a warn.conf file in
order for users on that host to get Kerberos warnings from the client.
Entries in the warn.conf file must have the following format:
principal [renew[:opt1,...optN]] syslog|terminal time
principal [renew[:opt1,...optN]] mail time [email address]
Specifies the principal name to be warned. The asterisk
(*) wildcard can be used to specify groups of principals.
Automatically renew the credentials (TGT) until renewable
lifetime expires. This is equivalent to the user running kinit
The renew options include:
Log the result of the renew attempt on success using the
specified method (syslog|terminal|mail).
Log the result of the renew attempt on failure using the
specified method (syslog|terminal|mail). Some renew
failure conditions are: TGT renewable lifetime has expired, the KDCs are
unavailable, or the cred cache file has been removed.
Same as specifying both log-success and
If no log options are given, no logging is done.
Sends the warnings to the system's syslog. Depending on
the /etc/syslog.conf file, syslog entries are written to the
/var/adm/messages file and/or displayed on the terminal.
Sends the warnings to display on the terminal.
Sends the warnings as email to the address specified by
Specifies how much time before the TGT expires
when a warning should be sent. The default time value is seconds, but you can
specify h (hours) and m (minutes) after the number to specify
other time values.
Specifies the email address at which to send the
warnings. This field must be specified only with the mail field.
Example 1 Specifying Warnings
The following warn.conf entry
* syslog 5m
specifies that warnings will be sent to the syslog five minutes
before the expiration of the TGT for all principals. The form of the
jdb@EXAMPLE.COM: your kerberos credentials expire in 5 minutes
Example 2 Specifying Renewal
The following warn.conf entry:
* renew:log terminal 30m
...specifies that renew results will be sent to the user's
terminal 30 minutes before the expiration of the TGT for all principals. The
form of the message (on renew success) is:
myname@EXAMPLE.COM: your kerberos credentials have been renewed
Kerberos warning daemon
See attributes(7) for descriptions of the following attributes:
The auto-renew of the TGT is attempted only if the user is logged-in, as
determined by examining utmpx(5).