'\" te
.\" Copyright 1987, 1989 by the Student Information Processing Board of the Massachusetts Institute of Technology. For copying and distribution information, please see the file kerberosv5/mit-sipb-copyright.h.
.\" Portions Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
.TH warn.conf 4 "1 Jun 2012" "SunOS 5.11" "File Formats"
.SH NAME
warn.conf \- Kerberos warning configuration file
.SH SYNOPSIS
.LP
.nf
/etc/krb5/warn.conf
.fi

.LP
.nf
/var/user/$USER/krb-warn.conf
.fi

.SH DESCRIPTION
.sp
.LP
The \fBktkt_warnd\fR(1M) configuration files contain configuration information specifying how users will be warned by the \fBktkt_warnd\fR daemon about ticket expiration. In addition, these files can be used to auto-renew the user's Ticket-Granting Ticket (TGT) instead of warning the user. Credential expiration warnings and auto-renew results are sent, by means of \fBsyslog\fR, to \fBauth.notice\fR.
.sp
.LP
If the user's configuration file, \fB/var/user/$USER/krb-warn.conf\fR, does not exist, \fB/etc/krb5/warn.conf\fR will be used.
.sp
.LP
If each user does not have a configuration file, each Kerberos client host must have an \fB/etc/krb5/warn.conf\fR file in order for users on that host to get Kerberos warnings from the client. Entries in the configuration files must have the following format:
.sp
.in +2
.nf
\fIprincipal\fR|* [renew:\fIopt1\fR,...\fIoptN\fR] syslog|terminal \fItime\fR
.fi
.in -2

.sp
.LP
or:
.sp
.in +2
.nf
\fIprincipal\fR|* [renew[:\fIopt1\fR,...\fIoptN\fR]] mail \fItime\fR &|\fIemail address\fR
.fi
.in -2

.sp
.ne 2
.mk
.na
\fB\fIprincipal\fR\fR
.ad
.sp .6
.RS 4n
Specifies the principal name to be warned. The asterisk (\fB*\fR) wildcard can be used to specify groups of principals.
.RE

.sp
.ne 2
.mk
.na
\fB\fBrenew\fR\fR
.ad
.sp .6
.RS 4n
Automatically renew the credentials (TGT) until renewable lifetime expires. This is equivalent to the user running \fBkinit\fR \fB-R\fR.
.sp
The renew options include:
.sp
.ne 2
.mk
.na
\fB\fBlog-success\fR\fR
.ad
.sp .6
.RS 4n
Log the result of the renew attempt on success using the specified method (\fBsyslog\fR|\fBterminal\fR|\fBmail\fR).
.RE

.sp
.ne 2
.mk
.na
\fB\fBlog-failure\fR\fR
.ad
.sp .6
.RS 4n
Log the result of the renew attempt on failure using the specified method (\fBsyslog\fR|\fBterminal\fR|\fBmail\fR). Some renew failure conditions are: TGT renewable lifetime has expired, the KDCs are unavailable, or the cred cache file has been removed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlog\fR\fR
.ad
.sp .6
.RS 4n
Same as specifing both \fBlog-success\fR and \fBlog-failure\fR.
.RE

.LP
Note - 
.sp
.RS 2
If no log options are given, no logging is done.
.RE
.RE

.sp
.ne 2
.mk
.na
\fB\fBsyslog\fR\fR
.ad
.sp .6
.RS 4n
Sends the warnings to the system's syslog. Depending on the \fB/etc/syslog.conf\fR file, syslog entries are written to the \fB/var/adm/messages\fR file and/or displayed on the terminal.
.RE

.sp
.ne 2
.mk
.na
\fB\fBterminal\fR\fR
.ad
.sp .6
.RS 4n
Sends the warnings to display on the terminal.
.RE

.sp
.ne 2
.mk
.na
\fB\fBmail\fR\fR
.ad
.sp .6
.RS 4n
Sends the warnings as email to the address specified by \fIemail_address\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fItime\fR\fR
.ad
.sp .6
.RS 4n
Specifies how much time before the \fBTGT\fR expires when a warning should be sent. The default time value is seconds, but you can specify \fBh\fR (hours) and \fBm\fR (minutes) after the number to specify other time values.
.RE

.sp
.ne 2
.mk
.na
\fB\fB&\fR\fR
.ad
.sp .6
.RS 4n
Map the principal name to the Unix name and use that as a local mail address to mail the message. The expected default mappings can be changed by means of \fBauth_to_local_names\fR and \fBauth_to_local\fR in \fBkrb5.conf\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fIemail_address\fR\fR
.ad
.sp .6
.RS 4n
Specifies the email address at which to send the warnings. This field must be specified only with the \fBmail\fR field.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRSpecifying Warnings
.sp
.LP
The following \fBwarn.conf\fR entry

.sp
.in +2
.nf
\fB* syslog 5m\fR 
.fi
.in -2
.sp

.sp
.LP
specifies that warnings will be sent to the syslog five minutes before the expiration of the \fBTGT\fR for all principals. The form of the message is:

.sp
.in +2
.nf
jdb@ACME.COM: your kerberos credentials expire in 5 minutes
.fi
.in -2
.sp

.LP
\fBExample 2 \fRSpecifying Renewal
.sp
.LP
The following \fBwarn.conf\fR entry:

.sp
.in +2
.nf
* renew:log terminal 30m
.fi
.in -2

.sp
.LP
\&...specifies that renew results will be sent to the user's terminal 30 minutes before the expiration of the TGT for all principals. The form of the message (on renew success) is:

.sp
.in +2
.nf
myname@ACME.COM: your kerberos credentials have been renewed
.fi
.in -2

.LP
\fBExample 3 \fREmailing Each User
.sp
.LP
The following \fBwarn.conf\fR entry specifies that each user is emailed 30 minutes before his or her credential expires.

.sp
.in +2
.nf
* mail 30m &
.fi
.in -2
.sp

.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/usr/lib/krb5/ktkt_warnd\fR\fR
.ad
.sp .6
.RS 4n
Kerberos warning daemon
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityCommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBkinit\fR(1), \fBkdestroy\fR(1), \fBgsscred\fR(1M), \fBktkt_warnd\fR(1M), \fBkrb5.conf\fR(4), \fBsyslog.conf\fR(4), \fButmpx\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5), \fBpam_krb5\fR(5)
.SH NOTES
.sp
.LP
The auto-renew of the TGT is attempted only if the user is logged-in, as determined by examining \fButmpx\fR(4).