chromium/components/policy/resources/templates/policy_definitions/Kerberos/KerberosAccounts.yaml

caption: Configure Kerberos accounts
desc: |-
  Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '<ph name="LOGIN_EMAIL_PLACEHOLDER">${LOGIN_EMAIL}</ph>' and <ph name="PASSWORD_PLACEHOLDER">${PASSWORD}</ph>' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically, unless two-factor authentication is configured. Users cannot modify accounts added via this policy.

            If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.

            If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.
example_value:
- password: ${PASSWORD}
  principal: ${LOGIN_EMAIL}
- principal: [email protected]
  remember_password_from_policy: true
- krb5conf:
  - '[libdefaults]'
  - '  default_tgs_enctypes = aes256-cts-hmac-sha1-96'
  - '  default_tkt_enctypes = aes256-cts-hmac-sha1-96'
  - '  permitted_enctypes = aes256-cts-hmac-sha1-96'
  - '  default_realm = REALM.COM'
  - ''
  - '[realms]'
  - '  REALM.COM = {'
  - '    kdc = us-west.realm.com'
  - '    master_kdc = us-west.realm.com'
  - '    kpasswd_server = us-west.realm.com'
  - '  }'
  password: p4zzw0rd!
  principal: [email protected]
features:
  dynamic_refresh: true
  per_profile: false
owners:
- [email protected]
- file://chrome/browser/ash/kerberos/OWNERS
schema:
  items:
    properties:
      krb5conf:
        description: Kerberos configuration (one line per array item), see
          https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.
        items:
          type: string
        type: array
      password:
        description: Kerberos password. The placeholder
          <ph name="PASSWORD_PLACEHOLDER">${PASSWORD}</ph> is replaced by the
          login password.
        sensitiveValue: true
        type: string
      principal:
        description: User principal 'user@realm'. The placeholder
          <ph name="LOGIN_ID_PLACEHOLDER">${LOGIN_ID}</ph> is replaced by the
          username 'user'. The placeholder
          <ph name="LOGIN_EMAIL_PLACEHOLDER">${LOGIN_EMAIL}</ph> is replaced by
          the full principal 'user@realm'.
        pattern: ^(?:[^@]+@[^@]+)|(?:\${LOGIN_ID})|(?:\${LOGIN_EMAIL})$
        type: string
      remember_password_from_policy:
        description: Whether to remember the Kerberos password value set in this
          policy item. If not set or set to true, the password is remembered. If
          set to false, the password is not remembered. Ignored if the password
          field is not specified for this account. This field is supported since
          ChromeOS version 116.
        type: boolean
      # Note that the `remember_password` field has been deprecated in favor of
      # the `remember_password_from_policy` field, which defaults to a different
      # value.
    required:
    - principal
    type: object
  type: array
supported_on:
- chrome_os:87-
tags:
- website-sharing
type: dict