caption: Configure Kerberos accounts
desc: |-
Adds prefilled Kerberos accounts. If the Kerberos credentials match the login credentials, an account can be configured to reuse the login credentials by specifying '<ph name="LOGIN_EMAIL_PLACEHOLDER">${LOGIN_EMAIL}</ph>' and <ph name="PASSWORD_PLACEHOLDER">${PASSWORD}</ph>' for principal and password, respectively, so that the Kerberos ticket can be retrieved automatically, unless two-factor authentication is configured. Users cannot modify accounts added via this policy.
If this policy is enabled, the list of accounts defined by the policy is added to the Kerberos Accounts settings.
If this policy is disabled or not set, no accounts are added to the Kerberos Accounts settings and all accounts previously added with this policy are removed. Users may still add accounts manually if the 'Users can add Kerberos accounts' policy is enabled.
example_value:
- password: ${PASSWORD}
principal: ${LOGIN_EMAIL}
- principal: [email protected]
remember_password_from_policy: true
- krb5conf:
- '[libdefaults]'
- ' default_tgs_enctypes = aes256-cts-hmac-sha1-96'
- ' default_tkt_enctypes = aes256-cts-hmac-sha1-96'
- ' permitted_enctypes = aes256-cts-hmac-sha1-96'
- ' default_realm = REALM.COM'
- ''
- '[realms]'
- ' REALM.COM = {'
- ' kdc = us-west.realm.com'
- ' master_kdc = us-west.realm.com'
- ' kpasswd_server = us-west.realm.com'
- ' }'
password: p4zzw0rd!
principal: [email protected]
features:
dynamic_refresh: true
per_profile: false
owners:
- [email protected]
- file://chrome/browser/ash/kerberos/OWNERS
schema:
items:
properties:
krb5conf:
description: Kerberos configuration (one line per array item), see
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.
items:
type: string
type: array
password:
description: Kerberos password. The placeholder
<ph name="PASSWORD_PLACEHOLDER">${PASSWORD}</ph> is replaced by the
login password.
sensitiveValue: true
type: string
principal:
description: User principal 'user@realm'. The placeholder
<ph name="LOGIN_ID_PLACEHOLDER">${LOGIN_ID}</ph> is replaced by the
username 'user'. The placeholder
<ph name="LOGIN_EMAIL_PLACEHOLDER">${LOGIN_EMAIL}</ph> is replaced by
the full principal 'user@realm'.
pattern: ^(?:[^@]+@[^@]+)|(?:\${LOGIN_ID})|(?:\${LOGIN_EMAIL})$
type: string
remember_password_from_policy:
description: Whether to remember the Kerberos password value set in this
policy item. If not set or set to true, the password is remembered. If
set to false, the password is not remembered. Ignored if the password
field is not specified for this account. This field is supported since
ChromeOS version 116.
type: boolean
# Note that the `remember_password` field has been deprecated in favor of
# the `remember_password_from_policy` field, which defaults to a different
# value.
required:
- principal
type: object
type: array
supported_on:
- chrome_os:87-
tags:
- website-sharing
type: dict