[appdefaults]

Each tag in the [appdefaults] section names a Kerberos V5 application or an option that is used by some Kerberos V5 application[s]. The value of the tag defines the default behaviors for that application.

For example:

     [appdefaults]
         telnet = {
             ATHENA.MIT.EDU = {
                  option1 = false
             }
         }
         telnet = {
             option1 = true
             option2 = true
         }
         ATHENA.MIT.EDU = {
             option2 = false
         }
         option2 = true
     

The above four ways of specifying the value of an option are shown in order of decreasing precedence. In this example, if telnet is running in the realm EXAMPLE.COM, it should, by default, have option1 and option2 set to true. However, a telnet program in the realm ATHENA.MIT.EDU should have option1 set to false and option2 set to true. Any other programs in ATHENA.MIT.EDU should have option2 set to false by default. Any programs running in other realms should have option2 set to true.

The list of specifiable options for each application may be found in that application's man pages. The application defaults specified here are overridden by those specified in the [realms] section.

A special application name (afs_krb5) is used by the krb524 service to know whether new format AFS tokens based on Kerberos 5 can be used rather than the older format which used a converted Kerberos 4 ticket. The new format allows for cross-realm authentication without introducing a security hole. It is used by default. Older AFS servers (before OpenAFS 1.2.8) will not support the new format. If servers in your cell do not support the new format, you will need to add an afs_krb5 relation to the appdefaults section. The following config file shows how to disable new format AFS tickets for the afs.example.com cell in the EXAMPLE.COM realm.

     [appdefaults]
         afs_krb5 = {
             EXAMPLE.COM = {
                 afs/afs.example.com = false
             }
         }