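#
# http://dovecot.org/list/dovecot/2005-April/006874.html
#
# Kerberos 5 client configuration (krb5.conf format) for one realm,
# AD.DOMAIN.TLD, served by the KDC dc.ad.domain.tld.
# Comments must sit on their own lines: text after a value is read as part
# of the value, and a file collapsed onto one line that starts with '#' is
# parsed as a single comment.

[libdefaults]
    # Largest clock difference, in seconds, tolerated between this host and
    # the KDC. Keep hosts time-synchronised instead of widening it; a larger
    # window also lengthens the time a captured authenticator stays acceptable.
    clockskew = 300
    # Alternative realm name, not in effect.
#   default_realm = DOMAIN
    default_realm = AD.DOMAIN.TLD
    # The commented-out lines below (and the two *_enctypes lines further
    # down) would pin tickets to single-DES types. Single DES is
    # cryptographically broken; leave them disabled so the library negotiates
    # its stronger default encryption types with the KDC.
#   default_etypes = des-cbc-crc
#   default_etypes_des = des-cbc-crc
    # Not in effect, so the library defaults apply. Setting both to false
    # makes this file, rather than DNS, the only source of realm and KDC
    # locations.
#   dns_lookup_realm = false
#   dns_lookup_kdc = false
#   default_tkt_enctypes = des-cbc-md5
#   default_tgs_enctypes = des-cbc-md5

[realms]
    AD.DOMAIN.TLD = {
        # The tcp/ prefix looks like Heimdal-style syntax that forces TCP to
        # the KDC; confirm the installed Kerberos library accepts it.
        kdc = tcp/dc.ad.domain.tld:88
        default_domain = DOMAIN
        kpasswd_server = dc.ad.domain.tld
#       admin_server = kerberos.example.com:749
    }

[domain_realm]
    # Maps DNS domains (left, conventionally lower case) to Kerberos realms
    # (right). The realm must be one defined under [realms].
    # NOTE(review): this entry previously pointed at DOMAIN, which has no
    # [realms] entry and is not the default_realm.
    .ad.domain.tld = AD.DOMAIN.TLD
#   ad.domain.tld = AD.DOMAIN.TLD

[logging]
    # Syslog (NOTICE, DAEMON facility) by default; the KDC and admin daemons
    # log to files.
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/krb5kdc.log
    kadmind = FILE:/var/log/kadmind.log
    admin_server = FILE:/var/log/kadmind.log

[appdefaults]
    # Settings read by the Kerberos PAM module.
    pam = {
        ticket_lifetime = 1d
#       renew_lifetime = 1d
        # NOTE(review): 86500 s is one day plus 100 s; confirm this is
        # intended rather than 86400.
        renew_lifetime = 86500
        # Forwardable tickets can be handed on to other hosts the user logs
        # in to; set to false where delegation is not needed.
        forwardable = true
        proxiable = false
        retain_after_close = false
        # With 0 no account is exempt, root and system accounts included.
        # Raise it to the first regular-user UID if local system accounts
        # must never be authenticated against the KDC.
        minimum_uid = 0
        debug = false
    }

#You can test Kerberos authentication with the command "kinit username@YOUR.AD.DOMAIN"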