The warn.conf file contains configuration information specifying how users will be warned by the ktkt_warnd daemon about ticket expiration on a Kerberos client. Credential expiration warnings are sent, by means of syslog, to auth.notice. All other warning messages are sent to daemon.notice.
Each Kerberos client host must have a warn.conf file in order for users on that host to get Kerberos warnings from the client. Entries in the warn.conf file must have the following format:
principal syslog | terminal | mail time [email_address]
Specifies the principal name to be warned. The asterisk (*) wildcard can be used to specify groups of principals.
Sends the warnings to the system's syslog. Depending on the /etc/syslog.conf file, syslog entries are written to the /var/adm/messages file and/or displayed on the terminal.
Sends the warnings to display on the terminal.
Sends the warnings as email to the address specified by email_address.
Specifies how much time before the TGT expires when a warning should be sent. The default time value is seconds, but you can specify h (hours) and m (minutes) after the number to specify other time values.
Specifies the email address at which to send the warnings. This field must be specified only with the mail field.
The following warn.conf entry
* syslog 5m
specifies that warnings will be sent to the syslog five minutes before the expiration of the TGT for all principals. The form of the message is:
jdb@ACME.COM: your kerberos credentials expire in 5 minutes