[36585] in Kerberos


Re: Does /etc/krb5.conf have to be present and identical on all

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Oct 29 16:39:17 2014

From: Russ Allbery <eagle@eyrie.org>
To: Rufe Glick <rufe.glick@gmail.com>
In-Reply-To: <1509874084.20141029143952@gmail.com> (Rufe Glick's message of
	"Wed, 29 Oct 2014 14:39:52 -0400")
Date: Wed, 29 Oct 2014 13:39:07 -0700
Message-ID: <8738a6pq50.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Rufe Glick <rufe.glick@gmail.com> writes:

> I'm trying to understand the inner workings of Kerberos here. The
> following question has arisen: Does /etc/krb5.conf have to be present
> and identical on all Kerberos infrastructure participants?

No, not really.

All participants should probably agree on some things, such as the KDCs
for the realm and probably the domain to realm mapping rules.  You
normally want them to agree on other things, such as the default ticket
lifetime to request or whether tickets are normally forwardable, so it's
common to synchronize this file.  But it's not at all required.

In particular, if you have a realm set up with SRV and TXT records in DNS,
it's quite possible to have a zero-configuration Kerberos client that
simply pulls the information it needs from DNS queries.  (Although I think
the Kerberos libraries generally like to have the file exist, even if it's
empty.)

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
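The distinction the reply draws (KDC list and domain-to-realm mapping must agree; ticket lifetime and forwardability only ought to) can be turned into a drift check. The following Python is an added example, not part of the post or of MIT Kerberos; the three krb5.conf fragments are constructed, the "must agree" / "should agree" classification is this example's own reading of the reply, and the DNS names follow the documented MIT krb5 convention of `_kerberos._udp.<REALM>` SRV records and `_kerberos.<domain>` TXT records.

```python
import re

# Constructed sample krb5.conf files for three hosts (not from the original post).
# HOST_A and HOST_B differ only in per-host ticket preferences and KDC ordering.
HOST_A = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""
HOST_B = HOST_A.replace("24h", "10h").replace("forwardable = true", "forwardable = false") \
               .replace("kdc1.example.com\n        kdc = kdc2", "kdc2.example.com\n        kdc = kdc1")
# HOST_C points at a KDC the realm does not have: a difference that breaks interoperability.
HOST_C = HOST_A.replace("kdc = kdc2.example.com", "kdc = kdc3.example.com")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [sections], key = value lines and
    one level of key = { ... } groups. Repeated keys (kdc = ...) accumulate
    into a list. Returns {section: {key: [values] | {subkey: [values]}}}."""
    conf, section, group = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, group = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"value outside a section: {raw!r}")
        if line == "}":
            group = None
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if value == "{":
            group = section.setdefault(key, {})
            continue
        (group if group is not None else section).setdefault(key, []).append(value)
    return conf


# Settings every participant must agree on: the KDCs for the realm and the
# domain-to-realm mapping (the reply's two "should agree" items).
MUST_AGREE = [("realms",), ("domain_realm",)]
# Settings that are merely nice to keep in sync across hosts.
SHOULD_AGREE = [("libdefaults", "default_realm"),
                ("libdefaults", "ticket_lifetime"),
                ("libdefaults", "forwardable")]


def _normalize(node):
    # Order of repeated keys such as kdc = ... is not significant for agreement.
    if isinstance(node, dict):
        return {k: _normalize(v) for k, v in node.items()}
    return sorted(node)


def _lookup(conf, path):
    node = conf
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return _normalize(node)


def compare_configs(a, b):
    """Return (blocking, advisory): dotted setting paths on which two parsed
    configs differ, split by whether the difference breaks interoperability."""
    blocking = [".".join(p) for p in MUST_AGREE if _lookup(a, p) != _lookup(b, p)]
    advisory = [".".join(p) for p in SHOULD_AGREE if _lookup(a, p) != _lookup(b, p)]
    return blocking, advisory


def dns_record_names(realm, hostname):
    """Names a zero-configuration client would query under MIT krb5 conventions:
    SRV records under the realm name to find KDCs, and TXT records walking up
    from the host name to discover which realm the host belongs to."""
    srv = [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}"]
    labels = hostname.lower().split(".")
    txt = [f"_kerberos.{'.'.join(labels[i:])}" for i in range(len(labels))]
    return srv, txt


if __name__ == "__main__":
    a, b, c = (parse_krb5_conf(t) for t in (HOST_A, HOST_B, HOST_C))
    print("A vs B:", compare_configs(a, b))   # advisory differences only
    print("A vs C:", compare_configs(a, c))   # blocking: the KDC lists disagree
    print(dns_record_names("EXAMPLE.COM", "ws1.example.com"))
```

Run against real files, the script reports the two kinds of drift separately: a differing `[realms]` or `[domain_realm]` block is a problem to fix, while a differing ticket lifetime is a local policy choice. A host that relies on DNS would simply have no static `[realms]` entry; the record names from `dns_record_names` are what to check in that case.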
