[36928] in Kerberos
Re: specifying an alternate realm/krb5.conf configuration for
daemon@ATHENA.MIT.EDU (Ben H)
Fri Apr 24 18:13:32 2015
In-Reply-To: <CALNT6MUDJ8o_9ANo8GzP1SZNc3Jb5a2yYjwmkUFW9MC9AZiL+A@mail.gmail.com>
Date: Fri, 24 Apr 2015 17:13:00 -0500
Message-ID: <CAAd7auZArgt5ks8cnar91oWrmqPCDY-ON4P6GhvLvxJviswRdQ@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: Todd Grayson <tgrayson@cloudera.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

Not exactly, though the answer to that use case might be the same.

My use case is that my system was (is) a client of REALMA.COM.
Now, I want to run a KDC on this same system to serve out REALMB.COM.

So, I can't change my /etc/krb5.conf file or else I would lose access to
REALMA.COM.

I configure my kdc.conf file for REALMB, but when I start up krb5kdc I get:

    Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm REALMA.COM - see
    log file for details

I can get it working by doing two things:

1) modify my krb5.conf file for REALMB instead - if I do this, then my
client functionality to REALMA breaks
2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc

#2 is working for me, and is maybe the correct answer to this question.

I was just surprised that the krb5kdc service would look to read data from
krb5.conf instead of kdc.conf and, if it needs to do so, I would expect
there is a better way to tell it to use an alternate file.

I realize this isn't a common use scenario.

On Fri, Apr 24, 2015 at 4:07 PM, Todd Grayson <tgrayson@cloudera.com> wrote:
> Are you trying to run multiple realms (and db's) on the same KDC?
>
> On Fri, Apr 24, 2015 at 2:59 PM, Ben H <bhendin@gmail.com> wrote:
>
>> Sorry, I did mean kdc.conf - and on my implementation it is
>> in /var/kerberos/krb5kdc.
>>
>> I do understand:
>> kdc.conf = server config
>> krb5.conf = client config
>>
>> But apparently when krb5kdc starts it also queries some data from
>> /etc/krb5.conf (the default realm at least).
>>
>> I want it to look to a location other than /etc/krb5.conf for realm
>> information (or anything else it might need from that file).
>>
>> thanks!
>>
>>
>> On Fri, Apr 24, 2015 at 2:55 PM, Brandon Allbery <ballbery@sinenomine.net> wrote:
>>
>> > On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
>> > > Some searching I did indicated the possible existence of a "profile"
>> > > directive in kdc5.conf to point to a different krb5.conf, but that
>> > > didn't seem to work.
>> >
>> > It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
>> > private directory (/var/krb5kdc is common).
>> >
>> > --
>> > brandon s allbery kf8nh sine nomine associates
>> > allbery.b@gmail.com ballbery@sinenomine.net
>> > unix openafs kerberos infrastructure xmonad http://sinenomine.net
>> >
>> > ________________________________________________
>> > Kerberos mailing list Kerberos@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>
>
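
A preflight check for the mismatch described in the message above, as an added example that is not part of the original thread: it reports which realm the KDC would pick up from krb5.conf (or from an override such as the KRB5REALM setting mentioned) and whether kdc.conf has a [realms] block for it. The helper names and sample files are constructed; treating a missing [realms] entry as a mismatch is an assumption used here as a heuristic.

```shell
#!/bin/sh
# Added example: helper names and sample files are constructed for illustration.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm() {
  awk '
    /^[ \t]*\[/ { sect = $0; gsub(/[^a-z_]/, "", sect); next }
    sect == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Print the realm names that have a "NAME = {" block under [realms].
kdc_realms() {
  awk '
    /^[ \t]*\[/ { sect = $0; gsub(/[^a-z_]/, "", sect); next }
    sect == "realms" && /=[ \t]*[{]/ {
      sub(/[ \t]*=.*/, ""); sub(/^[ \t]*/, ""); print
    }' "$1"
}

# usage: kdc_realm_check KRB5_CONF KDC_CONF [REALM_OVERRIDE]
kdc_realm_check() {
  realm=${3:-$(default_realm "$1")}
  if kdc_realms "$2" | grep -qxF -- "$realm"; then
    echo "ok: $realm"
  else
    echo "mismatch: $realm"; return 1
  fi
}

# Constructed sample files mirroring the setup in the message.
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = REALMA.COM
EOF
cat > "$demo/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[realms]
    REALMB.COM = {
        database_name = /var/kerberos/krb5kdc/principal
    }
EOF
kdc_realm_check "$demo/krb5.conf" "$demo/kdc.conf" || true
kdc_realm_check "$demo/krb5.conf" "$demo/kdc.conf" REALMB.COM
```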