[36932] in Kerberos


Re: specifying an alternate realm/krb5.conf configuration for

daemon@ATHENA.MIT.EDU (Ben H)
Fri Apr 24 19:16:31 2015

In-Reply-To: <553AC78A.7080306@mit.edu>
Date: Fri, 24 Apr 2015 18:16:21 -0500
Message-ID: <CAAd7auaAcO5MY97=P_YWt2i8jHJ5snhgYyyam0Ow6Dh2q2LAzg@mail.gmail.com>
From: Ben H <bhendin@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu

So it sounds like you're still saying that the contents of my krb5.conf
file will be read by krb5kdc and there is a good chance that something
specified in my krb5.conf (for my client implementation) may override or
merge with my server config and *possibly* disrupt my KDC?

This is probably unlikely though since the settings normally set in the two
files (apart from default realm) tend to be either a client or server
setting, no?

I'm testing everything on one box right now, and when I want to use my
local KDC I do:

export KRB5_CONFIG=/etc/localmit_krb5.conf

and things seem to work.  To switch back using my external KDC (AD), I
simply unset the variable.

Realizing this is an edge case, does this sound like the best way, or would
there be a more supported way?





On Fri, Apr 24, 2015 at 5:45 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 04/24/2015 03:44 PM, Ben H wrote:
> > From a client perspective, if I want to switch to using a different
> > krb5.conf file, I just use:
> >
> > export KRB5_CONFIG=/etc/alternate-krb5.conf
> >
> > But the server will always try to use /etc/krb5.conf
>
> The expected behavior is:
>
> * Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.
>
> * KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
> $KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
> If both files exist, the contents are merged, with the values from
> krb5.conf usually taking precedence (but we're not 100% consistent about
> that).
>
> krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
> not need to point it at a config file giving a different default_realm
> value.
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
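
Added example, not part of the original thread or of MIT krb5: a small check for the merge behaviour described above, listing the relations that appear in both the file $KRB5_CONFIG points at and the file $KRB5_KDC_PROFILE points at, so they can be reviewed before krb5kdc is started. The realm name, paths and values are constructed; the parser is a simplified one that ignores include/includedir directives, and it does not predict which value wins, since the thread says precedence is not fully consistent.

```python
import re

def parse_profile(text):
    """Flatten krb5 profile text into {"section/subsection/key": [values]}."""
    flat, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # top-level section, e.g. [realms]
            path = [header.group(1)]
        elif line == "}":                    # end of a subsection
            path = path[:-1]
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                 # start of a subsection
                path.append(key)
            else:
                flat.setdefault("/".join(path + [key]), []).append(value)
    return flat

def overlapping_relations(krb5_conf_text, kdc_conf_text):
    """Relations present in both files: {path: (krb5.conf values, kdc.conf values)}."""
    a, b = parse_profile(krb5_conf_text), parse_profile(kdc_conf_text)
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys())}

# Constructed sample contents, standing in for $KRB5_CONFIG and $KRB5_KDC_PROFILE.
KRB5_CONF = """
[realms]
    LOCAL.EXAMPLE.COM = {
        kdc = localhost
        max_life = 1h
    }
[logging]
    kdc = FILE:/tmp/client-test.log
"""
KDC_CONF = """
[realms]
    LOCAL.EXAMPLE.COM = {
        max_life = 10h
        acl_file = /var/krb5kdc/kadm5.acl
    }
[logging]
    kdc = FILE:/var/log/krb5kdc.log
"""
if __name__ == "__main__":
    for path, (client, kdc) in overlapping_relations(KRB5_CONF, KDC_CONF).items():
        print(f"{path}: krb5.conf={client} kdc.conf={kdc}")
```

To run it against real files, pass the contents of the two configuration files to overlapping_relations() in place of the constructed strings.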
