a suggestion for reducing use of kdc.conf

Nathaniel McCallum npmccallum at redhat.com
Tue May 7 08:47:36 EDT 2013


On Tue, 2013-04-23 at 12:32 -0500, Will Fiveash wrote:
> On Tue, Apr 23, 2013 at 08:46:45AM -0400, Nathaniel McCallum wrote:
> > On Wed, 2013-04-17 at 23:09 -0400, Greg Hudson wrote:
> > > On 04/17/2013 07:53 PM, Will Fiveash wrote:
> > > > Is there any interest in weaning people off of configuring kdc.conf?
> > > 
> > > I don't think so.  In many environments, it makes sense to have the KDC
> > > host's krb5.conf be the regular client config file, and then have the
> > > KDC settings in kdc.conf.
> > 
> > This is even *more* true with the upcoming OTP KDC plugin.
> 
> The MIT docs state that all KDC-specific parameters can be placed in
> either kdc.conf or krb5.conf.  Will this still be true after the OTP KDC
> plugin is integrated?

Yes, but you would have a potential weakness if you placed your RADIUS
secrets in a world-readable file.

Nathaniel
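
The weakness named in the reply above can be checked mechanically. This audit sketch is an added example, not part of the original message and not MIT krb5 code. It assumes that secrets appear as profile relations whose name contains "secret"; the sample file layout is constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: a secret is a "name = value" relation whose name contains
# "secret"; the thread does not give the OTP plugin's real key names.
SECRET_RELATION = re.compile(r"^\s*([\w-]*secret[\w-]*)\s*=\s*(\S.*)$", re.I)


def secret_relations(path):
    """Return (line_number, key) for each secret-looking relation in a file."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if line.lstrip().startswith(("#", ";")):
                continue  # comment line in a krb5 profile file
            match = SECRET_RELATION.match(line)
            if match:
                found.append((number, match.group(1)))
    return found


def audit(paths):
    """Flag files that hold secret relations and are readable by 'other'."""
    findings = []
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IROTH:
            for number, key in secret_relations(path):
                findings.append((path, number, key, oct(mode)))
    return findings


def demo():
    """Constructed sample: identical content in a 0644 and a 0600 file."""
    sample = ("[otp]\n  sample_type = {\n    server = radius.example.com\n"
              "    secret = constructed-value\n  }\n")
    directory = tempfile.mkdtemp()
    files = {}
    for name, mode in (("krb5.conf", 0o644), ("kdc.conf", 0o600)):
        files[name] = os.path.join(directory, name)
        with open(files[name], "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(files[name], mode)
    return files, audit(files.values())


if __name__ == "__main__":
    for finding in demo()[1]:
        print("world-readable secret: %s line %d (%s), mode %s" % finding)
```
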



