Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?

Booker Bense bbense at gmail.com
Wed Nov 5 14:47:03 EST 2014


I realize this will probably just muddy the waters, but they are waters you have to muddy at some point to effectively use Kerberos.

One of the key things to realize about Kerberos is that the fundamental unit of "membership" in a realm is the process, not the machine or user. A process is in the realm. Machines and users just happen to be different roles the process can take.

You can set the krb5.conf of any process to any file you like. Every process on your machine can be in a different realm. It's not simple or easy, but it is possible. The contents of krb5.conf are defaults for the krb5_context of the process [1]. There are other ways to set those defaults (DNS SRV records are one). However, all the processes in the same realm ultimately have to share the same values that define a realm in the krb5_context of that process, and any processes that share those defining values are in the same realm regardless of where the process is actually running.

- Booker C. Bense

[1] A process can have more than one krb5_context, but let's not get too crazy.
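The point the post makes, that realm membership is a per-process matter decided by whatever configuration that process's krb5_context is loaded with, can be seen by walking through how a process picks its krb5.conf. The script below is an added example, not code from the post or from MIT Kerberos: it reads the `KRB5_CONFIG` environment variable (a colon-separated list of files that overrides `/etc/krb5.conf`, which is how libkrb5 behaves), parses a small subset of the krb5.conf grammar (`[libdefaults]` `default_realm` and `[realms]` blocks with `kdc` lines), and shows two "processes" on the same host landing in different realms. The two sample configs, the realm names and KDC hostnames are constructed, and the "first file wins per key" merge rule is a simplification of the real library's behaviour.

```python
"""Added example (not from the mailing-list post or from MIT Kerberos):
how a process resolves which krb5.conf it uses and what in that file
defines the realm the post talks about.  Assumes libkrb5's KRB5_CONFIG
variable (colon-separated path list, default /etc/krb5.conf) and the
[libdefaults]/[realms] keys; the parser covers only a subset of the grammar
and the per-key "earlier file wins" merge is a simplification."""
import os
import re
import tempfile

DEFAULT_KRB5_CONF = "/etc/krb5.conf"  # libkrb5's built-in default path


def krb5_config_paths(env):
    """Return the config files a process with this environment would consult,
    in order.  KRB5_CONFIG replaces /etc/krb5.conf and may list several files."""
    value = env.get("KRB5_CONFIG")
    if not value:
        return [DEFAULT_KRB5_CONF]
    return [p for p in value.split(":") if p]


def parse_krb5_conf(text):
    """Parse a subset of krb5.conf: [section] headers, key = value lines, and
    one level of NAME = { ... } blocks (as used under [realms]).
    Every key maps to a list of values because keys like kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue  # values before any section header are ignored
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def realm_identity(env):
    """What this process would believe its realm is: default_realm from the
    first file that sets it, plus the KDCs listed for that realm.
    Missing files are skipped; earlier files win for keys set in several."""
    merged = {}
    for path in krb5_config_paths(env):
        if not os.path.exists(path):
            continue
        with open(path) as f:
            conf = parse_krb5_conf(f.read())
        for sec, entries in conf.items():
            dest = merged.setdefault(sec, {})
            for key, val in entries.items():
                dest.setdefault(key, val)  # keep the earlier file's value
    realm = merged.get("libdefaults", {}).get("default_realm", [None])[0]
    kdcs = merged.get("realms", {}).get(realm, {}).get("kdc", []) if realm else []
    return realm, tuple(kdcs)


# Constructed sample configs (hypothetical realms and hosts).
CONF_A = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
"""
CONF_B = """\
[libdefaults]
    default_realm = LAB.EXAMPLE.NET
[realms]
    LAB.EXAMPLE.NET = {
        kdc = kdc.lab.example.net
    }
"""


def demo():
    """Two processes on one host, each pointed at its own file through
    KRB5_CONFIG, end up in different realms; a third lists both files and
    takes the realm from the first one."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.conf"), os.path.join(d, "b.conf")
        with open(a, "w") as f:
            f.write(CONF_A)
        with open(b, "w") as f:
            f.write(CONF_B)
        proc1 = realm_identity({"KRB5_CONFIG": a})
        proc2 = realm_identity({"KRB5_CONFIG": b})
        proc3 = realm_identity({"KRB5_CONFIG": b + ":" + a})
        return proc1, proc2, proc3


if __name__ == "__main__":
    for identity in demo():
        print(identity)
```

The merge step is the part that matters operationally: two processes agree on realm membership only when the realm-defining values in their resolved configuration (default realm, KDCs, and the rest of the realm stanza) actually match, which is exactly why a stray `KRB5_CONFIG` in a service's environment can put that one process in a different realm from everything else on the host.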
