Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?

Russ Allbery eagle at eyrie.org
Wed Oct 29 16:39:07 EDT 2014


Rufe Glick <rufe.glick at gmail.com> writes:

> I'm trying to understand the inner workings of Kerberos here. The
> following question has arisen: Does /etc/krb5.conf have to be present
> and identical on all Kerberos infrastructure participants?

No, not really.

All participants should probably agree on some things, such as the KDCs
for the realm and probably the domain to realm mapping rules.  You
normally want them to agree on other things, such as the default ticket
lifetime to request or whether tickets are normally forwardable, so it's
common to synchronize this file.  But it's not at all required.

In particular, if you have a realm set up with SRV and TXT records in DNS,
it's quite possible to have a zero-configuration Kerberos client that
simply pulls the information it needs from DNS queries.  (Although I think
the Kerberos libraries generally like to have the file exist, even if it's
empty.)

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
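The zero-configuration case described above, as an added example that is not part of the original post: a small model of how a Kerberos client with an empty krb5.conf derives its realm from `_kerberos.<domain>` TXT records and its KDC list from `_kerberos._udp.<REALM>` SRV records. The zone fragment is constructed for illustration (the `EXAMPLE.COM` realm and the `kdc*.example.com` hosts are assumptions), and the in-memory resolver stands in for real DNS. In MIT krb5 the two halves are switched on separately with `dns_lookup_kdc` (on by default) and `dns_lookup_realm` (off by default, because a TXT-based host-to-realm mapping is unauthenticated and a spoofed answer can steer a host into a realm the attacker controls); within one SRV priority, real clients choose by weighted random selection, which this model replaces with a deterministic higher-weight-first order.

```python
"""Model of DNS-based Kerberos discovery (added example, constructed data).

With dns_lookup_realm = true and dns_lookup_kdc = true in [libdefaults],
a client needs no [realms] or [domain_realm] sections: TXT records map a
hostname to a realm and SRV records enumerate the KDCs for that realm.
"""
import re
from collections import defaultdict

# Constructed zone fragment (assumption: example.com serves realm EXAMPLE.COM).
ZONE = """
_kerberos.example.com.              TXT "EXAMPLE.COM"
_kerberos._udp.EXAMPLE.COM.         SRV 0 50 88  kdc1.example.com.
_kerberos._udp.EXAMPLE.COM.         SRV 0 50 88  kdc2.example.com.
_kerberos._udp.EXAMPLE.COM.         SRV 10 0 88  kdc-backup.example.com.
_kerberos._tcp.EXAMPLE.COM.         SRV 0 100 88 kdc1.example.com.
_kerberos-master._udp.EXAMPLE.COM.  SRV 0 0 88   kdc1.example.com.
_kpasswd._udp.EXAMPLE.COM.          SRV 0 0 464  kdc1.example.com.
"""

RECORD_RE = re.compile(r"^(\S+)\s+(TXT|SRV)\s+(.*)$")


def parse_zone(text):
    """Return {(owner, rtype): [rdata, ...]}; owner names are case-folded."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank or unsupported line
        owner, rtype, rdata = m.groups()
        owner = owner.rstrip(".").lower()
        if rtype == "TXT":
            records[(owner, "TXT")].append(rdata.strip().strip('"'))
        else:
            prio, weight, port, target = rdata.split()
            records[(owner, "SRV")].append(
                (int(prio), int(weight), int(port), target.rstrip("."))
            )
    return records


def lookup_realm(records, hostname):
    """dns_lookup_realm: query _kerberos.<host>, then each parent domain."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        txt = records.get((name, "TXT"))
        if txt:
            return txt[0]  # realm names keep their case from the record
    return None


def lookup_kdcs(records, realm, proto="udp", service="_kerberos"):
    """dns_lookup_kdc: SRV lookup, lowest priority first; within a priority
    higher weight first (deterministic stand-in for weighted random choice)."""
    name = f"{service}._{proto}.{realm}".lower()
    srv = records.get((name, "SRV"), [])
    ordered = sorted(srv, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _prio, _weight, port, target in ordered]


def discover(records, hostname):
    """Everything an otherwise empty krb5.conf would have to state for this host."""
    realm = lookup_realm(records, hostname)
    if realm is None:
        return None
    return {
        "default_realm": realm,
        "kdc": lookup_kdcs(records, realm),
        "master_kdc": lookup_kdcs(records, realm, service="_kerberos-master"),
        "kpasswd_server": lookup_kdcs(records, realm, service="_kpasswd"),
    }


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    print(discover(zone, "ws42.corp.example.com"))
    print(discover(zone, "host.other.org"))  # no TXT mapping: None
```

Running the block prints the derived settings for a host under `corp.example.com` and `None` for a host in an unmapped domain, which is the case where a real client falls back to whatever `[domain_realm]` or `default_realm` the local file provides.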