Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?

Nico Williams nico at cryptonector.com
Wed Oct 29 18:34:57 EDT 2014


On Wed, Oct 29, 2014 at 3:39 PM, Russ Allbery <eagle at eyrie.org> wrote:
> Rufe Glick <rufe.glick at gmail.com> writes:
>> I'm trying to understand the inner workings of Kerberos here. The
>> following question has arisen: Does /etc/krb5.conf have to be present
>> and identical on all Kerberos infrastructure participants?
>
> No, not really.
>
> All participants should probably agree on some things, such as the KDCs
> for the realm and probably the domain to realm mapping rules.  You
> normally want them to agree on other things, such as the default ticket
> lifetime to request or whether tickets are normally forwardable, so it's
> common to synchronize this file.  But it's not at all required.

They can just agree to use DNS for most things.

There are some things that you can't securely discover w/o DNSSEC, of
which the main one is:

 - "default_realm" (if you need it, which generally implementations do)

Other things have sane defaults: domain_realm, capaths, ...

> In particular, if you have a realm set up with SRV and TXT records in DNS,
> it's quite possible to have a zero-configuration Kerberos client that
> simply pulls the information it needs from DNS queries.  (Although I think
> the Kerberos libraries generally like to have the file exist, even if it's
> empty.)

Yes.

Nico
--
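As an added illustration, not part of the thread: a small Python model of the two DNS lookups Russ and Nico are referring to, the `dns_lookup_kdc` SRV query and the `dns_lookup_realm` TXT query, run against constructed sample answers. The zone data, the `ad` flag standing in for the resolver's DNSSEC "Authenticated Data" bit, and all function names are this example's assumptions; it shows why a realm mapping (and hence `default_realm`) read from an unsigned TXT answer is not a safe thing to trust.

```python
from collections import namedtuple
import random

Srv = namedtuple("Srv", "priority weight port target")

# Constructed sample answers (hypothetical zone, not a real domain). The bool is
# a stand-in for the resolver's AD bit: True only if the answer was DNSSEC-validated.
SAMPLE_DNS = {
    ("_kerberos._udp.EXAMPLE.COM.", "SRV"): ([
        Srv(0, 100, 88, "kdc1.example.com."),
        Srv(0, 50, 88, "kdc2.example.com."),
        Srv(10, 0, 88, "kdc3.example.com."),   # backup KDC, lower preference
    ], False),
    ("_kerberos.example.com.", "TXT"): (["EXAMPLE.COM"], False),
}

def lookup(name, rtype, dns=SAMPLE_DNS):
    """Return (records, ad_bit); an empty list models NXDOMAIN/NODATA."""
    return dns.get((name, rtype), ([], False))

def kdcs_for_realm(realm, proto="udp", dns=SAMPLE_DNS, seed=None):
    """dns_lookup_kdc: read _kerberos._<proto>.<REALM> SRV and order the
    targets as RFC 2782 requires: ascending priority, ties broken by a
    weighted random draw so load spreads across equal-priority KDCs."""
    rng = random.Random(seed)
    records, _ = lookup(f"_kerberos._{proto}.{realm}.", "SRV", dns)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            weights = [r.weight for r in bucket]
            pick = rng.choices(bucket, weights if any(weights) else None)[0]
            ordered.append((pick.target, pick.port))
            bucket.remove(pick)
    return ordered

def realm_for_host(hostname, dns=SAMPLE_DNS, require_dnssec=True):
    """dns_lookup_realm: query _kerberos.<host> TXT, then walk up the parent
    labels. The answer decides which realm (which KDCs) the client will trust
    for this host, so without DNSSEC it is data anyone on the path can shape."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:]) + "."
        txts, ad = lookup(name, "TXT", dns)
        if txts:
            if require_dnssec and not ad:
                raise ValueError(f"{name} TXT not DNSSEC-validated; set the realm in krb5.conf")
            return txts[0]
    return None
```

The SRV half works without DNSSEC because the KDC later proves itself through the Kerberos exchange, whereas the TXT half picks which realm's KDCs get to do that proving, which is the asymmetry Nico points out.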