Does /etc/krb5.conf have to be present and identical on all Kerberos infrastructure participants?
Nico Williams
nico at cryptonector.com
Wed Oct 29 18:34:57 EDT 2014
On Wed, Oct 29, 2014 at 3:39 PM, Russ Allbery <eagle at eyrie.org> wrote:
> Rufe Glick <rufe.glick at gmail.com> writes:
>> I'm trying to understand the inner workings of Kerberos here. The
>> following question has arisen: Does /etc/krb5.conf have to be present
>> and indentical on all Kerberos infrastructure participants?
>
> No, not really.
>
> All participants should probably agree on some things, such as the KDCs
> for the realm and probably the domain to realm mapping rules. You
> normally want them to agree on other things, such as the default ticket
> lifetime to request or whether tickets are normally forwardable, so it's
> common to synchronize this file. But it's not at all required.
They can just agree to use DNS for most things.
There are some things that you can't securely discover w/o DNSSEC, of
which the main one is:
- "default_realm" (if you need it, which generally implementations do)
Other things have sane defaults: domain_realm, capaths, ...
> In particular, if you have a realm set up with SRV and TXT records in DNS,
> it's quite possible to have a zero-configuration Kerberos client that
> simply pulls the information it needs from DNS queries. (Although I think
> the Kerberos libraries generally like to have the file exist, even if it's
> empty.)
Yes.
Nico
--
More information about the Kerberos
mailing list