specifying an alternate realm/krb5.conf configuration for kdc5.conf

Ben H bhendin at gmail.com
Fri Apr 24 18:13:00 EDT 2015


Not exactly, though the answer to that use case might be the same.

My use case is that my system was (is) a client of REALMA.COM.
Now, I want to run a KDC on this same system to serve out REALMB.COM

So, I can't change my /etc/krb5.conf file or else I would lose access to
REALMA.COM

I configure my kdc.conf file for REALMB, but when I start up krb5kdc I get:

Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm REALMA.COM - see
log file for details

I can get it working by doing two things:
1) modify my krb5.conf file for REALMB instead - if I do this, then my
client functionality to REALMA breaks
2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc

#2 is working for me, and is maybe the correct answer to this question.
I was just surprised that the krb5kdc service would look to read data from
krb5.conf instead of kdc.conf and, if it needs to do so, I would expect
there is a better way to tell it to use an alternate file.

I realize this isn't a common use scenario.



On Fri, Apr 24, 2015 at 4:07 PM, Todd Grayson <tgrayson at cloudera.com> wrote:

> Are you trying to run multiple realms (and db's) on the same KDC?
>
> On Fri, Apr 24, 2015 at 2:59 PM, Ben H <bhendin at gmail.com> wrote:
>
>> Sorry, I did mean kdc.conf - and on my implementation it is
>> in /var/kerberos/krb5kdc.
>>
>> I do understand:
>> kdc.conf = server config
>> krb5.conf = client config
>>
>> But apparently when krb5kdc starts it also queries some data from
>> /etc/krb5.conf (the default realm at least).
>>
>> I want it to look to a location other than /etc/krb5.conf for realm
>> information (or anything else it might need from that file).
>>
>> thanks!
>>
>>
>> On Fri, Apr 24, 2015 at 2:55 PM, Brandon Allbery <ballbery at sinenomine.net> wrote:
>>
>> > On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
>> > > Some searching I did indicated the possible existence of a "profile"
>> > > directive in kdc5.conf to point to a different krb5.conf, but that
>> > > didn't seem to work.
>> >
>> > It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
>> > private directory (/var/krb5kdc is common).
>> >
>> > --
>> > brandon s allbery kf8nh                           sine nomine associates
>> > allbery.b at gmail.com                        ballbery at sinenomine.net
>> > unix openafs kerberos infrastructure xmonad        http://sinenomine.net
>> >
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>
>
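
The mismatch described in this message (krb5kdc taking REALMA.COM from krb5.conf while kdc.conf only defines REALMB.COM) can be checked before starting the daemon. The following is an added example, not part of the original thread; the function names are hypothetical and the two sample files are constructed to mirror the setup above.

```shell
# Added example. Sample files are constructed to mirror the thread's setup;
# the function names are hypothetical helpers, not part of MIT krb5.

# default_realm FILE: print default_realm from [libdefaults] in a krb5.conf.
default_realm() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/   { lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         lib && /^[ \t]*default_realm[ \t]*[=]/ {
             sub(/^[^=]*[=][ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
         }' "$1"
}

# kdc_realms FILE: print each realm that has a top-level block under [realms].
kdc_realms() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/   { rl = ($0 ~ /^[ \t]*\[realms\]/); depth = 0; next }
         rl && depth == 0 && /[=][ \t]*[{]/ {
             name = $0; sub(/[ \t]*[=].*/, "", name); sub(/^[ \t]+/, "", name); print name
         }
         rl { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }' "$1"
}

# kdc_realm_check KRB5_CONF KDC_CONF: report whether the realm krb5kdc takes
# from krb5.conf is one that kdc.conf actually defines.
kdc_realm_check() {
    want=$(default_realm "$1")
    realms=$(kdc_realms "$2" | tr '\n' ' ')
    for r in $realms; do
        if [ "$r" = "$want" ]; then echo "ok: $want"; return 0; fi
    done
    echo "mismatch: default_realm=$want kdc.conf realms=${realms% }"
    return 1
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = REALMA.COM
EOF
cat > "$demo/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 REALMB.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }
EOF
kdc_realm_check "$demo/krb5.conf" "$demo/kdc.conf" || true
```

A mismatch result means the KDC needs its realm supplied some other way, such as the KRB5REALM setting in /etc/sysconfig/krb5kdc described in the message.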

