specifying an alternate realm/krb5.conf configuration for kdc5.conf

Todd Grayson tgrayson at cloudera.com
Fri Apr 24 18:33:59 EDT 2015


Interesting, yeah I think you self resolved with what you did with
KRB5REALM.

On Fri, Apr 24, 2015 at 4:13 PM, Ben H <bhendin at gmail.com> wrote:

> Not exactly, though the answer to that use case might be the same.
>
> My use case is that my system was (is) a client of REALMA.COM.
> Now, I want to run a KDC on this same system to serve out REALMB.COM
>
> So, I can't change my /etc/krb5.conf file or else I would lose access to
> REALMA.COM
>
> I configure my kdc.conf file for REALMB, but when I start up krb5kdc I
> get:
>
> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm REALMA.COM -
> see log file for details
>
> I can get it working by doing two things:
> 1) modify my krb5.conf file for REALMB instead - if I do this, then my
> client functionality to REALMA breaks
> 2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc
>
> #2 is working for me, and is maybe the correct answer to this question.
> I was just surprised that the krb5kdc service would look to read data
> from krb5.conf instead of kdc.conf and, if it needs to do so, I would
> expect there is a better way to tell it to use an alternate file.
>
> I realize this isn't a common use scenario.
>
>
>
> On Fri, Apr 24, 2015 at 4:07 PM, Todd Grayson <tgrayson at cloudera.com>
> wrote:
>
>> Are you trying to run multiple realms (and db's) on the same KDC?
>>
>> On Fri, Apr 24, 2015 at 2:59 PM, Ben H <bhendin at gmail.com> wrote:
>>
>>> Sorry, I did mean kdc.conf - and on my implementation it is
>>> in /var/kerberos/krb5kdc.
>>>
>>> I do understand:
>>> kdc.conf = server config
>>> krb5.conf = client config
>>>
>>> But apparently when krb5kdc starts it also queries some data from
>>> /etc/krb5.conf (the default realm at least).
>>>
>>> I want it to look to a location other than /etc/krb5.conf for realm
>>> information (or anything else it might need from that file).
>>>
>>> thanks!
>>>
>>>
>>> On Fri, Apr 24, 2015 at 2:55 PM, Brandon Allbery <ballbery at sinenomine.net> wrote:
>>>
>>> > On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
>>> > > Some searching I did indicated the possible existence of a "profile"
>>> > > directive in kdc5.conf to point to a different krb5.conf, but that
>>> > > didn't seem to work.
>>> >
>>> > It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
>>> > private directory (/var/krb5kdc is common).
>>> >
>>> > --
>>> > brandon s allbery kf8nh                           sine nomine associates
>>> > allbery.b at gmail.com                          ballbery at sinenomine.net
>>> > unix openafs kerberos infrastructure xmonad       http://sinenomine.net
>>> >
>>> > ________________________________________________
>>> > Kerberos mailing list           Kerberos at mit.edu
>>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>> >
>>>
>>
>>
>>
>> --
>> Todd Grayson
>> Customer Operations Engineering
>>
>>
>


-- 
Todd Grayson
Customer Operations Engineering
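
The mismatch described in the quoted message, as an added example that is not part of the thread or of MIT Kerberos: a shell preflight that compares the realm krb5kdc would start with (the KRB5REALM override if set, otherwise default_realm from krb5.conf) against the realms defined in kdc.conf. The function names and sample files are constructed, and it assumes every realm the KDC should serve has a stanza under [realms] in kdc.conf.

```shell
#!/bin/sh
# Added example: preflight check for the realm krb5kdc will try to initialize.
# Assumption: every realm the KDC should serve has a stanza in kdc.conf [realms].

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
         sect == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }' "$1"
}

# Print the realm names that open a stanza in the [realms] section.
kdc_realms() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
         sect == "[realms]" {
             if (depth == 0 && /=[ \t]*[{]/) {
                 name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
                 print name }
             depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}") }' "$1"
}

# Realm the KDC starts with: explicit override (KRB5REALM in the thread), else
# the default realm read from krb5.conf.
served_realm() {    # served_realm KRB5_CONF [OVERRIDE]
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else default_realm "$1"; fi
}

# Exit status 0 when the served realm is defined in kdc.conf, 1 otherwise.
kdc_preflight() {   # kdc_preflight KRB5_CONF KDC_CONF [OVERRIDE]
    realm=$(served_realm "$1" "${3:-}")
    if kdc_realms "$2" | grep -qxF -e "$realm"; then
        echo "ok: KDC will serve $realm"
    else
        echo "mismatch: KDC will try $realm, not defined in $2"; return 1
    fi
}

# Constructed sample files mirroring the thread: client of REALMA, KDC for REALMB.
make_samples() {    # make_samples DIR
    printf '[libdefaults]\n    default_realm = REALMA.COM\n' > "$1/krb5.conf"
    printf '[kdcdefaults]\n kdc_ports = 88\n[realms]\n REALMB.COM = {\n  max_life = 1d\n }\n' > "$1/kdc.conf"
}
```

Against the constructed samples, `kdc_preflight` fails without an override and succeeds when `REALMB.COM` is passed as the third argument, which corresponds to option 2 in the quoted message.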

