specifying an alternate realm/krb5.conf configuration for kdc5.conf

Todd Grayson tgrayson at cloudera.com
Fri Apr 24 19:30:18 EDT 2015


I'm trying to follow the client need for default_realm vs. having additional
Kerberos REALM entries present in the [realms] section of your krb5.conf.
If there were no default_realm defined, what would the client do?
(See default_realm at
web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html .)

Are the clients keying off of default_realm because they are Java based? Or
is there some form of forced short principal name configuration that is
causing this? If Java, provide the krb5.conf you want Java clients to use
in the [JAVA_HOME]/jre/lib/security path.  The JGSS checks there first.


On Fri, Apr 24, 2015 at 5:16 PM, Ben H <bhendin at gmail.com> wrote:

> So it sounds like you're still saying that the contents of my krb5.conf
> file will be read by krb5kdc and there is a good chance that something
> specified in my krb5.conf (for my client implementation) may override or
> merge with my server config and *possibly* disrupt my KDC?
>
> This is probably unlikely though, since the settings normally set in the two
> files (apart from default realm) tend to be either client or server
> settings, no?
>
> I'm testing everything on one box right now, and when I want to use my
> local KDC I do:
>
> export KRB5_CONFIG=/etc/localmit_krb5.conf
>
> and things seem to work.  To switch back to using my external KDC (AD), I
> simply unset the variable.
>
> Realizing this is an edge case, does this sound the best way, or would
> there be a more supported way?
>
>
> On Fri, Apr 24, 2015 at 5:45 PM, Greg Hudson <ghudson at mit.edu> wrote:
>
> > On 04/24/2015 03:44 PM, Ben H wrote:
> > > From a client perspective, if I want to switch to using a different
> > > krb5.conf file, I just use:
> > >
> > > export KRB5_CONFIG=/etc/alternate-krb5.conf
> > >
> > > But the server will always try to use /etc/krb5.conf
> >
> > The expected behavior is:
> >
> > * Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.
> >
> > * KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
> > $KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
> > If both files exist, the contents are merged, with the values from
> > krb5.conf usually taking precedence (but we're not 100% consistent about
> > that).
> >
> > krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
> > not need to point it at a config file giving a different default_realm
> > value.
> >
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering
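The profile-selection rules Greg describes (every process reads $KRB5_CONFIG, falling back to /etc/krb5.conf; KDC-side tools additionally read $KRB5_KDC_PROFILE) and Ben's switch-by-environment-variable workflow, as an added shell example that is not part of the thread and not code from the MIT krb5 project. It emulates the path lookup and reads default_realm out of whichever client profile is in effect, using two constructed krb5.conf files in a scratch directory. Assumptions: the fallback KDC profile path /var/krb5kdc/kdc.conf (the thread only says "something like" this; distributions differ), the realm and host names in the constructed files, and that the [libdefaults] default_realm line is the only setting of interest.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Emulates how libkrb5 and
# the KDC-side tools choose their profile files, then shows switching a client
# between two constructed krb5.conf files purely via $KRB5_CONFIG.
# ASSUMPTION: /var/krb5kdc/kdc.conf as the KDC profile fallback; the thread
# says only "something like" this and packagers vary (e.g. /etc/krb5kdc/kdc.conf).

# Profile every krb5 process reads: $KRB5_CONFIG if set, else /etc/krb5.conf.
client_profile() {
    printf '%s\n' "${KRB5_CONFIG:-/etc/krb5.conf}"
}

# Extra profile that krb5kdc, kadmind, kdb5_util etc. merge in on top of it.
kdc_profile() {
    printf '%s\n' "${KRB5_KDC_PROFILE:-/var/krb5kdc/kdc.conf}"
}

# Print the default_realm from the [libdefaults] section of one profile file.
# Only the [libdefaults] section is consulted; a default_realm line in any
# other section (or inside a realm stanza) is ignored, matching the krb5 layout.
default_realm_of() {
    awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\][[:space:]]*$/); next }
        in_lib && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# Realm a client started in the current environment would default to.
# Fails (like kinit would, with a different message) if the profile is absent.
effective_default_realm() {
    f=$(client_profile)
    [ -r "$f" ] || { echo "no readable krb5 profile at $f" >&2; return 1; }
    default_realm_of "$f"
}

# Write two constructed profiles (AD and a local MIT KDC) and walk through
# the switch Ben describes: export KRB5_CONFIG for the local KDC, unset it
# to go back to the default profile.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ad_krb5.conf" <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
EOF
    cat > "$dir/localmit_krb5.conf" <<'EOF'
[libdefaults]
    default_realm = LOCALMIT.EXAMPLE.COM
[realms]
    LOCALMIT.EXAMPLE.COM = {
        kdc = localhost
        admin_server = localhost
    }
EOF
    printf 'KRB5_CONFIG=%s -> %s\n' "$dir/ad_krb5.conf" \
        "$(KRB5_CONFIG=$dir/ad_krb5.conf; effective_default_realm)"
    printf 'KRB5_CONFIG=%s -> %s\n' "$dir/localmit_krb5.conf" \
        "$(KRB5_CONFIG=$dir/localmit_krb5.conf; effective_default_realm)"
    printf 'KRB5_CONFIG unset -> profile %s\n' "$(unset KRB5_CONFIG; client_profile)"
    printf 'KDC profile in effect -> %s\n' "$(kdc_profile)"
    rm -rf "$dir"
}

demo
```

On the KDC side the same idea applies with the second variable: `KRB5_KDC_PROFILE=/etc/localmit_kdc.conf krb5kdc -r LOCALMIT.EXAMPLE.COM` tells krb5kdc which kdc.conf to merge with $KRB5_CONFIG and which realm to serve, so the client profile's default_realm never has to be the one the KDC serves. Because the two files are merged, keep settings the KDC must not see (for example a client-only default_realm that the local KDC does not host) out of the profile that krb5kdc's environment points at.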

