logging stanza in krb5.conf?

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Apr 17 07:15:37 EDT 2025


>All,
>
>Maybe this is a docbug, but we had the following stanza in our krb5.conf,
>on our KDCs running MIT krb5 1.21.3 (FreeBSD pkg).
>
>[logging]
>        kdc = FILE:/var/log/krb5kdc
>        admin_server = FILE:/var/log/kadmin
>        default = FILE:/var/log/krb5
>
>And I recently discovered that the krb5kdc process wasn't reading/honoring
>those files, unless the statements were in kdc.conf.

I use different logging stanzas, but I do NOT put those in kdc.conf and things
work just fine (and I am running 1.21.3).  Well, technically, they aren't
in krb5.conf either; they are in a file in /etc/krb5.conf.d but that's
because on RHEL systems the first line of the vendor krb5.conf file is:

includedir /etc/krb5.conf.d

But RHEL systems also include a [logging] stanza in /etc/krb5.conf.d
that has a KDC line, so they think it's supposed to work as well.

My reading of the code is that both krb5.conf and kdc.conf are merged
internally at startup and the documentation agrees with me.  From:

https://web.mit.edu/kerberos/krb5-1.21/doc/admin/conf_files/kdc_conf.html

  Relations documented here may also be specified in krb5.conf; for the
  KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
  single configuration profile.

So it's supposed to work in krb5.conf, and it does work for me.  I do not
know why it doesn't work for you.

--Ken
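
Added example, not part of the message above and not MIT krb5 code: a Python script that follows `include` and `includedir` directives from krb5.conf and kdc.conf and lists every [logging] relation with the file that supplies it, which helps when checking where a KDC's logging lines actually live. The file contents, the EXAMPLE.COM realm and the temporary directory layout are constructed for the demonstration, and the script does not model which value takes effect after the merge.

```python
import os, re, tempfile

# includedir only reads names made of alphanumerics, dashes or underscores,
# or (krb5 1.15+) names ending in ".conf" that do not begin with ".".
NAME_OK = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")

def logging_relations(path, found):
    """Append (file, key, value) for each [logging] relation reachable from path."""
    section = None  # included files are parsed independently of their parent
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            words = line.split(None, 1)
            if not line or line[0] in "#;":
                continue
            if words[0] == "includedir" and len(words) == 2:
                for name in sorted(os.listdir(words[1])):
                    child = os.path.join(words[1], name)
                    if NAME_OK.match(name) and os.path.isfile(child):
                        logging_relations(child, found)
            elif words[0] == "include" and len(words) == 2:
                logging_relations(words[1], found)
            elif line.startswith("["):
                section = line.strip("[]").strip()
            elif section == "logging" and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                found.append((path, key, value))
    return found

def demo():
    """Constructed layout: krb5.conf with an includedir, plus a kdc.conf."""
    root = tempfile.mkdtemp()
    confd = os.path.join(root, "krb5.conf.d")
    os.mkdir(confd)
    files = {
        "krb5.conf": f"includedir {confd}\n[libdefaults]\n default_realm = EXAMPLE.COM\n",
        "kdc.conf": "[kdcdefaults]\n kdc_ports = 88\n",
        "krb5.conf.d/logging.conf": "[logging]\n kdc = FILE:/var/log/krb5kdc\n",
        "krb5.conf.d/logging.conf.rpmsave": "[logging]\n kdc = SYSLOG\n",  # name is skipped
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    found = []
    for top in ("krb5.conf", "kdc.conf"):  # the two files the KDC merges
        logging_relations(os.path.join(root, top), found)
    return [(os.path.relpath(f, root), k, v) for f, k, v in found]

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

On a real host, call `logging_relations()` with the paths the KDC actually reads; a [logging] file that never shows up in the output is one the include rules skipped.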

