[Freeipa-users] What is the use of /etc/krb5.conf?
Martin Babinsky
mbabinsk at redhat.com
Tue Nov 8 16:56:06 UTC 2016
On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which kerberos server the clients talk
> to.
>
> As a test, I removed /etc/krb5.conf and rebooted the client. After
> reboot, I can still log in and "kinit user" .
> Removing /etc/krb5.keytab, however would stop user from logging in and
> sssd to start.
>
>
>
/etc/krb5.conf configures Kerberos client library: it instructs the
client about which realm it should use, whether to use dns discovery or
use static list of KDC and mapping between DNS domains and realms.
Read `man krb5.conf' for more info.
sssd stores plenty of information about Kerberos realm in its own
configuration (realm, DNS discovery etc.) so it can authenticate the
user even without valid krb5.conf (as you observed).
However, to pull in user info from authoritative source (IPA LDAP), sssd
authenticates against IPA as the host principal using /etc/krb5.keytab,
that's why it stopped working and refused to start after you removed it.
--
Martin^3 Babinsky
More information about the Freeipa-users
mailing list