Do we really want to tell people to set up krb5.conf that way?

Andrew Bartlett abartlet at samba.org
Mon May 14 21:31:05 MDT 2012


On Mon, 2012-05-14 at 12:38 -0700, Richard Sharpe wrote:
> Hi folks,
> 
> I notice that at this web site:
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory we say
> something like:
> 
> Setup /etc/krb5.conf like this:
> -------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = WINDOWS.JARA23.CO.UK
> dns_lookup_realm = false
> dns_lookup_kdc = false

> My problem with this is that if the customer adds new parts of the
> forest, or things change, they will have problems troubleshooting.
> 
> Why do we not simply tell them to delete /etc/krb5.conf (because the
> defaults work) or tell them to set dns_lookup_realm = true and
> dns_lookup_kdc = true and only manually set up those realms that are
> not part of their AD forest.
> 
> What am I missing here?

Indeed, this is very poor advice.  Except in exceptional situations, the
smb.conf as trimmed off above is all that should ever be set.

Please trim the wiki example, which seems to have been an organic effort
from our valued contributors, but which isn't the best approach. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


