Do we really want to tell people to set up krb5.conf that way?

Richard Sharpe realrichardsharpe at gmail.com
Mon May 14 13:38:09 MDT 2012


Hi folks,

I notice that at this web site:
http://wiki.samba.org/index.php/Samba_%26_Active_Directory we say
something like:

Set up /etc/krb5.conf like this:
-------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
WINDOWS.JARA23.CO.UK = {
   kdc = server.windows.jara23.co.uk
   admin_server = server.windows.jara23.co.uk
   default_domain = windows.jara23.co.uk
}

[domain_realm]
.kerberos.server = WINDOWS.JARA23.CO.UK
.windows.jara23.co.uk = WINDOWS.JARA23.CO.UK

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
-----------------------------

My problem with this is that if the customer adds new parts of the
forest, or things change, they will have problems troubleshooting.

Why do we not simply tell them to delete /etc/krb5.conf (because the
defaults work) or tell them to set dns_lookup_realm = true and
dns_lookup_kdc = true and only manually set up those realms that are
not part of their AD forest?

What am I missing here?

-- 
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Du Kang wine. --Cao Cao)
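
As an added illustration of the alternative proposed above (this is example configuration, not text from the message or from the Samba wiki page), a krb5.conf that lets the client discover the AD forest's KDCs from DNS and hand-lists only a realm outside the forest; all realm and host names are placeholders.

```ini
# Added example; not from the post or the wiki. Realm and host names
# are placeholders.
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    # Find KDCs through the _kerberos._tcp SRV records that every AD
    # domain controller registers, so a new DC or a new forest domain
    # needs no client-side edit.
    dns_lookup_kdc = true
    # Realm lookup via _kerberos.<domain> TXT records; AD does not
    # publish these by default, so forest hosts are normally mapped
    # through KDC referrals instead.
    dns_lookup_realm = true
    ticket_lifetime = 24h
    forwardable = true

[realms]
    # Only a realm that is NOT part of the AD forest is listed by hand,
    # because no SRV records describe it.
    LEGACY.EXAMPLE.ORG = {
        kdc = kdc1.legacy.example.org
        admin_server = kdc1.legacy.example.org
    }

[domain_realm]
    # Static host-to-realm mapping is needed only for the non-forest
    # realm; nothing here for ad.example.com.
    .legacy.example.org = LEGACY.EXAMPLE.ORG
    legacy.example.org = LEGACY.EXAMPLE.ORG
```

Before relying on this, confirm the SRV records resolve from the client (for example `dig _kerberos._tcp.ad.example.com SRV`), then `kinit user@AD.EXAMPLE.COM` followed by `klist` shows whether discovery worked without a [realms] entry for the forest.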

