Do we really want to tell people to set up krb5.conf that way?

Richard Sharpe realrichardsharpe at
Mon May 14 13:38:09 MDT 2012

Hi folks,

I notice that at this web site: we say
something like:

Set up /etc/krb5.conf like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WINDOWS.JARA23.CO.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 WINDOWS.JARA23.CO.UK = {
   kdc =
   admin_server =
   default_domain =
 }

[domain_realm]
 .kerberos.server = WINDOWS.JARA23.CO.UK = WINDOWS.JARA23.CO.UK

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

My problem with this is that if the customer adds new parts of the
forest, or things change, they will have problems troubleshooting.

Why do we not simply tell them to delete /etc/krb5.conf (because the
defaults work) or tell them to set dns_lookup_realm = true and
dns_lookup_kdc = true and only manually set up those realms that are
not part of their AD forest?

What am I missing here?

Richard Sharpe
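The point of the post in working code, as an added example that is not part of the thread and not code from Samba or MIT Kerberos: parse a krb5.conf, flag forest realms that are pinned to hard-coded KDCs while the DNS lookup flags are off, and emit the minimal replacement that turns DNS lookup on and lists only realms outside the forest. The sample config is constructed from the snippet quoted above with the section headers a real krb5.conf needs; the KDC host names (dc1.windows.jara23.co.uk, kdc.example.org) and the non-AD realm EXAMPLE.ORG are assumptions, not from the page.

```python
"""Audit a krb5.conf for static realm pinning and emit the DNS-driven minimal
configuration the post argues for.  Added example; not code from the thread
or from Samba/MIT Kerberos."""
import re

# Constructed sample: the quoted snippet plus the section headers krb5.conf
# requires.  KDC host names and the EXAMPLE.ORG realm are assumed; EXAMPLE.ORG
# stands for a non-AD realm that genuinely needs manual configuration.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = WINDOWS.JARA23.CO.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 WINDOWS.JARA23.CO.UK = {
  kdc = dc1.windows.jara23.co.uk
  admin_server = dc1.windows.jara23.co.uk
  default_domain = windows.jara23.co.uk
 }
 EXAMPLE.ORG = {
  kdc = kdc.example.org
 }

[domain_realm]
 .windows.jara23.co.uk = WINDOWS.JARA23.CO.UK
 windows.jara23.co.uk = WINDOWS.JARA23.CO.UK
"""

_TRUE = {"true", "yes", "y", "t", "1", "on"}


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [section] headers, key = value
    lines and key = { ... } blocks.  Scalars are kept as lists so repeated
    keys (several kdc lines in one realm) survive; blocks become dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def libdefault_bool(conf, key, default):
    vals = conf.get("libdefaults", {}).get(key)
    return default if not vals else vals[-1].lower() in _TRUE


def in_forest(realm, forest_domains):
    """An AD realm name is the upper-cased DNS domain, so a realm belongs to
    the forest if it equals a forest domain or is a child of one."""
    r = realm.lower()
    return any(r == d.lower() or r.endswith("." + d.lower()) for d in forest_domains)


def audit(conf, forest_domains):
    """Findings: DNS lookup flags that are off (MIT defaults: dns_lookup_kdc
    on, dns_lookup_realm off) and forest realms pinned to hard-coded KDCs."""
    findings = []
    if not libdefault_bool(conf, "dns_lookup_kdc", True):
        findings.append("dns_lookup_kdc=false: new DCs and child domains will not be found")
    if not libdefault_bool(conf, "dns_lookup_realm", False):
        findings.append("dns_lookup_realm=false: host-to-realm mapping is maintained by hand")
    for realm, body in conf.get("realms", {}).items():
        if in_forest(realm, forest_domains):
            findings.append(f"{realm} pinned to kdc={body.get('kdc', [])}; let DNS locate it")
    return findings


def minimal_conf(default_realm, manual_realms):
    """The replacement the post suggests: DNS lookups on, and only realms that
    are not part of the forest listed (manual_realms: realm -> list of KDCs)."""
    out = ["[libdefaults]", f" default_realm = {default_realm}",
           " dns_lookup_realm = true", " dns_lookup_kdc = true", ""]
    if manual_realms:
        out.append("[realms]")
        for realm, kdcs in manual_realms.items():
            out.append(f" {realm} = {{")
            out.extend(f"  kdc = {k}" for k in kdcs)
            out.append(" }")
    return "\n".join(out) + "\n"


def srv_names(realm):
    """DNS names an MIT client queries when dns_lookup_kdc is on; verify them
    with `dig SRV <name>` before dropping the static entries."""
    base = realm.lower()
    return [f"_kerberos._udp.{base}", f"_kerberos._tcp.{base}",
            f"_kerberos-master._udp.{base}", f"_kerberos-adm._tcp.{base}",
            f"_kpasswd._udp.{base}"]


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in audit(parsed, ["windows.jara23.co.uk"]):
        print("finding:", finding)
    print(minimal_conf("WINDOWS.JARA23.CO.UK", {"EXAMPLE.ORG": ["kdc.example.org"]}))
    print("\n".join(srv_names("WINDOWS.JARA23.CO.UK")))
```

Running the script against the constructed sample reports three findings (both lookup flags off, and WINDOWS.JARA23.CO.UK pinned) and leaves EXAMPLE.ORG alone; the emitted config passes the same audit cleanly. The one check worth doing before deleting the static entries on a real host is that the SRV names from srv_names() actually resolve from that host, since dns_lookup_kdc only helps if the client can see the AD DNS zone.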

