Do we really want to tell people to set up krb5.conf that way?

Andrew Bartlett abartlet at
Mon May 14 21:31:05 MDT 2012

On Mon, 2012-05-14 at 12:38 -0700, Richard Sharpe wrote:
> Hi folks,
> I notice that at this web site:
> we say
> something like:
> Setup /etc/krb5.conf like this:
> -------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = WINDOWS.JARA23.CO.UK
> dns_lookup_realm = false
> dns_lookup_kdc = false

> My problem with this is that if the customer adds new parts of the
> forest, or things change, they will have problems troubleshooting.
> Why do we not simply tell them to delete /etc/krb5.conf (because the
> defaults work) or tell them to set dns_lookup_realm = true and
> dns_lookup_kdc = true and only manually set up those realms that are
> not part of their AD forest.
> What am I missing here?

Indeed, this is very poor advice.  Except in exceptional situations, the
smb.conf as trimmed off above is all that should ever be set.

Please trim the wiki example, which seems to have been an organic effort
from our valued contributors, but which isn't the best approach. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
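
Added example, not part of the original message or of the Samba wiki: a small Python check that lists the krb5.conf settings discussed in this thread that pin a client to fixed realm and KDC information, so they are easy to spot when the forest changes. The [realms] stanza and the host dc1.example.test are constructed, and the function names are illustrative.

```python
import re

FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}  # spellings krb5 reads as false

def parse_krb5_conf(text):
    """Parse into {section: {key: [values]}}; 'REALM = {' stanzas nest as dicts."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stanza = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            stanza = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stanza = section.setdefault(key, {})
            else:
                target = section if stanza is None else stanza
                target.setdefault(key, []).append(value)
    return conf

def audit(text):
    """Report settings that pin the client to a fixed view of the realms."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        if libdefaults.get(key, [""])[0].lower() in FALSE_WORDS:
            findings.append(f"{key} is disabled")
    for realm, body in realms.items():
        kdcs = body.get("kdc", []) if isinstance(body, dict) else []
        findings += [f"static kdc for {realm}: {kdc}" for kdc in kdcs]
    return findings

# Constructed sample: the [libdefaults] lines quoted in the message plus a
# made-up [realms] stanza (dc1.example.test is a placeholder host).
PINNED = """[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
WINDOWS.JARA23.CO.UK = {
    kdc = dc1.example.test
}
"""
print("\n".join(audit(PINNED)))
```

A file that sets neither lookup option to false and has no static kdc lines produces an empty list.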

