Do we really want to tell people to set up krb5.conf that way?

simo idra at samba.org
Tue May 15 06:00:11 MDT 2012


On Tue, 2012-05-15 at 13:31 +1000, Andrew Bartlett wrote: 
> On Mon, 2012-05-14 at 12:38 -0700, Richard Sharpe wrote:
> > Hi folks,
> > 
> > I notice that at this web site:
> > http://wiki.samba.org/index.php/Samba_%26_Active_Directory we say
> > something like:
> > 
> > Setup /etc/krb5.conf like this:
> > -------------------------
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> > default_realm = WINDOWS.JARA23.CO.UK
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> 
> > My problem with this is that if the customer adds new parts of the
> > forest, or things change, they will have problems troubleshooting.
> > 
> > Why do we not simply tell them to delete /etc/krb5.conf (because the
> > defaults work) or tell them to set dns_lookup_realm = true and
> > dns_lookup_kdc = true and only manually set up those realms that are
> > not part of their AD forest.
> > 
> > What am I missing here?
> 
> Indeed, this is very poor advice.  Except in exceptional situations, the
> smb.conf as trimmed off above is all that should ever be set. 
> 
> Please trim the wiki example, which seems to have been an organic effort
> from our valued contributors, but which isn't the best approach. 

Andrew, Richard, in a configuration where winbind is installed and it is
built with the locator plugin, it doesn't really matter what's in
krb5.conf for location purposes, winbind will provide libkrb5 the right
address to contact.

Maybe we should make a note on the wiki and explain the effects of the
locator plugin and why it is very important to use it for best results.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
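
Added example, not part of the original message or the Samba wiki: a small Python check that flags the pattern discussed in this thread, a krb5.conf that disables DNS lookups and pins KDCs by hand. The sample file, its `[realms]` stanza and the host `dc1.example.test` are constructed, and the boolean spellings assumed are those of MIT krb5.

```python
import re

# Spellings MIT krb5 accepts for a false boolean (assumption: MIT libkrb5, not Heimdal).
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]}, flattening nested { } blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value != "{":          # "REALM = {" only opens a block
                current.append((key, value))
    return sections

def audit(text):
    """List the settings that tie the client to a hand-maintained KDC list."""
    conf = parse_krb5_conf(text)
    libdefaults = dict(conf.get("libdefaults", []))
    findings = []
    for option in ("dns_lookup_realm", "dns_lookup_kdc"):
        if libdefaults.get(option, "").lower() in FALSE_WORDS:
            findings.append(f"{option} is disabled")
    pinned = [value for key, value in conf.get("realms", []) if key == "kdc"]
    if pinned:
        findings.append("static kdc entries: " + ", ".join(pinned))
    return findings

# Constructed sample: the [libdefaults] lines quoted above plus a made-up [realms] stanza.
PINNED = """\
[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
WINDOWS.JARA23.CO.UK = {
    kdc = dc1.example.test
}
"""

if __name__ == "__main__":
    print(audit(PINNED))
```

As the reply above notes, when winbind's locator plugin is in use these settings do not decide which KDC libkrb5 contacts, so the findings are maintenance hints rather than errors.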


