Do we really want to tell people to set up krb5.conf that way?
realrichardsharpe at gmail.com
Tue May 15 07:19:26 MDT 2012
On Tue, May 15, 2012 at 5:00 AM, simo <idra at samba.org> wrote:
> On Tue, 2012-05-15 at 13:31 +1000, Andrew Bartlett wrote:
>> On Mon, 2012-05-14 at 12:38 -0700, Richard Sharpe wrote:
>> > Hi folks,
>> > I notice that at this web site:
>> > http://wiki.samba.org/index.php/Samba_%26_Active_Directory we say
>> > something like:
>> > Setup /etc/krb5.conf like this:
>> > -------------------------
>> > [logging]
>> > default = FILE:/var/log/krb5libs.log
>> > kdc = FILE:/var/log/krb5kdc.log
>> > admin_server = FILE:/var/log/kadmind.log
>> > [libdefaults]
>> > default_realm = WINDOWS.JARA23.CO.UK
>> > dns_lookup_realm = false
>> > dns_lookup_kdc = false
>> > My problem with this is that if the customer adds new parts of the
>> > forest, or things change, they will have problems troubleshooting.
>> > Why do we not simply tell them to delete /etc/krb5.conf (because the
>> > defaults work) or tell them to set dns_lookup_realm = true and
>> > dns_lookup_kdc = true and only manually set up those realms that are
>> > not part of their AD forest.
>> > What am I missing here?
>> Indeed, this is very poor advice. Except in exceptional situations, the
>> smb.conf as trimmed off above is all that should ever be set.
>> Please trim the wiki example, which seems to have been an organic effort
>> from our valued contributors, but which isn't the best approach.
> Andrew, Richard, in a configuration where winbind is installed and it is
> built with the locator plugin, it doesn't really matter what's in
> krb5.conf for location purposes, winbind will provide libkrb5 the right
> address to contact.
> Maybe we should make a note on the wiki and explain the effects of the
> locator plugin and why it is very important to use it for best results.
Sure, I am cool with that. However, I have also seen problems when
people follow instructions similar to those on the wiki.
At two companies now I have tossed out krb5.conf settings like that.
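
A small audit for the pattern questioned in this thread, as an added example that is not part of the original message or of Samba: it parses a krb5.conf and reports where DNS lookup is switched off or a KDC is pinned by hand. The function names, the accepted spellings of "false", the [realms] stanza and the EXAMPLE.TEST realm in the sample are assumptions made for illustration.

```python
import re

FALSE_VALUES = {"false", "no", "off", "0"}  # assumed spellings of a false boolean

# Constructed sample: the [libdefaults] lines follow the wiki snippet quoted
# above; the [realms] stanza and EXAMPLE.TEST are made up for illustration.
SAMPLE = """\
[libdefaults]
default_realm = WINDOWS.JARA23.CO.UK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.TEST = {
    kdc = dc1.example.test
}
"""

def parse_krb5(text):
    """Return {section: {key: [values]}}; keys inside REALM = { } become 'REALM/key'."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, sub = header.group(1), None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub = key  # entering a per-realm block
            else:
                conf[section].setdefault(f"{sub}/{key}" if sub else key, []).append(value)
    return conf

def audit(text):
    """List settings that replace DNS-based KDC/realm discovery with static values."""
    conf, findings = parse_krb5(text), []
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        for value in conf.get("libdefaults", {}).get(key, []):
            if value.lower() in FALSE_VALUES:
                findings.append(f"[libdefaults] {key} = {value}")
    for name, values in conf.get("realms", {}).items():
        realm, _, key = name.partition("/")
        if key in ("kdc", "admin_server"):
            findings.extend(f"[realms] {realm}: static {key} = {v}" for v in values)
    return findings
```

Calling `audit(open("/etc/krb5.conf").read())` on a host returns one line per pinned setting; an empty list means nothing in the file overrides discovery.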