Do we really want to tell people to set up krb5.conf that way?

Richard Sharpe realrichardsharpe at gmail.com
Tue May 15 07:19:26 MDT 2012


On Tue, May 15, 2012 at 5:00 AM, simo <idra at samba.org> wrote:
> On Tue, 2012-05-15 at 13:31 +1000, Andrew Bartlett wrote:
>> On Mon, 2012-05-14 at 12:38 -0700, Richard Sharpe wrote:
>> > Hi folks,
>> >
>> > I notice that at this web site:
>> > http://wiki.samba.org/index.php/Samba_%26_Active_Directory we say
>> > something like:
>> >
>> > Setup /etc/krb5.conf like this:
>> > -------------------------
>> > [logging]
>> > default = FILE:/var/log/krb5libs.log
>> > kdc = FILE:/var/log/krb5kdc.log
>> > admin_server = FILE:/var/log/kadmind.log
>> >
>> > [libdefaults]
>> > default_realm = WINDOWS.JARA23.CO.UK
>> > dns_lookup_realm = false
>> > dns_lookup_kdc = false
>>
>> > My problem with this is that if the customer adds new parts of the
>> > forest, or things change, they will have problems troubleshooting.
>> >
>> > Why do we not simply tell them to delete /etc/krb5.conf (because the
>> > defaults work) or tell them to set dns_lookup_realm = true and
>> > dns_lookup_kdc = true and only manually set up those realms that are
>> > not part of their AD forest.
>> >
>> > What am I missing here?
>>
>> Indeed, this is very poor advice.  Except in exceptional situations, the
>> smb.conf as trimmed off above is all that should ever be set.
>>
>> Please trim the wiki example, which seems to have been an organic effort
>> from our valued contributors, but which isn't the best approach.
>
> Andrew, Richard, in a configuration where winbind is installed and it is
> built with the locator plugin, it doesn't really matter what's in
> krb5.conf for location purposes, winbind will provide libkrb5 the right
> address to contact.
>
> Maybe we should make a note on the wiki and explain the effects of the
> locator plugin and why it is very important to use it for best results.

Sure, I am cool with that. However, I have also seen problems when
people follow instructions similar to those on the wiki.

At two companies now I have tossed out krb5.conf settings like that.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Dukang wine. -- Cao Cao)
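An added check, not part of this thread or of Samba itself, for the question the thread raises: before trimming the static [realms] entries and relying on dns_lookup_kdc = true, confirm that DNS actually publishes the _kerberos._tcp SRV records libkrb5 would use. It assumes `dig` is installed; the realm name is supplied by the caller (EXAMPLE.COM below is a placeholder).

```shell
#!/bin/sh
# Added example: verify that DNS-based KDC discovery (dns_lookup_kdc = true)
# can locate KDCs for a realm. Not from the samba wiki or the thread above.

# Convert `dig +short SRV` answer lines ("priority weight port target.")
# into "target:port", ordered by priority (lowest first), then by weight
# (highest first), which is the order a Kerberos client would try them.
# Reads the answer lines on stdin and writes one KDC per line on stdout.
srv_to_kdcs() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Query live DNS for the realm's _kerberos._tcp SRV record (requires dig).
# Active Directory registers these records for every domain controller,
# so an empty result usually means a DNS resolver or search-domain problem.
discover_kdcs() {
    realm=$1
    dig +short SRV "_kerberos._tcp.${realm}" | srv_to_kdcs
}

# Print the discoverable KDCs for a realm, or explain why a static
# [realms] entry in krb5.conf would still be needed for it.
check_realm() {
    realm=$1
    kdcs=$(discover_kdcs "$realm")
    if [ -z "$kdcs" ]; then
        echo "no _kerberos._tcp.${realm} SRV records: dns_lookup_kdc cannot" \
             "locate KDCs; keep a static [realms] entry for ${realm}"
        return 1
    fi
    echo "$kdcs"
}

# Usage: ./check_kdc_dns.sh EXAMPLE.COM   (realm name is a placeholder)
if [ -n "$1" ]; then
    check_realm "$1"
fi
```

Realms outside the AD forest that do not publish SRV records are exactly the ones the thread says should stay in krb5.conf by hand.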

