Rufe Glick <rufe.gl...@gmail.com> writes:

> I'm trying to understand the inner workings of Kerberos here. The
> following question has arisen: Does /etc/krb5.conf have to be present
> and identical on all Kerberos infrastructure participants?


No, not really. All participants should probably agree on some things, such as the KDCs for the realm and probably the domain to realm mapping rules. You normally want them to agree on other things, such as the default ticket lifetime to request or whether tickets are normally forwardable, so it's common to synchronize this file. But it's not at all required.

In particular, if you have a realm set up with SRV and TXT records in DNS, it's quite possible to have a zero-configuration Kerberos client that simply pulls the information it needs from DNS queries. (Although I think the Kerberos libraries generally like to have the file exist, even if it's empty.)

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
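
The DNS-based discovery mentioned in the reply, sketched as an added example (not part of the original post and not the Kerberos libraries' own code): the realm comes from a `_kerberos` TXT record and its KDCs from `_kerberos._udp` / `_kerberos._tcp` SRV records. The zone contents and function names are constructed for illustration, and the parent-domain walk and priority-only ordering are simplifying assumptions.

```python
# Added illustration; ZONE is constructed sample data, not from the original post.
ZONE = {
    ("_kerberos.example.com", "TXT"): ["EXAMPLE.COM"],
    # SRV tuples: (priority, weight, port, target)
    ("_kerberos._udp.example.com", "SRV"): [
        (10, 0, 88, "kdc2.example.com"),
        (0, 0, 88, "kdc1.example.com"),
    ],
    ("_kerberos._tcp.example.com", "SRV"): [(0, 0, 88, "kdc1.example.com")],
}


def query(zone, name, rtype):
    """Stand-in for a DNS query; DNS names compare case-insensitively."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def realm_query_names(hostname):
    """TXT names to try: the host itself, then each parent domain (assumed walk)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def lookup_realm(hostname, zone=ZONE):
    """Return the realm from the first _kerberos TXT record found, else None."""
    for name in realm_query_names(hostname):
        answers = query(zone, name, "TXT")
        if answers:
            return answers[0]
    return None


def lookup_kdcs(realm, proto="udp", zone=ZONE):
    """Return (host, port) pairs for the realm's KDCs, lowest priority first."""
    records = query(zone, f"_kerberos._{proto}.{realm}", "SRV")
    # Simplification: order by priority only; RFC 2782 weight selection is skipped.
    return [(target, port) for _prio, _weight, port, target in sorted(records)]


if __name__ == "__main__":
    realm = lookup_realm("web1.dev.example.com")
    print(realm, lookup_kdcs(realm))
```
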