On Wed, Oct 29, 2014 at 3:39 PM, Russ Allbery <ea...@eyrie.org> wrote:
> Rufe Glick <rufe.gl...@gmail.com> writes:
>> I'm trying to understand the inner workings of Kerberos here. The
>> following question has arisen: Does /etc/krb5.conf have to be present
>> and identical on all Kerberos infrastructure participants?
>
> No, not really.
>
> All participants should probably agree on some things, such as the KDCs
> for the realm and probably the domain to realm mapping rules. You
> normally want them to agree on other things, such as the default ticket
> lifetime to request or whether tickets are normally forwardable, so it's
> common to synchronize this file. But it's not at all required.
They can just agree to use DNS for most things.

There are some things that you can't securely discover w/o DNSSEC, of
which the main one is:

 - "default_realm" (if you need it, which generally implementations do)

Other things have sane defaults: domain_realm, capaths, ...

> In particular, if you have a realm set up with SRV and TXT records in DNS,
> it's quite possible to have a zero-configuration Kerberos client that
> simply pulls the information it needs from DNS queries. (Although I think
> the Kerberos libraries generally like to have the file exist, even if it's
> empty.)

Yes.

Nico

-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
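The zero-configuration discovery discussed in the thread, as an added example that is not part of the thread and not MIT krb5's own code: a Python model of what a client does with dns_lookup_kdc and dns_lookup_realm. It answers from a constructed in-memory zone (the example.com realm, KDC hostnames, weights and TXT records are all assumptions) instead of querying real DNS, orders SRV answers the way RFC 2782 prescribes, maps a host to its realm by walking the _kerberos.<host> TXT names upward, and marks a default_realm derived from DNS as untrusted unless the answer was DNSSEC-validated, which is the caveat raised above.

```python
"""Model of DNS-based Kerberos client discovery (added example, not krb5 code).

Mirrors the two MIT krb5 lookups a zero-configuration client relies on:
  - dns_lookup_kdc:   SRV records _kerberos._udp.<REALM> / _kerberos._tcp.<REALM>
  - dns_lookup_realm: TXT records _kerberos.<host>, stripping leading labels
The zone below is constructed so that everything runs offline.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for real DNS answers (assumption).
ZONE_SRV = {
    "_kerberos._udp.example.com.": [
        SRV(10, 60, 88, "kdc1.example.com."),
        SRV(10, 40, 88, "kdc2.example.com."),
        SRV(20, 0, 88, "kdc-dr.example.com."),   # tried only after priority 10 fails
    ],
    "_kerberos._tcp.example.com.": [SRV(0, 0, 88, "kdc1.example.com.")],
}
ZONE_TXT = {
    "_kerberos.example.com.": "EXAMPLE.COM",
    "_kerberos.lab.example.com.": "LAB.EXAMPLE.COM",
}


def _fqdn(name: str) -> str:
    """DNS names are case-insensitive; normalise to a lowercase, dot-terminated form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def kdcs_for_realm(realm: str, proto: str = "udp",
                   rng: Optional[random.Random] = None) -> list:
    """Return (host, port) pairs for the realm's KDCs in RFC 2782 order:
    ascending priority, weighted random order inside each priority."""
    rng = rng or random.Random()
    records = ZONE_SRV.get(_fqdn(f"_kerberos._{proto}.{realm}"), [])
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            # RFC 2782: weight-0 entries first, then choose by running weight sum.
            group.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append((r.target.rstrip("."), r.port))
                    group.remove(r)
                    break
    return ordered


def realm_for_host(hostname: str) -> Optional[str]:
    """Map a host to a realm as dns_lookup_realm does: query TXT _kerberos.<host>,
    then drop leading labels until some level answers, else None."""
    labels = _fqdn(hostname).rstrip(".").split(".")
    while labels:
        realm = ZONE_TXT.get("_kerberos." + ".".join(labels) + ".")
        if realm:
            return realm
        labels.pop(0)
    return None


def default_realm(krb5_conf: dict, local_hostname: str,
                  dnssec_validated: bool = False) -> tuple:
    """Return (realm, trusted). A default_realm set in krb5.conf is trusted;
    one derived from the local hostname via DNS is trusted only when the
    answer was DNSSEC-validated. Without DNSSEC an attacker who controls
    the answers can point the client at a realm and KDC of their choosing."""
    realm = krb5_conf.get("libdefaults", {}).get("default_realm")
    if realm:
        return realm, True
    return realm_for_host(local_hostname), dnssec_validated


if __name__ == "__main__":
    realm, trusted = default_realm({}, "ws01.lab.example.com")
    print(f"default_realm={realm} trusted={trusted}")
    print("KDCs:", kdcs_for_realm("EXAMPLE.COM"))
```

Run as-is, the script shows a client with an empty krb5.conf deriving LAB.EXAMPLE.COM from its own hostname with trusted=False; the KDC list always ends with kdc-dr, while kdc1 and kdc2 swap order roughly 60/40 across runs, which is the RFC 2782 load-spreading the thread's SRV records give you for free.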