So it sounds like you're still saying that the contents of my krb5.conf file will be read by krb5kdc and there is a good chance that something specified in my krb5.conf (for my client implementation) may override or merge with my server config and *possibly* disrupt my KDC?
This is probably unlikely though, since the settings normally set in the two files (apart from default realm) tend to be either a client or server setting, no?

I'm testing everything on one box right now, and when I want to use my local KDC I do:

export KRB5_CONFIG=/etc/localmit_krb5.conf

and things seem to work. To switch back to using my external KDC (AD), I simply unset the variable.

Realizing this is an edge case, does this sound like the best way, or would there be a more supported way?

On Fri, Apr 24, 2015 at 5:45 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 04/24/2015 03:44 PM, Ben H wrote:
> > From a client perspective, if I want to switch to using a different
> > krb5.conf file, I just use:
> >
> > export KRB5_CONFIG=/etc/alternate-krb5.conf
> >
> > But the server will always try to use /etc/krb5.conf
>
> The expected behavior is:
>
> * Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.
>
> * KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
> $KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
> If both files exist, the contents are merged, with the values from
> krb5.conf usually taking precedence (but we're not 100% consistent about
> that).
>
> krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
> not need to point it at a config file giving a different default_realm
> value.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
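An added example, not part of the thread or of MIT krb5: a small check for the concern raised above, listing relations that a client krb5.conf and a kdc.conf both define with different values, since those are the ones the merge described in the quoted reply could affect. The function names and sample files are constructed for illustration, and the parser is a simplification that handles only sections, `name = value` relations and `{ }` subsections (no include directives or quoted values).

```python
import re

# Constructed sample files (not from the thread): a client krb5.conf pointing
# at AD, and a kdc.conf for a local test realm that also sets default_realm.
CLIENT_CONF = """[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
"""
KDC_CONF = """[kdcdefaults]
    kdc_ports = 88
[libdefaults]
    default_realm = LOCAL.TEST
[realms]
    LOCAL.TEST = {
        max_life = 10h
    }
"""

def config_files(env, kdc_process):
    """Files a process reads, following the rules quoted in the thread."""
    files = [env.get("KRB5_CONFIG", "/etc/krb5.conf")]
    if kdc_process:  # krb5kdc, kadmind, kdb5_util, ...
        # Default is the thread's "something like" path; real builds differ.
        files.append(env.get("KRB5_KDC_PROFILE", "/var/krb5kdc/kdc.conf"))
    return files

def parse_profile(text):
    """Map (section, (subsection..., relation)) -> list of values."""
    out, section, stack = {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, stack = header.group(1), []
        elif line.startswith("}"):
            stack = stack[:-1]
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                stack.append(key)  # entering a subsection such as a realm
            else:
                out.setdefault((section, tuple(stack + [key])), []).append(val)
    return out

def conflicts(client_text, kdc_text):
    """Relations present in both files whose values differ."""
    a, b = parse_profile(client_text), parse_profile(kdc_text)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}

if __name__ == "__main__":
    for (section, path), (c, k) in sorted(conflicts(CLIENT_CONF, KDC_CONF).items()):
        print(f"[{section}] {'/'.join(path)}: krb5.conf={c} kdc.conf={k}")
```

The check reports only that a relation differs between the two files; it does not predict which value wins, since the quoted reply says precedence is not fully consistent.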