I'm trying to follow the client need for default_realm vs having additional Kerberos REALM entries present in your [realms] section of your krb5.conf. If there was no default_realm defined, what does the client do (see default_realm at web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html)?
Are the clients keying off of default_realm because they are Java based? Or is there some form of forced short principal name configuration that is causing this? If Java, provide the krb5.conf you want Java clients to use in the [JAVA_HOME]/jre/lib/security path. The JGSS checks there first.

On Fri, Apr 24, 2015 at 5:16 PM, Ben H <bhen...@gmail.com> wrote:

> So it sounds like you're still saying that the contents of my krb5.conf
> file will be read by krb5kdc and there is a good chance that something
> specified in my krb5.conf (for my client implementation) may override or
> merge with my server config *possibly* disrupt my KDC?
>
> This is probably unlikely though since the settings normally set on the two
> files (apart from default realm) tend to be either a client or server
> setting, no?
>
> I'm testing everything on one box right now, and when I want to use my
> local KDC I do:
>
> export KRB5_CONFIG=/etc/localmit_krb5.conf
>
> and things seem to work. To switch back using my external KDC (AD), I
> simply unset the variable.
>
> Realizing this is an edge case, does this sound the best way, or would
> there be a more supported way?
>
> On Fri, Apr 24, 2015 at 5:45 PM, Greg Hudson <ghud...@mit.edu> wrote:
>
> > On 04/24/2015 03:44 PM, Ben H wrote:
> > > From a client perspective, if I want to switch to using a different
> > > krb5.conf file, I just use:
> > >
> > > export KRB5_CONFIG=/etc/alternate-krb5.conf
> > >
> > > But the server will always try to use /etc/krb5.conf
> >
> > The expected behavior is:
> >
> > * Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.
> >
> > * KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
> > $KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
> > If both files exist, the contents are merged, with the values from
> > krb5.conf usually taking precedence (but we're not 100% consistent about
> > that).
> >
> > krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
> > not need to point it at a config file giving a different default_realm
> > value.
> >
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering
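
An added illustration, not part of the thread: a small Python check for the merge behavior described above. It lists settings defined in both the file named by KRB5_CONFIG and the one named by KRB5_KDC_PROFILE, which are the places where a client-oriented krb5.conf could change what krb5kdc sees. The parser is simplified (it ignores include directives), it does not decide which value wins, and the file contents and realm names are constructed samples.

```python
import re

def parse_profile(text):
    """Flatten a krb5-style profile into {'section/sub/key': [values]}."""
    out, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:                                # new top-level section
            path = [m.group(1)]
            continue
        if line.startswith("}"):             # end of a subsection
            if len(path) > 1:
                path.pop()
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val == "{":                       # start of a subsection
            path.append(key)
        else:
            out.setdefault("/".join(path + [key]), []).append(val)
    return out

def overlaps(krb5_text, kdc_text):
    """Settings present in both files: {path: (krb5.conf values, kdc.conf values)}."""
    a, b = parse_profile(krb5_text), parse_profile(kdc_text)
    return {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys())}

# Constructed sample contents (hypothetical realms and values).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    LOCAL.EXAMPLE.COM = {
        kdc = localhost
        max_life = 10h
    }
"""
SAMPLE_KDC_CONF = """
[libdefaults]
    default_realm = LOCAL.EXAMPLE.COM
[realms]
    LOCAL.EXAMPLE.COM = {
        max_life = 24h
        database_name = /var/krb5kdc/principal
    }
"""

if __name__ == "__main__":
    for path, (client, kdc) in overlaps(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF).items():
        print(f"{path}: krb5.conf={client} kdc.conf={kdc}")
```

An empty result means the two files set disjoint options, so merging them cannot change a KDC setting.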