[Freeipa-users] Is the krb5.conf no longer used?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 2 05:29:15 UTC 2016


On Wed, 01 Jun 2016, Geordie Grindle wrote:
>Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another file used to configure kerberos?
>
>I’ve built a host using Foreman and our puppet configuration usually
>pushes a krb5.conf file. However, if I delete it, everything still
>works fine.
>
>What, if any, function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is
fine with these defaults, that's OK. However, it does not mean defaults
are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD
generates a number of config snippets which get included via an include
statement in /etc/krb5.conf. These snippets define Kerberos-level
relationships between realms, load mapping plugins for AD Kerberos
principals and so on. This might not be important to you on the older
systems (you are using RHEL 6 where libkrb5 doesn't have some of the
interfaces SSSD is utilizing) but it is very important on RHEL 7, for
example.

Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine the place
where libkrb5 looks for the default credentials cache (ccache) to utilize
kernel keyring storage to enhance security.

But if your setup is very simple topology-wise, libkrb5 defaults are
just fine.
-- 
/ Alexander Bokovoy
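
An added example (not part of the original message and not FreeIPA or SSSD code): a small Python check for the two things the reply says /etc/krb5.conf provides, namely include directives for SSSD-generated snippets and a keyring-backed default ccache. The sample file, its include path and realm are constructed, and `audit_krb5_conf` and `findings` are hypothetical names.

```python
import re

# Constructed sample, not from the original post: a krb5.conf of the shape
# the reply describes. The include path and realm are illustrative assumptions.
SAMPLE = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }
"""

def audit_krb5_conf(text):
    """Return include directives and the ccache type set in [libdefaults]."""
    includes, section, ccache = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.match(r"(includedir|include)\s+(\S+)$", line)
        if m:                                    # top-level include directive
            includes.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                    # section header
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                ccache = value
    # The ccache type is the text before the first ':'; a bare path means FILE.
    ctype = None if ccache is None else (ccache.split(":", 1)[0] if ":" in ccache else "FILE")
    return {"includes": includes, "default_ccache_name": ccache, "ccache_type": ctype}

def findings(result):
    """List what a host loses relative to the setup described in the reply."""
    out = []
    if not result["includes"]:
        out.append("no include/includedir: SSSD-generated snippets are not loaded")
    if result["ccache_type"] is None:
        out.append("default_ccache_name unset: libkrb5 compiled-in default applies")
    elif result["ccache_type"] != "KEYRING":
        out.append("ccache is %s, not kernel keyring" % result["ccache_type"])
    return out
```

Passing an empty string models the deleted-file case from the question: both findings are reported, even though authentication against a simple topology can still work.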



