[Freeipa-users] Is the krb5.conf no longer used?

Sumit Bose sbose at redhat.com
Thu Jun 2 07:37:28 UTC 2016


On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jun 2016, Geordie Grindle wrote:
> > Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another file used to configure kerberos?
> > 
> > I’ve built a host using Foreman and our puppet configuration usually
> > pushes a krb5.conf file. However, if I delete it, everything still
> > works fine.
> > 
> > What if any function does /etc/krb5.conf have now?
> libkrb5 has some default options compiled in. If your environment is
> fine with these defaults, that's OK. However, it does not mean defaults
> are always OK for everyone.

SSSD uses libkrb5 and hence uses the library defaults and values from
/etc/krb5.conf. Nevertheless SSSD will override some of those values
with either data from its own configuration file or with data discovered
at run-time, e.g. via DNS or by evaluating some LDAP attributes. With
this we try to make sure that SSSD is able to work even if
/etc/krb5.conf is broken or is missing some options.

But this only holds for SSSD; all other users of libkrb5 like e.g.
kinit, ldapsearch, sshd ... still rely on the data in krb5.conf. As
Alexander noted below, SSSD tries to make the auto-discovered data
available to those applications but still they need to parse
/etc/krb5.conf first.

HTH

bye,
Sumit

> 
> In particular, when you have integration with Active Directory, SSSD
> generates a number of config snippets which get included via an include
> statement in /etc/krb5.conf. These snippets define Kerberos-level
> relationship between realms, load mapping plugins for AD Kerberos
> principals and so on. This might not be important to you on the older
> systems (you are using RHEL 6 where libkrb5 doesn't have some of the
> interfaces SSSD is utilizing) but it is very important on RHEL 7, for
> example.
> 
> Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
> where libkrb5 looks for default credentials cache (ccache) to utilize
> kernel keyring storage to enhance security.
> 
> But if your setup is very simple topology wise, libkrb5 defaults are
> just fine.
> -- 
> / Alexander Bokovoy
> 
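As an added illustration of the point made above, that whatever /etc/krb5.conf does not set falls back to libkrb5's compiled-in defaults for kinit, sshd and friends, the following POSIX shell script (not from this thread or from SSSD) reports which [libdefaults] values a krb5.conf actually sets and which include directives pull in generated snippets. The sample file, realm, KDC and include path are constructed placeholders; the parser assumes the usual "key = value" spacing.

```shell
#!/bin/sh
# Constructed sample krb5.conf for demonstration only (realm, KDC and
# include path are placeholders, not values from the thread).
KRB5_SAMPLE="$(mktemp)"
cat > "$KRB5_SAMPLE" <<'EOF'
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
 }
EOF

# krb5_setting FILE SECTION KEY
# Prints the value set in FILE, or "(compiled-in default)" when the key is
# absent, i.e. when libkrb5 users other than SSSD get the built-in default.
krb5_setting() {
  file=$1; section=$2; key=$3
  val=$(awk -v sec="[$section]" -v key="$key" '
    /^[ \t]*\[/ { insec = ($1 == sec); next }   # track the current section
    insec && $1 == key && $2 == "=" {
      sub(/^[ \t]*[^=]*=[ \t]*/, "")            # strip "key = " prefix
      print; exit
    }' "$file")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '(compiled-in default)\n'; fi
}

# krb5_includes FILE
# Prints the targets of top-level include/includedir directives, which is
# how generated snippets (e.g. SSSD's) reach every libkrb5 consumer.
krb5_includes() {
  awk '/^[ \t]*include(dir)?[ \t]/ { print $2 }' "$1"
}

# krb5_report FILE: human-readable summary of the settings that matter most.
krb5_report() {
  f=$1
  for k in default_realm dns_lookup_kdc default_ccache_name ticket_lifetime; do
    printf '%-22s %s\n' "$k:" "$(krb5_setting "$f" libdefaults "$k")"
  done
  printf '%-22s %s\n' "includes:" "$(krb5_includes "$f" | tr '\n' ' ')"
}

krb5_report "$KRB5_SAMPLE"
```

Run it against the real file with `krb5_report /etc/krb5.conf` to see which options a host sets explicitly; every line reading "(compiled-in default)" is one that SSSD may still auto-discover but that kinit or sshd will take from libkrb5's built-in value.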
