On 17/02/16 09:36, bahan w wrote:
Hello!

I am sending you this mail with a question about the Kerberos logs on the IPA
server.

On the server, there are two configuration files:
- kdc.conf: for the server
- krb5.conf: for the client

In both of these files, we can put a logging section.
In this section, there are 3 parameters:
- default
- kdc
- admin

May I put the same values for both client and server, or is it better to put
different values for the server part?

BR.

Bahan




Hello Bahan,
Looking into the krb5.conf man page, I don't see any logging section. I think it should be enough to configure logging on the server (in kdc.conf).

Example:
A user tries to perform kinit with a nonexistent principal and receives an error:
$ kinit nonexistent
kinit: Client 'nonexist...@example.test' not found in Kerberos database while getting initial credentials

Then the admin can see this event in the KDC log on the server:
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: nonexist...@example.test for krbtgt/example.t...@example.test, Client not found in Kerberos database

--
David Kupka
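
Added example, not part of the reply above and not FreeIPA or MIT krb5 code: a small parser for krb5kdc request lines in the format quoted in the reply, which reports source addresses that asked for several distinct principals the KDC answered with CLIENT_NOT_FOUND. The sample lines, principal names, the threshold of 3 and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the krb5kdc log format quoted above (not real logs).
SAMPLE_LOG = """\
Feb 17 10:10:35 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.248: CLIENT_NOT_FOUND: typo.user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:11:02 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1455703862, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Feb 17 10:12:01 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.50: CLIENT_NOT_FOUND: svc-a@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:12:01 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.50: CLIENT_NOT_FOUND: svc-b@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:12:02 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.50: CLIENT_NOT_FOUND: svc-c@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Feb 17 10:12:02 vm-248.example.test krb5kdc[11350](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.50: CLIENT_NOT_FOUND: svc-a@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
"""

# syslog prefix, then "<REQ> (<etypes>) <source ip>: <STATUS>: <details>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# The client principal is the token right before " for <server principal>".
PRINC_RE = re.compile(r"(\S+) for \S+")


def parse_kdc_line(line):
    """Return the fields of an AS_REQ/TGS_REQ line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"] = p.group(1) if p else None
    return rec


def unknown_principal_sources(lines, threshold=3):
    """Map source IP -> sorted distinct unknown principals, for IPs at or above threshold."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == "CLIENT_NOT_FOUND" and rec["client"]:
            seen[rec["ip"]].add(rec["client"])  # repeats of one name count once
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in unknown_principal_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(names)} unknown principals requested: {', '.join(names)}")
```

Counting distinct names per source keeps a single mistyped kinit, like the one in the reply, below the threshold.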
