Hi, Geordie

I think it should be optional. Here is the krb5.conf from one of my IPA clients:

# cat /etc/krb5.conf
#File modified by ipa-client-install
# Client-side Kerberos library configuration. If this file is absent, none of
# the settings below are read and the library uses its built-in defaults.
# Comment lines are kept at column 0 throughout this file.

# Also read the configuration snippets found in this directory
# (presumably maintained by SSSD, going by the path -- confirm on the host).
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
# Realm used when a principal is given without one (e.g. "kinit user").
  default_realm = EXAMPLE.NET
# Use DNS TXT records to map a host or domain to its realm.
  dns_lookup_realm = true
# Use DNS SRV records to locate KDCs. KDC discovery then depends on the
# integrity of DNS answers; a spoofed record can point clients at the wrong
# server, which cannot decrypt their requests but can deny them service.
  dns_lookup_kdc = true
# Do not use reverse DNS when canonicalizing service host names, so a forged
# PTR record cannot change which service principal is requested.
  rdns = false
# Default lifetime requested for initial tickets.
  ticket_lifetime = 24h
# Initial tickets are forwardable by default, i.e. they can be passed on to
# remote hosts; review whether every client needs this.
  forwardable = yes
# A limit of 0 makes the library try TCP before UDP for every KDC message.
  udp_preference_limit = 0
# Keep credentials in a per-UID kernel keyring rather than in a file cache.
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  EXAMPLE.NET = {
# CA certificate(s) trusted when verifying the KDC's certificate for PKINIT.
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
# A leading dot maps every host under the domain to the realm; the entry
# without the dot maps the host named exactly dev.example.net.
  .dev.example.net = EXAMPLE.NET
  dev.example.net = EXAMPLE.NET

Matrix


------------------ Original ------------------
From:  "Geordie Grindle";<geordie.grin...@gmail.com>;
Date:  Thu, Jun 2, 2016 03:57 AM
To:  "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  [Freeipa-users] Is the krb5.conf no longer used?



Does IPA only use "sssd.conf" for Kerberos authentication? Is there another 
file used to configure Kerberos? 

I've built a host using Foreman, and our Puppet configuration usually pushes a 
krb5.conf file. However, if I delete it, everything still works fine.

What function, if any, does /etc/krb5.conf have now?

<snip>

[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example....@dev.example.com

[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > 
ipa_server.dev.example.com.kerberos:  v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > 
ipa_server.dev.example.com.kerberos:  v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.52896:  v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel.kerberos:  v5

</snip>

