On Wed, 01 Jun 2016, Geordie Grindle wrote:
> Does IPA only use ‘sssd.conf’ for Kerberos authentication? Is there another
> file used to configure Kerberos?
>
> I’ve built a host using Foreman and our puppet configuration usually
> pushes a krb5.conf file. However, if I delete it, everything still
>
> What, if any, function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is
fine with these defaults, that's OK. However, it does not mean defaults
are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD
generates a number of config snippets which get included via an include
statement in /etc/krb5.conf. These snippets define Kerberos-level
relationships between realms, load mapping plugins for AD Kerberos
principals and so on. This might not be important to you on the older
systems (you are using RHEL 6 where libkrb5 doesn't have some of the
interfaces SSSD is utilizing) but it is very important on RHEL 7, for

Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
where libkrb5 looks for default credentials cache (ccache) to utilize
kernel keyring storage to enhance security.

But if your setup is very simple topology-wise, libkrb5 defaults are

/ Alexander Bokovoy