On Wed, 01 Jun 2016, Geordie Grindle wrote:
> Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
> file used to configure kerberos?
>
> I’ve built a host using Foreman and our puppet configuration usually
> pushes a krb5.conf file. However, if I delete it, everything still
> works fine.
>
> What if any function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is
fine with these defaults, that's OK. However, it does not mean defaults
are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD
generates a number of config snippets which get included via an include
statement in /etc/krb5.conf. These snippets define Kerberos-level
relationship between realms, load mapping plugins for AD Kerberos
principals and so on. This might not be important to you on the older
systems (you are using RHEL 6 where libkrb5 doesn't have some of the
interfaces SSSD is utilizing) but it is very important on RHEL 7, for

Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
where libkrb5 looks for default credentials cache (ccache) to utilize
kernel keyring storage to enhance security.

But if your setup is very simple topology-wise, libkrb5 defaults are
just fine.
/ Alexander Bokovoy
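
Added example, not part of the original message or of FreeIPA/SSSD code: a check that a krb5.conf pushed by configuration management still carries the two things the reply mentions, an include of the SSSD-generated snippets and a kernel-keyring default ccache. The sample files, the realm name and the snippet directory path are constructed assumptions.

```python
import re

# Constructed sample: krb5.conf as an IPA client on RHEL 7 might carry it.
# The realm and the SSSD snippet directory are assumptions for illustration.
SAMPLE_IPA = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
"""

# Constructed sample: a minimal file pushed by configuration management.
SAMPLE_PUSHED = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  # default_ccache_name = KEYRING:persistent:%{uid}
"""

def audit_krb5_conf(text):
    """Return include directives, the ccache setting and any findings."""
    includes, ccache, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comment markers
            continue
        if m := re.match(r"(includedir|include)\s+(\S+)", line):
            includes.append(m.group(2))
            continue
        if m := re.match(r"\[(\w+)\]$", line):
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                ccache = value
    findings = []
    if not includes:
        findings.append("no include/includedir: SSSD snippets are not loaded")
    if ccache is None:
        findings.append("default_ccache_name unset: compiled-in default applies")
    elif not ccache.startswith("KEYRING:"):
        findings.append("ccache is not in the kernel keyring: " + ccache)
    return {"includes": includes, "ccache": ccache, "findings": findings}

if __name__ == "__main__":
    for name, text in (("ipa", SAMPLE_IPA), ("pushed", SAMPLE_PUSHED)):
        print(name, audit_krb5_conf(text))
```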
