On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which Kerberos server the clients talk
> to.
> As a test, I removed /etc/krb5.conf and rebooted the client. After the
> reboot, I can still log in and run "kinit user".
> Removing /etc/krb5.keytab, however, would stop users from logging in and
> sssd from starting.
/etc/krb5.conf configures the Kerberos client library: it tells the
client which realm it should use, whether to use DNS discovery or a
static list of KDCs, and the mapping between DNS domains and realms.
Read `man krb5.conf' for more info.
sssd stores plenty of information about the Kerberos realm in its own
configuration (realm, DNS discovery, etc.), so it can authenticate the
user even without a valid krb5.conf (as you observed).
However, to pull in user info from the authoritative source (IPA LDAP), sssd
authenticates against IPA as the host principal using /etc/krb5.keytab,
which is why it stopped working and refused to start after you removed it.
--
Martin^3 Babinsky
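To make the split Martin describes concrete, here is an added example (not code from the original post, nor from the FreeIPA or SSSD projects) that parses a krb5.conf and an sssd.conf side by side and reports, per sssd domain, which realm and KDC information the Kerberos client library gets from krb5.conf, which information sssd carries on its own, and which keytab sssd relies on for its host-principal bind. Both configuration texts are constructed samples in the usual IPA-client layout; the realm EXAMPLE.COM, the host ipa.example.com and the function names are assumptions for illustration. The krb5.conf parser is a small purpose-written one because krb5.conf is not plain INI (repeated tags and `{ ... }` blocks), whereas sssd.conf is handled by the standard library's configparser.

```python
"""Compare what krb5.conf and sssd.conf each know about the Kerberos realm.
Added example, not part of the original thread; both config texts are constructed."""
import configparser
import re

# Constructed sample /etc/krb5.conf (assumed IPA client layout, not from the post).
KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Constructed sample /etc/sssd/sssd.conf for the same host.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
krb5_realm = EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {tag: [values...]}}.

    A tag may repeat (several 'kdc =' lines) and a value may be a '{ ... }'
    block, so every tag maps to a list whose items are strings or nested dicts.
    '#' comments are stripped; includedir directives are not handled here.
    """
    sections = {}
    stack = []  # dicts currently open; stack[-1] receives new tags
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError("relation before any [section]: %r" % raw)
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % raw)
        tag, value = tag.strip(), value.strip()
        slot = stack[-1].setdefault(tag, [])
        if value == "{":
            block = {}
            slot.append(block)
            stack.append(block)
        else:
            slot.append(value)
    return sections


def kdc_sources(krb5):
    """Return (default_realm, dns_lookup_kdc, static_kdcs) as libkrb5 would see them."""
    libdefaults = krb5.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    dns = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    static = []
    for block in krb5.get("realms", {}).get(realm, []):
        if isinstance(block, dict):
            static.extend(block.get("kdc", []))
    return realm, dns, static


def sssd_kerberos_settings(text):
    """Collect the realm, server list and keytab each sssd domain carries on its own."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    result = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        servers = sec.get("ipa_server") or sec.get("krb5_server") or ""
        result[name[len("domain/"):]] = {
            "realm": sec.get("krb5_realm"),
            "servers": [s.strip() for s in servers.split(",") if s.strip()],
            "keytab": sec.get("krb5_keytab", "/etc/krb5.keytab"),  # sssd's default path
        }
    return result


def explain(krb5_text, sssd_text):
    """Per sssd domain: what libkrb5 learns from krb5.conf, what sssd knows by itself,
    and which keytab sssd needs to bind to IPA as the host principal."""
    realm, dns, static = kdc_sources(parse_krb5_conf(krb5_text))
    report = {}
    for domain, s in sssd_kerberos_settings(sssd_text).items():
        report[domain] = {
            "libkrb5_realm": realm,
            "libkrb5_kdcs": static,
            "libkrb5_dns_discovery": dns,
            "sssd_has_own_realm": s["realm"] is not None,
            "sssd_has_own_servers": bool(s["servers"]),
            "host_keytab": s["keytab"],
        }
    return report


if __name__ == "__main__":
    for domain, info in explain(KRB5_CONF, SSSD_CONF).items():
        print(domain)
        for key, val in info.items():
            print("  %-24s %s" % (key, val))
```

Running it on the two samples shows `sssd_has_own_realm` and `sssd_has_own_servers` both true for `example.com`, which is the reason a missing krb5.conf does not stop sssd, while `host_keytab` points at the file whose removal does: without it sssd cannot obtain the host ticket it uses to read user information from IPA LDAP. Pointing the two constants at real files (`open('/etc/krb5.conf').read()`) gives a quick way to check the same thing on an actual client.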
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project