On 11/08/2016 05:13 PM, Ask Stack wrote:
I thought /etc/krb5.conf controls which Kerberos server the clients talk to.

As a test, I removed /etc/krb5.conf and rebooted the client. After
reboot, I can still log in and "kinit user".
Removing /etc/krb5.keytab, however, would stop the user from logging in and
sssd from starting.

/etc/krb5.conf configures the Kerberos client library: it instructs the client which realm it should use, whether to use DNS discovery or a static list of KDCs, and the mapping between DNS domains and realms.

Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own configuration (realm, DNS discovery etc.), so it can authenticate the user even without a valid krb5.conf (as you observed).

However, to pull in user info from the authoritative source (IPA LDAP), sssd authenticates against IPA as the host principal using /etc/krb5.keytab; that's why it stopped working and refused to start after you removed it.

Martin^3 Babinsky
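As an added illustration of what krb5.conf carries (example code, not from this thread, FreeIPA or sssd): a small parser for the krb5.conf format that reports how a client would pick its realm and locate KDCs. The sample file, realm and host names are constructed placeholders; the [domain_realm] lookup follows the documented order (exact host, then parent domains written with a leading dot) and omits libkrb5's DNS TXT fallback.

```python
# Constructed sample krb5.conf for this example; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    kdc = ipa2.example.test:88
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
  .corp.example.test = CORP.EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Parse krb5.conf (INI sections plus brace blocks); repeated keys become lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):   # new [section]
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == '}':                           # end of a brace block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                        # e.g. "EXAMPLE.TEST = {"
                stack.append(stack[-1].setdefault(key, {}))
            else:                                   # e.g. a second "kdc = ..." line
                stack[-1].setdefault(key, []).append(value)
    return conf

def host_realm(conf, hostname):
    """[domain_realm] lookup: exact host, then parents with a leading dot, else default_realm."""
    mapping, labels = conf.get('domain_realm', {}), hostname.lower().split('.')
    candidates = ['.'.join(labels)] + ['.' + '.'.join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand][0]
    return conf['libdefaults']['default_realm'][0]

def kdc_discovery(conf, realm):
    """('static', kdcs) if [realms] lists KDCs; else 'dns' unless dns_lookup_kdc (default true) is off."""
    if kdcs := conf.get('realms', {}).get(realm, {}).get('kdc', []):
        return 'static', kdcs
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[0].lower()
    return ('dns', []) if flag in ('true', 'yes', '1') else ('none', [])
```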

