Thanks Martin, and I always forget I can man a conf file.  

On Tuesday, November 8, 2016 12:09 PM, Martin Babinsky <mbabi...@redhat.com> wrote:

 On 11/08/2016 05:13 PM, Ask Stack wrote:
> I thought /etc/krb5.conf controls which kerberos server the clients talk
> to.
>
> As a test, I removed /etc/krb5.conf and rebooted the client. After
> reboot, I can still log in and "kinit user".
> Removing /etc/krb5.keytab, however, would stop users from logging in and
> sssd from starting.
>

/etc/krb5.conf configures the Kerberos client library: it instructs the 
client about which realm it should use, whether to use DNS discovery or 
a static list of KDCs, and the mapping between DNS domains and realms.

Read `man krb5.conf' for more info.

sssd stores plenty of information about the Kerberos realm in its own 
configuration (realm, DNS discovery etc.), so it can authenticate the 
user even without a valid krb5.conf (as you observed).

However, to pull in user info from the authoritative source (IPA LDAP), sssd 
authenticates against IPA as the host principal using /etc/krb5.keytab; 
that's why it stopped working and refused to start after you removed it.

-- 
Martin^3 Babinsky
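As an added example (not code from the thread or from FreeIPA), a small Python parser for the three krb5.conf settings Martin lists: the default realm, whether KDCs come from a static list or DNS SRV discovery, and the domain-to-realm mapping. The file contents, realm and hostnames are constructed; the precedence rule (a listed kdc wins, DNS only as fallback, dns_lookup_kdc defaulting to true) follows the MIT krb5.conf documentation.

```python
# Constructed sample krb5.conf (assumed, not from the thread).
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = false

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    admin_server = ipa.example.test:749
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'REALM = { ... }' blocks become nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif section is None:
            continue  # keys outside any section are ignored
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(value)
    return sections

def kdc_discovery(cfg):
    """How the client library locates KDCs for default_realm: static list, DNS SRV, or nothing."""
    libdefaults = cfg.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    # MIT default for dns_lookup_kdc is true; DNS is consulted only when no kdc is listed.
    use_dns = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    static = cfg.get("realms", {}).get(realm, {}).get("kdc", [])
    mode = "static" if static else ("dns" if use_dns else "none")
    return {"realm": realm, "mode": mode, "kdcs": static,
            "domain_realm": {d: r[0] for d, r in cfg.get("domain_realm", {}).items()}}
```

Running `kdc_discovery(parse_krb5_conf(open("/etc/krb5.conf").read()))` on a client shows at a glance why removing the file only matters to programs that use the Kerberos library directly, while sssd keeps its own copy of the same facts.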

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project