On Thu, Dec 22, 2016 at 03:18:28PM -0800, Henry B (Hank) Hotz, CISSP wrote:
> > On Dec 22, 2016, at 8:53 AM, Jeffrey Hutzelman <jh...@cmu.edu> wrote:
> [. . .]
> > kadmin -l is not a kdc and probably does not read kdc.conf.  I've not 
> > looked at the current code to see how much of this was resolved, but we 
> > used to have to patch a bunch of places to get kadmin -l and a bunch of the 
> > servers to read kdc.conf.
> > 
> > — Jeff
> +1  I recall the issue. Consistency would be nice.

Can we also not just also deprecate kdc.conf?

BTW, this code is in kadmin and kadmind:

184     if (config_file == NULL) {
185         aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
186         if (aret == -1)
187             errx(1, "out of memory");
188     }
190     ret = krb5_prepend_config_files_default(config_file, &files);

So if you don't give kadmin -l a -c (--config-file) option, then it will
try reading kdc.conf from the directory listed in the default krb5.conf
in [hdb] db_dir.

Similar -the same, really- code is in kdc, kpasswdd, iprop-log,
ipropd-master, and ipropd-slave.

So, in /etc/krb5.conf you should have this:

    db-dir = /var/heimdal

(or wherever you put your HDB)

and in there you should have a kdc.conf or a symlink to it.

It should just work, though, admittedly, we don't have a test for this.


Reply via email to