On Thu, Dec 22, 2016 at 03:18:28PM -0800, Henry B (Hank) Hotz, CISSP wrote:
> > On Dec 22, 2016, at 8:53 AM, Jeffrey Hutzelman <jh...@cmu.edu> wrote:
> [. . .]
> >
> > kadmin -l is not a kdc and probably does not read kdc.conf. I've not
> > looked at the current code to see how much of this was resolved, but we
> > used to have to patch a bunch of places to get kadmin -l and a bunch of the
> > servers to read kdc.conf.
> >
> > — Jeff
>
> +1 I recall the issue. Consistency would be nice.
Can we not just also deprecate kdc.conf?

BTW, this code is in kadmin and kadmind:

    if (config_file == NULL) {
        aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
        if (aret == -1)
            errx(1, "out of memory");
    }

    ret = krb5_prepend_config_files_default(config_file, &files);

So if you don't give kadmin -l a -c (--config-file) option, then it will
try reading kdc.conf from the directory listed in the default krb5.conf
in [hdb] db_dir.

Similar -the same, really- code is in kdc, kpasswdd, iprop-log,
ipropd-master, and ipropd-slave.

So, in /etc/krb5.conf you should have this:

    [hdb]
        db-dir = /var/heimdal

(or wherever you put your HDB) and in there you should have a kdc.conf or
a symlink to it.

It should just work, though, admittedly, we don't have a test for this.

Nico
--
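A preflight check for the lookup Nico describes, added here as an example; it is not Heimdal's code and was not part of the thread. It reproduces in shell what the C snippet does, forming "%s/kdc.conf" under the [hdb] db-dir of a given krb5.conf, and reports whether that file is actually readable, which is the check the message says no test covers. Assumptions: the key is spelled db-dir or db_dir on a single line of a simple sectioned config, and the function names hdb_db_dir and kdc_conf_path are this example's own, not Heimdal API names. The demo at the bottom builds a throwaway krb5.conf and HDB directory so it runs offline.

```shell
#!/bin/sh
# Added example, not Heimdal code: mimic kadmin -l's kdc.conf resolution
# so an operator can verify the file will be found before relying on it.

# Print the db-dir (or db_dir) value from the [hdb] section of the
# krb5.conf given as $1; print nothing if the section or key is absent.
hdb_db_dir() {
    awk '
        /^[ \t]*\[/ { in_hdb = ($0 ~ /^[ \t]*\[hdb\][ \t]*$/); next }
        in_hdb && /^[ \t]*db[-_]dir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "db-dir ="
            sub(/[ \t]*$/, "")         # drop trailing whitespace
            print
            exit
        }
    ' "$1"
}

# Resolve "<db-dir>/kdc.conf" exactly as the asprintf in kadmin does.
# Prints the path and returns 0 if readable; explains and returns 1 otherwise.
kdc_conf_path() {
    dir=$(hdb_db_dir "$1")
    if [ -z "$dir" ]; then
        echo "no [hdb] db-dir in $1; kadmin -l has no directory to look in" >&2
        return 1
    fi
    path="$dir/kdc.conf"
    if [ -r "$path" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    echo "$path is missing or unreadable; create it or symlink it there" >&2
    return 1
}

# Constructed demo: a temporary krb5.conf whose db-dir points at a
# temporary HDB directory, checked before and after kdc.conf exists.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/hdb"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\n[hdb]\n\tdb-dir = %s/hdb\n' \
        "$tmp" > "$tmp/krb5.conf"
    echo "before creating kdc.conf:"
    kdc_conf_path "$tmp/krb5.conf" || true
    : > "$tmp/hdb/kdc.conf"
    echo "after creating kdc.conf:"
    kdc_conf_path "$tmp/krb5.conf" || true
    rm -rf "$tmp"
}

demo
```

Run it against a real deployment with `kdc_conf_path /etc/krb5.conf` after sourcing the file; a non-zero exit means kadmin -l, kdc, kpasswdd and the iprop tools will not pick up kdc.conf from the HDB directory without an explicit -c.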