On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
> 
> Right, the point is not that you can't override with /etc/krb5.conf, the
> point is that /etc/hosts normally overrides everything without having to
> hunt down software-specific configuration files.

But in this case /etc/hosts clearly *can't* "override everything".  It
cannot override the SRV records that are used to find the KDC via DNS,
because there is no syntax to express a SRV record in /etc/hosts; and
because of that, it is *a priori impossible* to know what hostname
you would have to "override" in /etc/hosts (were that supported) to
redirect Kerberos queries for a given realm to a particular IP address.

You can't even know whether DNS is used to look up the KDC or not without
looking at krb5.conf.

Despite the expectation, which seems reasonable at first glance, that
/etc/hosts could correctly be used to override a KDC in this way, in
fact it works only in a few special cases - the ones where DNS is
in use to find the KDC via SRV record *and* you can be 100% certain
that SRV record won't change.  Not so useful.

Rather than relying on this, if you want to hardcode your KDC address,
far better to turn off DNS lookup of the KDC, use krb5.conf, and be
entirely manual and predictable, instead of half-manual, half-predictable,
and half...donkeyed.

Thor
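As an added example that is not part of Thor's message or the thread, the two krb5.conf arrangements being contrasted, shown as two alternative /etc/krb5.conf files in one block; the realm EXAMPLE.COM, the host names and the 192.0.2.10 address are constructed placeholders.

```ini
# ===== Variant A: half-manual. The KDC host is discovered through the
# _kerberos._udp.EXAMPLE.COM SRV record. /etc/hosts can only affect the
# A/AAAA step for whatever target that SRV record happens to name, and
# nothing in this file tells you what that target is.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # no kdc line: the KDC comes from DNS SRV, so it can change
        # underneath any /etc/hosts entry without warning
        admin_server = kdc1.example.com
    }

# ===== Variant B: fully manual. SRV lookup is disabled and the KDC is
# pinned here, so there is nothing left for DNS or /etc/hosts to decide.
[libdefaults]
    default_realm = EXAMPLE.COM
    # never consult SRV records to locate the KDC
    dns_lookup_kdc = false
    # also do not map host names to realms via DNS TXT records
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        # literal address and port: no name resolution at all
        kdc = 192.0.2.10:88
        admin_server = kdc1.example.com
    }

[domain_realm]
    # explicit host-to-realm mapping, replacing the DNS TXT lookup
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Only one of the two variants belongs in a real /etc/krb5.conf; with `dns_lookup_kdc = false`, a missing `kdc` line for a realm simply makes that realm unreachable, which is the predictable failure the message argues for.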
