In modern implementations, no; in fact, you shouldn't. Instead, you should use the DNS for all of these settings and at most use the default realm and possibly the domain-to-realm matching section. In most implementations of Kerberos the ability to set this locally is deprecated or not available at all any more. Even in MIT's implementation it is slated to go away in a few versions, so it is generally considered a bad idea to use it. Also, the testers of the client libraries are mostly testing around DNS, so you may run into issues if you use that section of the configuration.

Original Message
From: [email protected]
Sent: May 10, 2018 10:41 AM
To: [email protected]
Subject: Does KDC service need the [realms] section in its configuration file?

On a Heimdal KDC server for the stanford.edu domain we start the KDC service using the --config-file option and point to the file /etc/heimdal-kdc/kdc.conf. This file is different than /etc/krb5.conf, for example, it contains some different log settings.

In the file /etc/heimdal-kdc/kdc.conf we have this section:

    [realms]
        stanford.edu = {
            kdc = kdc-master-dev.stanford.edu
            master_kdc = kdc-master-dev.stanford.edu
            admin_server = kdc-master-dev.stanford.edu
            kpasswd_server = kdc-master-dev.stanford.edu
            default_domain = stanford.edu
            kadmind_port = 749
        }

Since the KDC service's realm is stanford.edu, is the KDC even using those settings? If so, how?

Adam Lewenberg
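
The reply at the top of this thread recommends publishing these settings in DNS rather than in a [realms] block. The sketch below is an added example, not part of the thread and not Heimdal or MIT code: it parses the quoted [realms] section and prints the SRV records that would carry the same host information. The function names, the TTL of 3600 and the priority/weight of 0 0 are assumptions; the SRV owner names and default ports (88, 749, 464) are the conventional ones.

```python
import re

# Constructed sample: the [realms] block quoted in the original message.
SAMPLE = """\
[realms]
    stanford.edu = {
        kdc = kdc-master-dev.stanford.edu
        master_kdc = kdc-master-dev.stanford.edu
        admin_server = kdc-master-dev.stanford.edu
        kpasswd_server = kdc-master-dev.stanford.edu
        default_domain = stanford.edu
        kadmind_port = 749
    }
"""

# krb5.conf key -> (SRV owner prefix, default port). Keys with no SRV form
# (default_domain, kadmind_port) are skipped by this sketch.
SRV_MAP = {
    "kdc": [("_kerberos._udp", 88), ("_kerberos._tcp", 88)],
    "master_kdc": [("_kerberos-master._udp", 88)],
    "admin_server": [("_kerberos-adm._tcp", 749)],
    "kpasswd_server": [("_kpasswd._udp", 464)],
}

def parse_realms(text):
    """Return {realm: [(key, value), ...]} for the [realms] section only."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
        elif section != "realms" or not line:
            continue
        elif line == "}":
            realm = None
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms.setdefault(realm, []).append((key, value))
    return realms

def srv_records(realms, ttl=3600):
    out = []
    for realm, pairs in realms.items():
        for key, value in pairs:
            host, _, port = value.partition(":")  # "host:port" overrides the default
            for owner, default_port in SRV_MAP.get(key, []):
                out.append(f"{owner}.{realm}. {ttl} IN SRV 0 0 {port or default_port} {host}.")
    return out
```

Running `print("\n".join(srv_records(parse_realms(SAMPLE))))` prints five zone-file lines for the sample, which can be compared against what `dig SRV _kerberos._udp.<realm>` actually returns before a [realms] block is removed from client configuration.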
