Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-02 Thread Sumit Bose
On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jun 2016, Geordie Grindle wrote:
> > Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another 
> > file used to configure kerberos?
> > 
> > I’ve built a host using Foreman and our puppet configuration usually
> > pushes a krb5.conf file. However, if I delete it, everything still
> > works fine.
> > 
> > What if any function does /etc/krb5.conf have now?
> libkrb5 has some default options compiled in. If your environment is
> fine with these defaults, that's OK. However, it does not mean defaults
> are always OK for everyone.

SSSD uses libkrb5 and hence uses the library defaults and values from
/etc/krb5.conf. Nevertheless SSSD will override some of those values
with either data from its own configuration file or with data discovered
at run-time, e.g. via DNS or by evaluating some LDAP attributes. With
this we try to make sure that SSSD is able to work even if
/etc/krb5.conf is broken or is missing some options.

But this only holds for SSSD; all other users of libkrb5 like e.g.
kinit, ldapsearch, sshd ... still rely on the data in krb5.conf. As
Alexander noted below, SSSD tries to make the auto-discovered data
available to those applications but still they need to parse
/etc/krb5.conf first.

HTH

bye,
Sumit

> 
> In particular, when you have integration with Active Directory, SSSD
> generates a number of config snippets which get included via an include
> statement in /etc/krb5.conf. These snippets define Kerberos-level
> relationship between realms, load mapping plugins for AD Kerberos
> principals and so on. This might not be important to you on the older
> systems (you are using RHEL 6 where libkrb5 doesn't have some of the
> interfaces SSSD is utilizing) but it is very important on RHEL 7, for
> example.
> 
> Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
> where libkrb5 looks for default credentials cache (ccache) to utilize
> kernel keyring storage to enhance security.
> 
> But if your setup is very simple topology wise, libkrb5 defaults are
> just fine.
> -- 
> / Alexander Bokovoy
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Alexander Bokovoy

On Wed, 01 Jun 2016, Geordie Grindle wrote:

> Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
> file used to configure kerberos?
>
> I’ve built a host using Foreman and our puppet configuration usually
> pushes a krb5.conf file. However, if I delete it, everything still
> works fine.
>
> What if any function does /etc/krb5.conf have now?

libkrb5 has some default options compiled in. If your environment is
fine with these defaults, that's OK. However, it does not mean defaults
are always OK for everyone.

In particular, when you have integration with Active Directory, SSSD
generates a number of config snippets which get included via an include
statement in /etc/krb5.conf. These snippets define Kerberos-level
relationship between realms, load mapping plugins for AD Kerberos
principals and so on. This might not be important to you on the older
systems (you are using RHEL 6 where libkrb5 doesn't have some of the
interfaces SSSD is utilizing) but it is very important on RHEL 7, for
example.

Also, on RHEL 7 and in Fedora we use /etc/krb5.conf to redefine a place
where libkrb5 looks for default credentials cache (ccache) to utilize
kernel keyring storage to enhance security.

But if your setup is very simple topology wise, libkrb5 defaults are
just fine.
--
/ Alexander Bokovoy


Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Matrix
Hi, Geordie

I think it should be optional. Here is one of my IPA client's krb5.conf:

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.NET = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .dev.example.net = EXAMPLE.NET
  dev.example.net = EXAMPLE.NET

Matrix


-- Original --
From:  "Geordie Grindle";<geordie.grin...@gmail.com>;
Date:  Thu, Jun 2, 2016 03:57 AM
To:  "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  [Freeipa-users] Is the krb5.conf no longer used?



Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another
file used to configure kerberos?

I’ve built a host using Foreman and our puppet configuration usually pushes a
krb5.conf file. However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?



[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example@dev.example.com

[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > 
ipa_server.dev.example.com.kerberos:  v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > 
ipa_server.dev.example.com.kerberos:  v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.52896:  v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel



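
A small audit script for the two points Alexander raises (the SSSD includedir and the KEYRING default ccache), run against a file shaped like the one Matrix posted. This is an added example, not code from the thread or from FreeIPA/SSSD; the two sample configs it writes are constructed, and the paths and key names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a krb5.conf for the two settings the
# replies above say matter even though SSSD keeps working without the file.
# Paths and key names are the ones quoted in the thread (FreeIPA/SSSD on RHEL 7).
SSSD_INCLUDE_DIR="/var/lib/sss/pubconf/krb5.include.d/"

# 0 if FILE has an includedir pointing at SSSD's snippet directory (trailing slash optional).
has_sssd_includedir() {
    grep -Eq "^[[:space:]]*includedir[[:space:]]+${SSSD_INCLUDE_DIR}?[[:space:]]*$" "$1"
}

# Print the value of KEY inside [SECTION] of FILE; accepts "key = value" and "key=value".
conf_value() {  # conf_value FILE SECTION KEY
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/].*$/, "", cur); next }
        cur == sect {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, n + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# 0 if the default ccache lives in the kernel keyring, as described for RHEL 7 above.
uses_keyring_ccache() {
    case "$(conf_value "$1" libdefaults default_ccache_name)" in
        KEYRING:*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 when both settings are present, 1 otherwise; every gap is reported on stdout.
audit_krb5_conf() {
    [ -r "$1" ] || { echo "$1: missing; only SSSD will keep working from discovered data"; return 1; }
    rc=0
    has_sssd_includedir "$1" || { echo "$1: no includedir for $SSSD_INCLUDE_DIR"; rc=1; }
    uses_keyring_ccache "$1"  || { echo "$1: default_ccache_name is not a KEYRING: cache"; rc=1; }
    return $rc
}

# Constructed samples: good.conf mirrors the ipa-client-install file posted above, bad.conf is a hand-written one.
TMPD=$(mktemp -d); GOOD_CONF="$TMPD/good.conf"; BAD_CONF="$TMPD/bad.conf"
printf '%s\n' 'includedir /var/lib/sss/pubconf/krb5.include.d/' '' '[libdefaults]' \
    '  default_realm = EXAMPLE.NET' '  default_ccache_name = KEYRING:persistent:%{uid}' > "$GOOD_CONF"
printf '%s\n' '[libdefaults]' '  default_realm=EXAMPLE.NET' \
    '  default_ccache_name = FILE:/tmp/krb5cc_%{uid}' > "$BAD_CONF"
for f in "$GOOD_CONF" "$BAD_CONF"; do
    audit_krb5_conf "$f" && echo "$f: ok" || echo "$f: needs attention"
done
```

Point `audit_krb5_conf` at /etc/krb5.conf on a real client to see which of the two settings a hand-pushed file is missing.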

[Freeipa-users] Is the krb5.conf no longer used?

2016-06-01 Thread Geordie Grindle
Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another 
file used to configure kerberos? 

I’ve built a host using Foreman and our puppet configuration usually pushes a 
krb5.conf file. However, if I delete it, everything still works fine.

What if any function does /etc/krb5.conf have now?



[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example@dev.example.com

[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > 
ipa_server.dev.example.com.kerberos:  v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > 
ipa_server.dev.example.com.kerberos:  v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > 
ipa_client.test.dev.example.com.52896:  v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel


