domain_realm, hostname to realm mapping, what programs/services is this

    From Christian, Mark@21:1/5 to All on Thu Dec 9 06:53:55 2021
    I primarily use Kerberos with ssh gssapi-with-mic authentications, samba, and apache. I don't believe I need to populate the [domain_realm] section with hostname/domainname mappings to realms, even though the domainname for the hosts differs from the
    Kerberos realm; these Kerberized services still work. Or am I mistaken? default_realm is defined under [libdefaults], and dns_lookup_realm and dns_lookup_kdc are set to false. The krb5.conf man page mentions that this mapping is necessary for some
    programs or services. I'm wondering which services require this mapping?

    Mark

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)

    From Todd Heron@21:1/5 to Mark on Thu Dec 9 06:10:53 2021
    On Thursday, December 9, 2021 at 1:54:26 AM UTC-5, Christian, Mark wrote:
    > I primarily use Kerberos with ssh gssapi-with-mic authentications, samba, and apache. I don't believe I need to populate the [domain_realm] section with hostname/domainname mappings to realms, even though the domainname for the hosts differs from the
    > Kerberos realm; these Kerberized services still work. Or am I mistaken? default_realm is defined under [libdefaults], and dns_lookup_realm and dns_lookup_kdc are set to false. The krb5.conf man page mentions that this mapping is necessary for some
    > programs or services. I'm wondering which services require this mapping?
    >
    > Mark

    There are many reasons the [domain_realm] section exists. One overlooked reason is Kerberos understands lower-case only. Some environments might have the realm in upper case (some Microsoft Active Directory environments, for instance). Thus this section
    allows your local Kerberos client to find those upper-case realms. Kerberos requires DNS, so even though your dns_lookup_realm and dns_lookup_kdc are set to false, and [domain_realm] might be blank, DNS will still be used; it just means your local
    Kerberos client is not going to rely on what is defined in krb5.conf, rather it will use the operating system's configured DNS servers. As far as the language on the krb5.conf man page mentioning that the mapping is necessary for some programs or
    services, I don't know.

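As an added illustration (not part of either post), a small Python model of the client-side lookup this thread is about: how the host name of a service becomes the REALM in host/<name>@REALM. The search order modelled (exact hostname entry, nearest enclosing ".domain" entry, then default_realm) follows the MIT krb5 documentation for [domain_realm]; the DNS TXT realm lookup is left out because dns_lookup_realm is false in Mark's setup, and the krb5.conf fragment and host names below are constructed for the example.

```python
"""Model of how a Kerberos client maps a service host name to a realm."""

# Constructed krb5.conf fragment for this example (not from the thread).
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_realm = false

[domain_realm]
    # hosts under corp.example.com belong to an AD realm
    .corp.example.com = AD.EXAMPLE.COM
    # one host in that domain is served by a different realm
    legacy.corp.example.com = LEGACY.EXAMPLE.ORG
"""


def load_krb5_conf(text):
    """Minimal parser: returns (default_realm, {tag: realm}) from the two
    sections that matter here. Tags are lower-cased, as krb5 compares them."""
    section, default_realm, mapping = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        tag, _, value = line.partition("=")
        tag, value = tag.strip().lower(), value.strip()
        if section == "libdefaults" and tag == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            mapping[tag] = value
    return default_realm, mapping


def host_realm(hostname, default_realm, mapping):
    """Realm a client would use for host/<hostname>@REALM.

    1. exact hostname entry; 2. nearest enclosing '.domain' entry;
    3. default_realm. This is why Mark's services work without any
    mapping: every host silently falls through to default_realm."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # .corp.example.com, .example.com, .com
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm
```

A mapping only changes the outcome for hosts whose domain does not belong to default_realm, such as a host in an Active Directory domain trusted by cross-realm; a host that falls through to the wrong realm shows up as a ticket request for a principal the KDC has never heard of.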