2

I'm working on a project for a standardized Linux image for our organization. This image will be domain joined, and I've written a script to fire on boot that will guide the IST person doing the Linux machine setup through the join.

Pretty much every guide I have seen states that you must edit krb5.conf to reflect your AD domain's structure. However, there's not much information as to why this is necessary, and I've found that I am able to perform domain joins via net ads (instead of net rpc) without altering krb5.conf at all, in both Ubuntu 12.04/14.04 and CentOS 6.5. This has been true in both Samba 3 and Samba 4; our AD backend I believe is now entirely Server 2k8 and has been since before I started this project.

Further, I'm able to set pam_winbind with the krb5auth option, and it properly creates the kerberos ticket in /tmp; wbinfo -K also works fine and creates a Kerberos ticket. So, my question really is - what does krb5.conf do that I'm missing? What impact will there be if it's not configured? Is it just going to be that programs using Kerberos to authenticate will not be able to do so, or is there some other subtler point that I'm not aware of (such as winbind falling back to an insecure RPC based auth method if krb5.conf is not correct?)

Improve this question

1 Answer 1

Reset to default
0

As far as I am aware, you do not need krb5.conf at all unless you want to use the krb5-user command-line utilities. It is not necessary for a working server to be domain-joined from a windows client or to use Samba to access shares, etc. You don't even need to install krb5-user for a working Samba system.

Improve this answer
2
  • That's what I was thinking and was what my usage experiences were pointing me to. It seems that the instructions that require krb5.conf setup and installation of kerberos are...well, not wrong, just performing unnecessary work. I'll sit on this for a day or two in case someone else comes along and can back a different opinion, but I think you're right. Commented Sep 19, 2014 at 17:21
  • I think you only really need krb-user if you want to perform kinit from your command-line, perhaps to get a ticket for some other admin task or to perform a klist as the myriad online tutorials do (but that is an optional activity despite, as you've experienced, it being implied as being necessary). Commented Sep 19, 2014 at 18:16

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.