When testing the PKINIT stuff I hit a stupid issue - due to a typo in
the realm name in kdc.conf users were not getting the +requires_preauth
attribute when being created. I quickly figured out what was happening
but it got me thinking about kdc.conf in general.
Currently the default kdc.conf contains the following:

    [kdcdefaults]
        kdc_ports = 88,750

    [realms]
        ___default_realm___ = {
            profile = /etc/krb5/krb5.conf
            database_name = /var/krb5/principal
            admin_keytab = /etc/krb5/kadm5.keytab
            acl_file = /etc/krb5/kadm5.acl
            kadmind_port = 749
            max_life = 8h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
        }

The admin is expected to replace "___default_realm___" with the correct
realm or add additional realm stanzas for the configured realms.
The first thing to note is that the code defaults for "kdc_ports",
"profile", "database_name", "admin_keytab", "acl_file" and
"kadmind_port" are the same as the values specified here.
i.e. the above config file snippet is equivalent to:

    [kdcdefaults]

    [realms]
        ___default_realm___ = {
            max_life = 8h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            default_principal_flags = +preauth
        }

We could easily ship a simplified kdc.conf containing the above.
The question then arises why are the settings for "max_life",
"max_renewable_life" and "default_principal_flags" different to the code
defaults?
It seems to me to be particularly strange that "+preauth" isn't the
code default. A Kerberos admin may not even notice that new users aren't
getting "+preauth" due to a misconfiguration.
Is there any reason not to change the code defaults to the above?
i.e.

                               current    proposed
    max_life                   24h        8h
    max_renewable_life         1year      1month
    default_principal_flags               +preauth

If we do these changes we can scrap kdc.conf in its entirety. We can
then encourage admins to stick to a single config-file - krb5.conf.
Perhaps we can add a commented-out realm stanza in krb5.conf so that
it's clear to admins that they can do realm configuration there.
Thoughts?
-M
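
An added example, not part of the original message: a small lint for the failure described above, where the realm stanza name in kdc.conf does not match the realm in use and default_principal_flags silently never applies. The file contents, realm names and the helper names parse_profile and audit are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the post); the kdc.conf realm name is misspelled.
KRB5_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
KDC_CONF_TYPO = """[realms]
    EXAMPEL.COM = {
        max_life = 8h 0m 0s
        default_principal_flags = +preauth
    }
"""

def parse_profile(text):
    """Minimal krb5 profile parser: [section], key = value, name = { ... }."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            stanza = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza[key] = value
            else:
                section[key] = value
    return sections

def audit(krb5_conf, kdc_conf):
    """List the ways new principals in the default realm could miss +preauth."""
    default_realm = parse_profile(krb5_conf).get("libdefaults", {}).get("default_realm")
    realms = parse_profile(kdc_conf).get("realms", {})
    findings = []
    if default_realm not in realms:
        findings.append(f"no kdc.conf stanza for default_realm {default_realm!r}; "
                        f"found {sorted(realms)}")
    for name, settings in realms.items():
        # Flag spelling follows the kdc.conf shown in the post ("+preauth").
        if "+preauth" not in re.split(r"[,\s]+", settings.get("default_principal_flags", "")):
            findings.append(f"realm {name}: default_principal_flags lacks +preauth")
    return findings

if __name__ == "__main__":
    for finding in audit(KRB5_CONF, KDC_CONF_TYPO):
        print(finding)
```

Running the same check against an untouched default file reports the leftover "___default_realm___" placeholder as the only stanza found.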