On Thu, Dec 22, 2016 at 03:18:28PM -0800, Henry B (Hank) Hotz, CISSP wrote:
> > On Dec 22, 2016, at 8:53 AM, Jeffrey Hutzelman wrote:
> [. . .]
>
> > kadmin -l is not a kdc and probably does not read kdc.conf. I've not
> > looked at the current code to see how much of this was resolved, but we
> > used to have to patch a bunch of places to get kadmin -l and a bunch of the
> > servers to read kdc.conf.
> >
> > — Jeff
>
> +1 I recall the issue. Consistency would be nice.
Can we also not just deprecate kdc.conf?
BTW, this code is in kadmin and kadmind:
    /* no -c/--config-file given: fall back to <db-dir>/kdc.conf */
    if (config_file == NULL) {
        aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
        if (aret == -1)
            errx(1, "out of memory");
    }

    ret = krb5_prepend_config_files_default(config_file, &files);
So if you don't give kadmin -l a -c (--config-file) option, then it will
try reading kdc.conf from the directory listed in the default krb5.conf
in [hdb] db_dir.
Similar (the same, really) code is in kdc, kpasswdd, iprop-log,
ipropd-master, and ipropd-slave.
So, in /etc/krb5.conf you should have this:
[hdb]
db-dir = /var/heimdal
(or wherever you put your HDB)
and in there you should have a kdc.conf or a symlink to it.
It should just work, though, admittedly, we don't have a test for this.
Nico
--
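One way to script the check the message above says is missing, written here as an added example and not Heimdal code: read the [hdb] db-dir from a krb5.conf and confirm that kdc.conf (or a symlink to it) is readable there, which is the lookup kadmin -l, kdc, kpasswdd and the iprop tools perform when no -c is given. The function names and the scratch-directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Added configuration check, not Heimdal's own code. It confirms that the
# [hdb] db-dir in a krb5.conf names a directory holding kdc.conf, which is
# where kadmin -l, kdc, kpasswdd and the iprop tools look when -c is not given.

# Print the value of "db-dir" from the [hdb] section of the krb5.conf given
# as $1; print nothing when the key or the section is absent. A db-dir key
# under any other section is ignored, as it would be by hdb_db_dir().
hdb_db_dir() {
    awk '
        /^[ \t]*\[/ { in_hdb = ($0 ~ /^[ \t]*\[hdb\][ \t]*$/); next }
        in_hdb && /^[ \t]*db-dir[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# Exit status: 0 when <db-dir>/kdc.conf is readable, 1 when db-dir is not
# set in [hdb], 2 when the directory has no readable kdc.conf.
check_kdc_conf() {
    dir=$(hdb_db_dir "$1")
    [ -n "$dir" ] || return 1
    [ -r "$dir/kdc.conf" ] || return 2
    return 0
}

# Demo on constructed files in a scratch directory (assumed layout, not a real host).
demo_dir=$(mktemp -d)
printf '[hdb]\n\tdb-dir = %s\n' "$demo_dir" > "$demo_dir/krb5.conf"
if check_kdc_conf "$demo_dir/krb5.conf"; then
    echo "kdc.conf found"
else
    status=$?
    echo "kdc.conf not found under db-dir (status $status)"
fi
: > "$demo_dir/kdc.conf"
if check_kdc_conf "$demo_dir/krb5.conf"; then
    echo "kdc.conf found after creating it"
fi
rm -rf "$demo_dir"
```

Run it against the real /etc/krb5.conf on a KDC or admin host by calling check_kdc_conf with that path; a status of 1 means [hdb] db-dir is missing from krb5.conf, and 2 means the directory it names has no kdc.conf.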