Re: theory behind unique SPNs

2015-04-24 Thread Ben H
Greg - So from a privilege separation perspective, are we talking more from a hardening perspective? E.g. if I can compromise serviceA that would give me the key to serviceB? While that is a valid concern - if we were to guarantee (theoretically) that serviceA couldn't be breached (or there was

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
Interesting, yeah I think you self-resolved with what you did with KRB5REALM. On Fri, Apr 24, 2015 at 4:13 PM, Ben H bhen...@gmail.com wrote: Not exactly, though the answer to that use case might be the same. My use case is that my system was (is) a client of REALMA.COM. Now, I want to run a

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Ben H
So it sounds like you're still saying that the contents of my krb5.conf file will be read by krb5kdc and there is a good chance that something specified in my krb5.conf (for my client implementation) may override or merge with my server config and *possibly* disrupt my KDC? This is probably unlikely

Re: theory behind unique SPNs

2015-04-24 Thread Simo Sorce
On Fri, 2015-04-24 at 16:46 -0400, Greg Hudson wrote: On 04/24/2015 03:37 PM, Ben H wrote: Why not simply use host/serverA.domain.com for both services? At a protocol level, it's to support privilege separation on the server. The CIFS server doesn't need access to the LDAP server key and

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
I'm trying to follow the client need for default_realm vs having additional kerberos REALM entries present in your [realms] section of your krb5.conf. If there was no default_realm defined, what does the client do (see default_realm at

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Greg Hudson
On 04/24/2015 03:44 PM, Ben H wrote: From a client perspective, if I want to switch to using a different krb5.conf file, I just use: export KRB5_CONFIG=/etc/alternate-krb5.conf But the server will always try to use /etc/krb5.conf The expected behavior is: * Every process uses

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Tim Mooney
In regard to: Re: specifying an alternate realm/krb5.conf configuration for...: 2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc #2 is working for me, and is maybe the correct answer to this question. For RHEL-derived systems, that is the appropriate way to do what you're trying to do.

theory behind unique SPNs

2015-04-24 Thread Ben H
I've worked with Kerberos implementations for a while, but almost exclusively with AD in the KDC role (though MIT clients as well). This may sound like a beginner question because of my lack of experience with pure Kerberos. When accessing services we require a service ticket for each principal,

Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
Are you trying to run multiple realms (and db's) on the same KDC? On Fri, Apr 24, 2015 at 2:59 PM, Ben H bhen...@gmail.com wrote: Sorry, I did mean kdc.conf - and on my implementation it is in /var/kerberos/krb5kdc. I do understand: kdc.conf = server config krb5.conf = client config But

Re: theory behind unique SPNs

2015-04-24 Thread Nico Williams
On Fri, Apr 24, 2015 at 04:46:55PM -0400, Greg Hudson wrote: On 04/24/2015 03:37 PM, Ben H wrote: Why not simply use host/serverA.domain.com for both services? At a protocol level, it's to support privilege separation on the server. The CIFS server doesn't need access to the LDAP server
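The privilege-separation argument made by Greg, Simo and Nico above (the CIFS server should never hold the LDAP server's key) is easiest to verify on a host by looking at what each daemon's keytab actually contains. The following is an added example, not code from MIT Kerberos or from anyone in this thread: it writes and parses the MIT keytab v2 byte layout in pure Python and flags any principal in a service's keytab whose service name differs from the one the daemon is supposed to use. The realm, hostname and key bytes are constructed placeholders; enctype 18 is aes256-cts-hmac-sha1-96.

```python
"""Check that a per-service keytab holds only that service's keys.

Added example (not from the thread or from MIT krb5). Keytab bytes are
constructed in memory with placeholder keys; EXAMPLE.COM and
serverA.example.com are assumptions.
"""
import struct

KEYTAB_VERSION = 0x0502           # MIT keytab file format v2, big-endian
AES256_CTS_HMAC_SHA1_96 = 18      # enctype number (RFC 3962)


def build_entry(realm, components, enctype, key, kvno, name_type=1):
    """Encode one v2 keytab entry, size-prefixed, with the 32-bit kvno tail."""
    body = struct.pack(">H", len(components))            # v2: realm is not counted
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                        # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(entries)


def parse_keytab(data):
    """Return one dict per live entry: principal, components, realm, kvno, enctype, key."""
    (version,) = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno present; MIT prefers it when nonzero
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "components": comps,
                        "realm": realm, "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def principals(data):
    return [e["principal"] for e in parse_keytab(data)]


def foreign_principals(data, service):
    """Principals whose service name (first component) is not `service`.

    Anything listed here is a key the daemon reading this keytab does not need;
    compromising that daemon would hand the attacker another service's identity.
    """
    return sorted({e["principal"] for e in parse_keytab(data)
                   if e["components"][0] != service})


REALM = "EXAMPLE.COM"                  # assumption
HOST = "serverA.example.com"           # assumption
FAKE_KEY = bytes(range(32))            # placeholder, not a real key

# Separate keytab for the CIFS daemon: only its own principal.
CIFS_KEYTAB = build_keytab([
    build_entry(REALM, ["cifs", HOST], AES256_CTS_HMAC_SHA1_96, FAKE_KEY, 3),
])

# One keytab shared by every service on the host: the layout the thread argues against.
SHARED_KEYTAB = build_keytab([
    build_entry(REALM, ["host", HOST], AES256_CTS_HMAC_SHA1_96, FAKE_KEY, 2),
    build_entry(REALM, ["cifs", HOST], AES256_CTS_HMAC_SHA1_96, FAKE_KEY, 3),
    build_entry(REALM, ["ldap", HOST], AES256_CTS_HMAC_SHA1_96, FAKE_KEY, 5),
])

if __name__ == "__main__":
    for name, kt in (("cifs.keytab", CIFS_KEYTAB), ("shared.keytab", SHARED_KEYTAB)):
        print(name, principals(kt), "foreign for cifs:", foreign_principals(kt, "cifs"))
```

The bytes produced by build_keytab are in the same v2 layout that `klist -kt` reads, so the same parse_keytab can be pointed at a real /etc/krb5.keytab or a per-service keytab on a host to audit what each daemon's file descriptor actually exposes. The point the thread makes falls out directly: with one principal per service and one keytab per daemon, foreign_principals is empty for every daemon, and a compromise of the CIFS server yields no LDAP key.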