kdc.conf

kdc.conf

Ivan
Hello.
I am new to installing and configuring [MIT] Kerberos. Version is 1.16.1.
My question is about a simple test setup of a kdc daemon on Linux OS.
Please tell me what settings I need to make in the kdc.conf file so that
the kdc-daemon runs the listening socket on:
1. The specified IPv4 address.
2. Does not use TCP, but uses only UDP.
I wrote options in the kdc.conf file:
[kdcdefaults]
     kdc_listen = 203.0.113.1:88
     kdc_tcp_listen = ""
but these options are ignored:
$ ss -nlut | grep 88
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
udp UNCONN 0 0 [::]:88 [::]:*
tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:*
tcp LISTEN 0 5 [::]:88 [::]:*
As you can see, IPv6 is used, TCP is used, and the specified IPv4
address is not used.
Is it possible to customize the use of sockets according to the
described conditions?
Thanks.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kdc.conf

Greg Hudson
On 3/22/19 5:53 AM, Ivan wrote:
> [kdcdefaults]
>      kdc_listen = 203.0.113.1:88
>      kdc_tcp_listen = ""

This looks right.  I just tried identical options (using my own IP
address) in a test setup and it worked for me.

> but these options are ignored:

Where is your kdc.conf file, and can you verify that krb5kdc is reading
it?  The default location of kdc.conf is in the KDC data directory
(typically /var/krb5kdc), and you can explicitly set it with the
KRB5_KDC_PROFILE environment variable.

Also check that you don't have stray kdc[_tcp]_listen or kdc[_tcp]_ports
options in a [realms] section which might be overriding the
[kdcdefaults] options, either in kdc.conf or krb5.conf.

Re: kdc.conf

Ivan
> Where is your kdc.conf file, and can you verify that krb5kdc is reading
> it?  The default location of kdc.conf is in the KDC data directory
> (typically /var/krb5kdc), and you can explicitly set it with the
> KRB5_KDC_PROFILE environment variable.

Thank you for your reply and your time spent.
The idea turned out to be correct: in the Linux distribution I used, the
kdc daemon read the /etc/krb5.conf file (and not /etc/kdc.conf). Now
everything works as it should.
Many thanks again.

Re: kdc.conf

Robbie Harwood
Ivan <[hidden email]> writes:

>> Where is your kdc.conf file, and can you verify that krb5kdc is reading
>> it?  The default location of kdc.conf is in the KDC data directory
>> (typically /var/krb5kdc), and you can explicitly set it with the
>> KRB5_KDC_PROFILE environment variable.
>
> Thank you for your reply and your time spent.
> The idea turned out to be correct: in the Linux distribution I used, the
> kdc daemon read the /etc/krb5.conf file (and not /etc/kdc.conf). Now
> everything works as it should.

Per kdc.conf(5), the kdc.conf file doesn't live in /etc; it lives
somewhere else.  (I put it at /var/kerberos/krb5kdc/kdc.conf in
RHEL/Fedora for historical reasons, while Debian/Ubuntu puts it at
/var/lib/krb5kdc/kdc.conf .)

However, as you observe, MIT krb5 will read and honor kdc.conf
directives from krb5.conf as well.

Thanks,
--Robbie


Re: kdc.conf

Ivan
> Per kdc.conf(5), the kdc.conf file doesn't live in /etc; it lives
> somewhere else.  (I put it at /var/kerberos/krb5kdc/kdc.conf in

You are right: strace showed that kdc.conf is not searched for in /etc:
[root@host ~]# grep -e 'kdc\.' /tmp/strace.log
678   stat("/var/lib/krb5kdc/kdc.conf", 0x7ffcd7919710) = -1 ENOENT

Thank you.
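The check suggested in Greg Hudson's reply (stray kdc[_tcp]_listen or kdc[_tcp]_ports options in a [realms] section), as an added example that is not part of the thread or of MIT krb5: a small Python parser run over constructed profile text. It assumes a profile with only one level of realm subsections; the realm name EXAMPLE.COM and the function names are hypothetical.

```python
import re

# The four listener relations named in the thread.
LISTEN_KEYS = {"kdc_listen", "kdc_tcp_listen", "kdc_ports", "kdc_tcp_ports"}

# Constructed sample: the poster's [kdcdefaults] plus a stray realm-level setting.
SAMPLE = """\
[kdcdefaults]
    kdc_listen = 203.0.113.1:88
    kdc_tcp_listen = ""

[realms]
    EXAMPLE.COM = {
        # left over from an older setup
        kdc_tcp_ports = 88
    }
"""

def listen_settings(profile_text):
    """Collect listener relations from [kdcdefaults] and from each realm."""
    found = {"kdcdefaults": {}, "realms": {}}
    section, realm = None, None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # new top-level section
            section, realm = header.group(1), None
            continue
        if line == "}":                          # end of a realm subsection
            realm = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if section == "realms" and realm is None and value == "{":
            realm = key
            found["realms"][realm] = {}
        elif key in LISTEN_KEYS:
            value = value.strip('"')             # kdc_tcp_listen = "" -> empty
            if section == "kdcdefaults":
                found["kdcdefaults"][key] = value
            elif section == "realms" and realm:
                found["realms"][realm][key] = value
    return found

def realm_overrides(profile_text):
    """Realm-level listener relations that could shadow [kdcdefaults]."""
    realms = listen_settings(profile_text)["realms"]
    return [(r, k, v) for r, keys in realms.items() for k, v in keys.items()]
```

Because the thread notes that kdc.conf directives are also honored from krb5.conf, the same check applies to the text of both files.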