#7631 RFE: Does it make sense to remove [domain_realm] section from ipa-client krb5.conf files?
Opened 5 years ago by frenaud. Modified 5 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1561584

Description of problem:

The presence of a [domain_realm] profile mapping in /etc/krb5.conf prevents
DNS-based kerberos referrals from working. As IdM starts supporting realm
trust, it probably makes sense to not populate [domain_realm] by default,
pushing clients to perform DNS realm lookups (_kerberos TXT record for realm).

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1561584

5 years ago

Robbie made some arguments against the proposed change for RHEL 7. RHEL 7 is still on krb5-1.15. Some heuristics fallback heuristics were added in 1.16.

Login to comment on this ticket.

Metadata