Bug 1561584

Summary: RFE: Does it make sense to remove [domain_realm] section from ipa-client krb5.conf files?
Product: Red Hat Enterprise Linux 8
Reporter: Brian J. Atkisson <batkisso>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: abokovoy, cheimes, frenaud, jomurphy, mkosek, ndehadra, pasik, pcech, pvoborni, rcritten, rharwood, tscherf
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2020-07-09 12:52:40 UTC
Type: Bug
Bug Blocks: 1644708, 1647919    

Description Brian J. Atkisson 2018-03-28 14:48:07 UTC
Description of problem:

The presence of a [domain_realm] profile mapping in /etc/krb5.conf prevents DNS-based Kerberos referrals from working. As IdM starts supporting realm trust, it probably makes sense to not populate [domain_realm] by default, pushing clients to perform DNS realm lookups (_kerberos TXT record for realm).
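
An added example, not part of the bug report and not FreeIPA or MIT Kerberos code: a small Python audit that lists which hosts a client's [domain_realm] section pins to a realm statically, so that only the remaining hosts are left to DNS realm discovery. The sample krb5.conf, host names and realm are constructed, and the matching assumes the documented rule (an exact host name, or a domain entry with a leading period).

```python
# Constructed sample of an ipa-client style krb5.conf (not taken from the bug).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_realm = true

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa1.ipa.example.test
  }

[domain_realm]
  .ipa.example.test = IPA.EXAMPLE.TEST
  ipa.example.test = IPA.EXAMPLE.TEST
  .example.test = IPA.EXAMPLE.TEST
"""

def parse_sections(text):
    """Return {section: {key: value}} for the 'key = value' lines of krb5.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value != "{":                      # opening of a nested block
                current[key] = value
    return sections

def static_realm(host, domain_realm):
    """Return (entry, realm) if a [domain_realm] entry covers host, else None."""
    host = host.lower().rstrip(".")
    if host in domain_realm:                      # exact host entry
        return host, domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):               # most specific domain first
        entry = "." + ".".join(labels[i:])
        if entry in domain_realm:
            return entry, domain_realm[entry]
    return None

def audit(conf_text, hosts):
    """Map each host to its static mapping; None means discovery is left to DNS."""
    section = parse_sections(conf_text).get("domain_realm", {})
    mappings = {name.lower(): realm for name, realm in section.items()}
    return {host: static_realm(host, mappings) for host in hosts}
```

In the constructed sample, a host such as dc1.ad.example.test in a trusted realm is caught by the broad `.example.test` entry and pinned to the IPA realm, which is the case the request is concerned with.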

Comment 5 Florence Blanc-Renaud 2018-07-10 09:11:28 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7631

Comment 17 Alexander Bokovoy 2019-03-24 07:32:03 UTC
Based on our discussions with Robbie and others, I published an article explaining a situation with Kerberos service translation and what we need to update in MIT Kerberos to allow administrators to control name resolution order on the clients: https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/

Comment 18 Brian J. Atkisson 2019-03-24 20:57:58 UTC
(In reply to Alexander Bokovoy from comment #17)
> Based on our discussions with Robbie and others, I published an article
> explaining a situation with Kerberos service translation and what we need to
> update in MIT Kerberos to allow administrators to control name resolution
> order on the clients:
> https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/

Great article! This is very helpful for explaining the situation to our users.

Comment 20 Petr Čech 2020-07-09 12:52:40 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. It was unfortunately not given priority Red Hat Enterprise Linux.
Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.
To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you.