Created attachment 595339
Patch which fixes the problem

Description of problem:
There are appropriate upstream values for the krb5.conf dns_lookup_realm and dns_lookup_kdc. authconfig should not set these parameters unless explicitly requested to do so. In fact, I'm not sure why it would need to set them at all. But in any case, upstream kerberos is supposed to work in a configuration-less manner out of the box. authconfig breaks this by setting dns_lookup_realm to false.

Version-Release number of selected component (if applicable):
authconfig-6.2.1-1.fc17

How reproducible:
Every time

Steps to Reproduce:
1. sudo authconfig --updateall --enablewinbind --enablewinbindauth

Actual results:
[libdefaults]
 default_realm = AD.THEWALTER.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false

Expected results:
No unnecessary modifications to krb5.conf, especially messing with defaults.
The problem is that these parameters are set this way for consistency with SSSD. In particular, dns_lookup_realm is not yet (or at least was not) supported with SSSD.
dns_lookup_realm is set to false by default, so there's no need to be setting it here. But it's the dns_lookup_kdc = false that really breaks kerberos. Manually configuring kerberos for each realm is unrealistic for most users, and is brittle for large domains with multiple KDCs that can fail over and be reconfigured. Using DNS for locating KDCs is the best practice, as it has been for a decade. IMO, krb5 should be completely configurationless for almost all use cases, and certainly by default.
As I did not use your patch but wrote it myself, please test whether it works for you.
Verified that this no longer happens with authconfig-6.2.3.
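
Added example (not part of the bug thread and not authconfig code): a small Python check that reports explicit dns_lookup_realm / dns_lookup_kdc overrides in a krb5.conf and flags the case discussed above, where DNS lookup of KDCs is turned off and the default realm has no static kdc entry. The function names, the list of boolean spellings and the dc1.example.invalid hostname are assumptions made for the example.

```python
import re
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # assumed spellings of boolean true

def parse_krb5(text):
    """Return ([libdefaults] settings, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realm_kdcs, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line.startswith("}"):               # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value.startswith("{"):
                realm = key
                realm_kdcs.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realm_kdcs[realm].append(value)
    return libdefaults, realm_kdcs

def audit(text):
    """List explicit DNS-lookup overrides and whether a KDC can still be found."""
    libdefaults, realm_kdcs = parse_krb5(text)
    findings = [f"{key} explicitly set to {libdefaults[key]}"
                for key in ("dns_lookup_realm", "dns_lookup_kdc") if key in libdefaults]
    kdc_dns, realm = libdefaults.get("dns_lookup_kdc"), libdefaults.get("default_realm")
    dns_off = kdc_dns is not None and kdc_dns.lower() not in TRUE_WORDS
    if dns_off and realm and not realm_kdcs.get(realm):
        findings.append(f"{realm}: DNS KDC lookup disabled and no kdc entry in [realms]")
    return findings

# [libdefaults] as shown under "Actual results" in the report, taken as the whole file.
REPORTED = """[libdefaults]
 default_realm = AD.THEWALTER.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false
"""
# Constructed sample: same settings plus a static KDC (hostname is made up).
WITH_KDC = REPORTED + "[realms]\n AD.THEWALTER.LAN = {\n  kdc = dc1.example.invalid\n }\n"

if __name__ == "__main__":
    print(audit(REPORTED), audit(WITH_KDC), sep="\n")
```

An empty list from audit() means the file leaves both settings to the library defaults, which is the result the report asks for.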