Red Hat Bugzilla – Bug 836628
authconfig shouldn't set dns_lookup_xxx = false
Last modified: 2012-08-15 12:12:24 EDT
Created attachment 595339 [details]
Patch which fixes the problem
Description of problem:
There are appropriate upstream values for the krb5.conf dns_lookup_realm and dns_lookup_kdc. authconfig should not set these parameters unless explicitly requested to do so. In fact, I'm not sure why it would need to set them at all.
But in any case, upstream kerberos is supposed to work in a configuration-less manner out of the box. authconfig breaks this by setting dns_lookup_realm to false.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. sudo authconfig --updateall --enablewinbind --enablewinbindauth

Actual results:
default_realm = AD.THEWALTER.LAN
dns_lookup_realm = false
dns_lookup_kdc = false

Expected results:
No unnecessary modifications to krb5.conf, especially messing with defaults.
The problem is that these parameters are set this way for consistency with SSSD. In particular, dns_lookup_realm is not yet (or at least was not) supported with SSSD.
dns_lookup_realm is set to false by default, so there's no need to be setting it here.
But it's the dns_lookup_kdc = false that really breaks Kerberos. Manually configuring Kerberos for each realm is unrealistic for most users, and is brittle for large domains with multiple KDCs that can fail over and be reconfigured. Using DNS for locating KDCs is the best practice, as it has been for a decade.
IMO, krb5 should be completely configurationless for almost all use cases, and certainly by default.
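As an added example (not part of the bug report and not authconfig's or krb5's own code), the following Python lint parses a krb5.conf and reports, per realm, how libkrb5 would locate KDCs: from explicit kdc lines, from DNS SRV records (MIT krb5 queries _kerberos._udp.REALM and _kerberos._tcp.REALM) when dns_lookup_kdc is true or unset, or not at all when dns_lookup_kdc = false has been written and no kdc lines exist. The two krb5.conf fragments are constructed samples modelled on the authconfig output quoted above; the realm entry with no kdc lines is an assumption about what a freshly joined host would have, since the report does not show the [realms] section.

```python
"""Lint krb5.conf KDC discovery settings (example code, not from authconfig)."""
import re

# Constructed sample modelled on the bug report: authconfig has written
# dns_lookup_kdc = false and the realm has no explicit kdc lines.
BROKEN_KRB5_CONF = """\
[libdefaults]
 default_realm = AD.THEWALTER.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AD.THEWALTER.LAN = {
 }
"""

# Constructed sample with the two authconfig additions dropped, so the
# upstream defaults apply (dns_lookup_kdc = true, dns_lookup_realm = false).
FIXED_KRB5_CONF = """\
[libdefaults]
 default_realm = AD.THEWALTER.LAN
"""

# Constructed sample with statically configured KDCs (the brittle alternative).
STATIC_KRB5_CONF = """\
[libdefaults]
 default_realm = AD.THEWALTER.LAN
 dns_lookup_kdc = false

[realms]
 AD.THEWALTER.LAN = {
  kdc = dc1.ad.thewalter.lan
  kdc = dc2.ad.thewalter.lan
 }
"""

TRUE_WORDS = {"true", "yes", "on", "1", "y", "t"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, key = { ... } blocks.

    Repeated keys in one block are collected into a list, because krb5.conf
    allows several `kdc = ...` lines per realm. Comments (# or ;) are dropped.
    """
    sections = {}
    stack = []  # innermost block last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    return sections


def kdc_discovery_report(conf):
    """Return (realm, method, targets) for every realm the file mentions.

    method is 'static' (explicit kdc lines), 'dns' (SRV lookups libkrb5 would
    issue), or 'unreachable' (dns_lookup_kdc = false and no kdc lines).
    """
    libdefaults = conf.get("libdefaults", {})
    # Upstream default for dns_lookup_kdc is true; an absent key means DNS is used.
    dns_kdc = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in TRUE_WORDS
    realms = conf.get("realms", {})
    names = set(realms)
    if "default_realm" in libdefaults:
        names.add(libdefaults["default_realm"])
    report = []
    for realm in sorted(names):
        kdcs = realms.get(realm, {}).get("kdc", [])
        if isinstance(kdcs, str):
            kdcs = [kdcs]
        if kdcs:
            report.append((realm, "static", kdcs))
        elif dns_kdc:
            zone = realm.lower()
            report.append((realm, "dns", [f"_kerberos._udp.{zone}", f"_kerberos._tcp.{zone}"]))
        else:
            report.append((realm, "unreachable", []))
    return report


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF),
                        ("static", STATIC_KRB5_CONF)):
        for realm, method, targets in kdc_discovery_report(parse_krb5_conf(text)):
            print(f"{label:7} {realm}: {method} {targets}")
```

The lint only reads the file; whether the SRV records it names actually exist in the zone is a separate question answered with `dig SRV _kerberos._udp.ad.thewalter.lan` against the host's resolver.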
As I did not use your patch but wrote it myself, please test whether it works for you.
Verified that this no longer happens with authconfig-6.2.3.