Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

[Andrej Mikus]

Hi,

I would like to request comment/suggestion for a problem that resembles
https://stackoverflow.com/questions/33132768/kerberos-still-using-default-etc-krb5-conf-file-even-after-setting-krb5-config

As a linux user, I am trying to access IIS website protected by
Kerberos. Linux is managed by different team than AD, both are using
their own Kerberos servers, and for some reason they use equal
domain/realm name.

I am pointing KRB5_CONFIG to a file with correct KDC address/name, but
kinit always refers to the IP specified in /etc/krb5.conf.

It is my understanding that setting environment variable overrides any
use of files in /etc, also the test scripts in the code distribution
suggest this.

The environment variable and authentication works well when using
a system that refers to in a different Linux domain in /etc/krb5.conf so
for now I can access the AD from there. Still would like to understand
what is going on on the other Linux system.

krb5-libs.x86_64 krb5-workstation.x86_64 1.18.2-14.el8 from RHEL8

Regards
Andrej

[John Devitofranceschi]

> On May 9, 2022, at 3:03 PM, Andrej Mikus <a-krb...@mikus.sk> wrote:
> I am pointing KRB5_CONFIG to a file with correct KDC address/name, but
> kinit always refers to the IP specified in /etc/krb5.conf.
>
> It is my understanding that setting environment variable overrides any
> use of files in /etc, also the test scripts in the code distribution
> suggest this.

Is there an sssd_krb5_locator_plugin getting in the way?

Check under /usr/lib/krb5/plugins/libkrb5.

jd

[Andrej Mikus]

That was it. In a different place and with different filename
/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so but setting
SSSD_KRB5_LOCATOR_DISABLE works!

Thanks a lot for the hint.

Andrej