
no other libdefaults switch is working except forwardable #4

Open
piyushml20 opened this issue May 18, 2018 · 3 comments

Comments

@piyushml20

Looks like libdefaults section of krb5.conf file only supports forwardable switch out of https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html. Just wanted to confirm if this is true.

@rtt-ncc
Collaborator

rtt-ncc commented May 20, 2018

In the krb5.conf file that Berserko creates when you use the 'Create krb5.conf file', it only adds the forwardable switch to the [libdefaults] section.
However, if you manually added other switches to this section, then they should be picked up by the Java Kerberos libraries. I haven't had any cause to test this myself, but given that it picks up and actions the 'forwardable' flag I don't see why it would ignore other ones. I don't know which of the switches from the link you provide above are implemented by the Java Kerberos libraries though - maybe not all of them.

Is there something in particular that you are trying to do?

@piyushml20
Author

piyushml20 commented May 21, 2018 via email

@rtt-ncc
Collaborator

rtt-ncc commented May 22, 2018

Thanks for the further details!
OK, default_realm definitely won't work, because that is overridden by Berserko to be the 'Domain DNS Name' specified in the GUI. See the 'Setting Properties to Indicate the Default Realm and KDC' section at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html.

I don't see any reason why the canonicalize flag would be ignored, but then I don't really know what it does.

Unfortunately Berserko doesn't yet cope well with more complex Kerberos configurations (which I'm guessing yours might be), in particular those that aren't based on Active Directory. And it can't yet handle cross-realm trusts ('domain trusts' in AD) due to limitations of the Java Kerberos libraries. I plan to add this support but haven't had time to do so yet.

Regards

Richard
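A small check, added here and not part of Berserko or the thread, that shows the override Richard describes: once the JVM realm and KDC system properties are set, the Java Kerberos API completes a bare principal name with the property realm rather than with the default_realm line in krb5.conf. The realm and KDC names below are constructed placeholders.

```java
import javax.security.auth.kerberos.KerberosPrincipal;

public class DefaultRealmCheck {
    public static void main(String[] args) {
        // Constructed values standing in for what Berserko derives from the
        // 'Domain DNS Name' field in its GUI; these are not real hosts.
        System.setProperty("java.security.krb5.realm", "CORP.EXAMPLE");
        System.setProperty("java.security.krb5.kdc", "dc01.corp.example");

        // A principal name without an '@REALM' part is completed with the
        // JVM's default realm. With both properties set, that realm comes from
        // the property, so any default_realm in krb5.conf is not consulted.
        KerberosPrincipal p = new KerberosPrincipal("alice");
        System.out.println("name  = " + p.getName());
        System.out.println("realm = " + p.getRealm());
    }
}
```

Run it a second time with the two setProperty calls removed and a krb5.conf (pointed to with -Djava.security.krb5.conf) that sets default_realm to see the file's value used instead; -Dsun.security.krb5.debug=true prints which configuration source the JVM loaded.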
