What is the relationship between vas.conf and the krb5.conf file when they are symlinked?
When they are linked, what role does Authentication Services play in Kerberos-based SSO on Linux/Unix hosts?
krb5.conf is the configuration file that the local operating system uses for its Kerberos libraries and implementation. To ensure that there is no conflict on any given system, Authentication Services packages its own implementation of Kerberos within the installer, Heimdal to be specific. This also includes our own configuration files and libraries.
When you symlink krb5.conf and vas.conf together, you effectively enable a single configuration, so settings in vas.conf will apply to krb5.conf as well. This can also allow the use of a shared keytab.
In many instances Authentication Services can be leveraged to make creating and managing keytabs simpler, which might include aliasing SPNs or encryption (ENC) types. Where things diverge is if an application is looking at krb5.conf for Kerberos authentication. At that point the application does not rely on our libraries but uses the operating system's implementation of Kerberos.
So while we can make the setup and configuration easier to manage, the actual authentication/authorization processes themselves, for that specific application, are not processed through Authentication Services but through the local Kerberos libraries. It is worth noting that there is no requirement to link the two files; it can just be convenient to do so.
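To see which of the two situations a host is in, the following added example (not One Identity tooling) reports whether the OS krb5.conf resolves to the same file as vas.conf and, when the files are separate, lists the realm, keytab and encryption-type settings that differ. Both paths are passed as arguments, and it assumes both files use krb5.conf-style `[libdefaults]` sections; the three keys compared are chosen for illustration.

```shell
#!/bin/sh
# Added example: compare the OS krb5.conf with vas.conf.
# Usage: sh check.sh <path-to-krb5.conf> <path-to-vas.conf>

# Print the value of KEY from the [libdefaults] section of FILE.
libdefault() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# Print "linked" when both paths resolve to the same file (symlink or
# hard link), "separate" when they are distinct files, "missing" otherwise.
krb5_link_state() {
    if [ ! -e "$1" ] || [ ! -e "$2" ]; then
        echo missing
    elif [ "$1" -ef "$2" ]; then
        echo linked
    else
        echo separate
    fi
}

# For separate files, print each compared key whose value differs.
krb5_drift() {
    for key in default_realm default_keytab_name default_tkt_enctypes; do
        a=$(libdefault "$1" "$key")
        b=$(libdefault "$2" "$key")
        [ "$a" = "$b" ] || echo "$key: krb5.conf='$a' vas.conf='$b'"
    done
}

if [ "$#" -eq 2 ]; then
    state=$(krb5_link_state "$1" "$2")
    echo "state: $state"
    if [ "$state" = separate ]; then krb5_drift "$1" "$2"; fi
fi
```

A `separate` result with differences means applications that read krb5.conf through the operating system's Kerberos libraries are not seeing the settings maintained in vas.conf.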