Product Technical Learning / PTL-6204

RH134-159: krb5: Include warning/note about removing hash mark "#" from beginning of krb realm in authconfig

    • Story
    • Resolution: Done
    • Major
    • RH134 - RHEL 7 3 20170803
    • RH134 - RHEL 7 0
    • RH134
    • None
    • 8
    • en-US (English)

      Workaround: If you make it to step #8 from the description, the next step would be to either rm /etc/krb5.conf; yum -y reinstall krb5-libs or to manually remove the references to the broken realm settings.

      Either way, you need to manually restart sssd afterwards.

      Description: In a 12 person class, 4 of my students ran into a problem when configuring kerberos auth with RHEL7's authconfig tui & gui. After it happened to the first person I spent my lunch debugging it.

      Steps to reproduce:

      1. Open authconfig-tui or authconfig-gtk
      2. Enable LDAP for user info & kerberos for auth
      3. Input all the correct LDAP/kerb info, EXCEPT: leave the hash mark in the kerb realm field and add the realm after it, i.e.: #EXAMPLE.COM
      4. Apply changes and watch sssd fail to start
      5. Open preferred authconfig ui again
      6. Remove hash-mark from beginning of kerberos realm and apply changes
      7. Watch sssd still fail to start (you can turn on sssd debugging and see it struggling with kerberos but it's pretty cryptic)
      8. Inspect /etc/krb5.conf and notice that multiple #REDHAT.COM entries are still present (in addition to the new proper realm entries)

      I think this warrants a warning box in the SG & IG that kerberos realm should absolutely not be prefixed with #.

      PS: authconfig in Fedora 22 alpha no longer has the kerberos realm field pre-filled with the misleading "#"

            wboessen Wander Boessenkool (Inactive)
            ryanaroha Ryan Aroha (Inactive)