
KB-7348: How to remove decommissioned domain controllers from krb5.conf

Authentication Service

22 August,16 at 09:50 PM

Applies to Centrify DirectControl (5.1.2 and up) on all OS platforms.

We decommissioned some domains, but the krb5.conf is still showing KDC information for those domain realms. Is there a way to force the krb5.conf to update and remove domains that no longer have a trust relationship with the machine's joined domain?

By default, the Centrify UNIX/Linux agent updates /etc/krb5.conf every 8 hours to store KDC information on all known realms. When auto-editing krb5.conf, adclient does not remove lines in the [domain_realm] section that it does not know about.

The parameter adclient.krb5.conf.domain_realm.strict in /etc/centrifydc/centrifydc.conf controls whether adclient should remove any unknown realm for the joined domain in the [domain_realm] section of krb5.conf. The default value is false. Once this parameter is set to true, run 'adreload' for the change to take effect; the unknown realm will be removed the next time krb5.conf is refreshed.
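To confirm the setting and see which [domain_realm] mappings still point at realms you no longer expect, a read-only audit helper can be run before and after the refresh. This is an added example, not Centrify tooling; the script name, the function names and the "name: value" parameter syntax are assumptions.

```shell
#!/bin/sh
# Added audit helper (not Centrify tooling). Read-only: it changes no files.

# Print the effective adclient.krb5.conf.domain_realm.strict value from a
# centrifydc.conf file; "false" (the default per the article) when unset.
# Assumption: parameters are written as "name: value" ("name=value" also accepted).
strict_setting() {
    awk '
        /^[ \t]*adclient\.krb5\.conf\.domain_realm\.strict[ \t]*[:=]/ {
            sub(/^[^:=]*[:=][ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            val = tolower($0)
        }
        END { print (val == "" ? "false" : val) }
    ' "$1"
}

# Print every [domain_realm] mapping in a krb5.conf whose realm is not in the
# list of realms still expected (arguments after the file name).
stale_realm_mappings() {
    krb5=$1; shift
    awk -v keep="$*" '
        BEGIN { n = split(toupper(keep), k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        in_sec && /=/ && !/^[ \t]*[#;]/ {
            split($0, kv, "=")
            dom = kv[1]; realm = kv[2]
            gsub(/[ \t\r]/, "", dom); gsub(/[ \t\r]/, "", realm)
            if (!(toupper(realm) in ok)) print dom " = " realm
        }
    ' "$krb5"
}

# Usage: audit.sh CENTRIFYDC_CONF KRB5_CONF REALM [REALM...]
if [ "$#" -ge 3 ]; then
    conf=$1; krb5=$2; shift 2
    echo "domain_realm.strict: $(strict_setting "$conf")"
    stale_realm_mappings "$krb5" "$@"
fi
```

Any mapping printed after the next krb5.conf refresh, with the parameter reported as true, is an entry adclient still considers known or one that lives outside the auto-edited section.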