From 0247a7ea2e9d3aef8e5b44cc2c019f7f0c6aeed9 Mon Sep 17 00:00:00 2001
From: Yftach Herzog
Date: Wed, 27 Dec 2023 16:06:01 +0200
Subject: [PATCH] chore: add kerberos config file

Signed-off-by: Yftach Herzog
---
 Dockerfile | 1 +
 data/kerberos/krb5.conf | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 data/kerberos/krb5.conf

diff --git a/Dockerfile b/Dockerfile
index 0b12783..c0ee68b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,6 +19,7 @@ ADD --chown=root:root --chmod=644 data/ca-trust/* /etc/pki/ca-trust/source/ancho
 RUN /usr/bin/fix-permissions /tmp/src \
 && /usr/bin/update-ca-trust
 RUN yum install -y krb5-workstation
+COPY data/kerberos/krb5.conf /etc
 USER 1001
 RUN \
diff --git a/data/kerberos/krb5.conf b/data/kerberos/krb5.conf
new file mode 100644
index 0000000..c3c6a41
--- /dev/null
+++ b/data/kerberos/krb5.conf
@@ -0,0 +1,35 @@
+# https://gitlab.corp.redhat.com/it-iam/system-configs/-/raw/master/krb5/idm/linux-krb5.conf
+includedir /etc/krb5.conf.d/
+
+# depending on your config, you may wish to uncomment the following:
+# includedir /var/lib/sss/pubconf/krb5.include.d/
+
+[libdefaults]
+default_realm = IPA.REDHAT.COM
+dns_lookup_realm = true
+dns_lookup_kdc = true
+rdns = false
+dns_canonicalize_hostname = false
+ticket_lifetime = 24h
+forwardable = true
+udp_preference_limit = 0
+default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+REDHAT.COM = {
+ default_domain = redhat.com
+ dns_lookup_kdc = true
+ master_kdc = kerberos.corp.redhat.com
+ admin_server = kerberos.corp.redhat.com
+}
+
+IPA.REDHAT.COM = {
+ default_domain = ipa.redhat.com
+ dns_lookup_kdc = true
+ # Trust tickets issued by legacy realm on this host
+ auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+ auth_to_local = DEFAULT
+}
+
+#DO NOT ADD A [domain_realms] section
+#https://mojo.redhat.com/docs/DOC-1166841
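Review bot: The added `COPY data/kerberos/krb5.conf /etc` sets no ownership or mode, unlike the `ADD --chown=root:root --chmod=644` line shown in the hunk header context, so the file's mode in the image is whatever the build-context checkout happens to have; the image then switches to `USER 1001`, and a non-world-readable krb5.conf would presumably leave that user unable to read the file it replaced (the packaged `/etc/krb5.conf`). Making the target path and permissions explicit matches the existing ADD line: `COPY --chown=root:root --chmod=644 data/kerberos/krb5.conf /etc/krb5.conf`. The trailing `RUN \` context line continues past the end of the hunk.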
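Review bot: `default_ccache_name = KEYRING:persistent:%{uid}` comes from a workstation profile, and in a container running as `USER 1001` (the Dockerfile hunk) the kernel-keyring ccache is often unavailable because runtimes restrict keyctl or attach no session keyring, so ticket acquisition would presumably fail at run time rather than at build time; if this image is expected to hold tickets, `default_ccache_name = FILE:/tmp/krb5cc_%{uid}` or a comment above the line stating the keyring requirement would make the intent explicit. `forwardable = true` makes every ticket delegatable by default, which deserves a one-line comment saying why this image needs it. `dns_lookup_kdc = true` is repeated in both realm blocks although `[libdefaults]` already sets it; dropping the per-realm copies, or noting why they are kept, would remove the redundancy. The closing comment names the section `[domain_realms]`, but the krb5.conf section is `[domain_realm]`, so the warning should read `#DO NOT ADD A [domain_realm] section`.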