I have changed the Job settings in my AAP install, and I wanted to add /etc/krb5.conf to the list of “Paths to expose to isolated jobs”. That didn’t work. I got errors that sounded like SELinux, and permission denied on /etc/passwd for some reason.
I tried instead to add /etc/krb5.conf.d and that worked, but I then got an even more mysterious error: “Kerberos auth failure for principal XXX with pexpect: Included profile directory could not be read while initializing Kerberos 5 library”.
That sounded like it could use that path in the container, but something else broke.
Does anyone know how you’re really supposed to get your /etc/krb5.conf to be accessible from within your EE? Do I have to rebuild the EE and include that file?
We’ve historically baked this directly into the EE and rebuild/repush the image if needed (we do scheduled rebuilds anyways). This may not be the best way of doing it and would be interested if there are others who have a better method, but it’s been solid for us for the last couple years.
If necessary I’d build the settings into the EE. Generally speaking, for a typical enterprise AD environment it’s not required. You can control enough of the settings via the connection plugin and by formatting the username to include the correct UPN suffix (case sensitive for KRB5 and not Windows; by default in AD it’s uppercase) to get the job done.
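The approach mentioned in the replies above (baking krb5.conf into the EE and rebuilding), sketched as an added example that is not part of the original thread or any poster's own configuration. It assumes ansible-builder's version 3 definition schema; the base image name and the `files/krb5.conf` source path are placeholders.

```yaml
---
# execution-environment.yml (added example; build with: ansible-builder build -t <your-tag>)
version: 3

images:
  base_image:
    # Placeholder: use the EE base image your AAP install already pulls.
    name: registry.example.com/your-org/ee-base:latest

# Stage the site krb5.conf into the build context.
# src is relative to this definition file; dest is a directory under _build/.
additional_build_files:
  - src: files/krb5.conf      # placeholder path; keep the source file world-readable (0644)
    dest: configs

additional_build_steps:
  append_final:
    # Overwrites whatever /etc/krb5.conf the base image shipped, so any
    # includedir line in the image's stock file no longer applies unless
    # your own file repeats it.
    - COPY _build/configs/krb5.conf /etc/krb5.conf
```

Because the file is part of the image, it is read from the container's own filesystem and does not depend on a host path being exposed to the job.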