<joda@pdc.kth.se> (Johan Danielsson) writes:

> > It should at least automatically fall back when there is no Kerberos
> > enabled (like it does with YP).
> 
> But the problem is that there is no way to tell that there is no
> kerberos enabled. We could look for the non-existance of krb5.conf
> et. al., but I don't particularaly like that (software should work
> without configuration files).

Kerberos is pretty hosed if it can't map from realm name to KDC
names.

Not trying to use Kerberos if there's no config file is what the old
integrated krb4 code did, and it seemed reasonable.

It might be slightly smarter to conditionalize on whether a default
realm has been declared; this would allow for occasional, explicit use
of Kerberos tools by specifying the realm at runtime.

        - Nathan