includedir  /etc/rhn/krb5.conf.d

[libdefaults]
    # "dns_canonicalize_hostname" and "rdns" are better set to false for improved security.
    # If set to true, the canonicalization mechanism performed by Kerberos client may
    # allow service impersonification, the consequence is similar to conducting TLS certificate
    # verification without checking host name.
    # If left unspecified, the two parameters will have default value true, which is less secure.
    dns_canonicalize_hostname = false
    rdns = false
    # "verify_ap_req_nofail" is enabled to protect against KDC spoofing. After obtaining the
    # initial credentials the client library will attempt to verify if the KDC that issued them
    # is the same that issued the keys stored in the local keytab. If the client machine does
    # not have a keytab, it cannot be read or there is no host key in it, the verification will
    # fail if "verify_ap_req_nofail" is set to true. If it is set to false and the client machine
    # does not have a keytab, the verification is skipped.
    verify_ap_req_nofail = true
#   default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
    # move default keytab to the persistent /etc/rhn/krb5.conf.d directory
    default_keytab_name = FILE:/etc/rhn/krb5.conf.d/krb5.keytab

[realms]
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON