So from the article I understand I can set the adclient.krb5.autoedit
to false and manage this file myself - i.e. copy from the local MIT KDC
- is that correct?
Yes you are correct.
Note that at that point (when you set the krb5.conf autoedit off) you are on the hook for maintaining AD domain controller entries (when you add/decommission DCs) as well as when trusts are established.
The reason is that Centrify does not need krb5.conf to work; we populate it as a courtesy for Kerberos/GSSAPI apps and for MIT Kerberos tools to work as expected.
In addition, if you rely on the MIT KDC keytab for your systems you can specify an alternate path for the keytab used by Centrify with AD and let MIT Kerberos use the default location for the keytab.
However, since there's a trust in place, it may work without it, but that's where the devil and the details meet.
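
A drift check for the situation described in the answer above, where autoedit is off and the `kdc` entries in krb5.conf are maintained by hand. This is an added example, not part of the original thread and not Centrify code; the realm names, hostnames and DC inventory are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a hand-maintained krb5.conf (autoedit turned off).
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = CORP.EXAMPLE.COM

[realms]
 CORP.EXAMPLE.COM = {
  kdc = dc1.corp.example.com:88
  kdc = dc2.corp.example.com
  admin_server = dc1.corp.example.com
 }
 MIT.EXAMPLE.COM = {
  kdc = kdc1.mit.example.com
 }
"""

def realm_kdcs(text):
    """Return {realm: set of kdc hostnames} parsed from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms":
            if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
                realm = m.group(1)
                kdcs.setdefault(realm, set())
            elif line.startswith("}"):
                realm = None
            elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line)):
                # Drop an optional :port suffix (hostnames assumed, not IPv6 literals).
                kdcs[realm].add(m.group(1).rsplit(":", 1)[0].lower())
    return kdcs

def kdc_drift(text, realm, current_dcs):
    """Compare the file's kdc entries for a realm against the current DC list."""
    listed = realm_kdcs(text).get(realm.upper(), set())
    live = {h.lower().rstrip(".") for h in current_dcs}
    return {"missing": sorted(live - listed), "stale": sorted(listed - live)}

if __name__ == "__main__":
    # Constructed inventory: dc2 was decommissioned and dc3 was added.
    # In practice the list would come from your own DC inventory (assumption).
    print(kdc_drift(SAMPLE_KRB5, "CORP.EXAMPLE.COM",
                    ["dc1.corp.example.com", "dc3.corp.example.com"]))
```

Entries reported as `stale` point at decommissioned DCs, and entries reported as `missing` are DCs that Kerberos/GSSAPI applications reading krb5.conf will not know about.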