On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jreznik(a)redhat.com> wrote:
Kerberos clients can optionally verify reverse DNS records for services that
they connect to as a way of trying to identify which realm they belong to.
However, in many cases these do not exist. Kerberos should fall back to its
default behavior in that case. Failure to do this is a common point of failure
when using Kerberos.
Is this basically the same as what was discussed a while back on the
MIT kerberos list?[1] If so, that is really great.
It was not clear to me from the feature description whether this will
disable rdns entirely. Does this only cover cases where a PTR record
is completely missing, or does it also cover cases where the PTR
record is present but "incorrect" (e.g. doesn't match the forward record)?
I have plenty of both situations at my site :-(
- Ken
[1] http://mailman.mit.edu/pipermail/kerberos/2011-July/017317.html
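As an added example (not part of either message above), a small Python model of what the feature description and Ken's question are about: how the client-side rdns setting, and the proposed fallback for a missing PTR, change the host name a client requests a service ticket for. The DNS records are constructed, and the canonicalization logic is a simplified assumption about the behaviour, not MIT krb5's own code.

```python
"""Model how a Kerberos client picks the host part of a service principal
(host/<name>@REALM) with and without reverse-DNS canonicalization.

Simplified model of the krb5.conf [libdefaults] rdns setting and of the
fallback described in the feature text (missing PTR -> use forward name);
it is not MIT krb5's own code. DNS data below is constructed.
"""

# Constructed records: a host with a matching PTR, one with no PTR at all,
# and one whose PTR names a different host (the "incorrect" case).
FORWARD = {
    "good.example.com": "192.0.2.10",
    "noptr.example.com": "192.0.2.20",
    "badptr.example.com": "192.0.2.30",
}
REVERSE = {
    "192.0.2.10": "good.example.com",
    "192.0.2.30": "other-name.example.com",  # mismatched PTR
}


def canonical_host(host, rdns=True, forward=FORWARD, reverse=REVERSE):
    """Host component the client would request a ticket for.

    rdns=True: forward-resolve, then use the PTR name for the address if
    one exists, else fall back to the forward name. rdns=False: forward only.
    """
    host = host.lower()
    addr = forward.get(host)
    if addr is None:
        raise LookupError(f"no forward record for {host}")
    if not rdns:
        return host
    return reverse.get(addr, host)


def classify(host, forward=FORWARD, reverse=REVERSE):
    """'consistent', 'missing-ptr' or 'mismatched-ptr' for a host.

    A mismatched PTR does not fail loudly: with rdns on, the client simply
    asks the KDC for a principal the service may not hold keys for.
    """
    ptr = reverse.get(forward[host.lower()])
    if ptr is None:
        return "missing-ptr"
    return "consistent" if ptr == host.lower() else "mismatched-ptr"
```

To audit a real site, populate the two dicts from `socket.gethostbyname` and `socket.gethostbyaddr` and run `classify` over the service hosts; the "mismatched-ptr" hits are the ones a missing-PTR fallback alone would not fix.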