On 01/31/2013 07:57 PM, Ken Dreyer wrote:
On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik
<jreznik(a)redhat.com> wrote:
> Kerberos clients can optionally verify reverse DNS records for services that
> they connect to as a way of trying to identify which realm they belong to.
> However in many cases these do not exist. Kerberos should fall back to it's
> default behavior in that case. Failure to do this is a common point of failure
> when using kerberos.
Is this basically the same as what was discussed a while back on the
MIT kerberos list?[1] If so, that is really great.
It was not clear to me from the feature description if this will
disable rdns entirely? Does this only covers cases where a PTR record
is completely missing, or does it also cover cases where the PTR
record present but "incorrect" (eg. doesn't match the forward record)?
I have plenty of both situations at my site :-(
That's not completely set in stone yet.
Ideally we would change the default to match rdns = false. But if that's
too invasive, we would make sure that the default does not fail when PTR
records do not exist.
Cheers,
Stef