Hi,
I'm wondering why krb5_validate defaults to false in sssd-krb5, and
apparently it's the same default in the MIT Kerberos libraries (via
verify_ap_req_nofail). It should solve the KDC impersonation attack,
at the expense of a slightly more complicated setup (create the host
principal, extract key, create keytab). Is it because of this added
difficulty in setting up things, or does it not work in very common
scenarios/applications? Or just one of those hard-to-do transitions?
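
An added example, not part of the original message: a small audit that reads an sssd.conf and lists the domains using `auth_provider = krb5` where `krb5_validate` is not switched on, treating a missing option as off per the default described above. The function name and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not taken from the original message).
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp, lab

[domain/corp]
id_provider = ldap
auth_provider = krb5
krb5_realm = CORP.EXAMPLE
krb5_validate = true

[domain/lab]
id_provider = ldap
auth_provider = krb5
krb5_realm = LAB.EXAMPLE
"""


def unvalidated_krb5_domains(conf_text):
    """Return names of krb5-auth domains where TGT validation is off.

    A missing krb5_validate counts as off, matching the default the
    message describes for sssd-krb5.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        # Only [domain/NAME] sections carry provider settings.
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("auth_provider", "").strip().lower() != "krb5":
            continue
        if opts.get("krb5_validate", "false").strip().lower() != "true":
            findings.append(section[len("domain/"):])
    return findings


if __name__ == "__main__":
    for name in unvalidated_krb5_domains(SAMPLE_SSSD_CONF):
        print(f"domain {name}: krb5_validate is not enabled")
```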