One significant issue I have is that I believe with the dns-based option, the less secure DNS-based approach is preferred to the referrals. Automating the process of populating the referrals data on the KDCs would give you a much more secure result.
There's a lot to be said for having all code paths enabled (and I thought the upstream default was already to turn this on but to disable by default in the config file), but there's also a lot to be said for strongly discouraging the DNS-based approach because its security properties are very bad.

--Sam