On Wed, 2011-07-06 at 14:01 -0400, Ken Hornstein wrote:
> I admit that these issues are not insurmountable. But I am just answering
> the question that Greg asked.

Thanks, that's useful. Do you have any Heimdal clients in your environment, and do they cause problems with the hosts in question? (My understanding is that Heimdal never does reverse resolution.) Of course, the answers I get here are mostly useful as proxies for what level of disruption would occur for users who aren't on the list. Anyone who's paying attention could simply turn rdns back on.

Jeff Altman wrote:
> Getting rid of the reverse dns lookups for canonical name resolution
> is the right thing to do and will finally bring MIT Kerberos into
> compliance with RFC 4120.

No; the forward resolution step also violates RFC 4120.

Nico wrote:
> I would also recommend finding a way to get rid of the forward
> resolution as well.

See: http://k5wiki.kerberos.org/wiki/Projects/Trust_KDC-local_name_resolution

Not yet stated there is that when a client gets initial credentials, the KDC would communicate somehow (say, through encrypted padata) that it can do hostname resolution, and the client would store that information in a config setting in the ccache and suppress hostname canonicalization.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
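The thread turns on which DNS answers a client lets decide the service principal it requests. The following model, added here as an illustration and not code from the thread or from MIT krb5, walks a typed hostname through the two knobs under discussion: forward canonicalization (the `dns_canonicalize_hostname` libdefaults option, which MIT krb5 added in a later release than this thread) and `rdns`, the reverse-lookup option named in the message. The zone data is constructed, the `host/` service and `EXAMPLE.COM` realm are placeholders, and the `kdc_resolves_hostnames` ccache key is a hypothetical name for the KDC-advertised setting the last paragraph sketches.

```python
"""Model of how a Kerberos client turns a user-typed hostname into the
host-based service principal it asks the KDC for, under the DNS
canonicalization knobs discussed in the thread.

Constructed example; not MIT krb5 code. The resolver answers below are
made-up zone data standing in for DNS responses the client would trust."""

from typing import Dict, Tuple

# Constructed forward data: name -> (canonical name after CNAME chasing, address).
FORWARD: Dict[str, Tuple[str, str]] = {
    "mail": ("mail.example.com", "192.0.2.10"),              # short name, search domain appended
    "mail.example.com": ("mail.example.com", "192.0.2.10"),
    "www.example.com": ("web01.example.com", "192.0.2.20"),  # CNAME www -> web01
    "web01.example.com": ("web01.example.com", "192.0.2.20"),
}

# Constructed reverse data: address -> PTR target. The PTR for .20 names a
# different host than the forward lookup did, as happens on shared hosts,
# so the reverse step alone changes which principal the client asks for.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.20": "shared-host.example.com",
}


def canonicalize(hostname: str, dns_canonicalize_hostname: bool = True,
                 rdns: bool = True) -> str:
    """Return the hostname the client will place in the service principal.

    dns_canonicalize_hostname=False skips DNS entirely and keeps the typed
    name. Otherwise a forward lookup picks the canonical name, and when
    rdns is on, the PTR record for the resulting address overrides it.
    A failed forward lookup falls back to the typed name.
    """
    name = hostname.lower()
    if not dns_canonicalize_hostname:
        return name
    fwd = FORWARD.get(name)
    if fwd is None:
        return name
    canonical, addr = fwd
    if rdns:
        canonical = REVERSE.get(addr, canonical)
    return canonical.lower()


def service_principal(service: str, hostname: str, realm: str,
                      dns_canonicalize_hostname: bool = True,
                      rdns: bool = True) -> str:
    """Compose service/host@REALM using the chosen canonicalization policy."""
    host = canonicalize(hostname, dns_canonicalize_hostname, rdns)
    return f"{service}/{host}@{realm}"


def should_canonicalize_locally(ccache_config: Dict[str, str]) -> bool:
    """Sketch of the proposal in the thread: if the KDC told the client at
    initial-credential time that it resolves names itself, the client
    records that in the ccache and stops canonicalizing locally.
    The key name 'kdc_resolves_hostnames' is hypothetical."""
    return ccache_config.get("kdc_resolves_hostnames") != "yes"


def trace(hostname: str, realm: str = "EXAMPLE.COM") -> Dict[str, str]:
    """Show which principal each policy produces for the same typed name."""
    return {
        "rdns=true": service_principal("host", hostname, realm, True, True),
        "rdns=false": service_principal("host", hostname, realm, True, False),
        "no_dns": service_principal("host", hostname, realm, False, False),
    }


if __name__ == "__main__":
    for h in ("www.example.com", "mail"):
        print(h, trace(h))
    # After the KDC has advertised local resolution, the client skips DNS.
    print(should_canonicalize_locally({"kdc_resolves_hostnames": "yes"}))
```

Running `trace("www.example.com")` shows the three outcomes side by side: with `rdns` on, the PTR answer decides the principal; with it off, the forward CNAME target does; with canonicalization off entirely, the name the user typed is used unchanged, which is the state the wiki project aims for once the KDC takes over resolution.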