On 01/31/2013 07:57 PM, Ken Dreyer wrote:
> On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:
>> Kerberos clients can optionally verify reverse DNS records for services that
>> they connect to as a way of trying to identify which realm they belong to.
>> However in many cases these do not exist. Kerberos should fall back to its
>> default behavior in that case. Failure to do this is a common point of failure
>> when using Kerberos.
>
> Is this basically the same as what was discussed a while back on the
> MIT Kerberos list?[1] If so, that is really great.
>
> It was not clear to me from the feature description if this will
> disable rdns entirely? Does this only cover cases where a PTR record
> is completely missing, or does it also cover cases where the PTR
> record is present but "incorrect" (e.g. doesn't match the forward record)?
> I have plenty of both situations at my site :-(

That's not completely set in stone yet. Ideally we would change the
default to match rdns = false. But if that's too invasive, we would make
sure that the default does not fail when PTR records do not exist.

Cheers,

Stef

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
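
The two situations raised in the thread (PTR record missing, and PTR record present but not matching the forward record) can be told apart per host before settling on an rdns setting. The following is an added example, not part of the original thread or of MIT Kerberos; the function names and sample records are constructed for illustration, and a host reached through a CNAME or short alias is reported as a mismatch because the comparison is against the name as given.

```python
import socket

NO_RECORD = (OSError, LookupError)  # resolver errors; LookupError covers dict-backed tables
RANK = {"ok": 0, "ptr-missing": 1, "ptr-mismatch": 2, "no-forward": 3}

def _norm(name):
    # DNS names are case-insensitive; ignore the trailing root dot.
    return name.rstrip(".").lower()

def _sys_forward(host):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def _sys_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def classify_rdns(host, forward=_sys_forward, reverse=_sys_reverse):
    """Return [(address, status, ptr_name)] for every address of host."""
    try:
        addrs = forward(host)
    except NO_RECORD:
        return [(None, "no-forward", None)]
    results = []
    for addr in addrs:
        try:
            ptr = reverse(addr)
        except NO_RECORD:
            results.append((addr, "ptr-missing", None))
            continue
        status = "ok" if _norm(ptr) == _norm(host) else "ptr-mismatch"
        results.append((addr, status, ptr))
    return results

def audit(hosts, **resolvers):
    """Map each host to the worst status seen across its addresses."""
    return {h: max((s for _, s, _ in classify_rdns(h, **resolvers)), key=RANK.get)
            for h in hosts}

# Constructed sample records (documentation address ranges), not real hosts.
SAMPLE_A = {"ldap.example.test": ["192.0.2.10"],
            "web.example.test": ["192.0.2.20"],
            "nfs.example.test": ["192.0.2.30", "2001:db8::30"]}
SAMPLE_PTR = {"192.0.2.10": "LDAP.example.test.",
              "192.0.2.30": "nfs.example.test",
              "2001:db8::30": "storage-7.example.test"}

def sample_audit():
    hosts = list(SAMPLE_A) + ["gone.example.test"]
    return audit(hosts, forward=SAMPLE_A.__getitem__, reverse=SAMPLE_PTR.__getitem__)
```

Calling `audit(list_of_service_hosts)` without resolver arguments uses the system resolver, so the result reflects what a Kerberos client on that machine would see.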