One significant issue I have is that I believe that, with the DNS-based option, the less secure DNS-based approach is preferred to referrals. Automating the process of populating the referral data on the KDCs would give you a much more secure result.
There's a lot to be said for having all code paths enabled (and I thought the upstream default was already to turn this on but to disable it by default in the config file), but there's also a lot to be said for strongly discouraging the DNS-based approach because its security properties are very bad.

--Sam
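To make the two alternatives under discussion concrete, here is an added illustration (editor's example, not configuration from the message above or from the Debian krb5 package) of the two MIT krb5.conf settings that select between them. The realm and domain names are made up; only the option names and sections are real MIT Kerberos ones.

```ini
; Constructed example krb5.conf fragments (not from the original message).

; --- Weak variant: the client trusts DNS to tell it which realm a host
; belongs to. Unsigned DNS answers (TXT records for _kerberos.<domain>)
; can be spoofed, so an attacker who controls or poisons DNS can steer the
; client to a realm of their choosing.
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true

; --- Preferred variant: realm mapping comes from local configuration and
; from KDC referrals, not from DNS. dns_lookup_kdc only locates KDCs of an
; already-determined realm, which is far less sensitive than choosing the
; realm itself via DNS.
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = true

[domain_realm]
    .example.org = EXAMPLE.ORG
    .lab.example.org = LAB.EXAMPLE.ORG
```

With `dns_lookup_realm = false`, a client that cannot map a hostname via `[domain_realm]` asks its own KDC, which issues a referral based on the mapping data the KDC administrator maintains. Keeping that `[domain_realm]` data on the KDCs current, which is the automation the message argues for, is what lets clients drop DNS-based realm discovery without losing cross-realm access.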

