On Thu, Jan 31, 2013 at 4:47 AM, Jaroslav Reznik <jrez...@redhat.com> wrote:
> Kerberos clients can optionally verify reverse DNS records for services that
> they connect to as a way of trying to identify which realm they belong to.
> However in many cases these do not exist. Kerberos should fall back to its
> default behavior in that case. Failure to do this is a common point of failure
> when using Kerberos.

Is this basically the same as what was discussed a while back on the MIT Kerberos list?[1] If so, that is really great.

It was not clear to me from the feature description if this will disable rdns entirely? Does this only cover cases where a PTR record is completely missing, or does it also cover cases where the PTR record is present but "incorrect" (e.g. doesn't match the forward record)? I have plenty of both situations at my site :-(

- Ken

[1] http://mailman.mit.edu/pipermail/kerberos/2011-July/017317.html

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
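
The two situations the reply distinguishes (PTR record missing, PTR record present but not matching the forward name) can be told apart per service host before relying on reverse-DNS behavior. The following is an added example, not part of the thread or of any Kerberos code; the function names, hostnames and addresses are constructed for illustration.

```python
import socket

def _forward(host):
    """A/AAAA lookup via the system resolver; empty list on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def _reverse(addr):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def _norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def classify(host, forward=_forward, reverse=_reverse):
    """Return (state, ptr_names) for one service host.

    state is 'no-forward', 'ptr-missing', 'ptr-mismatch' or 'consistent'.
    """
    addrs = forward(host)
    if not addrs:
        return ("no-forward", [])
    ptrs = [reverse(a) for a in addrs]
    names = sorted({_norm(p) for p in ptrs if p})
    mismatched = [n for n in names if n != _norm(host)]
    if mismatched:
        return ("ptr-mismatch", mismatched)   # PTR exists but names another host
    if any(p is None for p in ptrs):
        return ("ptr-missing", [])            # at least one address has no PTR
    return ("consistent", names)

def audit(hosts, forward=_forward, reverse=_reverse):
    """Map each host to its state so both problem classes can be counted."""
    return {h: classify(h, forward, reverse)[0] for h in hosts}

# Constructed sample zone data (documentation address range), used offline.
SAMPLE_FWD = {"kdc.example.test": ["192.0.2.10"],
              "web.example.test": ["192.0.2.20"],
              "nfs.example.test": ["192.0.2.30"]}
SAMPLE_PTR = {"192.0.2.10": "kdc.example.test.",
              "192.0.2.30": "host-30.dhcp.example.test."}

if __name__ == "__main__":
    fwd = lambda h: SAMPLE_FWD.get(h, [])
    for host, state in audit(SAMPLE_FWD, fwd, SAMPLE_PTR.get).items():
        print(f"{host:20} {state}")
```

Called without the `forward` and `reverse` arguments, `audit` uses the system resolver, so it reports what a client on that machine would actually see.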