Package: kerberos-configs
Version: 2.6
Severity: normal

Dear Maintainer,

According to [1], the upstream implicit default of "rdns = true" is there for historical reasons only, and upstream suggests considering setting it to "false":

"""
Consider setting rdns to false in order to reduce your dependence on precisely correct DNS information for service hostnames. Turning this flag off means that service hostnames will be canonicalized through forward name resolution (which adds your domain name to unqualified hostnames, and resolves CNAME records in DNS), but not through reverse address lookup. The default value of this flag is true for historical reasons only.
"""

In particular, I've seen reports of users failing to join a Linux machine to an Active Directory domain unless they set this parameter to false.

AWS also recommends it in their guide at [2] (note that "ubuntu" is the same as debian in this context):

"""
Disable Reverse DNS resolution and set the default realm to your domain's FQDN. Ubuntu Instances must be reverse-resolvable in DNS before the realm will work. Otherwise, you have to disable reverse DNS in /etc/krb5.conf as follows:

sudo vi /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
rdns = false
"""

I believe indeed this is particularly true for cloud environments, where reverse DNS is not easily controllable, and also in other environments where you don't own the reverse DNS.

So maybe it would be best to default to rdns=false to make Kerberos easier for more users?

What are the security implications of this change?

1. https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_clients.html#client-machine-configuration-files
2. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html
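To make the difference between the two canonicalization paths quoted above concrete, here is an added example (not part of the bug report and not MIT krb5 code) that simulates them over a constructed DNS zone: with rdns=true the PTR record of the resolved address decides the hostname in the service principal, so a host whose reverse record is owned by someone else (a cloud provider, in the constructed data) ends up requesting a ticket for the wrong principal, while rdns=false stays with the forward canonical name. The domain, records and addresses are all assumptions made up for the example.

```python
# Constructed example (not from the bug report or MIT krb5): a toy DNS zone and the
# two canonicalization paths krb5 uses for service hostnames, with rdns on and off.
DEFAULT_DOMAIN = "example.com"   # appended to unqualified names (forward resolution)

# Hypothetical records. The PTR for 10.0.0.5 is owned by the cloud provider, not by us.
CNAME = {"files.example.com": "srv01.example.com"}
A = {"srv01.example.com": "10.0.0.5", "dc1.example.com": "10.0.0.1"}
PTR = {"10.0.0.5": "ip-10-0-0-5.eu-west-1.compute.internal",
       "10.0.0.1": "dc1.example.com"}


def forward_canonicalize(host: str) -> str:
    """Qualify an unqualified name, follow CNAMEs, and require an A record."""
    if "." not in host:
        host = f"{host}.{DEFAULT_DOMAIN}"
    seen = set()
    while host in CNAME:
        if host in seen:
            raise ValueError(f"CNAME loop at {host}")
        seen.add(host)
        host = CNAME[host]
    if host not in A:
        raise LookupError(f"no A record for {host}")
    return host.lower()


def canonicalize(host: str, rdns: bool) -> str:
    """rdns=True: reverse-resolve the address and let the PTR name win (falling
    back to the forward name when there is no PTR). rdns=False: forward name only."""
    name = forward_canonicalize(host)
    if rdns:
        name = PTR.get(A[name], name).lower()
    return name


def service_principal(service: str, host: str, realm: str, rdns: bool) -> str:
    """Principal a client would request a ticket for, e.g. host/srv01.example.com@EXAMPLE.COM."""
    return f"{service}/{canonicalize(host, rdns)}@{realm}"


def reverse_dns_consistent(host: str) -> bool:
    """True when forward and reverse resolution agree, i.e. rdns=true is harmless for this host."""
    name = forward_canonicalize(host)
    return PTR.get(A[name], "").lower() == name


if __name__ == "__main__":
    for h in ("files", "dc1"):
        for flag in (True, False):
            print(f"rdns={str(flag):5} {h:6} -> {service_principal('host', h, 'EXAMPLE.COM', flag)}")
```

Running reverse_dns_consistent() against the real hosts you authenticate to (with a real resolver in place of the dictionaries) tells you which of them would be affected by keeping rdns=true.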

