On Thu, Nov 15, 2012 at 10:18 AM, Greg Hudson <[email protected]> wrote:
> On 11/15/2012 11:46 AM, Ken Dreyer wrote:
>> For msktutil, I recently received a patch to optionally set "rdns =
>> false".
> [...]
>> What is the best way to determine MIT's rdns capability?
>
> I don't believe there is one, because that knob was never envisioned as
> being application-controllable.

That's too bad. Is there any sort of version number I could check at
least, just to offer some sort of warning in the interface?

> I'm kind of curious how such a patch
> could even work, and I'd question whether it's a good idea for some
> applications to turn off rdns while others don't.

msktutil writes out a temporary krb5.conf file and then does the
Kerberos operations with those settings. The msktutil feature optionally
writes "rdns = false" into the temporary krb5.conf file.

To give a bit of background on my own situation, in my environment at
work, the main intranet DNS servers are unable to reverse-resolve the
domain controllers. Possible workarounds we've considered:

- Add the PTRs on the name servers
- Use AD for DNS
- Add IP addresses in /etc/hosts

None of these options are optimal for technical or political reasons.
It's best to just disable rdns for this particular application.

> Whether "rdns = false" will work is complicated by the odd, probably
> buggy behavior of getaddrinfo in some (maybe all) versions of glibc.
> glibc does a PTR lookup for AI_CANONNAME if AI_ADDRCONFIG or
> hints.ai_family is also used. We worked around this behavior in 1.10.2
> by changing how we call getaddrinfo().

Yes, a couple of users on Ubuntu hit this bug too. At this point we're
just waiting for the patches to trickle down to the distros.

- Ken
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
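The mechanism Ken describes (a per-application rdns override done by handing the Kerberos library a private krb5.conf) as an added shell example. This is not msktutil's code and is not from the thread; it assumes only two documented MIT krb5 behaviours, that the library reads the file named by the KRB5_CONFIG environment variable and that [libdefaults] accepts an rdns boolean (default true). The realm and KDC names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not msktutil's own code): give one process its own rdns
# setting without touching the system /etc/krb5.conf.
# Assumptions: MIT krb5 honours KRB5_CONFIG and the [libdefaults] rdns knob;
# EXAMPLE.COM / dc1.example.com are constructed placeholder names.

# write_tmp_krb5conf REALM KDC RDNS -> prints the path of the generated file
write_tmp_krb5conf() {
    realm=$1; kdc=$2; rdns=$3
    conf=$(mktemp "${TMPDIR:-/tmp}/krb5.conf.XXXXXX") || return 1
    cat > "$conf" <<EOF
[libdefaults]
    default_realm = $realm
    # rdns: when false, the library does not reverse-resolve the server
    # address while canonicalizing host names (the default is true)
    rdns = $rdns

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }
EOF
    printf '%s\n' "$conf"
}

# rdns_setting FILE -> prints the rdns value found in FILE's [libdefaults]
# section only, so a stray "rdns" in another section is not mistaken for it.
rdns_setting() {
    awk '/^\[/ { sec = $0 }
         sec == "[libdefaults]" && $1 == "rdns" { print $3 }' "$1"
}

# run_with_private_config REALM KDC RDNS CMD [ARGS...]
# Runs CMD with the private config in effect for that child only, then
# removes the file; the rest of the system keeps its own krb5.conf.
run_with_private_config() {
    realm=$1; kdc=$2; rdns=$3
    shift 3
    conf=$(write_tmp_krb5conf "$realm" "$kdc" "$rdns") || return 1
    KRB5_CONFIG="$conf" "$@"      # e.g. kinit, klist, msktutil ...
    status=$?
    rm -f "$conf"
    return $status
}
```

The override is scoped to the child's environment, which is the answer to Greg's concern about one application turning rdns off while others keep it: nothing else on the host sees the file. The caveat from the thread still applies: with the glibc getaddrinfo behaviour Greg describes, a PTR query can still be issued by the resolver itself, so rdns = false only reliably avoids the reverse lookup with the fixed call pattern in MIT krb5 1.10.2 or later. Later releases (1.12 onward) also offer dns_canonicalize_hostname = false in [libdefaults], which skips the forward canonicalization as well.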
