Change back dns_lookup_kdc to the default
The specifications recommend against using TXT records to map hostnames to realms. However, they do not recommend against using SRV records to look up the KDC. Change back to the MIT default of enabling DNS for KDC lookup. This allows automatic configuration and failover. A theoretical attack involving SRV records could be similarly accomplished by a similar attack involving the A records for the KDC hosts.
parent
7d6fe6def6
commit
2da8874065
@ -6,7 +6,6 @@
|
|||||||
[libdefaults]
|
[libdefaults]
|
||||||
default_realm = EXAMPLE.COM
|
default_realm = EXAMPLE.COM
|
||||||
dns_lookup_realm = false
|
dns_lookup_realm = false
|
||||||
dns_lookup_kdc = false
|
|
||||||
ticket_lifetime = 24h
|
ticket_lifetime = 24h
|
||||||
renew_lifetime = 7d
|
renew_lifetime = 7d
|
||||||
forwardable = true
|
forwardable = true
|
||||||
|
|||||||
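Review bot: the `dns_lookup_kdc = false` line in `[libdefaults]` is removed without a replacement, so the file no longer states how KDCs are located and the behaviour depends on the library's built-in default. Consider writing `dns_lookup_kdc = true` explicitly, or leaving a short comment next to `dns_lookup_realm = false` explaining that SRV lookup is intentionally left enabled while TXT realm mapping stays off. That keeps the asymmetry between the two settings visible to anyone auditing the file, and the result does not change if a build ships a different default.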