There are a few DNS options in krb5.conf that I think we should tune.
On FreeIPA servers we should NOT set the DNS discovery knobs to true, because it might cause chicken/egg issues when we try to init the DNS server keytab within the DNS server when it starts.
We must make sure that the server hostname is resolved by /etc/hosts.
On all servers and clients we should set rdns = false by default so that Kerberos libraries do not insist on doing reverse IP resolution. This helps in environments where reverse entries can't be managed and reverse/forward do not match.
So on servers set:

    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

On clients set:

    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
master: 22c3a68
Metadata Update from @simo:
- Issue assigned to jhrozek
- Issue set to the milestone: FreeIPA 2.0.1 RC (bug fixing)
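One way to audit a host against the server and client profiles proposed in this ticket, as an added example (not FreeIPA code): it reads the three options from `[libdefaults]` and reports any that are unset or differ from the profile. The function names, the sample file and the EXAMPLE.TEST realm are constructed, and the accepted boolean spellings and the first-occurrence rule are assumptions about the MIT krb5 profile parser.

```python
# Added example: check the [libdefaults] options named in the ticket.
EXPECTED = {
    "server": {"dns_lookup_realm": False, "dns_lookup_kdc": False, "rdns": False},
    "client": {"dns_lookup_realm": True, "dns_lookup_kdc": True, "rdns": False},
}
# Assumption: boolean spellings accepted by the MIT krb5 profile parser.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, value)          # assumption: first occurrence is kept
    return settings

def audit(text, role):
    """Map each deviating option to the reason it deviates from the role profile."""
    found, problems = parse_libdefaults(text), {}
    for key, want in EXPECTED[role].items():
        if key not in found:
            # An unset option falls back to the library default; flag it.
            problems[key] = "not set explicitly"
            continue
        word = found[key].lower()
        got = True if word in TRUE_WORDS else False if word in FALSE_WORDS else None
        if got is None:
            problems[key] = "unrecognised value %r" % found[key]
        elif got != want:
            problems[key] = "is %s, profile wants %s" % (got, want)
    return problems

# Constructed sample: discovery half-enabled and rdns left unset.
SAMPLE = """[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = yes
[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }
"""

if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, audit(SAMPLE, role))
```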