Skip Menu |

Subject: Document recommended profile settings which we can't make default
There are a number of profile options which we wish we could change the
defaults for, but have not because of interoperability or upgrade
concerns. We should document these in the admin guide, explaining the
benefits and costs of setting them. Here are the ones I currently have
in mind:

1. rdns = false (benefits: fewer confusing service principal issues
based on reverse DNS; costs: none unless you were relying on it)

2. dns_canonicalize_hostname = false (benefits: much better mutual
authentication security; costs: need a service principal name or alias
for each name users will type)

3. supported_enctypes = aes256-cts (benefits: smaller KDB, fewer
attackable long-term keys; costs: XP/server2003 interop, old Java

4. default_tkt_enctypes = DEFAULT -des3 -rc4 (benefits: cannot fool
clients into handing out secret keys; costs: interop). (I had
originally thought about setting default_tgs_enctypes and
permitted_enctypes as well, but I'm not sure those have easily
articulated benefits.)