Your message dated Mon, 25 Jul 2022 21:35:18 +0000
with message-id <e1og5js-0003x4...@fasolo.debian.org>
and subject line Bug#1014829: fixed in kerberos-configs 2.7
has caused the Debian Bug report #1014829,
regarding kerberos-configs: consider setting rdns=false by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014829
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kerberos-configs
Version: 2.6
Severity: normal

Dear Maintainer,

According to [1], the upstream implicit default of "rdns = true" is
there for historical reasons only, and upstream suggests to consider
setting it to "false":

"""
Consider setting rdns to false in order to reduce your dependence on
precisely correct DNS information for service hostnames. Turning this
flag off means that service hostnames will be canonicalized through
forward name resolution (which adds your domain name to unqualified
hostnames, and resolves CNAME records in DNS), but not through reverse
address lookup. The default value of this flag is true for historical
reasons only.
"""

In particular, I've seen reports of users failing to join a Linux
machine to an Active Directory domain unless they set this parameter
to false. AWS also recommends it in their guide at [2] (note that
"ubuntu" is the same as Debian in this context):
"""
Disable Reverse DNS resolution and set the default realm to your
domain's FQDN. Ubuntu Instances must be reverse-resolvable in DNS
before the realm will work. Otherwise, you have to disable reverse DNS
in /etc/krb5.conf as follows:

sudo vi /etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
rdns = false
"""

I believe indeed this is particularly true for cloud environments,
where reverse DNS is not easily controllable, and also in other
environments where you don't own the reverse DNS. So maybe it would be
best to default to rdns=false to make Kerberos easier for more users?
What are the security implications of this change?


1. https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_clients.html#client-machine-configuration-files
2. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html

--- End Message ---
--- Begin Message ---
Source: kerberos-configs
Source-Version: 2.7
Done: Sam Hartman <hartm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
kerberos-configs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartm...@debian.org> (supplier of updated kerberos-configs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 25 Jul 2022 15:10:52 -0600
Source: kerberos-configs
Architecture: source
Version: 2.7
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Sam Hartman <hartm...@debian.org>
Closes: 587626 959982 1014829
Changes:
 kerberos-configs (2.7) unstable; urgency=medium
 .
   * Remove specification of encryption types from the default templates,
     Thanks Russ, Closes: #587626
   * Set rdns to false on new installs and upgrades where it is not already
     set, Closes: #1014829
   * Update standards version, debhelper compatibility, and update  vcs
     information.
   * Mark mu/multi-arch: foreign, Closes: #959982

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCYt8HDgAKCRAsbEw8qDeG
dGUCAQD3XDUdDA/5VCzXXpqEuest2MmEcTVskSmP2Yic2B9d7wEAsqrHEy9SEkuk
F470hEaA2JDov7zv5eHGmTnNUTy08As=
=Kc0m
-----END PGP SIGNATURE-----

--- End Message ---
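
Added example (not part of the thread or of the kerberos-configs package): the report notes that an unset rdns means an implicit "true", and the 2.7 changelog only changes it "where it is not already set", so this sketch classifies a krb5.conf by its effective rdns state. The function names and sample files are assumptions made for illustration; include/includedir directives are not followed.

```python
import re

# Boolean spellings accepted by MIT krb5's profile parser.
TRUE = {"y", "yes", "true", "t", "1", "on"}
FALSE = {"n", "no", "false", "nil", "0", "off"}

def rdns_settings(conf_text):
    """Return every rdns value set directly in [libdefaults], in file order.
    Limitation: include/includedir directives are not followed."""
    section, depth, found = None, 0, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
        elif line.endswith("{"):             # subsection opens, e.g. "REALM = {"
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "rdns":
                found.append(value.strip().lower())
    return found

def effective_rdns(conf_text):
    """Return 'true', 'false', 'unset (implicit true)' or 'review'."""
    values = rdns_settings(conf_text)
    if not values:
        return "unset (implicit true)"
    states = {"true" if v in TRUE else "false" if v in FALSE else "invalid"
              for v in values}
    if len(states) == 1 and "invalid" not in states:
        return states.pop()
    return "review"                          # conflicting or unparsable values

# Constructed sample files, not taken from any real host.
SAMPLES = {
    "untouched": "[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n",
    "aws_guide": "[libdefaults]\ndefault_realm = EXAMPLE.COM\nrdns = false\n",
    "commented": "[libdefaults]\n# rdns = false\n[realms]\nEXAMPLE.COM = {\n rdns = false\n}\n",
    "conflict": "[libdefaults]\nrdns = false\nrdns = yes\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {effective_rdns(text)}")
```

A host reported as "unset (implicit true)" or "true" still canonicalizes service hostnames through reverse address lookup; "review" marks files whose rdns lines disagree or do not parse as booleans.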
