author: Greg Hudson <ghudson@mit.edu> 2013-09-05 18:30:02 -0400
committer: Greg Hudson <ghudson@mit.edu> 2013-09-06 01:02:28 -0400
commit: 60edb321af64081e3eb597da0256faf117c9c441 (patch)
tree: 698137c48805a6b3381e531ddbfcc46fe5cab73a /doc
parent: 9e37d01a0122904776fada43ec65425c375414d8 (diff)
Add a flag to prevent all host canonicalization
If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups.

ticket: 7703 (new)
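To make the effect of the two flags concrete, here is an added example (not krb5 code and not part of this commit) that simulates how a client derives a host-based service principal from a hostname under the forward-then-reverse lookup order the commit message describes. The resolver tables, the realm EXAMPLE.COM, the hostnames and the function name `sname_to_principal` are all constructed for illustration; the real krb5_sname_to_principal uses the system resolver. The point it shows: with canonicalization on, whoever answers the forward or reverse query decides which principal the client asks a ticket for; with it off, the client uses exactly the name it was given, so a short name stays short and will not match a server key registered under the fully-qualified name.

```python
"""Simulated Kerberos hostname canonicalization (added example, not krb5 code).

The tables below are constructed test data. The function mirrors the order
described in the commit message (forward lookup, then reverse lookup if rdns
is on, both skipped if dns_canonicalize_hostname is off); it is not the real
krb5_sname_to_principal.
"""

# Constructed forward records: queried name -> (canonical name, address).
FORWARD_HONEST = {
    "fileserver": ("fileserver.example.com", "192.0.2.10"),
    "fileserver.example.com": ("fileserver.example.com", "192.0.2.10"),
}
# Same, but an attacker's resolver answers the forward query with a CNAME
# pointing at a host whose key the attacker holds.
FORWARD_SPOOFED = {
    "fileserver": ("attacker.example.com", "192.0.2.66"),
    "fileserver.example.com": ("attacker.example.com", "192.0.2.66"),
}

# Constructed reverse (PTR) records: address -> name.
REVERSE_HONEST = {"192.0.2.10": "fileserver.example.com"}
# The attacker controls the PTR record for the legitimate address.
REVERSE_SPOOFED = {"192.0.2.10": "attacker.example.com"}


def sname_to_principal(hostname, realm, *, dns_canonicalize_hostname=True,
                       rdns=True, forward=FORWARD_HONEST,
                       reverse=REVERSE_HONEST, service="host"):
    """Return 'service/host@REALM' for hostname under the given settings.

    dns_canonicalize_hostname=False: use hostname as given (case-folded).
    rdns=True: after the forward lookup, replace the name with the PTR
    record for the resolved address, if one exists. rdns is ignored when
    dns_canonicalize_hostname is False, as the patched documentation says.
    """
    name = hostname.lower()  # case-fold the host component (krb5 does too)
    if dns_canonicalize_hostname:
        entry = forward.get(name)
        if entry is None:
            raise LookupError(f"no forward record for {name}")
        canonical, addr = entry
        name = canonical.lower()
        if rdns:
            name = reverse.get(addr, name).lower()
    return f"{service}/{name}@{realm}"


def matches_server_key(principal, keytab_principals):
    """True if the client would ask for a ticket the server can decrypt."""
    return principal in keytab_principals


if __name__ == "__main__":
    realm = "EXAMPLE.COM"
    keytab = {"host/fileserver.example.com@EXAMPLE.COM"}
    scenarios = {
        "defaults, honest DNS": dict(),
        "defaults, spoofed PTR": dict(reverse=REVERSE_SPOOFED),
        "rdns=false, spoofed PTR": dict(rdns=False, reverse=REVERSE_SPOOFED),
        "rdns=false, spoofed forward": dict(rdns=False, forward=FORWARD_SPOOFED),
        "no canonicalization, FQDN given": dict(
            dns_canonicalize_hostname=False, forward=FORWARD_SPOOFED,
            reverse=REVERSE_SPOOFED),
    }
    for label, opts in scenarios.items():
        host = "fileserver.example.com" if "FQDN" in label else "fileserver"
        princ = sname_to_principal(host, realm, **opts)
        print(f"{label:35} -> {princ}  usable={matches_server_key(princ, keytab)}")
    short = sname_to_principal("fileserver", realm, dns_canonicalize_hostname=False)
    print(f"{'no canonicalization, short name':35} -> {short}  "
          f"usable={matches_server_key(short, keytab)}")
```

Setting rdns = false closes only the reverse-lookup path; a spoofed forward answer still redirects the principal. Setting dns_canonicalize_hostname = false closes both, at the cost that callers must supply fully-qualified names themselves.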
Diffstat (limited to 'doc')
doc/admin/conf_files/krb5_conf.rst | 10
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 6fa94e7c81..ff6a861e9d 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -185,6 +185,13 @@ The libdefaults section may contain any of the following relations:
clients from taking advantage of new stronger enctypes when the
libraries are upgraded.
+**dns_canonicalize_hostname**
+ Indicate whether name lookups will be used to canonicalize
+ hostnames for use in service principal names. Setting this flag
+ to false can improve security by reducing reliance on DNS, but
+ means that short hostnames will not be canonicalized to
+ fully-qualified hostnames. The default value is true.
+
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the
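Review bot: the new **dns_canonicalize_hostname** entry is vaguer than the commit message about what it disables; "name lookups" should read "forward and reverse name lookups", since the commit message says both are skipped, and readers otherwise cannot tell whether this flag subsumes **rdns**. The security sentence would also carry more weight if it named the threat, e.g. "Setting this flag to false can improve security, because a spoofed DNS answer can otherwise change which service principal the client requests a ticket for", rather than the generic "reducing reliance on DNS". Consider adding "If this flag is false, **rdns** has no effect" here as well, so the cross-reference added to the rdns entry in this patch goes both ways.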
@@ -302,7 +309,8 @@ The libdefaults section may contain any of the following relations:
**rdns**
If this flag is true, reverse name lookup will be used in addition
to forward name lookup to canonicalizing hostnames for use in
- service principal names. The default value is true.
+ service principal names. If **dns_canonicalize_hostname** is set
+ to false, this flag has no effect. The default value is true.
**realm_try_domains**
Indicate whether a host's domain components should be used to
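Review bot: since this paragraph is being edited anyway, fix the grammar in the unchanged first sentence: "in addition to forward name lookup to canonicalizing hostnames" should read "in addition to forward name lookup when canonicalizing hostnames" (or "to canonicalize hostnames"). The added sentence stating that **rdns** has no effect when **dns_canonicalize_hostname** is false matches the commit message and is fine as written.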