Hi,
I'm wondering why krb5_validate defaults to false in sssd-krb5, and apparently it's the same default in the MIT Kerberos libraries (via verify_ap_req_nofail). It should solve the KDC impersonation attack, at the expense of a slightly more complicated setup (create the host principal, extract key, create keytab). Is it because of this added difficulty in setting up things, or does it not work on very common scenarios/applications? Or just one of those hard-to-do transitions?
sssd-users@lists.fedorahosted.org
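For reference, here is what the two settings named in the question look like when switched from their fail-open defaults to the validating configuration. This is an added, constructed example, not configuration from the poster or from the SSSD project; the realm EXAMPLE.COM, the KDC hostname and the keytab path are assumptions.

```ini
# /etc/sssd/sssd.conf (excerpt) -- constructed example; realm, host and paths are assumed
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM

# Default behaviour (krb5_validate = false): the TGT obtained with the user's
# password is accepted as proof of authentication without checking it against
# a key this host holds, so a spoofed KDC can answer for the real one.
#krb5_validate = false

# Validating configuration: after obtaining the TGT, SSSD requests a ticket for
# host/<fqdn>@EXAMPLE.COM and decrypts it with the key in the keytab. A fake KDC
# that does not know the host key cannot produce a ticket that passes this step.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# /etc/krb5.conf (excerpt) -- the library-level equivalent for other MIT Kerberos clients
[libdefaults]
    default_realm = EXAMPLE.COM
    # false (default): if no usable keytab is found, verification is silently skipped.
    # true: initial-credential verification fails instead of being skipped.
    verify_ap_req_nofail = true
```

Both settings depend on the keytab actually containing the host principal, which is the extra setup the question mentions; `klist -k /etc/krb5.keytab` lists the principals present. The point of verify_ap_req_nofail is the failure mode: with it false, a missing or unreadable keytab makes validation vanish silently, so a host that was meant to validate quietly reverts to the unvalidated path.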