diff --git a/NEWS b/NEWS
index f54209f7728e6aa436e01e8c1a5ca64347747c6c..73b393159e846442506d613746b3f3cf73a50d51 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+release/005.005 (unreleased)
+
+ [kerberos] Add the option rdns_enabled so that Kerberos can be
+ configured not to require clients to do a reverse DNS lookup on the
+ hostname of a service principal. The default is set to true, so
+ unless specifically overridden to false Kerberos
+ clients will behave as they always have. [adamhl]
+
 release/005.004 (2017-01-09)
 
 [os] Change the exec resource in the 'aptitude' staged
diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp
index 72a84671dba00f2500211972a6b469be293fd35a..8f41cda85756e15134213f608cf54465ce016ec2 100644
--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -25,10 +25,17 @@
 # (lookin' at you Java!) work better with TCP. Set this parameter to
 # "true" to force the client to prefer TCP to UDP.
 # Default: false
-
+#
+# $rdns_enabled: if 'true' have the Kerberos client do a reverse DNS
+# lookup on the hostname when connecting to a server. This should be set
+# to 'false' if you want the client to be able to connect to services where
+# the service name's IP address PTR record may not match the hostname
+# (e.g., for services running in Amazon Web Services).
+# Default: true
 class base::kerberos(
- $prefer_tcp = false,
- $krb_env = 'prod',
+ $prefer_tcp = false,
+ $krb_env = 'prod',
+ $rdns_enabled = true,
 ){
 
 # We only allow the 'prod', 'uat', and 'test' environments.
diff --git a/templates/kerberos/krb5.conf.erb b/templates/kerberos/krb5.conf.erb
index 7f962bebcea8e897288282ad9c399e8fb6b5f876..f0494cf1aada8abb9a8775fd1620ae8e6350fc88 100644
--- a/templates/kerberos/krb5.conf.erb
+++ b/templates/kerberos/krb5.conf.erb
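Review bot: `$rdns_enabled` is declared untyped in the class signature, so a caller that passes the string `'false'` (easy to do from Hiera or an older manifest) reaches the `if (@rdns_enabled)` branch in templates/kerberos/krb5.conf.erb as a truthy Ruby string and silently renders `rdns = true`; the same weakness exists for `$prefer_tcp`, but the new parameter is the one this commit should tighten. If the module targets Puppet 4 or later, declare it `Boolean $rdns_enabled = true,`; on older Puppet a stdlib `validate_bool($rdns_enabled)` at the top of the class body gives the same guarantee. The new header comment could also drop the quotes around 'true' and 'false' so readers do not take them for string values. The class body continues outside the hunk.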
@@ -50,6 +50,11 @@
 forwardable = true
 noaddresses = true
 allow_weak_crypto = true
+<%- if (@rdns_enabled) then -%>
+ rdns = true
+<%- else -%>
+ rdns = false
+<%- end -%>
 <% if (@prefer_tcp) then -%>
 udp_preference_limit = 1
 <% end -%>
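Review bot: The template now writes an `rdns` line unconditionally, so the rendered krb5.conf changes on every host on the first run after this upgrade even with the default `true`, and any resource subscribed to the file refreshes once; if that matters, emit the line only for the non-default case, since MIT krb5 treats a missing `rdns` as `true`, e.g. `<%- unless (@rdns_enabled) then -%>` / `rdns = false` / `<%- end -%>`. The new block opens its tags with `<%-` while the adjacent `prefer_tcp` block uses `<%`; picking one form keeps the rendered whitespace predictable. A one-line comment above the block noting that `rdns = false` makes service-principal canonicalization depend only on the configured hostname rather than on a PTR record the client cannot verify would explain why an operator might choose it beyond the AWS case described in the manifest.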