[krbdev.mit.edu #7921] Document recommended profile settings which we can't make default
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue May 27 15:19:49 EDT 2014
There are a number of profile options which we wish we could change the
defaults for, but have not because of interoperability or upgrade
concerns. We should document these in the admin guide, explaining the
benefits and costs of setting them. Here are the ones I currently have
in mind:
1. rdns = false (benefits: fewer confusing service principal issues
based on reverse DNS; costs: none unless you were relying on it)
2. dns_canonicalize_hostname = false (benefits: much better mutual
authentication security; costs: need a service principal name or alias
for each name users will type)
3. supported_enctypes = aes256-cts (benefits: smaller KDB, fewer
attackable long-term keys; costs: XP/server2003 interop, old Java
interop)
4. default_tkt_enctypes = DEFAULT -des3 -rc4 (benefits: cannot fool
clients into handing out secret keys; costs: interop). (I had
originally thought about setting default_tgs_enctypes and
permitted_enctypes as well, but I'm not sure those have easily
articulated benefits.)
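As an added illustration, not part of the ticket or of MIT krb5 itself, the following script checks a krb5.conf and kdc.conf against the four recommendations listed above. It assumes the client settings live in [libdefaults] and that supported_enctypes is read from the realm's stanza under [realms] in kdc.conf; the small profile parser covers the syntax those files use ([section] headers, key = value relations and nested key = { ... } blocks, but not the "value*" final marker). The two sample profiles are constructed for the example and do not describe any real deployment.

```python
"""Audit krb5.conf / kdc.conf against the four recommendations in the
ticket. Added example, not MIT krb5 code. Assumptions: client settings
are in [libdefaults]; supported_enctypes is in [realms] -> <realm> of
kdc.conf; the 'value*' final-marker syntax is not handled."""

import re
from typing import Any, Dict, List, Optional

AES256 = ("aes256-cts", "aes256-cts-hmac-sha1-96")
WEAK_FAMILIES = ("des", "des3", "rc4", "arcfour")   # des also matches des3


def parse_profile(text: str) -> Dict[str, Any]:
    """Parse krb5 profile syntax into nested dicts. A repeated scalar key
    keeps its first value (what libkrb5 returns for a scalar lookup)."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = []       # open blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # blank or full-line comment
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation outside any section: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, value)
    return root


def profile_bool(value: Optional[str], default: bool) -> bool:
    """Boolean parsing as libkrb5 does it: y/yes/true/t/1/on are true."""
    if value is None:
        return default
    return value.lower() in ("y", "yes", "true", "t", "1", "on")


def weak_enctypes(value: str) -> List[str]:
    """Entries of a client enctype list that still admit DES/DES3/RC4.
    Understands the DEFAULT keyword and +family/-family modifiers."""
    tokens = value.replace(",", " ").split()
    weak = []
    if "DEFAULT" in tokens:            # DEFAULT keeps des3/rc4 unless removed
        weak += ["DEFAULT keeps " + f for f in ("des3", "rc4")
                 if "-" + f not in tokens]
    for tok in tokens:
        if tok == "DEFAULT" or tok.startswith("-"):
            continue
        if tok.lstrip("+").split(":", 1)[0].lower().startswith(WEAK_FAMILIES):
            weak.append(tok)
    return weak


def audit(krb5_conf: str, kdc_conf: str, realm: str) -> Dict[str, Optional[str]]:
    """Map each recommended setting to None (met) or a short finding."""
    lib = parse_profile(krb5_conf).get("libdefaults", {})
    realm_sec = parse_profile(kdc_conf).get("realms", {}).get(realm, {})
    f: Dict[str, Optional[str]] = {}
    f["rdns"] = (None if not profile_bool(lib.get("rdns"), True)
                 else "true (default): service principal picked via reverse DNS")
    f["dns_canonicalize_hostname"] = (
        None if not profile_bool(lib.get("dns_canonicalize_hostname"), True)
        else "true (default): DNS can steer the client to another principal")
    se = realm_sec.get("supported_enctypes")
    if se is None:
        f["supported_enctypes"] = "not set: KDC default adds non-AES256 keys"
    else:
        extra = [e for e in se.replace(",", " ").split()
                 if e.split(":", 1)[0].lower() not in AES256]
        f["supported_enctypes"] = (None if not extra else
                                   "extra long-term key types: " + " ".join(extra))
    te = lib.get("default_tkt_enctypes")
    if te is None:
        f["default_tkt_enctypes"] = "not set: default list still offers des3 and rc4"
    else:
        weak = weak_enctypes(te)
        f["default_tkt_enctypes"] = (None if not weak else
                                     "still offers: " + ", ".join(weak))
    return f


# Constructed sample profiles for the example (not a real deployment).
WEAK_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # rdns, dns_canonicalize_hostname, default_tkt_enctypes left at defaults
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
WEAK_KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
    }
"""
HARDENED_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
    dns_canonicalize_hostname = false
    default_tkt_enctypes = DEFAULT -des3 -rc4
"""
HARDENED_KDC_CONF = """
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal
    }
"""

if __name__ == "__main__":
    for name, (k, d) in {"weak": (WEAK_KRB5_CONF, WEAK_KDC_CONF),
                         "hardened": (HARDENED_KRB5_CONF, HARDENED_KDC_CONF)}.items():
        print(name)
        for setting, finding in audit(k, d, "EXAMPLE.COM").items():
            print("  %-26s %s" % (setting, finding or "ok"))
```

The check deliberately reports a missing setting as a finding rather than treating it as neutral, since the whole point of the ticket is that the shipped defaults are the weak values; a hardened profile has to state each option explicitly.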