Description of problem:
krb5.conf(5) should document the master_kdc configuration option, using kdc/admin_server to specify a KDC in /etc/krb5.conf with DNS lookups disabled is not enough, in some cases it can be seen e.g. with KRB5_TRACE=/dev/stderr kinit -V user@REALM that another KDC is being contacted.
By also setting the currently undocumented master_kdc then only the specified KDC is being contacted.
Version-Release number of selected component (if applicable):
Reopening, I think that this option should be added to man page in rhel6.
Rhel 7 man has it and says:
Identifies the master KDC(s). Currently, this tag is used in
only one case: If an attempt to get credentials fails because of
an invalid password, the client software will attempt to contact
the master KDC, in case the user's password has just been
changed, and the updated database has not been propagated to the
slave servers yet.
This does not seem a very important issue to disrupt rhel6 with and it is fixed in rhel7.