<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: /etc/hosts on a Kerberos client - Please provide your advise.</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Sridhar,</FONT>
</P>
<P><FONT SIZE=2>Our company has a lot of experience with Oracle ASE configuration and its Kerberos capabilities. I can help you with this issue if you provide me with some background to the actual configuration being tested, i.e. what version of the Oracle product is being used, what architecture, platforms etc.</FONT></P>
<P><FONT SIZE=2>If you can provide me with these details I suggest we continue this subject offlist.</FONT>
</P>
<P><FONT SIZE=2>Thanks, </FONT>
<BR><FONT SIZE=2>Tim Alsop</FONT>
<BR><FONT SIZE=2>CyberSafe Limited. </FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Sridhar Murthy [<A HREF="mailto:murthys@us.ibm.com">mailto:murthys@us.ibm.com</A>] </FONT>
<BR><FONT SIZE=2>Sent: 12 September 2003 06:44</FONT>
<BR><FONT SIZE=2>To: kerberos@mit.edu</FONT>
<BR><FONT SIZE=2>Cc: krbdev@mit.edu; Sam Hartman; James McBride; Richard A Ernst; glongsine@fs.fed.us; Steve Sipocz Jr; wdeschene@fs.fed.us</FONT></P>
<P><FONT SIZE=2>Subject: Re: /etc/hosts on a Kerberos client - Please provide your advise.</FONT>
</P>
<P><FONT SIZE=2>Dear Kerberos Support Analyst:</FONT>
</P>
<P><FONT SIZE=2>At the outset I would like to convey our sincere thanks for providing excellent support to the IT community on KRB matters.</FONT></P>
<P><FONT SIZE=2>We are currently working on integrating an Oracle product with a Kerberos server. My colleague Jim McBride had written to krbdev@mit.edu and Sam Hartman responded with his comments that as long as gethostbyaddr(gethostbyname(gethostname())) returns an FQDN, things should work fine.</FONT></P>
<P><FONT SIZE=2>Oracle insists that we need to provide the FQDN in the /etc/hosts file and all along we have been telling them that it is not a MUST for us to put the FQDN name in the /etc/hosts files. Although Oracle's argument makes sense in a set-up where DNS is not configured correctly, we all know that, from the Name Service management perspective, it is not a good idea to have the FQDN in the /etc/hosts. We should let the resolver libraries take care of the FQDN issues while making sure that the DNS is configured according to the specifications.</FONT></P>
<P><FONT SIZE=2>I am more than convinced that our environment is correctly configured and any application which relies on resolver libraries to derive the FQDN of the host will work correctly in our environment. I do not find it necessary to put the FQDN of the host in the /etc/hosts file of the machine (which makes the DNS set-up meaningless).</FONT></P>
<P><FONT SIZE=2>I wrote a very simple program (fqdn_of_host.c) to demonstrate that the resolver libraries are working correctly in an environment where DNS is set up properly and Kerberos applications will work correctly in the same environment.</FONT></P>
<BR>
<P><FONT SIZE=2>==================================================================================================</FONT>
<BR><FONT SIZE=2>Some of the AIX commands produce the following results :</FONT>
</P>
<P><FONT SIZE=2>root@denver $ hostname</FONT>
<BR><FONT SIZE=2>denver</FONT>
</P>
<P><FONT SIZE=2>root@denver $ host denver</FONT>
<BR><FONT SIZE=2>denver.r2.fs.fed.us is 9.99.15.50</FONT>
</P>
<P><FONT SIZE=2>root@denver $ nslookup denver</FONT>
<BR><FONT SIZE=2>Server: netsrv.fs.fed.us</FONT>
<BR><FONT SIZE=2>Address: 9.99.15.100</FONT>
</P>
<P><FONT SIZE=2>Name: denver.r2.fs.fed.us</FONT>
<BR><FONT SIZE=2>Address: 9.99.15.50</FONT>
</P>
<P><FONT SIZE=2>root@denver $ nslookup 9.99.15.50</FONT>
<BR><FONT SIZE=2>Server: netsrv.fs.fed.us</FONT>
<BR><FONT SIZE=2>Address: 9.99.15.100</FONT>
</P>
<P><FONT SIZE=2>Name: denver.r2.fs.fed.us</FONT>
<BR><FONT SIZE=2>Address: 9.99.15.50</FONT>
</P>
<P><FONT SIZE=2>root@denver $ ifconfig en0</FONT>
<BR><FONT SIZE=2>en0: flags=e080863&lt;UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT&gt;</FONT>
<BR><FONT SIZE=2> inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255</FONT>
</P>
<BR>
<P><FONT SIZE=2>=============================================================================================</FONT>
</P>
<P><FONT SIZE=2>The /etc/hosts file on denver looks like </FONT>
</P>
<P><FONT SIZE=2>127.0.0.1 loopback localhost # loopback (lo0) name/address</FONT>
<BR><FONT SIZE=2>9.99.15.50 denver</FONT>
<BR><FONT SIZE=2>=============================================================================================</FONT>
<BR><FONT SIZE=2>The /etc/resolv.conf file on denver looks like</FONT>
</P>
<P><FONT SIZE=2>nameserver 9.99.15.100</FONT>
<BR><FONT SIZE=2>search r1.fs.fed.us r2.fs.fed.us r3.fs.fed.us r6.fs.fed.us boulder.ibm.com ibm.com fs.fed.us</FONT>
<BR><FONT SIZE=2>nameserver 9.17.223.121</FONT>
<BR><FONT SIZE=2>=============================================================================================</FONT>
<BR><FONT SIZE=2>The /etc/netsvc.conf file on the machine looks like:</FONT>
</P>
<P><FONT SIZE=2>hosts=bind4,local</FONT>
<BR><FONT SIZE=2>=============================================================================================</FONT>
</P>
<PRE>
/*
 * Source code for fqdn_of_host.c
 */

#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;netdb.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;arpa/inet.h&gt;
#include &lt;unistd.h&gt;

int main(void)
{
    char host_name[1024];
    char addrbuf[32];
    char *ch;
    unsigned char a[4];
    struct hostent *hostptr;
    int i;

    /* Step 1: the name the system reports for this host. */
    if (gethostname(host_name, sizeof(host_name)) != 0) {
        perror("gethostname");
        return 1;
    }
    host_name[sizeof(host_name) - 1] = '\0';
    printf("Host Name by gethostname() : %s \n", host_name);

    /* Step 2: forward lookup of that name through the resolver. */
    hostptr = gethostbyname(host_name);
    if (hostptr == NULL) {
        fprintf(stderr, "gethostbyname(%s) failed\n", host_name);
        return 1;
    }
    printf("\nHost Name by gethostbyname() : %s \n", hostptr-&gt;h_name);

    for (i = 0; hostptr-&gt;h_aliases[i]; i++)
        printf("Host Alias by gethostbyname() : %s\n", hostptr-&gt;h_aliases[i]);

    /* A canonical name without a dot is not fully qualified. */
    ch = strchr(hostptr-&gt;h_name, '.');
    if (ch == NULL) {
        printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
    } else {
        printf("Domain by gethostbyname() : %s\n", ++ch);
    }

    /* Copy the first IPv4 address out of the hostent before the next
       resolver call overwrites the static result. */
    if (hostptr-&gt;h_addrtype != AF_INET || hostptr-&gt;h_addr_list[0] == NULL) {
        fprintf(stderr, "no IPv4 address returned for %s\n", host_name);
        return 1;
    }
    memcpy(a, hostptr-&gt;h_addr_list[0], 4);
    snprintf(addrbuf, sizeof(addrbuf), "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
    printf("Host IP by gethostbyname() : %s\n", addrbuf);

    /* Step 3: reverse lookup of that address. */
    hostptr = gethostbyaddr((const char *)a, 4, AF_INET);
    if (hostptr == NULL) {
        fprintf(stderr, "gethostbyaddr(%s) failed\n", addrbuf);
        return 1;
    }
    printf("\nHost Name by gethostbyaddr() : %s \n", hostptr-&gt;h_name);
    return 0;
}
</PRE>
<P><FONT SIZE=2>=============================================================================================</FONT>
<BR><FONT SIZE=2>cc fqdn_of_host.c -o fqdn_of_host</FONT>
</P>
<P><FONT SIZE=2>When I run the compiled version of the above source code the output looks</FONT>
<BR><FONT SIZE=2>like:</FONT>
</P>
<P><FONT SIZE=2>root@denver $ fqdn_of_host</FONT>
<BR><FONT SIZE=2>Host Name by gethostname() : denver </FONT>
</P>
<P><FONT SIZE=2>Host Name by gethostbyname() : denver.r2.fs.fed.us </FONT>
<BR><FONT SIZE=2>Domain by gethostbyname() : r2.fs.fed.us</FONT>
<BR><FONT SIZE=2>Host IP by gethostbyname() : 9.99.15.50</FONT>
</P>
<P><FONT SIZE=2>Host Name by gethostbyaddr() : denver.r2.fs.fed.us </FONT>
</P>
<P><FONT SIZE=2>root@denver $ </FONT>
</P>
<P><FONT SIZE=2>===============================================================================================</FONT>
</P>
<P><FONT SIZE=2>I am of the opinion that " Oracle's argument that FQDN hostname must </FONT>
<BR><FONT SIZE=2>and should be present on the first line of the /etc/hosts file in order </FONT>
<BR><FONT SIZE=2>for the Kerberos server/client to work correctly does not make a good </FONT>
<BR><FONT SIZE=2>argument when DNS is configured correctly and it is assured that DNS will work correctly under all circumstances".</FONT>
</P>
<BR>
<P><FONT SIZE=2>What am I requesting you for?</FONT>
</P>
<P><FONT SIZE=2>Please confirm to us that " In the environment that has been described in </FONT>
<BR><FONT SIZE=2>this e-mail, it is NOT necessary for us to put the FQDN name of the host </FONT>
<BR><FONT SIZE=2>in /etc/hosts file for the kerberos server/client to work correctly "</FONT>
</P>
<BR>
<P><FONT SIZE=2>Once again, thanks for your help. A quick response to this is gratefully </FONT>
<BR><FONT SIZE=2>acknowledged.</FONT>
</P>
<BR>
<P><FONT SIZE=2>Regards,</FONT>
</P>
<P><FONT SIZE=2>Sridhar</FONT>
</P>
<P><FONT SIZE=2><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>></FONT>
<BR><FONT SIZE=2>IBM BCS - Public Sector</FONT>
<BR><FONT SIZE=2>Voice (303) 924 - 0413</FONT>
<BR><FONT SIZE=2>Email murthys@us.ibm.com</FONT>
<BR><FONT SIZE=2><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>></FONT>
<BR><FONT SIZE=2>----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----</FONT>
</P>
<BR>
<P><FONT SIZE=2>James McBride</FONT>
<BR><FONT SIZE=2>09/10/2003 01:47 PM</FONT>
</P>
<BR>
<P><FONT SIZE=2> To: Sridhar Murthy@IBMUS</FONT>
<BR><FONT SIZE=2> cc: Steve Sipocz Jr/Boulder/IBM@IBMUS, wdeschene@fs.fed.us, </FONT>
<BR><FONT SIZE=2>glongsine@fs.fed.us, Richard A Ernst/Boulder/IBM@IBMUS</FONT>
<BR><FONT SIZE=2> From: James McBride/Boulder/IBM@IBMUS</FONT>
<BR><FONT SIZE=2> Subject: Re: /etc/hosts on a Kerberos client</FONT>
</P>
<BR>
<P><FONT SIZE=2>Sridhar,</FONT>
<BR><FONT SIZE=2> Can you write a C program to verify that "gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with an FQDN"?</FONT>
</P>
<P><FONT SIZE=2>TIA </FONT>
</P>
<P><FONT SIZE=2>Jim McBride</FONT>
<BR><FONT SIZE=2>Oracle Deployment and Support</FONT>
<BR><FONT SIZE=2>IBM Corporation</FONT>
<BR><FONT SIZE=2>6300 Diagonal HWY., Stop 003E</FONT>
<BR><FONT SIZE=2>Boulder, CO 80301-9020</FONT>
<BR><FONT SIZE=2>Office: (303) 924-5626</FONT>
<BR><FONT SIZE=2>Lab: (303) 924-0212</FONT>
<BR><FONT SIZE=2>Fax: (303) 924-9233</FONT>
<BR><FONT SIZE=2>mcbridejt@us.ibm.com</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>Sam Hartman &lt;hartmans@mit.edu&gt;</FONT>
<BR><FONT SIZE=2>09/10/2003 12:40 PM</FONT>
</P>
<P><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2> To: James McBride/Boulder/IBM@IBMUS</FONT>
<BR><FONT SIZE=2> cc: &lt;krbdev@mit.edu&gt;, wdeschene@fs.fed.us, Sridhar Murthy/Boulder/IBM@IBMUS, </FONT>
<BR><FONT SIZE=2>Kurt Bevers &lt;Kurt.Bevers@oracle.com&gt;, Steve Sipocz Jr/Boulder/IBM@IBMUS</FONT>
<BR><FONT SIZE=2> Subject: Re: /etc/hosts on a Kerberos client</FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>>>>>> "James" == James McBride &lt;mcbridejt@us.ibm.com&gt; writes:</FONT>
</P>
<P><FONT SIZE=2> James> Dear Kerberos Support Analyst:</FONT>
</P>
<P><FONT SIZE=2> James> Oracle Support is reporting that MIT Kerberos requires that</FONT>
<BR><FONT SIZE=2> James> the FQDN of a Kerberos client must be in the /etc/hosts</FONT>
<BR><FONT SIZE=2> James> file. They provided the URL below as a reference:</FONT>
<BR><FONT SIZE=2> James> <A HREF="http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct" TARGET="_blank">http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct</A></FONT>
</P>
<P><FONT SIZE=2> James> We feel that Kerberos can use DNS and the operating system</FONT>
<BR><FONT SIZE=2> James> to determine the FQDN of a machine.</FONT>
</P>
<P><FONT SIZE=2> James> Please provide your perspective on this.</FONT>
</P>
<P><FONT SIZE=2> James> Thanks In Advance,</FONT>
</P>
<BR>
<P><FONT SIZE=2> James> Jim McBride Oracle Deployment and Support IBM Corporation</FONT>
<BR><FONT SIZE=2> James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020</FONT>
<BR><FONT SIZE=2> James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)</FONT>
<BR><FONT SIZE=2> James> 924-9233 mcbridejt@us.ibm.com</FONT>
</P>
<P><FONT SIZE=2> James> _______________________________________________ krbdev</FONT>
<BR><FONT SIZE=2> James> mailing list krbdev@mit.edu</FONT>
<BR><FONT SIZE=2> James> <A HREF="https://mailman.mit.edu/mailman/listinfo/krbdev" TARGET="_blank">https://mailman.mit.edu/mailman/listinfo/krbdev</A></FONT>
</P>
<P><FONT SIZE=2>Hi. The address krbdev@mit.edu is not an appropriate place to request</FONT>
<BR><FONT SIZE=2>Kerberos support. This address is for discussion of development of</FONT>
<BR><FONT SIZE=2>MIT Kerberos. You may want to address support questions to</FONT>
<BR><FONT SIZE=2>kerberos@mit.edu in the future.</FONT>
</P>
<BR>
<P><FONT SIZE=2>That said, with regard to DNS and hostnames, the requirement is that</FONT>
<BR><FONT SIZE=2>gethostbyaddr(gethostbyname(gethostname())) return a correct hostname</FONT>
<BR><FONT SIZE=2>with an FQDN. The easiest way of guaranteeing this is to make sure</FONT>
<BR><FONT SIZE=2>that both /etc/hosts and DNS will correctly resolve the machine.</FONT>
</P>
<P><FONT SIZE=2>Things that typically do not work include listing the machine's IP in</FONT>
<BR><FONT SIZE=2>/etc/hosts without the FQDN first; listing the machine's name on the</FONT>
<BR><FONT SIZE=2>localhost line in /etc/hosts; etc.</FONT>
</P>
<P><FONT SIZE=2>Not listing the machine's name in /etc/hosts at all while correctly</FONT>
<BR><FONT SIZE=2>configuring DNS will tend to work correctly.</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>________________________________________________</FONT>
<BR><FONT SIZE=2>Kerberos mailing list Kerberos@mit.edu</FONT>
<BR><FONT SIZE=2><A HREF="https://mailman.mit.edu/mailman/listinfo/kerberos" TARGET="_blank">https://mailman.mit.edu/mailman/listinfo/kerberos</A></FONT>
</P>
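<P><FONT SIZE=2>Added example, not part of the original thread or of MIT Kerberos: a small C check that classifies hosts-file text against the patterns named in Sam Hartman's reply (the machine's IP listed without the FQDN first, the machine's name on the loopback line, or the name not listed at all). The function and enum names are hypothetical, the first sample is the /etc/hosts quoted in the message, the second is constructed, and the code assumes a file lookup returns the first line that names the host; on the host in the thread /etc/netsvc.conf lists bind4 ahead of local.</FONT></P>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hosts_verdict { HOSTS_ABSENT, HOSTS_FQDN_FIRST, HOSTS_SHORT_FIRST, HOSTS_ON_LOOPBACK };

/* Case-insensitive compare of token t (length n) with a NUL-terminated name. */
static int tok_eq(const char *t, size_t n, const char *name)
{
    size_t i = 0;
    while (i < n && name[i] && tolower((unsigned char)t[i]) == tolower((unsigned char)name[i])) i++;
    return i == n && name[i] == '\0';
}

/* Classify the first hosts-file line naming `host` (assumption: first match wins). */
enum hosts_verdict check_hosts(const char *text, const char *host)
{
    while (*text) {
        size_t eol = strcspn(text, "\n"), end = strcspn(text, "#\n"); /* '#' starts a comment */
        const char *p = text, *stop = text + end, *addr = NULL, *canon = NULL;
        size_t addr_len = 0, canon_len = 0;
        int field = 0, hit = 0;
        for (; p < stop; field++) {
            p += strspn(p, " \t\r");
            if (p >= stop) break;
            size_t n = strcspn(p, " \t\r#\n");
            if (field == 0) { addr = p; addr_len = n; }    /* address column */
            if (field == 1) { canon = p; canon_len = n; }  /* first name is canonical */
            if (field >= 1 && tok_eq(p, n, host)) hit = 1; /* canonical name or alias */
            p += n;
        }
        text += eol + (text[eol] == '\n');
        if (!hit) continue;
        if (!strncmp(addr, "127.", 4) || (addr_len == 3 && !strncmp(addr, "::1", 3)))
            return HOSTS_ON_LOOPBACK;
        return memchr(canon, '.', canon_len) ? HOSTS_FQDN_FIRST : HOSTS_SHORT_FIRST;
    }
    return HOSTS_ABSENT;
}

/* HOSTS_POSTED: the file quoted in the message. HOSTS_FQDN: constructed variant. */
static const char HOSTS_POSTED[] = "127.0.0.1 loopback localhost # loopback (lo0) name/address\n"
                                   "9.99.15.50 denver\n";
static const char HOSTS_FQDN[] = "9.99.15.50 denver.r2.fs.fed.us denver\n";

int main(void)
{
    printf("posted=%d fqdn=%d\n", check_hosts(HOSTS_POSTED, "denver"), check_hosts(HOSTS_FQDN, "denver"));
    return 0;
}
```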
</BODY>
</HTML>