/etc/hosts on a Kerberos client - Please provide your advice.
Sridhar Murthy
murthys at us.ibm.com
Fri Sep 12 01:44:19 EDT 2003
Dear Kerberos Support Analyst:
At the outset I would like to convey our sincere thanks for providing
an excellent support to the IT community on KRB matters.
We are currently working on integrating an Oracle product with a Kerberos
server. My colleague Jim McBride had written to krbdev at mit.edu and Sam
Hartman responded with his comments that as long as gethostbyaddr(gethostbyname(gethostname())) returns FQDN, things should work fine.
Oracle insists that we need to provide the FQDN in the /etc/hosts file
and all along we have been telling them that it is not a MUST for us to
put the FQDN name in the /etc/hosts files. Although Oracle's argument
makes sense in a set-up where DNS is not configured correctly, we all
know it, from the Name Service management perspective it is not a good
idea to have the FQDN in the /etc/hosts. We should let the resolver
libraries take care of the FQDN issues while making sure that the DNS is
configured according to the specifications.
I am more than convinced that our environment is correctly configured
and any application which relies on resolver libraries to derive the
FQDN of the host will work correctly in our environment. I do not find it
necessary to put the FQDN of the host in /etc/hosts file of the machine
(which makes the DNS set-up meaningless).
I wrote a very simple program (fqdn_of_host.c) to demonstrate that the
resolver libraries are working correctly in an environment where DNS is
setup properly and kerberos applications will work correctly in the same
environment.
==================================================================================================
Some of the AIX commands produce the following results:
root at denver $ hostname
denver
root at denver $ host denver
denver.r2.fs.fed.us is 9.99.15.50
root at denver $ nslookup denver
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
root at denver $ nslookup 9.99.15.50
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
root at denver $ ifconfig en0
en0:
flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255
=============================================================================================
The /etc/hosts file on denver looks like
127.0.0.1 loopback localhost # loopback (lo0) name/address
9.99.15.50 denver
=============================================================================================
The /etc/resolv.conf file on denver looks like
nameserver 9.99.15.100
search r1.fs.fed.us r2.fs.fed.us r3.fs.fed.us r6.fs.fed.us boulder.ibm.com ibm.com fs.fed.us
nameserver 9.17.223.121
=============================================================================================
The /etc/netsvc.conf file on the machine looks like:
hosts=bind4,local
=============================================================================================
/*
Source code for fqdn_of_host.c
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void)
{
    char host_name[1024];
    char addrbuf[32];
    char *ch;
    struct hostent *hostptr;
    struct in_addr addr;
    int i;

    /* Step 1: the name the kernel was given, e.g. "denver" */
    if (gethostname(host_name, sizeof(host_name)) != 0) {
        perror("gethostname");
        return 1;
    }
    host_name[sizeof(host_name) - 1] = '\0';
    printf("Host Name by gethostname() : %s \n", host_name);

    /* Step 2: forward lookup through the resolver (DNS and/or /etc/hosts,
       in the order /etc/netsvc.conf specifies on AIX) */
    hostptr = gethostbyname(host_name);
    if (hostptr == NULL) {
        printf("gethostbyname() failed for %s\n", host_name);
        return 1;
    }
    printf("\nHost Name by gethostbyname() : %s \n", hostptr->h_name);
    for (i = 0; hostptr->h_aliases[i]; i++)
        printf("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);
    ch = strchr(hostptr->h_name, '.');
    if (ch == NULL) {
        printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
    } else {
        printf("Domain by gethostbyname() : %s\n", ++ch);
    }

    /* Copy the first IPv4 address out of the hostent before the next call,
       which reuses the static buffer gethostbyname() returned */
    if (hostptr->h_addrtype != AF_INET || hostptr->h_addr_list[0] == NULL) {
        printf("gethostbyname() returned no IPv4 address for %s\n", host_name);
        return 1;
    }
    memcpy(&addr, hostptr->h_addr_list[0], sizeof(addr));
    snprintf(addrbuf, sizeof(addrbuf), "%s", inet_ntoa(addr));
    printf("Host IP by gethostbyname() : %s\n", addrbuf);

    /* Step 3: reverse lookup; this is the name the Kerberos requirement is about */
    hostptr = gethostbyaddr((const char *)&addr, sizeof(addr), AF_INET);
    if (hostptr == NULL) {
        printf("gethostbyaddr() failed for %s\n", addrbuf);
        return 1;
    }
    printf("\nHost Name by gethostbyaddr() : %s \n", hostptr->h_name);
    return 0;
}
=============================================================================================
cc fqdn_of_host.c -o fqdn_of_host
When I run the compiled version of the above source code the output looks
like:
root at denver $ fqdn_of_host
Host Name by gethostname() : denver
Host Name by gethostbyname() : denver.r2.fs.fed.us
Domain by gethostbyname() : r2.fs.fed.us
Host IP by gethostbyname() : 9.99.15.50
Host Name by gethostbyaddr() : denver.r2.fs.fed.us
root at denver $
===============================================================================================
I am of the opinion that "Oracle's argument that FQDN hostname must
and should be present on the first line of the /etc/hosts file in order
for the kerberos server/client to work correctly does not make a good
argument when DNS is configured correctly and it is assured that DNS will
work correctly under all circumstances".
What am I requesting from you?
Please confirm to us that " In the environment that has been described in
this e-mail, it is NOT necessary for us to put the FQDN name of the host
in /etc/hosts file for the kerberos server/client to work correctly "
Once again, thanks for your help. A quick response to this is gratefully
acknowledged.
Regards,
Sridhar
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS - Public Sector
Voice (303) 924 - 0413
Email murthys at us.ibm.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----
James McBride
09/10/2003 01:47 PM
To: Sridhar Murthy at IBMUS
cc: Steve Sipocz Jr/Boulder/IBM at IBMUS, wdeschene at fs.fed.us,
glongsine at fs.fed.us, Richard A Ernst/Boulder/IBM at IBMUS
From: James McBride/Boulder/IBM at IBMUS
Subject: Re: /etc/hosts on a Kerberos client
Sridhar,
Can you write a C program to verify that "gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with
an FQDN"?
TIA
Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO 80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
mcbridejt at us.ibm.com
Sam Hartman <hartmans at mit.edu>
09/10/2003 12:40 PM
To: James McBride/Boulder/IBM at IBMUS
cc: <krbdev at mit.edu>, wdeschene at fs.fed.us, Sridhar Murthy/Boulder/IBM at IBMUS,
Kurt Bevers <Kurt.Bevers at oracle.com>, Steve Sipocz Jr/Boulder/IBM at IBMUS
Subject: Re: /etc/hosts on a Kerberos client
>>>>> "James" == James McBride <mcbridejt at us.ibm.com> writes:
James> Dear Kerberos Support Analyst:
James> Oracle Support is reporting that MIT Kerberos requires that
James> the FQDN of a Kerberos client must be in the /etc/hosts
James> file. They provided the URL below as a reference:
James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1
James> /doc/krb5-admin.html#Getting%20DNS%20Information%20Correct
James> We feel that Kerberos can use DNS and the operating system
James> to determine the FQDN of a machine.
James> Please provide your perspective on this.
James> Thanks In Advance,
James> Jim McBride Oracle Deployment and Support IBM Corporation
James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
James> 924-9233 mcbridejt at us.ibm.com
Hi. The address krbdev at mit.edu is not an appropriate place to request
Kerberos support. This address is for discussion of development of
MIT Kerberos. You may want to address support questions to
kerberos at mit.edu in the future.
That said, with regard to DNS and hostnames, the requirement is that
gethostbyaddr(gethostbyname(gethostname())) return a correct hostname
with an FQDN. The easiest way of guaranteeing this is to make sure
that both /etc/hosts and DNS will correctly resolve the machine.
Things that typically do not work include listing the machine's IP in
/etc/hosts without the FQDN first; listing the machine's name on the
localhost line in /etc/hosts; etc.
Not listing the machine's name in /etc/hosts at all while correctly
configuring DNS will tend to work correctly.
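The two /etc/hosts layouts Sam lists as typically not working can be checked mechanically before a Kerberos client is deployed. This is an added example, not code from the thread or from MIT Kerberos: check_hosts(), its verdict codes and the embedded copy of denver's /etc/hosts are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for check_hosts(); a higher value is a worse finding. */
enum { HOSTS_NOT_LISTED = 0, HOSTS_OK = 1, HOSTS_SHORT_FIRST = 2, HOSTS_ON_LOOPBACK = 3 };
/* True if tok is the short name itself or an FQDN whose first label is it. */
static int matches_host(const char *tok, const char *shortname)
{
    size_t n = strlen(shortname);
    return strncmp(tok, shortname, n) == 0 && (tok[n] == '\0' || tok[n] == '.');
}

/* Scan an /etc/hosts buffer for how 'shortname' is listed; the worst line wins.
   The name on a 127.x line, or on its own IP line with the short name in the
   canonical (first) slot, are the layouts Sam lists as typically not working. */
int check_hosts(const char *hosts, const char *shortname)
{
    char line[256], *ip, *tok;
    int worst = HOSTS_NOT_LISTED;
    for (const char *p = hosts; *p != '\0';) {
        size_t full = strcspn(p, "\n"), len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (p[full] == '\n');
        if ((tok = strchr(line, '#')) != NULL) *tok = '\0';      /* strip comment */
        if ((ip = strtok(line, " \t")) == NULL) continue;         /* blank line */
        int loopback = strncmp(ip, "127.", 4) == 0, matched = 0, canon_fqdn = 0;
        for (int i = 0; (tok = strtok(NULL, " \t")) != NULL; i++) {
            if (!matches_host(tok, shortname)) continue;
            matched = 1;
            if (i == 0 && strchr(tok, '.') != NULL) canon_fqdn = 1;
        }
        if (!matched) continue;
        int v = loopback ? HOSTS_ON_LOOPBACK : canon_fqdn ? HOSTS_OK : HOSTS_SHORT_FIRST;
        if (v > worst) worst = v;
    }
    return worst;
}

/* Constructed copy of the denver /etc/hosts shown earlier in the thread. */
static const char DENVER_HOSTS[] =
    "127.0.0.1 loopback localhost # loopback (lo0) name/address\n"
    "9.99.15.50 denver\n";
int main(void)
{
    static const char *what[] = { "not listed", "FQDN first on its IP line",
                                  "short name first on its IP line", "on the loopback line" };
    printf("denver in /etc/hosts: %s\n", what[check_hosts(DENVER_HOSTS, "denver")]);
    return 0;
}
```

For denver it reports the short-name-first layout; whether that matters in practice depends on the lookup order in /etc/netsvc.conf, which on denver consults bind4 before local.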