/etc/hosts on a Kerberos client - Please provide your advice.

Sridhar Murthy murthys at us.ibm.com
Fri Sep 12 01:44:19 EDT 2003


Dear Kerberos Support Analyst:

At the outset I would like to convey our sincere thanks for providing
excellent support to the IT community on KRB matters.

We are currently working on integrating an Oracle product with a Kerberos
server. My colleague Jim McBride had written to krbdev at mit.edu and Sam
Hartman responded with his comments that as long as
gethostbyaddr(gethostbyname(gethostname())) returns an FQDN, things should
work fine.

Oracle insists that we need to provide the FQDN in the /etc/hosts file
and all along we have been telling them that it is not a MUST for us to
put the FQDN name in the /etc/hosts file. Although Oracle's argument
makes sense in a set-up where DNS is not configured correctly, we all
know that, from the Name Service management perspective, it is not a good
idea to have the FQDN in /etc/hosts. We should let the resolver
libraries take care of the FQDN issues while making sure that the DNS is
configured according to the specifications.

I am more than convinced that our environment is correctly configured
and any application which relies on resolver libraries to derive the
FQDN of the host will work correctly in our environment. I do not find it
necessary to put the FQDN of the host in the /etc/hosts file of the machine
(which makes the DNS set-up meaningless).

I wrote a very simple program (fqdn_of_host.c) to demonstrate that the
resolver libraries are working correctly in an environment where DNS is
set up properly and Kerberos applications will work correctly in the same
environment.


==================================================================================================
Some of the AIX commands produce the following results :

root at denver $ hostname
denver

root at denver $ host denver
denver.r2.fs.fed.us is 9.99.15.50

root at denver $ nslookup denver
Server:  netsrv.fs.fed.us
Address:  9.99.15.100

Name:    denver.r2.fs.fed.us
Address:  9.99.15.50

root at denver $ nslookup 9.99.15.50
Server:  netsrv.fs.fed.us
Address:  9.99.15.100

Name:    denver.r2.fs.fed.us
Address:  9.99.15.50

root at denver $ ifconfig en0
en0: flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255


=============================================================================================

The /etc/hosts file on denver  looks like 

127.0.0.1               loopback localhost      # loopback (lo0) name/address
9.99.15.50              denver
=============================================================================================
The  /etc/resolv.conf   file on denver  looks  like

nameserver              9.99.15.100
search                  r1.fs.fed.us   r2.fs.fed.us   r3.fs.fed.us   r6.fs.fed.us   boulder.ibm.com    ibm.com   fs.fed.us
nameserver              9.17.223.121
=============================================================================================
The /etc/netsvc.conf  file on the machine looks like:

hosts=bind4,local
=============================================================================================
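/*
     Source code for   fqdn_of_host.c

*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void)
{
  char            host_name[1024];
  char            addrbuf[32], *ch;
  unsigned char   a[4];
  struct hostent *hostptr;
  int             i;

  /* Step 1: the name the system reports for this host */
  if (gethostname(host_name, sizeof(host_name)) != 0) {
    perror("gethostname");
    return 1;
  }
  host_name[sizeof(host_name) - 1] = '\0';
  printf ("Host Name by gethostname()    : %s \n", host_name);

  /* Step 2: forward lookup; h_name is the canonical name */
  hostptr = gethostbyname(host_name);
  if (hostptr == NULL) {
    fprintf (stderr, "gethostbyname() failed for %s\n", host_name);
    return 1;
  }
  printf ("\nHost Name by gethostbyname()  : %s \n", hostptr->h_name);

  for (i = 0; hostptr->h_aliases[i]; i++)
    printf ("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);

  /* A canonical name without a dot is not fully qualified */
  ch = strchr(hostptr->h_name,'.');
  if ( ch == NULL ){
    printf ( "DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
  }
  else{
    printf ( "Domain by gethostbyname()     : %s\n", ++ch);
  }

  /* Copy the first IPv4 address out of the hostent before the next
     resolver call reuses that static structure */
  if (hostptr->h_addrtype != AF_INET || hostptr->h_length != 4 ||
      hostptr->h_addr_list[0] == NULL) {
    fprintf (stderr, "gethostbyname() returned no IPv4 address\n");
    return 1;
  }
  memcpy(a, hostptr->h_addr_list[0], 4);
  snprintf(addrbuf, sizeof(addrbuf), "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
  printf ("Host IP by gethostbyname()    : %s\n", addrbuf);

  /* Step 3: reverse lookup of that address */
  hostptr = gethostbyaddr(a, 4, AF_INET);
  if (hostptr == NULL) {
    fprintf (stderr, "gethostbyaddr() failed for %s\n", addrbuf);
    return 1;
  }
  printf ("\nHost Name by gethostbyaddr()  : %s \n", hostptr->h_name);
  return 0;
}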

=============================================================================================
cc   fqdn_of_host.c   -o   fqdn_of_host

When I run the compiled version of the above source code the output looks 
like:

root at denver $ fqdn_of_host
Host Name by gethostname()              : denver 

Host Name by gethostbyname()    : denver.r2.fs.fed.us 
Domain by gethostbyname()               : r2.fs.fed.us
Host IP by gethostbyname()              : 9.99.15.50

Host Name by gethostbyaddr()            : denver.r2.fs.fed.us 

root at denver $ 

===============================================================================================

I am of the opinion that "Oracle's argument that FQDN hostname must
and should be present on the first line of the /etc/hosts file in order
for the Kerberos server/client to work correctly does not make a good
argument when DNS is configured correctly and it is assured that DNS will
work correctly under all circumstances".


What am I requesting you for?

Please confirm to us that "In the environment that has been described in
this e-mail, it is NOT necessary for us to put the FQDN name of the host
in the /etc/hosts file for the Kerberos server/client to work correctly".


Once again, thanks for your help. A quick response to this is gratefully 
acknowledged.


Regards,

Sridhar

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS -  Public Sector
Voice    (303) 924 - 0413
Email    murthys at us.ibm.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----


James McBride
09/10/2003 01:47 PM


        To:     Sridhar Murthy at IBMUS
        cc:     Steve Sipocz Jr/Boulder/IBM at IBMUS, wdeschene at fs.fed.us, 
glongsine at fs.fed.us, Richard A Ernst/Boulder/IBM at IBMUS
        From:   James McBride/Boulder/IBM at IBMUS
        Subject:        Re: /etc/hosts on a  Kerberos client


Sridhar,
        Can you write a C program to verify that
"gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with
an FQDN"?

TIA 

Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO  80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
mcbridejt at us.ibm.com





Sam Hartman <hartmans at mit.edu>
09/10/2003 12:40 PM

 
        To:     James McBride/Boulder/IBM at IBMUS
        cc:     <krbdev at mit.edu>, wdeschene at fs.fed.us, Sridhar Murthy/Boulder/IBM at IBMUS, 
Kurt Bevers <Kurt.Bevers at oracle.com>, Steve Sipocz Jr/Boulder/IBM at IBMUS
        Subject:        Re: /etc/hosts on a  Kerberos client



>>>>> "James" == James McBride <mcbridejt at us.ibm.com> writes:

    James> Dear Kerberos Support Analyst:

    James> Oracle Support is reporting that MIT Kerberos requires that
    James> the FQDN of a Kerberos client must be in the /etc/hosts
    James> file.  They provided the URL below as a reference:
    James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct

    James> We feel that Kerberos can use DNS and the operating system
    James> to determine the FQDN of a machine.

    James> Please provide your perspective on this.

    James> Thanks In Advance,


    James> Jim McBride Oracle Deployment and Support IBM Corporation
    James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
    James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
    James> 924-9233 mcbridejt at us.ibm.com

    James> _______________________________________________ krbdev
    James> mailing list krbdev at mit.edu
    James> https://mailman.mit.edu/mailman/listinfo/krbdev

Hi.  The address krbdev at mit.edu is not an appropriate place to request
Kerberos support.  This address is for discussion of development of
MIT Kerberos.  You may want to address support questions to
kerberos at mit.edu in the future.


That said, with regard to DNS and hostnames, the requirement is that
gethostbyaddr(gethostbyname(gethostname())) return a correct hostname
with an FQDN.  The easiest way of guaranteeing this is to make sure
that both /etc/hosts and DNS will correctly resolve the machine.

Things that typically do not work include listing the machine's IP in
/etc/hosts without the FQDN first; listing the machine's name on the
localhost line in /etc/hosts; etc.

Not listing the machine's name in /etc/hosts at all while correctly
configuring DNS will tend to work correctly.
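
Added example, not part of the original thread and not MIT Kerberos code: a small C checker for the two /etc/hosts layouts the reply above lists as typically not working (the machine's IP listed without the FQDN first, and the machine's name on the localhost line). The function name, the flag names and the treatment of ::1 as loopback are assumptions made for this example; the sample input is the hosts file quoted in the message.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define NAME_ON_LOOPBACK 1  /* machine's name listed on a 127.x or ::1 line */
#define SHORT_NAME_FIRST 2  /* machine's own line does not list the FQDN first */

/* Hosts file quoted in the message above (wrapped comment re-joined). */
static const char DENVER_HOSTS[] =
    "127.0.0.1   loopback localhost   # loopback (lo0) name/address\n"
    "9.99.15.50  denver\n";

/* host is the short name gethostname() returns, e.g. "denver". */
int check_hosts(const char *text, const char *host)
{
    size_t hl = strlen(host);
    int findings = 0;

    while (*text) {
        const char *stop = text + strcspn(text, "#\n");  /* ignore comments */
        const char *addr = text + strspn(text, " \t");
        const char *p = addr;
        int field = 0, mentions = 0, first_is_fqdn = 0;
        while (p < stop) {
            size_t tl = strcspn(p, " \t#\n");            /* token length */
            if (field == 1)                              /* first name after the address */
                first_is_fqdn = memchr(p, '.', tl) != NULL;
            /* match "denver" or "denver.<domain>", case-insensitively */
            if (field >= 1 && tl >= hl && strncasecmp(p, host, hl) == 0 &&
                (tl == hl || p[hl] == '.'))
                mentions = 1;
            field++;
            p += tl;
            p += strspn(p, " \t");
        }
        if (mentions) {
            if (strncmp(addr, "127.", 4) == 0 || strncmp(addr, "::1", 3) == 0)
                findings |= NAME_ON_LOOPBACK;
            else if (!first_is_fqdn)
                findings |= SHORT_NAME_FIRST;
        }
        text += strcspn(text, "\n");                     /* advance to next line */
        if (*text == '\n') text++;
    }
    return findings;
}

int main(void)
{
    printf("findings for denver: %d\n", check_hosts(DENVER_HOSTS, "denver"));
    return 0;
}
```

For the hosts file in this thread the checker reports SHORT_NAME_FIRST; /etc/netsvc.conf on that host lists bind4 before local, so DNS is consulted before that entry.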






