/etc/hosts on a Kerberos client - Please provide your advice.
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Sat Sep 13 03:14:04 EDT 2003
Sridhar,
Our company has a lot of experience with Oracle ASE configuration and its Kerberos capabilities. I can help you with this issue if you provide me with some background to the actual configuration being tested - i.e. what version of Oracle product is being used, what architecture, platforms etc.
If you can provide me with these details I suggest we continue this subject offlist.
Thanks,
Tim Alsop
CyberSafe Limited.
-----Original Message-----
From: Sridhar Murthy [mailto:murthys at us.ibm.com]
Sent: 12 September 2003 06:44
To: kerberos at mit.edu
Cc: krbdev at mit.edu; Sam Hartman; James McBride; Richard A Ernst; glongsine at fs.fed.us; Steve Sipocz Jr; wdeschene at fs.fed.us
Subject: Re: /etc/hosts on a Kerberos client - Please provide your advice.
Dear Kerberos Support Analyst:
At the outset I would like to convey our sincere thanks for providing excellent support to the IT community on KRB matters.
We are currently working on integrating an Oracle product with a Kerberos server. My colleague Jim McBride had written to krbdev at mit.edu and Sam Hartman responded with his comments that as long as gethostbyaddr(gethostbyname(gethostname())) returns FQDN, things should work fine.
Oracle insists that we need to provide the FQDN in the /etc/hosts file and all along we have been telling them that it is not a MUST for us to put the FQDN name in the /etc/hosts files. Although Oracle's argument makes sense in a set-up where DNS is not configured correctly, as we all know, from the Name Service management perspective it is not a good idea to have the FQDN in the /etc/hosts. We should let the resolver libraries take care of the FQDN issues while making sure that the DNS is configured according to the specifications.
I am more than convinced that our environment is correctly configured and any application which relies on resolver libraries to derive the FQDN of the host will work correctly in our environment. I do not find it necessary to put the FQDN of the host in the /etc/hosts file of the machine (which makes the DNS set-up meaningless).
I wrote a very simple program (fqdn_of_host.c) to demonstrate that the resolver libraries are working correctly in an environment where DNS is set up properly and Kerberos applications will work correctly in the same environment.
==================================================================================================
Some of the AIX commands produce the following results:
root at denver $ hostname
denver
root at denver $ host denver
denver.r2.fs.fed.us is 9.99.15.50
root at denver $ nslookup denver
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
root at denver $ nslookup 9.99.15.50
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
root at denver $ ifconfig en0
en0: flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255
=============================================================================================
The /etc/hosts file on denver looks like
127.0.0.1 loopback localhost # loopback (lo0) name/address
9.99.15.50 denver
=============================================================================================
The /etc/resolv.conf file on denver looks like
nameserver 9.99.15.100
search r1.fs.fed.us r2.fs.fed.us r3.fs.fed.us r6.fs.fed.us boulder.ibm.com ibm.com fs.fed.us
nameserver 9.17.223.121
=============================================================================================
The /etc/netsvc.conf file on the machine looks like:
hosts=bind4,local
=============================================================================================
/*
 * Source code for fqdn_of_host.c
 *
 * Prints each step of gethostbyaddr(gethostbyname(gethostname())) so the
 * resolver's answers can be compared with what Kerberos will see.
 */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void)
{
    char host_name[1024];
    char addrbuf[32];
    unsigned char a[4];
    char *ch;
    struct hostent *hostptr;
    int i;

    /* Step 1: the short host name configured on the machine. */
    if (gethostname(host_name, sizeof(host_name)) != 0) {
        perror("gethostname");
        return 1;
    }
    host_name[sizeof(host_name) - 1] = '\0';
    printf("Host Name by gethostname() : %s \n", host_name);

    /* Step 2: forward lookup; h_name is the canonical name, which is an FQDN
     * when the resolver (DNS or /etc/hosts) is set up correctly. */
    hostptr = gethostbyname(host_name);
    if (hostptr == NULL) {
        fprintf(stderr, "gethostbyname(%s) failed: %s\n", host_name, hstrerror(h_errno));
        return 1;
    }
    printf("\nHost Name by gethostbyname() : %s \n", hostptr->h_name);
    for (i = 0; hostptr->h_aliases[i]; i++)
        printf("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);

    ch = strchr(hostptr->h_name, '.');
    if (ch == NULL) {
        printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
    } else {
        printf("Domain by gethostbyname() : %s\n", ch + 1);
    }

    /* Step 3: take the first address; the 4-byte copy assumes AF_INET. */
    if (hostptr->h_addrtype != AF_INET || hostptr->h_length != 4) {
        fprintf(stderr, "expected an IPv4 address for %s\n", host_name);
        return 1;
    }
    memcpy(a, hostptr->h_addr_list[0], 4);
    snprintf(addrbuf, sizeof(addrbuf), "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
    printf("Host IP by gethostbyname() : %s\n", addrbuf);

    /* Step 4: reverse lookup of that address; this is the name Kerberos ends
     * up using, so it must come back fully qualified. */
    hostptr = gethostbyaddr(a, 4, AF_INET);
    if (hostptr == NULL) {
        fprintf(stderr, "gethostbyaddr(%s) failed: %s\n", addrbuf, hstrerror(h_errno));
        return 1;
    }
    printf("\nHost Name by gethostbyaddr() : %s \n", hostptr->h_name);
    return 0;
}
=============================================================================================
cc fqdn_of_host.c -o fqdn_of_host
When I run the compiled version of the above source code the output looks like:
root at denver $ fqdn_of_host
Host Name by gethostname() : denver
Host Name by gethostbyname() : denver.r2.fs.fed.us
Domain by gethostbyname() : r2.fs.fed.us
Host IP by gethostbyname() : 9.99.15.50
Host Name by gethostbyaddr() : denver.r2.fs.fed.us
root at denver $
===============================================================================================
I am of the opinion that "Oracle's argument that the FQDN hostname must and should be present on the first line of the /etc/hosts file in order for the Kerberos server/client to work correctly does not make a good argument when DNS is configured correctly and it is assured that DNS will work correctly under all circumstances".
What am I requesting from you?
Please confirm to us that "In the environment that has been described in this e-mail, it is NOT necessary for us to put the FQDN name of the host in the /etc/hosts file for the Kerberos server/client to work correctly".
Once again, thanks for your help. A quick response to this is gratefully acknowledged.
Regards,
Sridhar
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS - Public Sector
Voice (303) 924 - 0413
Email murthys at us.ibm.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----
James McBride
09/10/2003 01:47 PM
To: Sridhar Murthy at IBMUS
cc: Steve Sipocz Jr/Boulder/IBM at IBMUS, wdeschene at fs.fed.us,
glongsine at fs.fed.us, Richard A Ernst/Boulder/IBM at IBMUS
From: James McBride/Boulder/IBM at IBMUS
Subject: Re: /etc/hosts on a Kerberos client
Sridhar,
Can you write a C program to verify that "gethostbyaddr(gethostbyname(gethostname())) returns a correct hostname with an FQDN"?
TIA
Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO 80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
mcbridejt at us.ibm.com
Sam Hartman <hartmans at mit.edu>
09/10/2003 12:40 PM
To: James McBride/Boulder/IBM at IBMUS
cc: <krbdev at mit.edu>, wdeschene at fs.fed.us, Sridhar Murthy/Boulder/IBM at IBMUS,
Kurt Bevers <Kurt.Bevers at oracle.com>, Steve Sipocz Jr/Boulder/IBM at IBMUS
Subject: Re: /etc/hosts on a Kerberos client
>>>>> "James" == James McBride <mcbridejt at us.ibm.com> writes:
James> Dear Kerberos Support Analyst:
James> Oracle Support is reporting that MIT Kerberos requires that
James> the FQDN of a Kerberos client must be in the /etc/hosts
James> file. They provided the URL below as a reference:
James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct
James> We feel that Kerberos can use DNS and the operating system
James> to determine the FQDN of a machine.
James> Please provide your perspective on this.
James> Thanks In Advance,
James> Jim McBride Oracle Deployment and Support IBM Corporation
James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
James> 924-9233 mcbridejt at us.ibm.com
James> _______________________________________________ krbdev
James> mailing list krbdev at mit.edu
James> https://mailman.mit.edu/mailman/listinfo/krbdev
Hi. The address krbdev at mit.edu is not an appropriate place to request
Kerberos support. This address is for discussion of development of
MIT Kerberos. You may want to address support questions to
kerberos at mit.edu in the future.
That said, with regard to DNS and hostnames, the requirement is that
gethostbyaddr(gethostbyname(gethostname())) return a correct hostname
with an FQDN. The easiest way of guaranteeing this is to make sure
that both /etc/hosts and DNS will correctly resolve the machine.
Things that typically do not work include listing the machine's IP in
/etc/hosts without the FQDN first; listing the machine's name on the
localhost line in /etc/hosts; etc.
Not listing the machine's name in /etc/hosts at all while correctly
configuring DNS will tend to work correctly.
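The three /etc/hosts cases Sam lists above (FQDN not first on the host's line, host name on the localhost line, host absent with DNS correct) can be checked mechanically before a Kerberos client is put into service. The following C program is an added example written for this archive page; it is not code from Tim, Sridhar, Jim or Sam. It applies the resolver's first-match rule to an /etc/hosts-style text and returns a verdict for the host's short name; the "qualified means it contains a dot and is not an address literal" rule and the names `lint_hosts`, `looks_fqdn` and the `HOSTS_*` samples are this example's own choices. The embedded samples are constructed; `HOSTS_AS_POSTED` reproduces the file Sridhar posted (9.99.15.50 denver, no FQDN), which the checker flags as "fqdn-not-first" exactly as Sam's first rule predicts. The caveat that reconciles this with Sridhar's successful run is lookup order: his /etc/netsvc.conf has hosts=bind4,local, so DNS answered first and the short-name entry was never used; with the order reversed the same file would hand gethostbyname() the bare name "denver".

```c
/* hosts_lint.c: flags the /etc/hosts layouts the thread describes as typically
 * breaking gethostbyaddr(gethostbyname(gethostname())).  Added example for this
 * archive page, not code from any of the thread's participants. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum hosts_verdict {
    HOSTS_ABSENT,         /* host not in the file: works only if DNS is correct */
    HOSTS_FQDN_FIRST,     /* FQDN is the first name on the host's line: h_name is qualified */
    HOSTS_FQDN_NOT_FIRST, /* host's line exists but a short name comes first: h_name is short */
    HOSTS_ON_LOOPBACK     /* host name sits on a 127.x or ::1 line: it resolves to loopback */
};

/* Simple rule used by this example: qualified means it has a dot and is not an IP literal. */
int looks_fqdn(const char *name)
{
    return name[0] != '\0' && !isdigit((unsigned char)name[0]) && strchr(name, '.') != NULL;
}

/* Does `field` name this host?  Matches the short name exactly or as the first label of a
 * qualified name, case-insensitively as DNS does (a real resolver compares whole fields). */
static int names_this_host(const char *field, const char *shortname)
{
    size_t i;
    for (i = 0; shortname[i] != '\0'; i++)
        if (tolower((unsigned char)field[i]) != tolower((unsigned char)shortname[i]))
            return 0;
    return field[i] == '\0' || field[i] == '.';
}

/* Copy the next blank-separated token from *p into tok; 0 when the line is done. */
static int next_token(const char **p, char *tok, size_t toklen)
{
    size_t n;
    *p += strspn(*p, " \t");
    n = strcspn(*p, " \t");
    if (n == 0) return 0;
    if (n >= toklen) n = toklen - 1;
    memcpy(tok, *p, n);
    tok[n] = '\0';
    *p += strcspn(*p, " \t");  /* consume the whole token even if truncated */
    return 1;
}

/* Walk hosts_text line by line with the resolver's first-match rule: the first
 * line that names the host decides; later lines are never consulted. */
enum hosts_verdict lint_hosts(const char *hosts_text, const char *shortname)
{
    char line[512], addr[64], first[256], name[256];
    const char *p = hosts_text;

    while (*p != '\0') {
        size_t n = strcspn(p, "\n");
        const char *cur;
        char *hash;
        int matched, is_loopback;

        if (n >= sizeof(line)) n = sizeof(line) - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += strcspn(p, "\n");
        if (*p == '\n') p++;
        hash = strchr(line, '#');  /* strip comments such as "# loopback (lo0)" */
        if (hash != NULL) *hash = '\0';
        cur = line;
        if (!next_token(&cur, addr, sizeof(addr)) || !next_token(&cur, first, sizeof(first)))
            continue;              /* blank line, comment-only line, or address with no names */
        is_loopback = strncmp(addr, "127.", 4) == 0 || strcmp(addr, "::1") == 0;
        matched = names_this_host(first, shortname);
        while (!matched && next_token(&cur, name, sizeof(name)))
            matched = names_this_host(name, shortname);
        if (!matched) continue;
        if (is_loopback) return HOSTS_ON_LOOPBACK;
        return (names_this_host(first, shortname) && looks_fqdn(first)) ? HOSTS_FQDN_FIRST
                                                                        : HOSTS_FQDN_NOT_FIRST;
    }
    return HOSTS_ABSENT;
}

/* Constructed samples: HOSTS_AS_POSTED reproduces the /etc/hosts shown in the
 * thread; the other three are variants made up for this example. */
const char *HOSTS_AS_POSTED = "127.0.0.1 loopback localhost # loopback (lo0) name/address\n"
                              "9.99.15.50 denver\n";
const char *HOSTS_ON_LO = "127.0.0.1 localhost denver\n9.99.15.50 denver.r2.fs.fed.us\n";
const char *HOSTS_GOOD  = "127.0.0.1 localhost\n9.99.15.50 denver.r2.fs.fed.us denver\n";
const char *HOSTS_NONE  = "127.0.0.1 localhost\n# nothing about denver here\n";

int main(void)
{
    static const char *label[] = { "absent", "fqdn-first", "fqdn-not-first", "on-loopback" };
    printf("as posted  : %s\n", label[lint_hosts(HOSTS_AS_POSTED, "denver")]);
    printf("on loopback: %s\n", label[lint_hosts(HOSTS_ON_LO, "denver")]);
    printf("fqdn first : %s\n", label[lint_hosts(HOSTS_GOOD, "denver")]);
    printf("not listed : %s\n", label[lint_hosts(HOSTS_NONE, "denver")]);
    return 0;
}
```

To run it against a live machine, read /etc/hosts into a buffer and pass the output of gethostname() as the short name; the verdict only governs the forward lookup when the local file is consulted before DNS (hosts=local,bind4 on AIX, or `files` before `dns` in nsswitch.conf), which is why an "absent" or "fqdn-first" result together with a correct DNS reverse record is the combination Sam describes as reliably working.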
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos