/etc/hosts and DNS

Luke clairst at uiuc.edu
Wed Feb 16 21:07:55 EST 2005


On 2005-02-14, Luke <clairst at uiuc.edu> wrote:
> The situation in my network requires some of my machines to never have the
> same address (traveling laptops, etc).  I'd like them to be able to still
> access kerberized application servers.  Will simply requesting addressless
> tickets solve this?  Or are DNS lookups (forward or reverse) still
> necessary, even just for clients?
>
> My other question is about kerberized servers -  my kdc has a PPPoE
> connection, so the outward facing address is dynamic.  I can't change
> reverse lookups, sadly, due to my ISP.  How can I use /etc/hosts to give a
> correct resolution?  Can I use /etc/hosts in this situation, when my
> external IP is dynamic?

Well, I've sort of solved these problems.  The first issue was the order of
the names in the 127.0.0.1 line of /etc/hosts - The FQDN needed to be first.
I was able to see that this was misconfigured by using hostname -f, which
returns whatever the system thinks its FQDN is.

However, I still couldn't connect passwordlessly.  Using sshd -dd -p 10001
on my server, and connecting via ssh -vvv -p 10001 fqdn, I saw that the
client was trying to connect to a principal on the server with the name that
the fqdn's IP address (from the client's point of view) reverse-mapped to.
For example, if name foo.com maps to 10.10.10.10, and 10.10.10.10 reverse
maps to bogus.com, the ssh client was attempting to connect to principal
bogus.com on the ssh server, which fails, because the keytab includes a key
for foo.com, not bogus.com.  So, the clients now include the server's
internal, static IP address in their /etc/hosts file, and things work
great.

However, my external IP address is dynamic, and reverse maps to garbage, so
I haven't been able to figure out a way for remote clients to connect - any
help/thoughts are appreciated.
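The following is an added example, not code from the post above or from any Kerberos implementation. It models the two lookups the post describes: the canonical-name rule behind `hostname -f` (for an /etc/hosts match, the first name on the line is canonical) and the forward-then-reverse resolution that turns a server name into the host/<name>@REALM principal the client asks for. The /etc/hosts contents, the stand-in DNS and PTR data, the realm EXAMPLE.COM, the internal address 192.168.1.5 and the keytab contents are all constructed for illustration. The reverse step corresponds to MIT Kerberos' libdefaults `rdns` setting, which the post does not mention.

```python
# Added example, not code from the original post: a model of the lookups
# behind the two problems described above.  All data below is constructed.
from dataclasses import dataclass

REALM = "EXAMPLE.COM"                     # assumed realm; the post names none
KEYTAB = {"host/foo.com@" + REALM}        # constructed: what the server's keytab holds

# Constructed stand-in for public DNS: foo.com's external address, and the
# ISP-controlled PTR record that maps it back to an unrelated name.
DNS_FORWARD = {"foo.com": "10.10.10.10"}
DNS_REVERSE = {"10.10.10.10": "bogus.com"}


@dataclass
class Resolver:
    """Minimal 'hosts: files dns' resolver: /etc/hosts first, then DNS."""
    hosts_text: str
    dns_forward: dict
    dns_reverse: dict

    def __post_init__(self):
        self.hosts = []
        for line in self.hosts_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                ip, *names = line.split()
                self.hosts.append((ip, names))

    def forward(self, name):
        """gethostbyname()-style: returns (address, canonical name).  For an
        /etc/hosts match the canonical name is the FIRST name on the line."""
        for ip, names in self.hosts:
            if name in names:
                return ip, names[0]
        if name in self.dns_forward:
            return self.dns_forward[name], name
        raise LookupError("no forward mapping for " + name)

    def reverse(self, ip):
        """gethostbyaddr()-style PTR lookup, again /etc/hosts first."""
        for hip, names in self.hosts:
            if hip == ip:
                return names[0]
        if ip in self.dns_reverse:
            return self.dns_reverse[ip]
        raise LookupError("no reverse mapping for " + ip)


def hostname_f(resolver, short_name):
    """What `hostname -f` reports: the canonical name of the local hostname."""
    return resolver.forward(short_name)[1]


def client_host_principal(resolver, server_name, realm=REALM):
    """Service principal the client asks for: forward-resolve the server
    name, then reverse-map the address (the rdns step in MIT Kerberos)."""
    ip, _ = resolver.forward(server_name)
    return "host/%s@%s" % (resolver.reverse(ip), realm)


def gssapi_would_succeed(resolver, server_name, keytab=KEYTAB):
    """True only if the derived principal has a key in the server keytab."""
    return client_host_principal(resolver, server_name) in keytab


# --- Problem 1: the FQDN must come first on the 127.0.0.1 line -------------
HOSTS_FQDN_LAST = "127.0.0.1 foo foo.com\n"    # constructed; hostname -f -> foo
HOSTS_FQDN_FIRST = "127.0.0.1 foo.com foo\n"   # constructed; hostname -f -> foo.com

# --- Problem 2: the client derives the principal from the reverse mapping --
CLIENT_HOSTS_EMPTY = ""                         # rely on DNS only
CLIENT_HOSTS_FIXED = "192.168.1.5 foo.com\n"    # constructed internal static address


def server_check(hosts_text):
    return hostname_f(Resolver(hosts_text, DNS_FORWARD, DNS_REVERSE), "foo")


def client_check(hosts_text):
    r = Resolver(hosts_text, DNS_FORWARD, DNS_REVERSE)
    return client_host_principal(r, "foo.com"), gssapi_would_succeed(r, "foo.com")


if __name__ == "__main__":
    print("hostname -f, FQDN last :", server_check(HOSTS_FQDN_LAST))
    print("hostname -f, FQDN first:", server_check(HOSTS_FQDN_FIRST))
    print("client via DNS only    :", client_check(CLIENT_HOSTS_EMPTY))
    print("client with hosts entry:", client_check(CLIENT_HOSTS_FIXED))
```

With DNS only, the model derives host/bogus.com@EXAMPLE.COM, which is not in the keytab; with the /etc/hosts entry for the internal address, both the forward and the reverse lookup stay inside the hosts file and the client asks for host/foo.com@EXAMPLE.COM. For a remote client that cannot add such an entry, the dependency on the ISP's PTR record is exactly the reverse step modelled in client_host_principal(); in MIT Kerberos that step is controlled by the `rdns` libdefaults option, which is outside what the post covers.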

