[krbdev.mit.edu #8837] kprop replication does not work due to wrong DNS domain handling [Solved]
Ingo via RT
rt at KRBDEV-PROD-APP-1.mit.edu
Tue Oct 29 16:45:48 EDT 2019
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8837 >
The problem was that the DNS domain 'example.com' was missing when the local device name was referred to, for example
> Getting initial credentials for host/kdc10-1@EXAMPLE.COM
which should be 'host/kdc10-1.example.com@EXAMPLE.COM'.
Because of this the Kerberos credentials do not match and authentication fails.
The reason was an entry in '/etc/hosts'. To avoid an error message from sudo when executed offline (e.g. on a laptop), I was told to insert the hostname into '/etc/hosts' like this:
127.0.1.1 kdc10-1
Together with the name resolution order defined by "hosts: files dns" in '/etc/nsswitch.conf', the file is asked first, and I get:
~$ hostname -f
kdc10-1
This is also used by Kerberos.
The solution is to use the fully qualified local hostname "127.0.1.1 kdc10-1.example.com" in '/etc/hosts' or to omit the local device name completely. In the latter case a DNS lookup is used to resolve the name. I omit the local device name now to have DNS name resolution for it.
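As an added illustration (not part of the ticket or of krb5 itself), the following constructed Python emulates the "hosts: files dns" lookup order for the local hostname, derives the resulting host principal from it, and lints an /etc/hosts file for a 127.0.1.1 entry whose canonical name lacks the DNS domain. The realm EXAMPLE.COM, the domain example.com and the in-memory DNS table are assumptions taken from the ticket.

```python
"""Emulate the /etc/hosts-before-DNS canonicalization that produced the
short host principal in this ticket, and lint /etc/hosts for that entry.
Constructed example; not krb5 code."""

REALM = "EXAMPLE.COM"          # assumed realm from the ticket
DNS_DOMAIN = "example.com"     # assumed DNS domain from the ticket

# Constructed /etc/hosts contents: the entry that broke kprop, and the fix.
HOSTS_BROKEN = "127.0.0.1 localhost\n127.0.1.1 kdc10-1\n"
HOSTS_FIXED = "127.0.0.1 localhost\n127.0.1.1 kdc10-1.example.com kdc10-1\n"
# Constructed stand-in for DNS: short name -> fully qualified name.
DNS = {"kdc10-1": "kdc10-1.example.com"}


def _entries(hosts_text):
    """Yield (address, [names...]) for each non-comment /etc/hosts line."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def canonical_name(short, hosts_text, dns=DNS):
    """'hosts: files dns': the first /etc/hosts line listing the name wins,
    and its first name is the canonical one; DNS is only consulted when
    the file has no matching entry."""
    for _addr, names in _entries(hosts_text):
        if short in names:
            return names[0]
    return dns.get(short, short)


def host_principal(short, hosts_text, realm=REALM):
    """The host principal Kerberos derives from the canonicalized name."""
    return f"host/{canonical_name(short, hosts_text)}@{realm}"


def lint_hosts(hosts_text, domain=DNS_DOMAIN):
    """Return the 127.0.1.1 lines whose canonical name is not in the domain,
    i.e. the entries that would yield a short host principal."""
    return [
        f"{addr} {' '.join(names)}"
        for addr, names in _entries(hosts_text)
        if addr == "127.0.1.1" and not names[0].endswith("." + domain)
    ]
```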