/etc/hosts on a Kerberos client - Please provide your advice.

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Sat Sep 13 03:14:04 EDT 2003


Sridhar,

Our company has a lot of experience with Oracle ASE configuration and its Kerberos capabilities. I can help you with this issue if you provide me with some background to the actual configuration being tested - i.e. what version of Oracle product is being used, what architecture, platforms etc.

If you can provide me with these details I suggest we continue this subject offlist.

Thanks, 
Tim Alsop
CyberSafe Limited. 

-----Original Message-----
From: Sridhar Murthy [mailto:murthys at us.ibm.com] 
Sent: 12 September 2003 06:44
To: kerberos at mit.edu
Cc: krbdev at mit.edu; Sam Hartman; James McBride; Richard A Ernst; glongsine at fs.fed.us; Steve Sipocz Jr; wdeschene at fs.fed.us
Subject: Re: /etc/hosts on a Kerberos client - Please provide your advice.

Dear Kerberos Support Analyst:

At the outset I would like to convey our sincere thanks for providing excellent support to the IT community on KRB matters.

We are currently working on integrating an Oracle product with a Kerberos server. My colleague Jim McBride had written to krbdev at mit.edu and Sam Hartman responded with his comments that as long as gethostbyaddr(gethostbyname(gethostname())) returns an FQDN, things should work fine.

Oracle insists that we need to provide the FQDN in the /etc/hosts file, and all along we have been telling them that it is not a MUST for us to put the FQDN name in the /etc/hosts files. Although Oracle's argument makes sense in a set-up where DNS is not configured correctly, as we all know, from the Name Service management perspective it is not a good idea to have the FQDN in /etc/hosts. We should let the resolver libraries take care of the FQDN issues while making sure that the DNS is configured according to the specifications.

I am more than convinced that our environment is correctly configured and any application which relies on resolver libraries to derive the FQDN of the host will work correctly in our environment. I do not find it necessary to put the FQDN of the host in the /etc/hosts file of the machine (which makes the DNS set-up meaningless).

I wrote a very simple program (fqdn_of_host.c) to demonstrate that the resolver libraries are working correctly in an environment where DNS is set up properly and that Kerberos applications will work correctly in the same environment.


==================================================================================================
Some of the AIX commands produce the following results :

root at denver $ hostname
denver

root at denver $ host denver
denver.r2.fs.fed.us is 9.99.15.50

root at denver $ nslookup denver
Server:  netsrv.fs.fed.us
Address:  9.99.15.100

Name:    denver.r2.fs.fed.us
Address:  9.99.15.50

root at denver $ nslookup 9.99.15.50
Server:  netsrv.fs.fed.us
Address:  9.99.15.100

Name:    denver.r2.fs.fed.us
Address:  9.99.15.50

root at denver $ ifconfig en0
en0: flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255


=============================================================================================

The /etc/hosts file on denver looks like:

127.0.0.1               loopback localhost      # loopback (lo0) name/address
9.99.15.50              denver
=============================================================================================
The /etc/resolv.conf file on denver looks like:

nameserver              9.99.15.100
search                  r1.fs.fed.us   r2.fs.fed.us   r3.fs.fed.us   r6.fs.fed.us   boulder.ibm.com    ibm.com   fs.fed.us
nameserver              9.17.223.121
=============================================================================================
The /etc/netsvc.conf file on the machine looks like:

hosts=bind4,local
=============================================================================================
/* 
     Source code for   fqdn_of_host.c 

     Prints what gethostname(), gethostbyname() and gethostbyaddr() return
     for this host, so the round trip
     gethostbyaddr(gethostbyname(gethostname())) can be checked for an FQDN.
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void)
{
  char            host_name[1024];
  char           *ch;
  struct hostent *hostptr;
  struct in_addr  addr;
  int             i;

  /* 1. The host name the kernel knows; on this box it is the short name. */
  if (gethostname(host_name, sizeof(host_name)) != 0) {
    perror("gethostname");
    return 1;
  }
  host_name[sizeof(host_name) - 1] = '\0';
  printf("Host Name by gethostname()    : %s\n", host_name);

  /* 2. Forward lookup; h_name is the canonical name the resolver settles on. */
  hostptr = gethostbyname(host_name);
  if (hostptr == NULL || hostptr->h_addrtype != AF_INET ||
      hostptr->h_addr_list[0] == NULL) {
    fprintf(stderr, "gethostbyname(%s) failed\n", host_name);
    return 1;
  }
  printf("\nHost Name by gethostbyname()  : %s\n", hostptr->h_name);

  for (i = 0; hostptr->h_aliases[i]; i++)
    printf("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);

  ch = strchr(hostptr->h_name, '.');
  if (ch == NULL)
    printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
  else
    printf("Domain by gethostbyname()     : %s\n", ch + 1);

  /* Copy the first address out: the hostent is static storage and the next
     lookup overwrites it. */
  memcpy(&addr, hostptr->h_addr_list[0], sizeof(addr));
  printf("Host IP by gethostbyname()    : %s\n", inet_ntoa(addr));

  /* 3. Reverse lookup of that address; this name is what Kerberos ends up using. */
  hostptr = gethostbyaddr(&addr, sizeof(addr), AF_INET);
  if (hostptr == NULL) {
    fprintf(stderr, "gethostbyaddr(%s) failed\n", inet_ntoa(addr));
    return 1;
  }
  printf("\nHost Name by gethostbyaddr()  : %s\n", hostptr->h_name);

  return 0;
}

=============================================================================================
cc   fqdn_of_host.c   -o   fqdn_of_host

When I run the compiled version of the above source code the output looks like:

root at denver $ fqdn_of_host
Host Name by gethostname()    : denver

Host Name by gethostbyname()  : denver.r2.fs.fed.us
Domain by gethostbyname()     : r2.fs.fed.us
Host IP by gethostbyname()    : 9.99.15.50

Host Name by gethostbyaddr()  : denver.r2.fs.fed.us

root at denver $

===============================================================================================

I am of the opinion that "Oracle's argument that the FQDN hostname must and should be present on the first line of the /etc/hosts file in order for the Kerberos server/client to work correctly does not make a good argument when DNS is configured correctly and it is assured that DNS will work correctly under all circumstances".


What am I requesting you for?

Please confirm to us that "In the environment that has been described in this e-mail, it is NOT necessary for us to put the FQDN name of the host in the /etc/hosts file for the Kerberos server/client to work correctly".


Once again, thanks for your help. A quick response to this is gratefully acknowledged.


Regards,

Sridhar

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS -  Public Sector
Voice    (303) 924 - 0413
Email    murthys at us.ibm.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----


James McBride
09/10/2003 01:47 PM


        To:     Sridhar Murthy at IBMUS
        cc:     Steve Sipocz Jr/Boulder/IBM at IBMUS, wdeschene at fs.fed.us, 
glongsine at fs.fed.us, Richard A Ernst/Boulder/IBM at IBMUS
        From:   James McBride/Boulder/IBM at IBMUS
        Subject:        Re: /etc/hosts on a  Kerberos client


Sridhar,
        Can you write a C program to verify that "gethostbyaddr(gethostbyname(gethostname())) returns a correct hostname with an FQDN"?

TIA 

Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO  80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
mcbridejt at us.ibm.com





Sam Hartman <hartmans at mit.edu>
09/10/2003 12:40 PM

 
        To:     James McBride/Boulder/IBM at IBMUS
        cc:     <krbdev at mit.edu>, wdeschene at fs.fed.us, Sridhar Murthy/Boulder/IBM at IBMUS, 
Kurt Bevers <Kurt.Bevers at oracle.com>, Steve Sipocz Jr/Boulder/IBM at IBMUS
        Subject:        Re: /etc/hosts on a  Kerberos client



>>>>> "James" == James McBride <mcbridejt at us.ibm.com> writes:

    James> Dear Kerberos Support Analyst:

    James> Oracle Support is reporting that MIT Kerberos requires that
    James> the FQDN of a Kerberos client must be in the /etc/hosts
    James> file.  They provided the URL below as a reference:
    James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct

    James> We feel that Kerberos can use DNS and the operating system
    James> to determine the FQDN of a machine.

    James> Please provide your perspective on this.

    James> Thanks In Advance,


    James> Jim McBride Oracle Deployment and Support IBM Corporation
    James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
    James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
    James> 924-9233 mcbridejt at us.ibm.com

    James> _______________________________________________ krbdev
    James> mailing list krbdev at mit.edu
    James> https://mailman.mit.edu/mailman/listinfo/krbdev

Hi.  The address krbdev at mit.edu is not an appropriate place to request
Kerberos support.  This address is for discussion of development of
MIT Kerberos.  You may want to address support questions to
kerberos at mit.edu in the future.


That said, with regard to DNS and hostnames, the requirement is that
gethostbyaddr(gethostbyname(gethostname())) return a correct hostname
with an FQDN.  The easiest way of guaranteeing this is to make sure
that both /etc/hosts and DNS will correctly resolve the machine.

Things that typically do not work include listing the machine's IP in
/etc/hosts without the FQDN first; listing the machine's name on the
localhost line in /etc/hosts; etc.

Not listing the machine's name in /etc/hosts at all while correctly
configuring DNS will tend to work correctly.





________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
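The requirement Sam Hartman states in the quoted reply, that gethostbyaddr(gethostbyname(gethostname())) must come back as an FQDN, together with the two /etc/hosts layouts he lists as typically failing, worked through as an added example that is not part of this thread and not code from MIT or Oracle. It models only the "files" backend (the `local` half of the `hosts=bind4,local` line shown for denver), so it shows what the resolver would answer when DNS is not consulted or is unavailable, which is the situation Oracle's /etc/hosts advice is guarding against. The sample /etc/hosts contents are constructed for this example; the first mirrors the file shown on denver.

```c
/* Added example (not from the original thread): simulate how the "files"
 * backend answers gethostbyname()/gethostbyaddr() from /etc/hosts and apply
 * the check from the thread: gethostbyaddr(gethostbyname(hostname)) must
 * yield an FQDN.  All /etc/hosts contents below are constructed samples. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXLINES 16
#define MAXNAMES 8
#define NAMELEN  64

struct hosts_entry {
    char addr[NAMELEN];
    char names[MAXNAMES][NAMELEN];   /* names[0] is what h_name would be */
    int  nnames;
};
struct hosts_file { struct hosts_entry e[MAXLINES]; int n; };
struct roundtrip  { char addr[NAMELEN]; char name[NAMELEN]; };

/* Constructed variants; HOSTS_PAGE mirrors the file shown for denver. */
static const char HOSTS_PAGE[]        = "127.0.0.1 loopback localhost # loopback\n9.99.15.50 denver\n";
static const char HOSTS_FQDN_FIRST[]  = "127.0.0.1 loopback localhost\n9.99.15.50 denver.r2.fs.fed.us denver\n";
static const char HOSTS_FQDN_SECOND[] = "127.0.0.1 loopback localhost\n9.99.15.50 denver denver.r2.fs.fed.us\n";
static const char HOSTS_ON_LOOPBACK[] = "127.0.0.1 localhost denver\n9.99.15.50 denver.r2.fs.fed.us\n";

/* Parse "addr name [alias ...] # comment" lines into hf. */
static void parse_hosts(const char *text, struct hosts_file *hf)
{
    char line[256];
    hf->n = 0;
    while (*text && hf->n < MAXLINES) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text = eol ? eol + 1 : text + len;

        char *hash = strchr(line, '#');          /* strip trailing comment */
        if (hash) *hash = '\0';
        char *tok = strtok(line, " \t");
        if (!tok) continue;                      /* blank or comment-only line */
        struct hosts_entry *e = &hf->e[hf->n];
        snprintf(e->addr, NAMELEN, "%s", tok);
        e->nnames = 0;
        while ((tok = strtok(NULL, " \t")) != NULL && e->nnames < MAXNAMES)
            snprintf(e->names[e->nnames++], NAMELEN, "%s", tok);
        if (e->nnames > 0) hf->n++;
    }
}

/* gethostbyname() via files: first line carrying the name (case-insensitive). */
static const struct hosts_entry *files_byname(const struct hosts_file *hf, const char *name)
{
    for (int i = 0; i < hf->n; i++)
        for (int j = 0; j < hf->e[i].nnames; j++)
            if (strcasecmp(hf->e[i].names[j], name) == 0)
                return &hf->e[i];
    return NULL;
}

/* gethostbyaddr() via files: first line carrying the address. */
static const struct hosts_entry *files_byaddr(const struct hosts_file *hf, const char *addr)
{
    for (int i = 0; i < hf->n; i++)
        if (strcmp(hf->e[i].addr, addr) == 0)
            return &hf->e[i];
    return NULL;
}

/* The round trip gethostbyaddr(gethostbyname(hostname)); leaves empty
 * strings where a lookup fails. */
static void files_roundtrip(const char *hosts_text, const char *hostname, struct roundtrip *r)
{
    struct hosts_file hf;
    const struct hosts_entry *fwd, *rev;

    r->addr[0] = r->name[0] = '\0';
    parse_hosts(hosts_text, &hf);
    if ((fwd = files_byname(&hf, hostname)) == NULL) return;
    snprintf(r->addr, NAMELEN, "%s", fwd->addr);
    if ((rev = files_byaddr(&hf, fwd->addr)) == NULL) return;
    snprintf(r->name, NAMELEN, "%s", rev->names[0]);   /* h_name of the reverse lookup */
}

/* Canonical name the round trip yields (static buffer; "" on failure). */
static const char *canon_name(const char *hosts_text, const char *hostname)
{
    static struct roundtrip r;
    files_roundtrip(hosts_text, hostname, &r);
    return r.name;
}

/* 1 if the name is usable for a host/ principal: it must be dotted and the
 * host name must not have resolved to the loopback address. */
static int kerberos_canon_ok(const char *hosts_text, const char *hostname)
{
    struct roundtrip r;
    files_roundtrip(hosts_text, hostname, &r);
    return strchr(r.name, '.') != NULL && strncmp(r.addr, "127.", 4) != 0;
}

int main(void)
{
    const char *cases[][2] = {
        { "page's /etc/hosts (short name only)", HOSTS_PAGE },
        { "FQDN first on the address line",      HOSTS_FQDN_FIRST },
        { "FQDN second on the address line",     HOSTS_FQDN_SECOND },
        { "name on the localhost line",          HOSTS_ON_LOOPBACK },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-40s -> \"%s\" %s\n", cases[i][0],
               canon_name(cases[i][1], "denver"),
               kerberos_canon_ok(cases[i][1], "denver") ? "OK" : "NOT an FQDN");
    return 0;
}
```

Only the layout with the FQDN as the first name on the address line passes; the short-name-only file from the page, the FQDN listed after the short name, and the host name on the 127.0.0.1 line all yield a name without a domain, which is exactly Sam's list of configurations that "typically do not work". On denver itself `bind4` is tried first, so DNS supplies the FQDN and the files answer only matters when DNS cannot be reached.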