How can I verify that my service principal will pass the DNS test?

Matthew M. DeLoera mdeloera at
Fri Feb 5 14:25:59 EST 2010


I have discovered a scenario where I pass my intended service principal 
"EDVR at" into gss_import_name and 
gss_init_sec_context, only to end up failing because the reverse-DNS 
lookup came back with "" instead. So, 
Wireshark instead shows a TGS-REQ for 

In both Linux (Ubuntu) and Mac OS X, I do also find that if I put my 
intended FQDN ( into my host file 
for, everything does work.

Can any of you suggest something that I can tell my users, or put in my 
user's guide, to help prevent them from encountering this? Sadly, I 
don't know DNS very well, nor do I know exactly how/when a host file 
trumps DNS.

I guess as an alternative, is there an existing call by which I can ask 
through GSS to find out what service principal it's ultimately going to 
use, making it do its DNS validation, to log in my log file? If I could 
at least show that the failure was due to DNS configuration, it would 
help me a lot.

- Matthew
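
As an added example (not part of the original post and not code from the Kerberos library): a small C check that runs a forward lookup followed by a reverse lookup through the system resolver and reports whether the name that comes back still matches the intended FQDN, so a mismatch like the one described above can be written to a log before authentication is attempted. It assumes the library canonicalizes using the first address returned; `same_host` and `predict_spn_host` are names chosen here.

```c
/* Added example: checks whether forward + reverse DNS changes a hostname. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* expose getaddrinfo() under strict -std=c11 on glibc */
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* Case-insensitive hostname comparison that ignores one trailing dot. */
int same_host(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb) return 0;
    for (i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Forward lookup for the canonical name, then reverse lookup of the first
 * address. Returns 0 with the reverse name in out (or the forward canonical
 * name when no PTR record exists), -1 if the forward lookup fails.
 * Assumption: this mirrors, but is not, the library's own canonicalization. */
int predict_spn_host(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    char rev[1025]; /* same size as NI_MAXHOST */
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    snprintf(out, outlen, "%s", res->ai_canonname ? res->ai_canonname : host);
    /* NI_NAMEREQD: fail rather than hand back a numeric address. */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, rev, sizeof rev, NULL, 0, NI_NAMEREQD) == 0)
        snprintf(out, outlen, "%s", rev);
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    char got[1025];
    int ok;
    if (argc != 2) { fprintf(stderr, "usage: %s intended-fqdn\n", argv[0]); return 2; }
    if (predict_spn_host(argv[1], got, sizeof got) != 0) { fprintf(stderr, "forward lookup failed for %s\n", argv[1]); return 1; }
    ok = same_host(argv[1], got);
    printf("intended=%s resolved=%s %s\n", argv[1], got, ok ? "OK" : "MISMATCH (check hosts file / PTR record)");
    return ok ? 0 : 1;
}
```

Both lookups go through the system resolver, so a hosts-file entry affects the result here the same way it does for any other program that uses that resolver.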
