On Wednesday, 10 March 2021 16:58:47 GMT Grant Taylor wrote:
> On 3/10/21 8:25 AM, Michael wrote:
> > I think this is relevant to DNS resolution of/with domain controllers
> > and may depend on the AD/DC topology.
> 
> I disagree.  Pure Linux in a MIT / Heimdal Kerberos environment has the
> same requirements.  Hence having nothing specific to do with Active
> Directory, much less the AD topology.

I'm losing my thread in this ... thread, but what I'm trying to say is the AD/
DC and Kerberos way of processing the /etc/hosts entries, when an /etc/hosts 
file is used, is different to your run of the mill Linux box and server.

The Samba link in a previous message makes it clear the DC must have a DNS 
domain, which corresponds to the domain for the AD forest, this will be used 
by the Kerberos AD realm; and,

the DC must have a static IP address.


> > The idea is to use the LAN address of the box as the first address
> > in /etc/hosts and use 127.0.0.1 as the second address in the file.
> 
> Please elaborate.  Because I believe the following qualifies with your
> statement:
> 
> 192.0.2.1     host.example.net host
> 127.0.0.1     localhost
> 
> Which is effectively the same as the following:
> 
> 127.0.0.1     localhost
> 192.0.2.1     host.example.net host
> 
> Both of which are different than the following:
> 
> 192.0.2.1     host.example.net host
> 127.0.0.1     localhost host.example.net host

Yes.


> Putting host.example.net and host on the 127.0.0.1 line doesn't
> accomplish anything.  And it still suffers from -- what I think is --
> the poor recommendation that I'm inquiring about.

The syntax is:

IP_address canonical_hostname [aliases...]

Therefore, in an entry like:

127.0.0.1       localhost host.example.net host

the "host.example.net" and "host" are both entered as aliases, but will 
nevertheless resolve to 127.0.0.1 - which will break the Samba AD DC 
requirement.  The host name and FQDN must resolve to the static IP of the DC 
on the LAN.

Since /etc/hosts is parsed from the top, things may work fine when the 
localhost entry is further down the list and further down than any other 
entries acting as AD DNS resolvers - I don't recall testing this on Samba to 
know for sure.

The same syntax won't break a LAMP, or vanilla linux PC, as long as the same 
box is not acting as a DC.


> > If more AD/DNS servers exist in the network, then 127.0.0.1 could be
> > even further down the list.
> > 
> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff807362(v=ws.10)?redirectedfrom=MSDN
> 
> What does the number of DNS servers have to do with the contents of the
> /etc/hosts file?

See my statement above re. entries for AD DNS resolvers, if these are listed 
in the /etc/hosts file.


> How is the contents of the /etc/hosts file related to the
> /etc/resolv.conf file?

The /etc/hosts file specifies the LAN IP address(es) of the DC which acts as 
DNS resolver for the AD DNS zones.  The DC's /etc/resolv.conf shouldn't be 
pointing to non-AD compatible resolvers.


> > I haven't over-thought this and there may be more to it, but on a
> > pure linux environment I expect this would not be a requirement,
> > hence the handbook approach.
> 
> Apples and bowling balls.  /etc/hosts is not the same concept as
> /etc/resolv.conf.

ACK.  I hope what I've written above better reflects my understanding, 
although it could be factually incorrect.  Other contributors should soon put 
me right.  :-)

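The /etc/hosts layouts argued over in this message can be checked mechanically. The script below is an added example, not code from the thread or from Samba: it parses a hosts file with the `IP_address canonical_hostname [aliases...]` syntax, does the top-down first-match lookup the message describes, and flags a DC's FQDN or short name whenever it maps to loopback instead of the static LAN address. The host names, addresses and sample files are constructed.

```python
import ipaddress

# Constructed samples (not from the thread's actual hosts). BAD repeats the
# DC's names as aliases on the loopback line; GOOD keeps them only on the
# static LAN address, as the Samba AD DC requirement demands.
SAMPLE_BAD = ("127.0.0.1   localhost host.example.net host\n"
              "192.0.2.1   host.example.net host\n")
SAMPLE_GOOD = ("127.0.0.1   localhost\n"
               "192.0.2.1   host.example.net host  # static DC address\n")


def parse_hosts(text):
    """Parse /etc/hosts text into an ordered list of (address, [names]).
    Field 1 is the canonical name, the rest are aliases; all map to the
    address. '#' starts a comment; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def first_match(entries, name):
    """Top-down, first-match lookup, the parsing order the thread describes."""
    for addr, names in entries:
        if name in names:
            return addr
    return None


def check_dc_hosts(text, fqdn, lan_ip):
    """Return a list of problems for a DC whose FQDN and short name must
    resolve to lan_ip. Because the thread leaves open whether a resolver
    stops at the first hit, any loopback line carrying those names is
    flagged too, whatever its position in the file."""
    entries = parse_hosts(text)
    problems = []
    for name in (fqdn, fqdn.split(".")[0]):
        addr = first_match(entries, name)
        if addr is None:
            problems.append(f"{name}: no entry")
        elif addr != lan_ip:
            problems.append(f"{name}: first match is {addr}, expected {lan_ip}")
        for addr, names in entries:
            if name in names and ipaddress.ip_address(addr).is_loopback:
                problems.append(f"{name}: also listed on loopback line {addr}")
    return problems
```

Run `check_dc_hosts(open("/etc/hosts").read(), "dc.example.net", "192.0.2.1")` on a real DC with its own FQDN and LAN address; an empty list means both names map only to the static address.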