On 25.07.2017 17:00, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>
>> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
>>> On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>>>
>>>> The Heimdal version identifies itself as 1.5.2. The main problem is that
>>>> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
>>>> address, but goes to DNS, and fails.
>>>
>>> 1.5.2 is quite old and, IIRC, I've seen this before.  You can work
>>> around it by adding the kdc name with a dot at the end as an alias in
>>> the hosts file.
>>
>> Thank you very much. That trick did it. It's weird, though. I would have
>> likely never arrived at the same solution by myself.
>
> It's a work-around in the Heimdal code which appends a trailing dot to
> hostnames when looking them up to avoid the DNS search path specified
> in /etc/resolv.conf.  Viktor and I discussed relaxing this yesterday
> because we believe that it is counter-intuitive.  It certainly confused
> me, but I worked it out by reading the code rather than the documentation.
> The approach that we think will work in the short term is to append the
> trailing dot iff the hostname came from DNS SRV RRs as they should not
> honour the DNS search path.  The existing behaviour will be able to be
> replicated by those who are using /etc/krb5.conf by appending their own
> trailing dot to the configured names.
>
> In the longer term, we should likely stop using getaddrinfo(3) for names
> obtained from DNS SRV RRs and directly query DNS for them as this matches
> expectations.  That is: you wouldn't expect that if you find

Isn't nsswitch.conf there to let the user specify which lookup to prefer for getaddrinfo() and others?

MIT krb5's behaviour at least was exactly what I expected, i.e. if there's a "kdc = kdc.foo.bar" in krb5.conf, kinit does the same kind of lookup as "ping kdc.foo.bar" does (= in my case takes it from /etc/hosts without DNS involvement).
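The thread explains the failure indirectly: Heimdal 1.5.2 appends a trailing dot to every KDC hostname before calling getaddrinfo(3), and a hosts-file entry for `kdc.foo.bar` does not match a query for `kdc.foo.bar.`, so the only way the lookup succeeds is to add the dotted spelling as an alias. The following added example (not Heimdal's code, not posted by anyone in the thread) models that behaviour with a small hosts-file parser and a function that mimics the two policies Roland describes: always append the dot (1.5.2) versus append it only for names obtained from DNS SRV records (the proposed relaxation). The function names, the sample hosts contents and the IP addresses are constructed for illustration; the parser models the files backend only as far as the example needs (first matching line wins, case-insensitive exact name match).

```python
# Added example (not Heimdal's code): a model of the hosts-file lookup
# behaviour discussed in the thread. Function names and the sample hosts
# content are constructed for illustration.

def parse_hosts(text):
    """Parse /etc/hosts-style text into a list of (address, [names]) entries.

    Mirrors the files backend closely enough for this example: '#' starts a
    comment, the first field is the address, the rest are the canonical name
    and its aliases. Names are lower-cased because hostname matching is
    case-insensitive.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], [n.lower() for n in fields[1:]]))
    return entries


def lookup_hosts(text, name):
    """Return the first address whose names contain `name` exactly, else None.

    The match is an exact string comparison (after lower-casing), so
    'kdc.foo.bar.' does not match an entry for 'kdc.foo.bar': the trailing
    dot is part of the name and is not stripped. That is why the alias trick
    from the thread works.
    """
    wanted = name.lower()
    for addr, names in parse_hosts(text):
        if wanted in names:
            return addr
    return None


def heimdal_lookup_name(configured, from_srv=False, legacy=True):
    """Name that the KDC-locating code would hand to getaddrinfo(3).

    legacy=True models the 1.5.2 behaviour described in the thread: a trailing
    dot is always appended to defeat the resolv.conf search path.
    legacy=False models the proposed relaxation: append the dot only when the
    name came from a DNS SRV record. Names already ending in '.' are left
    alone so that krb5.conf users can opt into the old behaviour themselves.
    """
    if configured.endswith("."):
        return configured
    if legacy or from_srv:
        return configured + "."
    return configured


# Constructed sample hosts files: one plain, one with the dotted alias added.
PLAIN_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    kdc.foo.bar kdc
"""

FIXED_HOSTS = """\
127.0.0.1   localhost
10.0.0.5    kdc.foo.bar kdc kdc.foo.bar.
"""


def demo():
    """Walk the cases from the thread; returns a dict for inspection."""
    return {
        # Heimdal 1.5.2 with a plain hosts file: lookup of 'kdc.foo.bar.' misses
        "legacy_plain": lookup_hosts(PLAIN_HOSTS, heimdal_lookup_name("kdc.foo.bar")),
        # same code, hosts file carrying the dotted alias: found
        "legacy_fixed": lookup_hosts(FIXED_HOSTS, heimdal_lookup_name("kdc.foo.bar")),
        # proposed behaviour, plain hosts file: found without any alias
        "proposed_plain": lookup_hosts(PLAIN_HOSTS, heimdal_lookup_name("kdc.foo.bar", legacy=False)),
        # an SRV-derived name still gets the dot under the proposed behaviour
        "proposed_srv_name": heimdal_lookup_name("kdc.foo.bar", from_srv=True, legacy=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

On a real system the same effect can be observed through the actual nsswitch path by comparing `getent hosts kdc.foo.bar` with `getent hosts kdc.foo.bar.`; the dotted query only succeeds once the dotted alias is present in /etc/hosts, which is the check to run before and after applying the workaround.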
