While you are technically correct, in my experience most SAs know very well
what services are provided and where, but don’t know enough about DNS to know
what a RR is. For that level of knowledge, having /etc/hosts take precedence is
exactly the “least surprise” behavior.
> On Jul 26, 2017, at 11:25 AM, Thor Lancelot Simon <t...@panix.com> wrote:
>
> On Wed, Jul 26, 2017 at 08:45:17AM -0700, Russ Allbery wrote:
>> Right, the point is not that you can't override with /etc/krb5.conf, the
>> point is that /etc/hosts normally overrides everything without having to
>> hunt down software-specific configuration files.
>
> But in this case /etc/hosts clearly *can't* "override everything". It
> cannot override the SRV records that are used to find the KDC via DNS,
> because there is no syntax to express a SRV record in /etc/hosts; and
> because of that, it is *a priori impossible* to know what hostname
> you would have to "override" in /etc/hosts (were that supported) to
> redirect Kerberos queries for a given realm to a particular IP address.
> You can't even know whether DNS is used to look up the KDC or not without
> looking at krb5.conf.
>
> Despite the expectation which seems reasonable at first glance that
> /etc/hosts could correctly be used to override a KDC in this way, in
> fact it works only in a few special cases - the ones where DNS is
> in use to find the KDC via SRV record *and* you can be 100% certain
> that SRV record won't change. Not so useful.
>
> Rather than relying on this, if you want to hardcode your KDC address,
> far better to turn off DNS lookup of the KDC, use krb5.conf, and be
> entirely manual and predictable, instead of half-manual, half-predictable,
> and half...donkeyed.
Personal email. hbh...@oxy.edu
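As an added illustration of the two setups the thread contrasts (this is an example written for this page, not configuration posted by anyone in the thread), here is an MIT krb5.conf fragment showing the "half-manual" configuration, where the KDC is still found through a DNS SRV record and /etc/hosts can only help if you already know which hostname that record points at, beside the fully manual one Thor recommends. The realm EXAMPLE.COM and the kdc1/kdc2 hostnames are constructed placeholders; the section and key names (dns_lookup_kdc, dns_lookup_realm, kdc, admin_server) are MIT Kerberos's own.

```ini
# Added example; realm and hostnames are constructed placeholders.

# --- Half-manual /etc/krb5.conf ---
# No kdc lines for the realm, so the library queries DNS for
# _kerberos._udp.EXAMPLE.COM (and _kerberos._tcp.EXAMPLE.COM) at run time.
# Pinning the KDC in /etc/hosts works only if you know the hostname the
# SRV record currently returns and that record never changes.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    EXAMPLE.COM = {
    }

# --- Fully manual /etc/krb5.conf ---
# Explicit kdc entries mean the SRV record is not consulted for this realm;
# dns_lookup_kdc = false additionally stops DNS fallback for any realm
# that is missing from [realms], so every KDC address is in this file.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
```

The two fragments are alternatives for the same file, not one file. To confirm which KDC a client actually contacts after changing the file, run kinit with the MIT tracing variable set (KRB5_TRACE=/dev/stderr kinit user); the trace shows whether the library resolved the KDC from the kdc lines or from a DNS SRV lookup.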