On Tue, May 06, 2008 at 02:03:25AM +0100, Edd Barrett wrote:

> Hi,
>
> Thanks for taking the time to reply. Most appreciated.
>
> On Tue, May 06, 2008 at 04:59:53PM -0700, Glenn Barry wrote:
> > We pretty much require DNS and in fact mech_krb5.so links directly against
> > libresolv.so to bypass the NameSvcSwitch to assure a FQDN is returned.
> >
> > And I think the RPCSEC_GSS svc name error msgs you are seeing are
> > indicative of that requirement.
>
> I see. Would there not be a situation where only NIS is preferred, like
> when the NIS server is doing the DNS lookups on clients' behalf.
This is something that the Solaris krb team has discussed many times. The problem, if I recall correctly, is that the typical NIS configuration does not normally return fully qualified domain names. FQDNs are required by the MIT version of krb which Solaris is based on, so Solaris krb requires this as well.

The FQDN req. is due to the fact that the service principal name in the KDB record is created in the form <service>/<FQDN>@<realm> and when the client sends a request for some service it needs to generate that service princ. name exactly. Given most users usually give the short form of the host as an arg to whatever client program (say ssh) is going to request a service ticket to authenticate to the service, it is up to krb code on the client to resolve the short hostname into its canonical form in order to generate the proper service princ name in the TGS_REQ.

> I can live with it, but it seems limited.

Agreed. One of these days we may provide additional features on the KDC side to work around the current FQDN requirement but we haven't seen much demand for it at this point as it appears that DNS is being used at the sites deploying krb.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
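The failure mode described in this thread, as an added illustration that is not part of the mailing-list exchange: the client builds the service principal from whatever its resolver returns, so a resolver that hands back short names (typical NIS hosts map) produces a principal the KDC cannot find in the KDB. The resolver tables, the hostnames, the realm and the KDB contents below are all constructed for the example; real code would call the system resolver instead of a dictionary.

```python
"""Why Kerberos needs a FQDN-returning resolver: building the service
principal for a TGS_REQ from a user-supplied short hostname."""

# Constructed stand-ins for two resolvers. A DNS resolver canonicalises to a
# FQDN; a typical NIS hosts map returns the short name only.
DNS_CANON = {
    "fileserver": "fileserver.example.com",
    "fileserver.example.com": "fileserver.example.com",
}
NIS_CANON = {
    "fileserver": "fileserver",
    "fileserver.example.com": "fileserver",
}

# Constructed KDB contents: service principals are stored as
# <service>/<FQDN>@<realm>, exactly as the thread describes.
KDB = {"nfs/fileserver.example.com@EXAMPLE.COM"}


def service_principal(service, host, realm, resolver):
    """Build <service>/<canonical host>@<realm> the way a client does before
    sending a TGS_REQ. `resolver` maps a name to its canonical form."""
    canon = resolver.get(host.lower())
    if canon is None:
        raise LookupError(f"cannot resolve host {host!r}")
    return f"{service}/{canon.lower()}@{realm}"


def kdc_lookup(principal):
    """Simulate the KDC searching the KDB for the requested service principal.
    A miss is what surfaces on the client as a service-name error."""
    return principal in KDB


def check_resolver(service, host, realm, resolver):
    """Diagnostic: does this resolver let the client build a principal the KDC
    knows? Returns (principal, found)."""
    principal = service_principal(service, host, realm, resolver)
    return principal, kdc_lookup(principal)


if __name__ == "__main__":
    for name, resolver in (("DNS", DNS_CANON), ("NIS", NIS_CANON)):
        principal, found = check_resolver("nfs", "fileserver", "EXAMPLE.COM", resolver)
        print(f"{name}: {principal} -> {'found' if found else 'NOT in KDB'}")
```

Running it shows the DNS-backed principal matching the KDB entry and the NIS-backed one missing, which is the mismatch the thread attributes to short names from NIS.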