Dear Kerberos Support Analyst:
At the outset I would like to convey our sincere thanks for providing
excellent support to the IT community on KRB matters.
We are currently working on integrating an Oracle product with a Kerberos
server. My colleague Jim McBride had written to [EMAIL PROTECTED] and Sam
Harman responded with his comments that as long as
gethostbyaddr(gethostbyname(gethostname())) returns FQDN, things should work fine.
Oracle insists that we need to provide the FQDN in the /etc/hosts file
and all along we have been telling them that it is not a MUST for us to
put the FQDN name in the /etc/hosts files. Although Oracle's argument
makes sense in a set-up where DNS is not configured correctly, as we all
know, from the Name Service management perspective it is not a good
idea to have the FQDN in /etc/hosts. We should let the resolver
libraries take care of the FQDN issues while making sure that the DNS is
configured according to the specifications.
I am more than convinced that our environment is correctly configured
and any application which relies on resolver libraries to derive the
FQDN of the host will work correctly in our environment. I do not find it
necessary to put the FQDN of the host in the /etc/hosts file of the machine
(which makes the DNS set-up meaningless).
I wrote a very simple program (fqdn_of_host.c) to demonstrate that the
resolver libraries are working correctly in an environment where DNS is
setup properly and kerberos applications will work correctly in the same
environment.
==================================================================================================
Some of the AIX commands produce the following results:
[EMAIL PROTECTED] $ hostname
denver
[EMAIL PROTECTED] $ host denver
denver.r2.fs.fed.us is 9.99.15.50
[EMAIL PROTECTED] $ nslookup denver
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
[EMAIL PROTECTED] $ nslookup 9.99.15.50
Server: netsrv.fs.fed.us
Address: 9.99.15.100
Name: denver.r2.fs.fed.us
Address: 9.99.15.50
[EMAIL PROTECTED] $ ifconfig en0
en0: flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255
=============================================================================================
The /etc/hosts file on denver looks like
127.0.0.1 loopback localhost # loopback (lo0) name/address
9.99.15.50 denver
=============================================================================================
The /etc/resolv.conf file on denver looks like
nameserver 9.99.15.100
search r1.fs.fed.us r2.fs.fed.us r3.fs.fed.us r6.fs.fed.us boulder.ibm.com ibm.com fs.fed.us
nameserver 9.17.223.121
=============================================================================================
The /etc/netsvc.conf file on the machine looks like:
hosts=bind4,local
=============================================================================================
/*
Source code for fqdn_of_host.c

Walks the chain gethostname() -> gethostbyname() -> gethostbyaddr() and
prints what each step returns, so the result of the round trip can be
compared with what the Kerberos libraries expect (an FQDN).
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int
main(void)
{
	char host_name[1024];
	char *ch;
	struct hostent *hostptr;
	struct in_addr addr;
	int i;

	/* Step 1: the host name as configured on the system (short name here). */
	if (gethostname(host_name, sizeof(host_name)) != 0) {
		perror("gethostname");
		return 1;
	}
	host_name[sizeof(host_name) - 1] = '\0';
	printf("Host Name by gethostname() : %s \n", host_name);

	/* Step 2: forward lookup through the resolver, in the order given by
	 * /etc/netsvc.conf on AIX (here bind4 first, then /etc/hosts). */
	hostptr = gethostbyname(host_name);
	if (hostptr == NULL) {
		herror("gethostbyname");
		return 1;
	}
	printf("\nHost Name by gethostbyname() : %s \n", hostptr->h_name);
	for (i = 0; hostptr->h_aliases[i]; i++)
		printf("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);

	ch = strchr(hostptr->h_name, '.');
	if (ch == NULL)
		printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
	else
		printf("Domain by gethostbyname() : %s\n", ch + 1);

	/* Copy the first address out of h_addr_list instead of poking at bytes. */
	if (hostptr->h_addrtype != AF_INET || hostptr->h_length != (int)sizeof(addr)
	    || hostptr->h_addr_list[0] == NULL) {
		fprintf(stderr, "gethostbyname: no IPv4 address returned\n");
		return 1;
	}
	memcpy(&addr, hostptr->h_addr_list[0], sizeof(addr));
	printf("Host IP by gethostbyname() : %s\n", inet_ntoa(addr));

	/* Step 3: reverse lookup of that address; Kerberos wants an FQDN here. */
	hostptr = gethostbyaddr((const char *)&addr, sizeof(addr), AF_INET);
	if (hostptr == NULL) {
		herror("gethostbyaddr");
		return 1;
	}
	printf("\nHost Name by gethostbyaddr() : %s \n", hostptr->h_name);
	return 0;
}
=============================================================================================
cc fqdn_of_host.c -o fqdn_of_host
When I run the compiled version of the above source code the output looks
like:
[EMAIL PROTECTED] $ fqdn_of_host
Host Name by gethostname() : denver
Host Name by gethostbyname() : denver.r2.fs.fed.us
Domain by gethostbyname() : r2.fs.fed.us
Host IP by gethostbyname() : 9.99.15.50
Host Name by gethostbyaddr() : denver.r2.fs.fed.us
[EMAIL PROTECTED] $
===============================================================================================
I am of the opinion that "Oracle's argument that the FQDN hostname must
and should be present on the first line of the /etc/hosts file in order
for the kerberos server/client to work correctly does not make a good
argument when DNS is configured correctly and it is assured that DNS will
work correctly under all circumstances".
What am I requesting from you?
Please confirm to us that " In the environment that has been described in
this e-mail, it is NOT necessary for us to put the FQDN name of the host
in /etc/hosts file for the kerberos server/client to work correctly "
Once again, thanks for your help. A quick response to this is gratefully
acknowledged.
Regards,
Sridhar
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS - Public Sector
Voice (303) 924 - 0413
Email [EMAIL PROTECTED]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----
James McBride
09/10/2003 01:47 PM
To: Sridhar [EMAIL PROTECTED]
cc: Steve Sipocz Jr/Boulder/[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], Richard A Ernst/Boulder/[EMAIL PROTECTED]
From: James McBride/Boulder/[EMAIL PROTECTED]
Subject: Re: /etc/hosts on a Kerberos client
Sridhar,
Can you write C program to verify that
"gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with
an FQDN"?
TIA
Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO 80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
[EMAIL PROTECTED]
Sam Hartman <[EMAIL PROTECTED]>
09/10/2003 12:40 PM
To: James McBride/Boulder/[EMAIL PROTECTED]
cc: <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Sridhar Murthy/Boulder/[EMAIL PROTECTED],
Kurt Bevers <[EMAIL PROTECTED]>, Steve Sipocz Jr/Boulder/[EMAIL PROTECTED]
Subject: Re: /etc/hosts on a Kerberos client
>>>>> "James" == James McBride <[EMAIL PROTECTED]> writes:
James> Dear Kerberos Support Analyst:
James> Oracle Support is reporting that MIT Kerberos requires that
James> the FQDN of a Kerberos client must be in the /etc/hosts
James> file. They provided the URL below as a reference:
James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1
James> /doc/krb5-admin.html#Getting%20DNS%20Information%20Correct
James> We feel that Kerberos can use DNS and the operating system
James> to determine the FQDN of a machine.
James> Please provide your perspective on this.
James> Thanks In Advance,
James> Jim McBride Oracle Deployment and Support IBM Corporation
James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
James> 924-9233 [EMAIL PROTECTED]
James> _______________________________________________ krbdev
James> mailing list [EMAIL PROTECTED]
James> https://mailman.mit.edu/mailman/listinfo/krbdev
Hi. The address [EMAIL PROTECTED] is not an appropriate place to request
Kerberos support. This address is for discussion of development of
MIT Kerberos. You may want to address support questions to
[EMAIL PROTECTED] in the future.
That said, with regard to DNS and hostnames, the requirement is that
gethostbyaddr(gethostbyname(gethostname())) return a correct hostname
with an FQDN. The easiest way of guaranteeing this is to make sure
that both /etc/hosts and DNS will correctly resolve the machine.
Things that typically do not work include listing the machine's IP in
/etc/hosts without the FQDN first; listing the machine's name on the
localhost line in /etc/hosts; etc.
Not listing the machine's name in /etc/hosts at all while correctly
configuring DNS will tend to work correctly.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
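The round trip Sam Hartman describes, written as a check rather than a printout. This is an added example, not code from the thread or from MIT Kerberos: it runs gethostbyaddr(gethostbyname(hostname)) and reports which of the failure modes named above it hits (no forward mapping, host name pointing at the loopback line, no reverse mapping, or a reverse name without a domain part). The enum, the status names and the helper functions is_fqdn, is_loopback_dotted and check_host_fqdn are mine; the notion of "FQDN" used here (at least one dot, no empty labels) is my assumption of what the libraries expect, and the loopback test is the assumption that a host listed on the 127.0.0.1 line will resolve to 127/8.

```c
/* fqdn_roundtrip_check.c - added example, not part of the original thread.
 * Build: cc fqdn_roundtrip_check.c -o fqdn_roundtrip_check */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Outcomes of gethostbyaddr(gethostbyname(hostname)) (names are assumptions). */
enum fqdn_status {
    FQDN_OK = 0,
    FQDN_ERR_FORWARD,   /* gethostbyname() found no IPv4 address */
    FQDN_ERR_LOOPBACK,  /* name maps to 127/8: host listed on the localhost line */
    FQDN_ERR_REVERSE,   /* gethostbyaddr() found nothing for that address */
    FQDN_ERR_NOT_FQDN   /* reverse name has no domain part, e.g. "denver" */
};

const char *fqdn_status_text(enum fqdn_status st)
{
    switch (st) {
    case FQDN_OK:           return "OK: reverse lookup returned an FQDN";
    case FQDN_ERR_FORWARD:  return "gethostbyname() failed: no forward mapping";
    case FQDN_ERR_LOOPBACK: return "host name resolves to a loopback address";
    case FQDN_ERR_REVERSE:  return "gethostbyaddr() failed: no reverse mapping";
    case FQDN_ERR_NOT_FQDN: return "reverse lookup returned a name without a domain";
    }
    return "unknown";
}

/* Syntactic FQDN test (assumed definition): at least one dot, and every dot
 * has a non-empty label on both sides. No lookup is performed. */
int is_fqdn(const char *name)
{
    const char *dot;
    if (name == NULL || *name == '\0' || *name == '.')
        return 0;
    dot = strchr(name, '.');
    if (dot == NULL)
        return 0;
    for (; dot != NULL; dot = strchr(dot + 1, '.'))
        if (dot[1] == '\0' || dot[1] == '.')   /* trailing dot or empty label */
            return 0;
    return 1;
}

/* 1 if addr is in 127.0.0.0/8, else 0. */
int is_loopback(const struct in_addr *addr)
{
    return (ntohl(addr->s_addr) >> 24) == 127;
}

/* Convenience wrapper: 1 loopback, 0 not loopback, -1 if not a dotted quad. */
int is_loopback_dotted(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    return is_loopback(&a);
}

/* Run the round trip for hostname; copy the reverse name into out (may be NULL). */
enum fqdn_status check_host_fqdn(const char *hostname, char *out, size_t outlen)
{
    struct hostent *he;
    struct in_addr addr;

    he = gethostbyname(hostname);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return FQDN_ERR_FORWARD;
    memcpy(&addr, he->h_addr_list[0], sizeof(addr));
    if (is_loopback(&addr))
        return FQDN_ERR_LOOPBACK;

    he = gethostbyaddr((const char *)&addr, sizeof(addr), AF_INET);
    if (he == NULL || he->h_name == NULL)
        return FQDN_ERR_REVERSE;
    if (out != NULL && outlen > 0) {
        strncpy(out, he->h_name, outlen - 1);
        out[outlen - 1] = '\0';
    }
    return is_fqdn(he->h_name) ? FQDN_OK : FQDN_ERR_NOT_FQDN;
}

int main(void)
{
    char host[1024], fqdn[256];
    enum fqdn_status st;

    if (gethostname(host, sizeof(host)) != 0) {
        perror("gethostname");
        return 2;
    }
    host[sizeof(host) - 1] = '\0';
    fqdn[0] = '\0';
    st = check_host_fqdn(host, fqdn, sizeof(fqdn));
    printf("gethostname() : %s\n", host);
    printf("round trip    : %s\n", fqdn[0] ? fqdn : "(none)");
    printf("verdict       : %s\n", fqdn_status_text(st));
    return st == FQDN_OK ? 0 : 1;   /* non-zero exit makes it usable from scripts */
}
```

On the denver configuration shown in the thread (short name in /etc/hosts, DNS first in /etc/netsvc.conf) this exits 0; moving "denver" onto the 127.0.0.1 line would produce the LOOPBACK verdict, and a /etc/hosts-first order with only the short name would produce NOT_FQDN, which are the two "typically do not work" cases in the reply.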