Sridhar,

Our company has a lot of experience with Oracle ASE configuration and its Kerberos capabilities. I can help you with this issue if you provide me with some background to the actual configuration being tested - i.e. what version of Oracle product is being used, what architecture, platforms etc.

If you can provide me with these details I suggest we continue this subject offlist.

Thanks,
Tim Alsop
CyberSafe Limited.

-----Original Message-----
From: Sridhar Murthy [mailto:[EMAIL PROTECTED]
Sent: 12 September 2003 06:44
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Sam Hartman; James McBride; Richard A Ernst; [EMAIL PROTECTED]; Steve Sipocz Jr; [EMAIL PROTECTED]
Subject: Re: /etc/hosts on a Kerberos client - Please provide your advise.

Dear Kerberos Support Analyst:

At the outset I would like to convey our sincere thanks for providing excellent support to the IT community on KRB matters.

We are currently working on integrating an Oracle product with a Kerberos server. My colleague Jim McBride had written to [EMAIL PROTECTED] and Sam Hartman responded with his comments that as long as gethostbyaddr(gethostbyname(gethostname())) returns FQDN, things should work fine.

Oracle insists that we need to provide the FQDN in the /etc/hosts file and all along we have been telling them that it is not a MUST for us to put the FQDN name in the /etc/hosts files. Although Oracle's argument makes sense in a set-up where DNS is not configured correctly, we all know that, from the Name Service management perspective, it is not a good idea to have the FQDN in the /etc/hosts. We should let the resolver libraries take care of the FQDN issues while making sure that the DNS is configured according to the specifications.

I am more than convinced that our environment is correctly configured and any application which relies on resolver libraries to derive the FQDN of the host will work correctly in our environment. I do not find it necessary to put the FQDN of the host in the /etc/hosts file of the machine (which makes the DNS set-up meaningless).

I wrote a very simple program (fqdn_of_host.c) to demonstrate that the resolver libraries are working correctly in an environment where DNS is set up properly and Kerberos applications will work correctly in the same environment.
==========================================================================
Some of the AIX commands produce the following results:

[EMAIL PROTECTED] $ hostname
denver

[EMAIL PROTECTED] $ host denver
denver.r2.fs.fed.us is 9.99.15.50

[EMAIL PROTECTED] $ nslookup denver
Server: netsrv.fs.fed.us
Address: 9.99.15.100

Name: denver.r2.fs.fed.us
Address: 9.99.15.50

[EMAIL PROTECTED] $ nslookup 9.99.15.50
Server: netsrv.fs.fed.us
Address: 9.99.15.100

Name: denver.r2.fs.fed.us
Address: 9.99.15.50

[EMAIL PROTECTED] $ ifconfig en0
en0: flags=e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 9.99.15.50 netmask 0xffffff00 broadcast 9.99.15.255
==========================================================================
The /etc/hosts file on denver looks like

127.0.0.1 loopback localhost # loopback (lo0) name/address
9.99.15.50 denver
==========================================================================
The /etc/resolv.conf file on denver looks like

nameserver 9.99.15.100
search r1.fs.fed.us r2.fs.fed.us r3.fs.fed.us r6.fs.fed.us boulder.ibm.com ibm.com fs.fed.us
nameserver 9.17.223.121
==========================================================================
The /etc/netsvc.conf file on the machine looks like:

hosts=bind4,local
==========================================================================
/* Source code for fqdn_of_host.c */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void)
{
    char host_name[1024], addrbuf[32], *ch;
    unsigned char a[4];
    struct hostent *hostptr;
    int i;

    /* Step 1: the name this host reports for itself */
    if (gethostname(host_name, sizeof(host_name)) != 0) {
        perror("gethostname");
        return 1;
    }
    printf("Host Name by gethostname() : %s \n", host_name);

    /* Step 2: forward lookup of that name */
    hostptr = gethostbyname(host_name);
    if (hostptr == NULL || hostptr->h_addrtype != AF_INET) {
        fprintf(stderr, "gethostbyname() found no IPv4 entry for %s\n", host_name);
        return 1;
    }
    printf("\nHost Name by gethostbyname() : %s \n", hostptr->h_name);
    for (i = 0; hostptr->h_aliases[i]; i++)
        printf("Host Alias by gethostbyname() : %s\n", hostptr->h_aliases[i]);

    /* Anything after the first dot is the domain part */
    ch = strchr(hostptr->h_name, '.');
    if (ch == NULL) {
        printf("DNS Entry does not exist as per the hostname returned by gethostbyname()\n");
    } else {
        printf("Domain by gethostbyname() : %s\n", ++ch);
    }

    /* Copy the first address out before the next resolver call
       overwrites the static hostent */
    for (i = 0; i < 4; i++)
        a[i] = (unsigned char)(hostptr->h_addr_list[0][i] & 0xFF);
    snprintf(addrbuf, sizeof(addrbuf), "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
    printf("Host IP by gethostbyname() : %s\n", addrbuf);

    /* Step 3: reverse lookup of that address */
    hostptr = gethostbyaddr(a, 4, AF_INET);
    if (hostptr == NULL) {
        fprintf(stderr, "gethostbyaddr() failed for %s\n", addrbuf);
        return 1;
    }
    printf("\nHost Name by gethostbyaddr() : %s \n", hostptr->h_name);
    return 0;
}
==========================================================================
cc fqdn_of_host.c -o fqdn_of_host

When I run the compiled version of the above source code the output looks like:

[EMAIL PROTECTED] $ fqdn_of_host
Host Name by gethostname() : denver

Host Name by gethostbyname() : denver.r2.fs.fed.us
Domain by gethostbyname() : r2.fs.fed.us
Host IP by gethostbyname() : 9.99.15.50

Host Name by gethostbyaddr() : denver.r2.fs.fed.us
[EMAIL PROTECTED] $
==========================================================================

I am of the opinion that "Oracle's argument that FQDN hostname must and should be present on the first line of the /etc/hosts file in order for the Kerberos server/client to work correctly does not make a good argument when DNS is configured correctly and it is assured that DNS will work correctly under all circumstances".

What am I requesting you for?

Please confirm to us that "In the environment that has been described in this e-mail, it is NOT necessary for us to put the FQDN name of the host in /etc/hosts file for the Kerberos server/client to work correctly"

Once again, thanks for your help. A quick response to this is gratefully acknowledged.
Regards,
Sridhar

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
IBM BCS - Public Sector
Voice (303) 924 - 0413
Email [EMAIL PROTECTED]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

----- Forwarded by Sridhar Murthy/Boulder/IBM on 09/11/2003 11:37 PM -----

James McBride
09/10/2003 01:47 PM

To: Sridhar [EMAIL PROTECTED]
cc: Steve Sipocz Jr/Boulder/[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], Richard A Ernst/Boulder/[EMAIL PROTECTED]
From: James McBride/Boulder/[EMAIL PROTECTED]
Subject: Re: /etc/hosts on a Kerberos client

Sridhar,

Can you write a C program to verify that "gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with an FQDN"?

TIA

Jim McBride
Oracle Deployment and Support
IBM Corporation
6300 Diagonal HWY., Stop 003E
Boulder, CO 80301-9020
Office: (303) 924-5626
Lab: (303) 924-0212
Fax: (303) 924-9233
[EMAIL PROTECTED]

Sam Hartman <[EMAIL PROTECTED]>
09/10/2003 12:40 PM

To: James McBride/Boulder/[EMAIL PROTECTED]
cc: <[EMAIL PROTECTED]>, [EMAIL PROTECTED], Sridhar Murthy/Boulder/[EMAIL PROTECTED], Kurt Bevers <[EMAIL PROTECTED]>, Steve Sipocz Jr/Boulder/[EMAIL PROTECTED]
Subject: Re: /etc/hosts on a Kerberos client

>>>>> "James" == James McBride <[EMAIL PROTECTED]> writes:

James> Dear Kerberos Support Analyst:

James> Oracle Support is reporting that MIT Kerberos requires that
James> the FQDN of a Kerberos client must be in the /etc/hosts
James> file. They provided the URL below as a reference:

James> http://web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.1/doc/krb5-admin.html#Getting%20DNS%20Information%20Correct

James> We feel that Kerberos can use DNS and the operating system
James> to determine the FQDN of a machine.

James> Please provide your perspective on this.
James> Thanks In Advance,

James> Jim McBride Oracle Deployment and Support IBM Corporation
James> 6300 Diagonal HWY., Stop 003E Boulder, CO 80301-9020
James> Office: (303) 924-5626 Lab: (303) 924-0212 Fax: (303)
James> 924-9233 [EMAIL PROTECTED]

James> _______________________________________________ krbdev
James> mailing list [EMAIL PROTECTED]
James> https://mailman.mit.edu/mailman/listinfo/krbdev

Hi. The address [EMAIL PROTECTED] is not an appropriate place to request Kerberos support. This address is for discussion of development of MIT Kerberos. You may want to address support questions to [EMAIL PROTECTED] in the future.

That said, with regard to DNS and hostnames, the requirement is that gethostbyaddr(gethostbyname(gethostname())) return a correct hostname with an FQDN.

The easiest way of guaranteeing this is to make sure that both /etc/hosts and DNS will correctly resolve the machine.

Things that typically do not work include listing the machine's IP in /etc/hosts without the FQDN first; listing the machine's name on the localhost line in /etc/hosts; etc.

Not listing the machine's name in /etc/hosts at all while correctly configuring DNS will tend to work correctly.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
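The two /etc/hosts layouts that the last reply in this thread says typically do not work can be checked mechanically. The checker below is an added example, not code from the thread or from MIT Kerberos; check_hosts, names_host and the two flag names are hypothetical, and it inspects only the file text, not the resolver order.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define SHORT_NAME_FIRST 1 /* host's own line lists a non-FQDN name first */
#define NAME_ON_LOOPBACK 2 /* host's name sits on a 127.x or ::1 line */

/* Does token t (length n) equal shortname, or start with "shortname."? */
static int names_host(const char *t, size_t n, const char *shortname)
{
    size_t s = strlen(shortname), i;
    if (n < s || (n > s && t[s] != '.'))
        return 0;
    for (i = 0; i < s; i++)
        if (tolower((unsigned char)t[i]) != tolower((unsigned char)shortname[i]))
            return 0;
    return 1;
}

/* Scan hosts-file text; return an OR of the flags above (0 = neither found). */
int check_hosts(const char *text, const char *shortname)
{
    int flags = 0;
    while (*text) {
        const char *p = text, *end = text + strcspn(text, "#\n"); /* drop comment */
        const char *first = NULL;
        size_t first_len = 0, n;
        int field = 0, mentions = 0, loopback = 0;
        for (;; p += n, field++) {
            while (p < end && isspace((unsigned char)*p)) p++;
            for (n = 0; p + n < end && !isspace((unsigned char)p[n]); n++) ;
            if (n == 0) break;
            if (field == 0)          /* address column */
                loopback = !strncmp(p, "127.", 4) || (n == 3 && !strncmp(p, "::1", 3));
            if (field == 1) { first = p; first_len = n; }
            if (field >= 1) mentions |= names_host(p, n, shortname);
        }
        if (mentions && loopback) flags |= NAME_ON_LOOPBACK;
        else if (mentions && !memchr(first, '.', first_len)) flags |= SHORT_NAME_FIRST;
        text = end + strcspn(end, "\n");
        if (*text == '\n') text++;
    }
    return flags;
}

int main(void)
{
    /* the hosts file quoted in the thread, checked for host "denver" */
    const char *hosts = "127.0.0.1 loopback localhost # loopback (lo0)\n9.99.15.50 denver\n";
    printf("flags = %d\n", check_hosts(hosts, "denver"));
    return 0;
}
```

Whether a flagged line is ever consulted depends on the resolver order; the netsvc.conf quoted in the thread lists bind4 before local.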
