Re: How to disable DNS lookups?

2017-07-25 Thread Heikki Lindholm

On 25.07.2017 17:00, Roland C. Dowdeswell wrote:
> On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
>
>> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
>>
>>> On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>>>
>>>> The Heimdal version identifies itself as 1.5.2. The main problem is that
>>>> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
>>>> address, but goes to DNS, and fails.
>>>
>>> 1.5.2 is quite old and, IIRC, I've seen this before.  You can work
>>> around it by adding the kdc name with a dot at the end as an alias in
>>> the hosts file.
>>
>> Thank you very much. That trick did it. It's weird, though. I would have
>> likely never arrived at the same solution by myself.
>
> It's a work-around in the Heimdal code which appends a trailing dot to
> hostnames when looking them up to avoid the DNS search path specified
> in /etc/resolv.conf.  Viktor and I discussed relaxing this yesterday
> because we believe that it is counter-intuitive.  It certainly confused
> me, but I worked it out by reading the code rather than the documentation.
> The approach that we think will work in the short term is to append the
> trailing dot iff the hostname came from DNS SRV RRs as they should not
> honour the DNS search path.  The existing behaviour will be able to be
> replicated by those who are using /etc/krb5.conf by appending their own
> trailing dot to the configured names.
>
> In the longer term, we should likely stop using getaddrinfo(3) for names
> obtained from DNS SRV RRs and directly query DNS for them as this matches
> expectations.  That is: you wouldn't expect that if you find

Isn't nsswitch.conf there to let the user specify which lookup to prefer
for getaddrinfo() and others?

MIT krb5's behaviour at least was exactly what I expected, i.e. if
there's a "kdc = kdc.foo.bar" in krb5.conf, kinit does the same kind of
lookup as "ping kdc.foo.bar" does (= in my case takes it from /etc/hosts
without DNS involvement).
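The two lookup behaviours discussed in this message (the unconditional trailing dot that Roland describes for Heimdal 1.5.2, the "dot only for SRV-derived names" policy he proposes, and the literal /etc/hosts match that makes the dotted alias work) modelled as an added example. This is not Heimdal's code and was not posted by anyone in the thread; the hosts file contents, the name kdc.foo.bar and the address 192.0.2.10 are constructed for the example, and the hosts matching is a simplified model of the resolver's "files" backend, not a copy of it.

```python
"""Model of the KDC name lookups discussed in this thread.

Added example; not code from Heimdal, MIT krb5 or either poster. It simulates
the "files" backend behind getaddrinfo(3), which matches the queried name
literally against the names and aliases in /etc/hosts, and the two naming
policies described above: Heimdal 1.5.2's unconditional trailing dot, and the
proposed rule of adding the dot only to names learned from DNS SRV records.
The hosts file contents and the name kdc.foo.bar are constructed for the
example; 192.0.2.10 is a documentation address.
"""

# Constructed /etc/hosts contents. The second carries the alias with the
# trailing dot that worked around the problem in the thread.
HOSTS_PLAIN = """\
127.0.0.1   localhost
192.0.2.10  kdc.foo.bar kdc
"""
HOSTS_WITH_DOT_ALIAS = """\
127.0.0.1   localhost
192.0.2.10  kdc.foo.bar kdc kdc.foo.bar.
"""


def parse_hosts(text):
    """Return {name: address} for every name and alias in a hosts file.

    Comments and blank lines are skipped. The first line naming a host wins,
    as the files backend returns the first matching entry.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def hosts_lookup(name, hosts_text):
    """Literal match, as the files backend does: no search list is applied and
    a trailing dot is not stripped, so "kdc.foo.bar." needs its own alias."""
    return parse_hosts(hosts_text).get(name.lower())


def heimdal_152_name(name, from_srv=False):
    """Behaviour reported for Heimdal 1.5.2: always append the trailing dot
    so getaddrinfo(3) bypasses the resolv.conf search path (from_srv is
    ignored; the policy applies to every name)."""
    return name if name.endswith(".") else name + "."


def proposed_name(name, from_srv):
    """Proposed policy: append the dot only for names from DNS SRV records.
    A krb5.conf name is passed through as written, so an admin who wants the
    old behaviour puts the dot in the config file."""
    if from_srv and not name.endswith("."):
        return name + "."
    return name


def split_host_port(kdc_entry, default_port=88):
    """Split a krb5.conf 'kdc = host[:port]' value; '[v6addr]:port' is also
    accepted."""
    if kdc_entry.startswith("["):
        host, _, rest = kdc_entry[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return host, port
    host, sep, port = kdc_entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return kdc_entry, default_port


def resolve_kdc(kdc_entry, from_srv, hosts_text, policy):
    """Return (address, port) for one KDC entry under the given naming policy,
    with address None when the files backend has no entry for the name the
    policy produced."""
    host, port = split_host_port(kdc_entry)
    return hosts_lookup(policy(host, from_srv), hosts_text), port


if __name__ == "__main__":
    for label, hosts in (("plain hosts", HOSTS_PLAIN),
                         ("hosts with dotted alias", HOSTS_WITH_DOT_ALIAS)):
        for policy in (heimdal_152_name, proposed_name):
            addr, port = resolve_kdc("kdc.foo.bar:88", False, hosts, policy)
            print(f"{label:24} {policy.__name__:18} -> {addr}:{port}")
```

Running it shows the failure mode from the thread directly: with the plain hosts file the 1.5.2 policy asks the files backend for "kdc.foo.bar.", which has no entry, while the proposed policy asks for "kdc.foo.bar" as configured and succeeds. Adding the dotted alias, as Roland suggested, makes the old policy succeed too.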


Re: How to disable DNS lookups?

2017-07-24 Thread Heikki Lindholm

On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
> On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
>
>> The Heimdal version identifies itself as 1.5.2. The main problem is that
>> Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
>> address, but goes to DNS, and fails.
>
> 1.5.2 is quite old and, IIRC, I've seen this before.  You can work
> around it by adding the kdc name with a dot at the end as an alias in
> the hosts file.

Thank you very much. That trick did it. It's weird, though. I would have
likely never arrived at the same solution by myself.

FreeBSD appears unwilling to update the base system heimdal as it has
been the same for several releases already. I have no idea why.


How to disable DNS lookups?

2017-07-22 Thread Heikki Lindholm

Hello list,

Out of laziness I'll just copy & paste an issue I sent to a freebsd ml
(without responses):

--
I'm trying to mount a kerberized NFSv4 share on FreeBSD 11. It's an
experimental setup without DNS; only /etc/hosts based lookup. I can't
even get kinit to work and, expectedly, mounting also fails. The problem
is that kinit stubbornly tries to get the kerberos kdc records from DNS,
although the server's ip is specified in /etc/hosts and it's in
krb5.conf and additionally krb5.conf is set to not do any DNS lookups.

So, I installed MIT kerberos and that version of kinit works fine, but
the problem then is, how to make mount use the MIT version?
--

The Heimdal version identifies itself as 1.5.2. The main problem is that
Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
address, but goes to DNS, and fails.

Maybe someone here can help? Of course, I can edit the freebsd source
and rebuild Heimdal, but I'd rather not if I could configure my way out
of this.


Regards,
Heikki Lindholm