[2093] in Kerberos-V5-bugs
Re: Canonical host names in a NIS/DNS network
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Fri Jul 12 15:15:46 1996
Date: Fri, 12 Jul 1996 15:12:12 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: slack@cc.utah.edu
Cc: krb5-bugs@MIT.EDU
In-Reply-To: David Slack's message of Thu, 11 Jul 1996 11:24:36 -0600,
<199607111724.LAA22492@elendil.cc.utah.edu>

   Date: Thu, 11 Jul 1996 11:24:36 -0600
   From: David Slack <slack@elendil.cc.utah.edu>

   The problem arises in deciding what the name of a machine's
   ticket should be. If we contact a machine from a host not on nis, the
   canonical name is machine_name.cc.utah.edu. If we contact a machine
   from a host within the nis network, the canonical name is simply
   machine_name. This problem is complicated by the fact that a
   significant number of our Suns running nis exist on multiple networks
   and have multiple interfaces. A machine might be called any number of
   different names depending on who is calling from where.

I consider this a bug in NIS. The "canonical name" means the name that
is *canonical*. That is, a name which is unique to a host, and which
has meaning anywhere in the Internet, which means that it is fully
qualified. gethostbyname() under NIS is broken (i.e. behaves
differently than the API as defined by Berkeley) in that it doesn't
return the fully qualified domain name.

   A few solutions have suggested themselves. One is to
   completely ignore NIS and only query DNS to find the canonical name of
   the host. This is not something we want to do, since it would require
   that we completely change our networking environment to fit Kerberos,
   where changing Kerberos a small amount would allow it to work within
   our environment, as I will illustrate.

In general, removing NIS is almost always the right thing to do. :-) If
your site has made the mistake of depending on it, I can understand how
this might make things difficult for you.

I don't understand why it would be so far to use DNS for the purpose of
finding the canonical name of the host? Are you not bothering to set up
DNS at all? Even if you don't want to remove NIS entirely from your
system, it should be possible to link your Kerberos programs with a DNS
resolver that will correctly implement gethostbyname().

- Ted
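
Added example (not part of the original message and not MIT Kerberos code): a check that refuses to build a host principal from the unqualified name an NIS lookup returns, so the mismatch described in the thread fails visibly instead of producing a different ticket name per network. The helpers `principal_instance` and `canonical_instance` are hypothetical, and `getaddrinfo()` with `AI_CANONNAME` stands in for the `gethostbyname()` call discussed above.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: derive a host principal's instance from a resolved
 * name. Returns 0, or -1 if the name is not fully qualified (NIS short name). */
int principal_instance(const char *resolved, char *out, size_t outlen)
{
    size_t n = strlen(resolved);
    if (n > 0 && resolved[n - 1] == '.')      /* drop the trailing root dot */
        n--;
    if (n == 0 || n >= outlen)
        return -1;
    /* Require an interior dot: a bare "machine_name" depends on who asks. */
    if (resolved[0] == '.' || memchr(resolved, '.', n) == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)            /* fold case for a stable name */
        out[i] = (char)tolower((unsigned char)resolved[i]);
    out[n] = '\0';
    return 0;
}

/* Hypothetical wrapper: resolve, then fail closed on an unqualified name. */
int canonical_instance(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_CANONNAME;            /* ask for the canonical name */
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    if (res->ai_canonname != NULL)
        rc = principal_instance(res->ai_canonname, out, outlen);
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    char inst[256];
    const char *name = argc > 1 ? argv[1] : "localhost";
    if (canonical_instance(name, inst, sizeof inst) != 0) {
        fprintf(stderr, "%s: resolver gave no fully qualified name\n", name);
        return 1;
    }
    printf("host/%s\n", inst);                /* usual host/<fqdn> form */
    return 0;
}
```

Run on a host whose lookups go through NIS first and on one that uses DNS: the first reports an error where the second prints the principal, which is the divergence the original report describes.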