[925] in Kerberos-V5-bugs
Re: Resolver is not used on SunOS (possibly others?)
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Nov 2 00:11:51 1994
Date: Wed, 2 Nov 1994 00:10:26 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: Marc Horowitz <marc@MIT.EDU>
Cc: Ted Lemon <mellon@ipd.wellsfargo.com>, krb5-bugs@MIT.EDU
In-Reply-To: Marc Horowitz's message of Tue, 01 Nov 1994 22:56:49 EST,
<9411020356.AA00709@w20-575-12.MIT.EDU>
Date: Tue, 01 Nov 1994 22:56:49 EST
From: Marc Horowitz <marc@MIT.EDU>
Content-Length: 1550
>> I'm running SunOS 4.1.3 on several systems here, and have found that
>> if some systems are patched to support DNS hostname resolution and
>> some aren't, kerberos authentication between differently configured
>> systems fails.
I think this is probably due to misconfiguration of one set of systems
or the other, not just different configuration. I'd look into this
before suggesting changing the krb5 master sources. I have users who
daily run krb5 clients on machines with no dns to servers which do
have dns in libc.
The main requirement is that gethostbyname() and gethostbyaddr() must
return fully qualified domain names. With /etc/hosts, this means that
the hostname on each line must be the fully qualified domain name. With
NIS/YP, I think you're stuck, since I don't think NIS/YP supports that.
Since I'm pretty sure this is only Sun brain damage I'm not sure how I
want to deal with it. There is a note already in doc/OS-notes (which
will be in the next release), which points out some of the problems with
Solaris and SunOS. I'll be glad to amplify it if you can do some
experimentation. The key question is "how do you make SunOS and Solaris
gethostbyname() and gethostbyaddr() always return a FQDN?"
- Ted
This is what is in OS-Notes about this issue:
------------------------------------------------------------------------
Solaris versions 2.0 through 2.3:
The gethostbyname() routine is broken; it does not return a fully
qualified domain name, even if you are using the DNS. Since Kerberos
V5 uses the fully qualified domain name as the second component of a
service principal (i.e., "host/tsx-11.mit.edu@ATHENA.MIT.EDU"), this
causes problems for servers that try to figure out their own fully
qualified domain name. (It turns out clients win because Kerberos
calls gethostbyname() and then calls gethostbyaddr() on the address,
and SunSoft didn't screw up gethostbyaddr() except when it is your own
local hostname!)
Workarounds:
1) Supply your own resolver library.
2) Upgrade to Solaris 2.4
3) Make sure your /etc/nsswitch.conf has the line:
hosts: files dns
and then in /etc/hosts, make sure there is a line with your
workstation's IP address and hostname, with the fully qualified domain
name first. Example:
18.172.1.4 dcl.mit.edu dcl
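An added C example, not part of this message or the krb5 sources, that mirrors the checks the thread describes: the client-side gethostbyname() then gethostbyaddr() canonicalisation, the "host/<fqdn>@REALM" service principal built from the result, and a check of /etc/hosts lines for workaround 3 (fully qualified name first). The is_fqdn() dot heuristic and all function names are assumptions made for illustration; the sample host-table lines are constructed, and the live resolver lookup only runs when a hostname is passed on the command line.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Heuristic used throughout this example (an assumption, not krb5's own
 * rule): a name is "fully qualified" if it has an interior dot, so
 * "dcl.mit.edu" passes and "dcl" or "dcl." does not. */
int is_fqdn(const char *name)
{
    const char *dot = strchr(name, '.');
    return dot != NULL && dot != name && dot[1] != '\0';
}

/* Build the host service principal "host/<fqdn>@<REALM>" the message
 * describes.  Returns 0 on success, -1 if the name is not fully qualified
 * (the failure mode this thread is about) or the buffer is too small. */
int make_host_principal(const char *fqdn, const char *realm,
                        char *buf, size_t buflen)
{
    int n;
    if (!is_fqdn(fqdn))
        return -1;
    n = snprintf(buf, buflen, "host/%s@%s", fqdn, realm);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Check one /etc/hosts line for workaround 3: the first name after the
 * address must be the fully qualified one.  Returns 1 if it is, 0 if a
 * short alias comes first, -1 for blank, comment or malformed lines. */
int hosts_line_first_name_is_fqdn(const char *line)
{
    char name[256];
    const char *p = line;
    size_t len;

    p += strspn(p, " \t");                  /* leading whitespace */
    if (*p == '\0' || *p == '#' || *p == '\n' || *p == '\r')
        return -1;
    p += strcspn(p, " \t\r\n#");            /* skip the address field */
    p += strspn(p, " \t");
    len = strcspn(p, " \t\r\n#");           /* first hostname field */
    if (len == 0 || len >= sizeof name)
        return -1;
    memcpy(name, p, len);
    name[len] = '\0';
    return is_fqdn(name) ? 1 : 0;
}

/* Mirror the client-side canonicalisation the message describes:
 * gethostbyname(), then gethostbyaddr() on the first address returned.
 * Copies the reverse-lookup name into out.  Returns 0 on success, -1 if
 * either lookup fails.  This needs the local resolver, so the offline
 * checks above do not depend on it. */
int canonical_hostname(const char *host, char *out, size_t outlen)
{
    struct hostent *fwd, *rev;
    struct in_addr addr;

    fwd = gethostbyname(host);
    if (fwd == NULL || fwd->h_addrtype != AF_INET || fwd->h_addr_list[0] == NULL)
        return -1;
    memcpy(&addr, fwd->h_addr_list[0], sizeof addr);
    rev = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (rev == NULL || rev->h_name == NULL)
        return -1;
    snprintf(out, outlen, "%s", rev->h_name);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample host-table lines, not a real configuration. */
    const char *samples[] = {
        "18.172.1.4 dcl.mit.edu dcl",      /* correct: FQDN first */
        "18.172.1.4 dcl dcl.mit.edu",      /* wrong: short alias first */
        "# loopback",                      /* comment: skipped */
    };
    char canon[256], princ[320];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], hosts_line_first_name_is_fqdn(samples[i]));

    /* With a hostname argument, run the live lookup and show what a
     * Kerberos client on this machine would see for that host. */
    if (argc > 1) {
        if (canonical_hostname(argv[1], canon, sizeof canon) != 0) {
            printf("%s: lookup failed\n", argv[1]);
            return 1;
        }
        printf("%s canonicalises to %s (%s)\n", argv[1], canon,
               is_fqdn(canon) ? "fully qualified" : "NOT fully qualified");
        /* realm taken from the OS-Notes example above */
        if (make_host_principal(canon, "ATHENA.MIT.EDU", princ, sizeof princ) == 0)
            printf("service principal would be %s\n", princ);
    }
    return 0;
}
```

Compile with `cc -o fqdncheck fqdncheck.c` and run `./fqdncheck` for the offline host-table checks, or `./fqdncheck somehost` to see whether the resolver on that machine hands back a fully qualified name after the forward-then-reverse lookup; a short name in the "NOT fully qualified" branch is the condition the thread describes.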