[7530] in Kerberos


Re: Newbie Kerberos question

daemon@ATHENA.MIT.EDU (Jonathan Kamens)
Wed Jun 26 01:36:00 1996

To: kerberos@MIT.EDU
Date: 26 Jun 1996 05:24:39 GMT
From: jik@annex-1-slip-jik.cam.ov.com (Jonathan Kamens)

In article <DtKrux.4yz@ccc.amdahl.com>, Joanne Gauss <jeg40> writes:
|> I am just beginning to look at implementing Kerberos in our shop.  One thing I	
|> noticed is that Kerberos wants a fully qualified domain name in order to decide	
|> on the appropriate realm.  Our shop made a decision long ago to set up NIS,
|> /etc/hosts, etc. to return the short host name rather than FQDN.  Am I mistaken
|> in thinking that this "old" decision is going to cause problems with Kerberos??

No, you're not mistaken.

|> I'd be especially interested in learning how others have dealt with this same
|> problem.

Fix your NIS maps so that the FQDN is first.  If you need to be able to
support Kerberos interactions between machines using NIS and machines
using DNS, this is the only solution.

If, on the other hand, you believe that your Kerberos installation will
only be used on the machines which are using your NIS domain for
host-name data, you probably won't have a problem.  But the first time
this assumption breaks down, and a host, while trying to contact a
Kerberos service, calls gethostbyname() followed by gethostbyaddr() on
the resulting address and gets a different host name than the server
thinks its host name is, things will start breaking.  It's much easier
just to fix the NIS maps and solve the problem for good (or switch to
DNS for host-name resolution on all your hosts!).
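
Added example, not part of the original message: the Python sketch below emulates the gethostbyname()-then-gethostbyaddr() sequence over a hosts-format map, where the first name on a line is the official name, and flags entries whose first name is not fully qualified. The sample maps, host names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample maps in /etc/hosts format (official name first, then aliases).
SHORT_FIRST = """\
192.0.2.10  alpha alpha.example.com
192.0.2.11  beta.example.com beta
"""
FQDN_FIRST = """\
192.0.2.10  alpha.example.com alpha
192.0.2.11  beta.example.com beta
"""

def parse_hosts(text):
    """Return [(address, [official_name, alias, ...])] from hosts-format text."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            ipaddress.ip_address(fields[0])      # raises ValueError on a malformed address
            entries.append((fields[0], fields[1:]))
    return entries

def canonical_name(entries, name):
    """Emulate gethostbyname(name) followed by gethostbyaddr() on the result."""
    name = name.lower()
    for addr, names in entries:                  # forward lookup: name -> address
        if name in (n.lower() for n in names):
            for addr2, names2 in entries:        # reverse lookup: address -> official name
                if addr2 == addr:
                    return names2[0]
    return None

def short_name_first(entries):
    """Audit: entries whose official (first) name is not fully qualified."""
    return [(addr, names[0]) for addr, names in entries if "." not in names[0]]

if __name__ == "__main__":
    for label, text in (("short first", SHORT_FIRST), ("FQDN first", FQDN_FIRST)):
        entries = parse_hosts(text)
        print(label, "->", canonical_name(entries, "alpha"), short_name_first(entries))
```

With the short name first, a lookup of either "alpha" or "alpha.example.com" canonicalizes to "alpha", which is not the name a DNS-based host would arrive at for the same server.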
