[14560] in Kerberos
Re: Solaris 8 and libresolv
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Tue Jun 12 10:59:32 2001
Date: Tue, 12 Jun 2001 10:55:06 -0400
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
To: kerberos@MIT.EDU
Cc: flaminio <Livio.Flaminio@agat.univ-lille1.fr>
Message-ID: <20010612105504.Y9416@sm2p1386swk.wdr.com>
Mail-Followup-To: kerberos@MIT.EDU,
flaminio <Livio.Flaminio@agat.univ-lille1.fr>
In-Reply-To: <9g37ur$efj$1@new-usenet.uk.sun.com>; from Casper.Dik@Holland.Sun.Com on Mon, Jun 11, 2001 at 07:59:23PM +0000

To make a long story short, check out /etc/nsswitch.conf. That's where
you can specify how hosts are looked up.

You might see this:

% grep hosts /etc/nsswitch.conf
hosts: files dns
%

which means you must make sure that the primary hostname of all entries
in /etc/inet/hosts is an FQDN if you want Kerberos to work.

There are other variations. The rule is: DNS always returns FQDNs for
gethostbyaddr() queries, so if DNS is not first in the hosts lookup
order then you should make hostnames in the services preceding DNS be
FQDNs.

It used to be that Solaris wouldn't boot if DNS was first in the hosts
lookup order. Is this still the case?

Nico

On Mon, Jun 11, 2001 at 07:59:23PM +0000, Casper H.S. Dik - Network Security Engineer wrote:
> [[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]
>
> flaminio <Livio.Flaminio@agat.univ-lille1.fr> writes:
>
> >has anybody compiled Kerberos 1.2.2 under Solaris 8 ?
>
> >gmake[2]: Entering directory
> >`/site/src/krb5/krb5-1.2.2/sparc/tests/resolve'
> >LD_LIBRARY_PATH=`echo -L../../lib | sed -e "s/-L//g" -e "s/ /:/g"`;
> >export LD_LIBRARY_PATH; ./resolve
> >Hostname: MY-UNQUALIFIED-HOSTNAME
> >Host address: MY_IP_NO
> >FQDN: MY-UNQUALIFIED-HOSTNAME
> >Resolve library did not return a fully qualified domain name
> >You may have to reconfigure the kerberos distribution to select a
>
> This basically indicates a brokenness in your local configuration.
>
> Solaris is different from other systems in that linking w/ -lresolv
> does not force the use of the DNS resolver for gethostbyname().
>
> The reason for this is simple, we believe that it is inappropriate for
> an application to have a compiled in hostname resolution policy that
> contradicts the one laid down by the system administrator.
>
> But it thus gives the system administrator an extra burden: to make
> applications that require gethostbyname() to return an FQDN work, he must
> configure NIS/NIS+ and /etc/hosts such that they return an FQDN; that's
> something you didn't do.
>
>
> You can also download a Sun supported version of Kerberos from www.sun.com.
>
> Casper
> --
> Expressed in this posting are my opinions. They are in no way related
> to opinions held by my employer, Sun Microsystems.
> Statements on Sun products included here are not gospel and may
> be fiction rather than truth.
--
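
Added example, not part of the original message or of the krb5 distribution: a Python check that applies the rule above (any source consulted before DNS must return FQDNs) to the text of nsswitch.conf and the hosts file. The function names and sample data are constructed for illustration; skipping loopback entries is an assumption, and NIS/NIS+ maps are not inspected.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_NSSWITCH = """\
passwd: files
hosts:  files [NOTFOUND=continue] dns   # lookup order under test
"""
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  kdc1 kdc1.example.com       # short name listed first
192.0.2.11  app1.example.com app1
"""

def hosts_order(nsswitch_text):
    """Ordered sources on the 'hosts:' line, with [STATUS=action] criteria dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []

def non_fqdn_primaries(hosts_text):
    """(address, primary name) for entries whose first name has no domain part."""
    bad = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, primary = fields[0], fields[1]
        # Assumption: loopback entries are not used as Kerberos service hosts.
        if addr.startswith("127.") or addr == "::1":
            continue
        if "." not in primary.rstrip("."):
            bad.append((addr, primary))
    return bad

def audit(nsswitch_text, hosts_text):
    """Apply the rule from the message: sources consulted before DNS must yield FQDNs."""
    order = hosts_order(nsswitch_text)
    before_dns = order[:order.index("dns")] if "dns" in order else order
    # Only the 'files' source can be inspected offline; NIS/NIS+ maps are not read here.
    bad = non_fqdn_primaries(hosts_text) if "files" in before_dns else []
    return {"order": order, "before_dns": before_dns, "non_fqdn": bad}

if __name__ == "__main__":
    print(audit(SAMPLE_NSSWITCH, SAMPLE_HOSTS))
```

On a real system, pass the contents of /etc/nsswitch.conf and /etc/inet/hosts to audit(); any entry it reports should have its fully qualified name moved to the first name position.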