Getting DNS Information Correct
Several aspects of Kerberos rely on name service. In order for Kerberos
to provide its high level of security, it is less forgiving of name
service problems than some other parts of your network. It is important
that your Domain Name System (DNS) entries and your hosts have the
correct information.
Each host's canonical name must be the fully-qualified host name
(including the domain), and each host's IP address must reverse-resolve
to the canonical name.
Other than the localhost
entry, make all entries in each
machine's /etc/hosts
file in the following form:
IP address fully-qualified hostname aliases
Here is a sample /etc/hosts
file:
# this is a comment
127.0.0.1 localhost [email protected]
10.0.0.6 daffodil.mit.edu trillium wake-robin
Additionally, on Solaris machines, you need to be sure the "hosts"
entry in the file
/etc/nsswitch.conf
includes the source
"dns" as well as "file".
Finally, each host's keytab file must include a host/key pair for the
host's canonical name. You can list the keys in a keytab file by
issuing the command klist -k
. For example:
viola# klist -k
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
1 host/[email protected]
If you telnet to the host with a fresh credentials cache (ticket file),
and then klist
, the host's service principal should be
host/fully-qualified-hostname@REALM_NAME.