Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Getting DNS Information Correct

Several aspects of Kerberos rely on name service. In order for Kerberos to provide its high level of security, it is less forgiving of name service problems than some other parts of your network. It is important that your Domain Name System (DNS) entries and your hosts have the correct information.

Each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.

Other than the localhost entry, make all entries in each machine's /etc/hosts file in the following form:

     IP address      fully-qualified hostname        aliases
     

Here is a sample /etc/hosts file:

     # this is a comment
     127.0.0.1       localhost [email protected]
     10.0.0.6       daffodil.mit.edu trillium wake-robin
     

Additionally, on Solaris machines, you need to be sure the "hosts" entry in the file
/etc/nsswitch.conf includes the source "dns" as well as "file".

Finally, each host's keytab file must include a host/key pair for the host's canonical name. You can list the keys in a keytab file by issuing the command klist -k. For example:

     viola# klist -k
     Keytab name: /etc/krb5.keytab
     KVNO Principal
     ---- ------------------------------------------------------------
        1 host/[email protected]
     

If you telnet to the host with a fresh credentials cache (ticket file), and then klist, the host's service principal should be host/fully-qualified-hostname@REALM_NAME.


 
 
  © 1985-2006 by the Massachusetts Institute of Technology - Reproduced with permission. Design by Interspire