Getting DNS Information Correct

Several aspects of Kerberos rely on name service. In order for Kerberos to provide its high level of security, it is less forgiving of name service problems than some other parts of your network. It is important that your Domain Name System (DNS) entries and your hosts have the correct information.

Each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.

Other than the localhost entry, make all entries in each machine's /etc/hosts file in the following form:

     IP address      fully-qualified hostname        aliases
     

Here is a sample /etc/hosts file:

     # this is a comment
     127.0.0.1       localhost [email protected]
     10.0.0.6       daffodil.mit.edu trillium wake-robin
     

Additionally, on Solaris machines, you need to be sure the "hosts" entry in the file
/etc/nsswitch.conf includes the source "dns" as well as "file".

Finally, each host's keytab file must include a host/key pair for the host's canonical name. You can list the keys in a keytab file by issuing the command klist -k. For example:

     viola# klist -k
     Keytab name: /etc/krb5.keytab
     KVNO Principal
     ---- ------------------------------------------------------------
        1 host/[email protected]
     

If you telnet to the host with a fresh credentials cache (ticket file), and then klist, the host's service principal should be host/fully-qualified-hostname@REALM_NAME.