Re: /etc/hosts and system entries



On Fri, 28 Sep 2007 13:52:07 -0400
Simo Sorce <ssorce redhat com> wrote:

> On Fri, 2007-09-28 at 11:05 -0600, Lamont Peterson wrote:
> > On Fri, 28 Sep 2007 05:47:58 -0400
> > Jesse Keating <jkeating redhat com> wrote:
> > 
> > > On Fri, 28 Sep 2007 15:43:42 +0200
> > > "Alexander Boström" <abo kth se> wrote:
> > > 
> > > > While I do believe Kerberos protocols, libs or apps should be
> > > > smarter about these things sometimes and I'm not sure what
> > > > really happens here (though I've seen this happen a few times)
> > > > I really do think Kerberos is in its right to complain when
> > > > it's fed lies. If you put the hostname on the 127.0.0.1 line,
> > > > doesn't that override everything DNS says?
> > > 
> > > Almost every single location I take my laptop there is no dns
> > > entry for my hostname.  Relying upon every hostname to be DNS
> > > resolvable is extremely dated thinking.
> > > 
> > 
> > We use Kerberos here.  I have the notebook's hostname on the
> > 127.0.0.1 line in my /etc/hosts file.  Kerberos doesn't complain
> Try to do that on the KDC; the KDC does not listen on 127.0.0.1 for
> some reason.

Do I have "stupid" stamped on my forehead?  I didn't think I did. :)

Seriously, though, I wasn't talking about fixed servers or KDCs.  Of course, using 127.0.0.1 on a KDC would be problematic, but that's a "fixed server".  You're going to set it up and if you use DHCP, you're going to make sure that box always gets the same IP.  It's going to be in your DNS and you're going to make sure the PTR record is correct, too (if possible, but not strictly required).  You're also going to install the box and specify the hostname and not allow DHCP to try to determine it if you're using DHCP, in most cases.

We were talking about a notebook.  I don't know about you, but I don't run a KDC on mine.  We were talking about the notebook as a Kerberos client.

However, I have thought about running a slave KDC on my notebook, so that I don't have to wait for timeouts and failure due to not being able to contact the KDC while PAM is trying to authenticate.  Still, I'm sure there would be a whole lot of other issues with that, not the least of which would be dealing with the KDC db keys.  Oh well; I just don't have PAM doing Kerberos authentication and I simply run kinit when I need to.

> > IMNSHO, the /etc/hosts file is only for making sure that the box
> > can resolve itself regardless of what's going on with whatever
> > network(s) it's plugged into at the moment.  Period.  There are
> > plenty of daemons that will grumble if you use names in the
> > configuration and it can't resolve them (like MTAs, for example, in
> > some parts of their configs).
> 
> Sure, if we can make dhclient or the network configuration tools put
> in the right name-ip pair in /etc/hosts I have no problems.

Agreed.
-- 
Lamont Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.
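As an added example (not from this thread or any of its posters), a POSIX sh check of what a box resolves its own name to through /etc/hosts and whether the address maps back to that name: the first name on a matching line is what a reverse lookup against the file returns, so putting the hostname after the localhost aliases on the 127.0.0.1 line is the "fed lies" case, while putting it first is not. The hostnames, addresses and file contents are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: what does this box resolve its own name
# to via /etc/hosts, and does the reverse mapping of that address return the
# same name? Reverse lookup returns the FIRST name on the line, so order matters.

# forward_addr NAME FILE: address of the first line that lists NAME in any field
forward_addr() {
    awk -v n="$1" '{ sub(/#.*/, ""); if (NF < 2) next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2"
}

# canonical_name ADDR FILE: first name on the first line for ADDR (reverse lookup)
canonical_name() {
    awk -v a="$1" '{ sub(/#.*/, ""); if (NF < 2) next }
        $1 == a { print $2; exit }' "$2"
}

# self_check NAME FILE: prints "<scope>:<verdict>:<addr>", scope loopback or
# routable, verdict canonical or alias-of-<canonical name>; "unresolved" if
# NAME is absent. Exit status 0 only when forward and reverse agree.
self_check() {
    addr=$(forward_addr "$1" "$2")
    [ -n "$addr" ] || { echo unresolved; return 1; }
    canon=$(canonical_name "$addr" "$2")
    case $addr in 127.*|::1) scope=loopback ;; *) scope=routable ;; esac
    if [ "$canon" = "$1" ]; then echo "$scope:canonical:$addr"; return 0; fi
    echo "$scope:alias-of-$canon:$addr"
    return 1
}

# Constructed sample files (example.com and 192.0.2.x are documentation values).
# ALIAS_HOSTS puts the notebook's name after localhost on the 127.0.0.1 line;
# ORDERED_HOSTS puts it first, so the loopback address maps back to the hostname.
ALIAS_HOSTS=$(mktemp); ORDERED_HOSTS=$(mktemp)
trap 'rm -f "$ALIAS_HOSTS" "$ORDERED_HOSTS"' EXIT
cat > "$ALIAS_HOSTS" <<'EOF'
127.0.0.1 localhost.localdomain localhost notebook.example.com notebook
192.0.2.10 kdc.example.com kdc   # the fixed server: also in DNS with a PTR
EOF
cat > "$ORDERED_HOSTS" <<'EOF'
127.0.0.1 notebook.example.com notebook localhost.localdomain localhost
EOF

echo "alias order:    $(self_check notebook.example.com "$ALIAS_HOSTS")"
echo "hostname first: $(self_check notebook.example.com "$ORDERED_HOSTS")"
echo "fixed server:   $(self_check kdc.example.com "$ALIAS_HOSTS")"
echo "missing:        $(self_check laptop.example.com "$ALIAS_HOSTS")"
```

To run it against the real file instead of the samples, call `self_check "$(hostname)" /etc/hosts`.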