-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 28 Sep 2007 13:52:07 -0400
Simo Sorce <ssorce(a)redhat.com> wrote:
On Fri, 2007-09-28 at 11:05 -0600, Lamont Peterson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Fri, 28 Sep 2007 05:47:58 -0400
> Jesse Keating <jkeating(a)redhat.com> wrote:
> > On Fri, 28 Sep 2007 15:43:42 +0200
> > "Alexander Boström" <abo(a)kth.se> wrote:
> > > While I do believe Kerberos protocols, libs or apps should be
> > > smarter about these things sometimes and I'm not sure what
> > > really happens here (though I've seen this happen a few times)
> > > I really do think Kerberos is in its right to complain when
> > > it's fed lies. If you put the hostname on the 127.0.0.1 line,
> > > doesn't that override everything DNS says?
> > Almost every single location I take my laptop there is no dns
> > entry for my hostname. Relying upon every hostname to be DNS
> > resolvable is extremely dated thinking.
> We use Kerberos here. I have the notebook's hostname on the
> 127.0.0.1 line in my /etc/hosts file. Kerberos doesn't complain
Try to do that on the KDC, the KDC does not listen on 127.0.0.1 for
Do I have "stupid" stamped on my forehead? I didn't think I did. :)
Seriously, though, I wasn't talking about fixed servers or KDCs. Of course, using
127.0.0.1 on a KDC would be problematic, but that's a "fixed server".
You're going to set it up and if you use DHCP, you're going to make sure that box
always gets the same IP. It's going to be in your DNS and you're going to make
sure the PTR record is correct, too (if possible, but not strictly required). You're
also going to install the box and specify the hostname and not allow DHCP to try to
determine it if you're using DHCP, in most cases.
We were talking about a notebook. I don't know about you, but I don't run a KDC
on mine. We were talking about the notebook as a Kerberos client.
However, I have thought about running a slave KDC on my notebook, so that I don't have
to wait for timeouts and failure due to not being able to contact the KDC while PAM is
trying to authenticate. Still, I'm sure there would be a whole lot of other issues
with that, not the least of which would be dealing with the KDC db keys. Oh well; I just
don't have PAM doing Kerberos authentication and I simply run kinit when I need to.
> IMNSHO, the /etc/hosts file is only for making sure that the
> can resolve itself regardless of what's going on with whatever
> network(s) it's plugged into at the moment. Period. There are
> plenty of daemons that will grumble if you use names in the
> configuration and it can't resolve them (like MTAs, for example, in
> some parts of their configs).
Sure, if we can make dhclient or the network configuration tools put
in the right name-ip pair in /etc/hosts I have no problems.
Lamont Peterson <lamont(a)gurulabs.com>
Guru Labs, L.C. [ http://www.GuruLabs.com/
NOTE: All messages from this email address should be digitally signed with my
0xDC0DD409 GPG key. It is available on the pgp.mit.edu
well as other keyservers that sync with MIT's.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP SIGNATURE-----
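The thread turns on one mechanical question: whether a machine's hostname in /etc/hosts is bound only to 127.0.0.1 (the notebook case, which Kerberos tooling may object to) or to the address the host currently holds (the "right name-ip pair" Simo would like dhclient to maintain). The following is an added example, not code from the thread or from Fedora's network tools: it parses hosts-file text, reports whether a hostname is loopback-only, and produces the rewritten file a dhclient-style hook would write. The hosts content, the hostname notebook.example.com and the address 192.0.2.55 are constructed sample values; the function works on a string and never touches the real /etc/hosts.

```python
import ipaddress

# Constructed sample /etc/hosts, modelled on the notebook case in the thread:
# the machine's own hostname sits on the 127.0.0.1 line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost.localdomain localhost notebook.example.com notebook
::1         localhost6.localdomain6 localhost6
192.0.2.10  kdc.example.com kdc
"""


def parse_hosts(text):
    """Return a list of (address, [names]) tuples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def addresses_for(text, hostname):
    """Addresses the file binds to hostname (case-insensitive exact match)."""
    want = hostname.lower()
    return [addr for addr, names in parse_hosts(text)
            if want in (n.lower() for n in names)]


def loopback_only(text, hostname):
    """True when the file resolves hostname only to loopback addresses.

    This is the situation Kerberos clients can trip over: the name exists,
    but every address it maps to is 127.0.0.1 or ::1."""
    addrs = addresses_for(text, hostname)
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def rebind_hostname(text, hostname, ip):
    """Return hosts text with hostname (and its short form) bound to ip.

    Loopback lines keep their localhost names; only our aliases are removed
    from them. Any existing line for ip is merged into the new one. Lines
    that do not mention the host are passed through untouched."""
    if ipaddress.ip_address(ip).is_loopback:
        raise ValueError("refusing to bind the hostname to a loopback address")
    short = hostname.split(".", 1)[0]
    aliases = {hostname.lower(), short.lower()}
    out, merged = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            out.append(raw)
            continue
        addr, names = fields[0], fields[1:]
        if addr == ip:
            # keep other names already on our address line, re-emit below
            merged.extend(n for n in names if n.lower() not in aliases)
            continue
        if not any(n.lower() in aliases for n in names):
            out.append(raw)
            continue
        kept = [n for n in names if n.lower() not in aliases]
        if kept:  # drop the line entirely if it only named our host
            out.append(" ".join([addr] + kept))
    ours = [hostname] + ([short] if short != hostname else [])
    out.append(" ".join([ip] + ours + merged))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    host = "notebook.example.com"
    print("loopback-only before:", loopback_only(SAMPLE_HOSTS, host))
    updated = rebind_hostname(SAMPLE_HOSTS, host, "192.0.2.55")
    print(updated)
    print("loopback-only after:", loopback_only(updated, host))
```

Run as a script it prints the rewritten file with the hostname moved from the 127.0.0.1 line to its own 192.0.2.55 line while `localhost` stays where it was. A real hook would read the lease address from the DHCP client's environment and write the result back atomically; the refusal to bind to a loopback address is the guard that keeps such a hook from recreating the exact layout the thread is complaining about.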