SCIENTIFIC-LINUX-USERS Archives

December 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Tom Rockwell <[log in to unmask]>
Reply To: Tom Rockwell <[log in to unmask]>
Date: Thu, 10 Dec 2009 11:03:01 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (44 lines)

Hi,

I have a question about using FQDN in krb5.conf.

It seems that Kerberos libraries do an extra DNS lookup if the krb5.conf 
doesn't use complete FQDNs when specifying servers.

For example, with a FNAL.GOV stanza in krb5.conf like this:

        FNAL.GOV = {
          default_domain = fnal.gov
          admin_server = krb-fnal-admin.fnal.gov
          kdc = krb-fnal-1.fnal.gov:88
          kdc = krb-fnal-2.fnal.gov:88
          kdc = krb-fnal-3.fnal.gov:88
          kpasswd_protocol = SET_CHANGE
        }

MIT Kerberos does an extra check to see if krb-fnal-admin.fnal.gov is an 
FQDN.  If the server names are specified as proper FQDNs (note the final 
"."), then there is no need to do this check.  If name resolution on 
the client is slow, this can be a factor of 2 difference in time to get 
a ticket (note that this was testing on our own realm and not FNAL.GOV).


        FNAL.GOV = {
          default_domain = fnal.gov
          admin_server = krb-fnal-admin.fnal.gov.
          kdc = krb-fnal-1.fnal.gov.:88
          kdc = krb-fnal-2.fnal.gov.:88
          kdc = krb-fnal-3.fnal.gov.:88
          kpasswd_protocol = SET_CHANGE
        }

Is there a reason not to use the proper FQDN?  Most of the examples for 
krb5.conf don't show using FQDNs.

I saw this in a note on the MIT Kerberos list:

http://mailman.mit.edu/pipermail/kerberos/2006-September/010545.html

Thanks,
Tom Rockwell
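As an added example (not code from the post, the list, or MIT Kerberos), here is a small Python lint that parses the [realms] stanzas of a krb5.conf, reports server names that are not written as absolute DNS names (no trailing dot), and rewrites them. In DNS terms the trailing dot marks a name as absolute, so the resolver does not try the search-list suffixes on it. The realm EXAMPLE.ORG, its hosts and the IP address are constructed sample values; the keys it inspects (kdc, master_kdc, admin_server, kpasswd_server) are the standard [realms] keys that name a host. IP literals are deliberately left alone, since a trailing dot makes no sense on an address.

```python
"""Lint a krb5.conf [realms] section for server names that are not absolute
DNS names (no trailing dot), and optionally rewrite them.

Added example; a hypothetical helper, not part of MIT Kerberos or the post."""
import ipaddress
import re

# Keys in a [realms] stanza whose values name a server (host[:port]).
SERVER_KEYS = {"kdc", "master_kdc", "admin_server", "kpasswd_server"}

# Constructed sample config; EXAMPLE.ORG and its hosts are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.ORG

[realms]
  EXAMPLE.ORG = {
    default_domain = example.org
    admin_server = kerberos-admin.example.org
    kdc = kerberos-1.example.org:88
    kdc = kerberos-2.example.org.:88
    kdc = 192.0.2.10:88
    kpasswd_protocol = SET_CHANGE
  }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_STANZA_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KEY_VALUE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(\S+)(.*)$")


def split_host_port(value):
    """Split 'host[:port]' into (host, port-or-None). Bracketed IPv6 is not handled."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def is_ip_literal(host):
    """True for an IPv4/IPv6 address literal, which must not get a trailing dot."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_absolute(host):
    """An absolute DNS name ends with '.', so no search-list expansion applies."""
    return host.endswith(".")


def walk_realm_servers(text):
    """Yield (line_index, realm, key, host, port) for every server entry under [realms]."""
    section = realm = None
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = _STANZA_OPEN.match(line)
        if m:
            realm = m.group(1)
            continue
        if line == "}":
            realm = None
            continue
        m = _KEY_VALUE.match(line)
        if realm and m and m.group(2) in SERVER_KEYS:
            host, port = split_host_port(m.group(4))
            yield idx, realm, m.group(2), host, port


def find_relative_servers(text):
    """Return [(realm, key, host)] for host names that are neither absolute nor IP literals."""
    return [
        (realm, key, host)
        for _, realm, key, host, _ in walk_realm_servers(text)
        if not is_absolute(host) and not is_ip_literal(host)
    ]


def absolutize(text):
    """Return the config with a trailing dot appended to each relative server name."""
    lines = text.splitlines()
    for idx, _, _, host, port in walk_realm_servers(text):
        if is_absolute(host) or is_ip_literal(host):
            continue
        m = _KEY_VALUE.match(lines[idx])
        new_value = host + "." + (":" + port if port else "")
        lines[idx] = m.group(1) + m.group(2) + m.group(3) + new_value + m.group(5)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for realm, key, host in find_relative_servers(SAMPLE_KRB5_CONF):
        print(f"{realm}: {key} = {host} is not an absolute name")
    print(absolutize(SAMPLE_KRB5_CONF))
```

Run against a real /etc/krb5.conf by reading the file into `find_relative_servers`; the rewrite path is kept separate so the report can be reviewed before any change is applied to a live client.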
