Hi,
I have a question about using FQDN in krb5.conf.
It seems that Kerberos libraries do an extra DNS lookup if the krb5.conf
doesn't use complete FQDNs when specifying servers.
For example with a FNAL.GOV stanza in krb5.conf like this:
FNAL.GOV = {
    default_domain = fnal.gov
    admin_server = krb-fnal-admin.fnal.gov
    kdc = krb-fnal-1.fnal.gov:88
    kdc = krb-fnal-2.fnal.gov:88
    kdc = krb-fnal-3.fnal.gov:88
    kpasswd_protocol = SET_CHANGE
}
MIT Kerberos does an extra check to see if krb-fnal-admin.fnal.gov is a
FQDN. If the server names are specified as proper FQDNs (note the final
"."), then there is no need to do this check. If name resolution on
the client is slow, this can be a factor of 2 difference in the time to get
a ticket (note that this was tested on our own realm and not FNAL.GOV).
FNAL.GOV = {
    default_domain = fnal.gov
    admin_server = krb-fnal-admin.fnal.gov.
    kdc = krb-fnal-1.fnal.gov.:88
    kdc = krb-fnal-2.fnal.gov.:88
    kdc = krb-fnal-3.fnal.gov.:88
    kpasswd_protocol = SET_CHANGE
}
Is there a reason not to use the proper FQDN? Most of the examples for
krb5.conf don't show using FQDNs.
I saw this in a note on the MIT Kerberos list:
http://mailman.mit.edu/pipermail/kerberos/2006-September/010545.html
Thanks,
Tom Rockwell
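The following is an added example, not code from the post above or from MIT Kerberos. It audits a krb5.conf realm stanza for kdc/admin_server hosts that lack the trailing dot, and rewrites them as absolute names while preserving indentation and ports. The sample stanza is constructed from the one quoted in the post; the relation names handled (kdc, admin_server, master_kdc, kpasswd_server) are the standard krb5.conf host-valued relations. Single-label hosts are reported rather than anchored, because the script cannot know which domain was intended and "kdc1." would be a root-level name.

```python
"""Audit and rewrite krb5.conf realm stanzas so KDC hosts are absolute names.

Added example (not from the original post or from MIT Kerberos).
"""
import re

# Constructed sample: the realm stanza quoted in the post, names unanchored.
SAMPLE_STANZA = """\
FNAL.GOV = {
    default_domain = fnal.gov
    admin_server = krb-fnal-admin.fnal.gov
    kdc = krb-fnal-1.fnal.gov:88
    kdc = krb-fnal-2.fnal.gov:88
    kdc = krb-fnal-3.fnal.gov:88
    kpasswd_protocol = SET_CHANGE
}
"""

# krb5.conf [realms] relations whose value is host[:port].
HOST_RELATIONS = {"kdc", "admin_server", "master_kdc", "kpasswd_server"}

# indent, relation name, " = ", value, trailing text (comments etc.)
_RELATION_RE = re.compile(r"^(\s*)(\w+)(\s*=\s*)(\S+)(.*)$")


def is_fqdn(host):
    """True if the name is absolute, i.e. carries the trailing dot."""
    return host.endswith(".")


def split_host_port(value):
    """Split 'host:88' into ('host', '88'); port is None when absent."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def anchor_host(host):
    """Append the trailing dot to a multi-label name that lacks it.

    Single-label names are returned unchanged: anchoring 'kdc1' as 'kdc1.'
    would make it a root-level name, which is not what the author meant.
    """
    if is_fqdn(host) or "." not in host:
        return host
    return host + "."


def unanchored_hosts(text):
    """Audit: hosts in host-valued relations that are not absolute names."""
    found = []
    for line in text.splitlines():
        m = _RELATION_RE.match(line)
        if m and m.group(2) in HOST_RELATIONS:
            host, _port = split_host_port(m.group(4))
            if not is_fqdn(host):
                found.append(host)
    return found


def qualify_stanza(text):
    """Rewrite host-valued relations to absolute names.

    Returns (new_text, left_alone) where left_alone lists single-label
    hosts that could not be anchored safely. Indentation, ports and
    non-host relations (default_domain, kpasswd_protocol) are preserved.
    """
    out, left_alone = [], []
    for line in text.splitlines():
        m = _RELATION_RE.match(line)
        if m and m.group(2) in HOST_RELATIONS:
            indent, key, eq, value, rest = m.groups()
            host, port = split_host_port(value)
            new_host = anchor_host(host)
            if not is_fqdn(new_host):
                left_alone.append(host)
            value = new_host if port is None else f"{new_host}:{port}"
            line = f"{indent}{key}{eq}{value}{rest}"
        out.append(line)
    return "\n".join(out) + "\n", left_alone


if __name__ == "__main__":
    print("unanchored before:", unanchored_hosts(SAMPLE_STANZA))
    rewritten, skipped = qualify_stanza(SAMPLE_STANZA)
    print(rewritten)
    print("unanchored after:", unanchored_hosts(rewritten), "skipped:", skipped)
```

Run it against a copy of your own krb5.conf by replacing SAMPLE_STANZA with the file contents; the rewrite is idempotent, so running it twice leaves an already-anchored stanza unchanged.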