Hi, I have a question about using FQDN in krb5.conf. It seems that Kerberos libraries do an extra DNS lookup if the krb5.conf doesn't use complete FQDNs when specifying servers. For example with a FNAL.GOV stanza in krb5.conf like this: FNAL.GOV = { default_domain = fnal.gov admin_server = krb-fnal-admin.fnal.gov kdc = krb-fnal-1.fnal.gov:88 kdc = krb-fnal-2.fnal.gov:88 kdc = krb-fnal-3.fnal.gov:88 kpasswd_protocol = SET_CHANGE } MIT Kerberos does an extra check to see if krb-fnal-admin.fnal.gov is a FQDN. If the server names are specified as proper FQDNs (note the final "."). Then there is no need to do this check. If name resolution on the client is slow, this can be a factor of 2 difference in time to get a ticket (note that this was testing on our own realm and not FNAL.GOV). FNAL.GOV = { default_domain = fnal.gov admin_server = krb-fnal-admin.fnal.gov. kdc = krb-fnal-1.fnal.gov.:88 kdc = krb-fnal-2.fnal.gov.:88 kdc = krb-fnal-3.fnal.gov.:88 kpasswd_protocol = SET_CHANGE } Is there a reason not to use the proper FQDN? Most of the examples for krb5.conf don't show using FQDNs. I saw this in a note on the MIT Kerberos list: http://mailman.mit.edu/pipermail/kerberos/2006-September/010545.html Thanks, Tom Rockwell