Node:Getting DNS Information Correct, Next:Configuring Your Firewall to Work With Kerberos V5, Previous:Clock Skew, Up:Application Servers
Several aspects of Kerberos rely on name service. In order for Kerberos to provide its high level of security, it is less forgiving of name service problems than some other parts of your network. It is important that your Domain Name System (DNS) entries and your hosts have the correct information.
Each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.
Other than the localhost entry, make all entries in each
machine's /etc/hosts file in the following form:
IP address fully-qualified hostname aliases
Here is a sample /etc/hosts file:
# this is a comment
127.0.0.1 localhost localhost@mit.edu
10.0.0.6 daffodil.mit.edu trillium wake-robin
Additionally, on Solaris machines, you need to be sure the "hosts"
entry in the file
/etc/nsswitch.conf includes the source
"dns" as well as "file".
Finally, each host's keytab file must include a host/key pair for the
host's canonical name. You can list the keys in a keytab file by
issuing the command klist -k. For example:
viola# klist -k
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
1 host/daffodil.mit.edu@ATHENA.MIT.EDU
If you telnet to the host with a fresh credentials cache (ticket file),
and then klist, the host's service principal should be
host/fully-qualified-hostname@REALM_NAME.