<title>Kerberos V5 System Administrator's Guide</title>
Node:<a name="Getting%20DNS%20Information%20Correct">Getting DNS Information Correct</a>
<h3 class="section">Getting DNS Information Correct</h3>
<p>Several aspects of Kerberos rely on name service. In order for Kerberos
to provide its high level of security, it is less forgiving of name
service problems than some other parts of your network. It is important
that your Domain Name System (DNS) entries and your hosts have the

<p>Each host's canonical name must be the fully-qualified host name
(including the domain), and each host's IP address must reverse-resolve
to the canonical name.
<p>Other than the <code>localhost</code> entry, make all entries in each
machine's <code>/etc/hosts</code> file in the following form:

<pre class="smallexample"> IP address fully-qualified hostname aliases
</pre>
<p>Here is a sample <code>/etc/hosts</code> file:

<pre class="smallexample"> # this is a comment
127.0.0.1 localhost localhost@mit.edu
10.0.0.6 daffodil.mit.edu trillium wake-robin
</pre>
<p>Additionally, on Solaris machines, you need to be sure the "hosts"
entry in the file <code>/etc/nsswitch.conf</code> includes the source
"dns" as well as "file".
<p>Finally, each host's keytab file must include a host/key pair for the
host's canonical name. You can list the keys in a keytab file by
issuing the command <code>klist -k</code>. For example:
<pre class="smallexample"> viola# klist -k
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 host/daffodil.mit.edu@ATHENA.MIT.EDU
</pre>
<p>If you telnet to the host with a fresh credentials cache (ticket file),
and then <code>klist</code>, the host's service principal should be
<i>host/fully-qualified-hostname@REALM_NAME</i>.
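<p>The checks this section asks for, carried out offline on constructed data, as an added example that is not code from the guide: the <code>/etc/hosts</code> rules (fully-qualified canonical name, address reverse-resolving to it) and the <code>host/</code><i>fqdn</i> keytab entry. The hosts file text, the reverse-lookup table and the <code>klist -k</code> listing are constructed samples; a real check would read <code>/etc/hosts</code>, call <code>socket.gethostbyaddr()</code> and run <code>klist -k</code>.

```python
import re
# Constructed sample /etc/hosts content (not a real file); one entry is
# deliberately wrong: "viola" is a bare name, not a fully-qualified one.
SAMPLE_HOSTS = """\
# this is a comment
127.0.0.1 localhost localhost@mit.edu
10.0.0.6 daffodil.mit.edu trillium wake-robin
10.0.0.7 viola trillium2
"""

# Constructed stand-in for PTR lookups (real code would call socket.gethostbyaddr).
SAMPLE_REVERSE = {"10.0.0.6": "daffodil.mit.edu", "10.0.0.7": "viola.mit.edu"}

# Constructed `klist -k` output in the format shown on this page.
SAMPLE_KLIST = """\
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   1 host/daffodil.mit.edu@ATHENA.MIT.EDU
"""

def parse_hosts(text):
    """Yield (ip, canonical_name, aliases) for each non-comment hosts line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1], fields[2:]

def check_hosts(text, reverse_lookup):
    """Return problems found: a canonical name that is not fully qualified,
    or an address that does not reverse-resolve to its canonical name."""
    problems = []
    for ip, canonical, _aliases in parse_hosts(text):
        if canonical == "localhost":  # the one entry the guide exempts
            continue
        if "." not in canonical:
            problems.append(f"{ip}: canonical name {canonical!r} is not fully qualified")
        ptr = reverse_lookup(ip)
        if ptr != canonical:
            problems.append(f"{ip}: reverse-resolves to {ptr!r}, expected {canonical!r}")
    return problems

def keytab_has_host_key(klist_output, fqdn, realm):
    """True if the `klist -k` listing contains host/<fqdn>@<REALM> at any KVNO."""
    wanted = f"host/{fqdn}@{realm}"
    entry = re.compile(r"^\s*\d+\s+(\S+)\s*$")  # "<kvno> <principal>" rows only
    return any(m.group(1) == wanted
               for m in map(entry.match, klist_output.splitlines()) if m)
```

<p>Run against the sample data, <code>check_hosts</code> reports both defects of the <code>10.0.0.7</code> entry and none for <code>daffodil.mit.edu</code>, and <code>keytab_has_host_key</code> confirms the <code>host/daffodil.mit.edu@ATHENA.MIT.EDU</code> key is present.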