Hello,
It seems in F10 the hostname and DNS domain name are now being added as alias at the end of 127.0.0.1 definition, ala
127.0.0.1 localhost.localdomain localhost f10.domainname.com f10
which unfortunately breaks kerberos in its keytab lookups.
Here's what's happening in kerberos libkrb5.so.3.3 library (which probably has not changed in a while):
First the local hostname is looked up: gethostname(localname, MAXHOSTNAMELEN) returns 'f10.domainname.com' [which is correct]
Next the IP address is looked up: hints.ai_family = AF_INET; getaddrinfo(localname, 0, &hints, &ai); returns 'ai->ai_addr == 127.0.0.1' [which is kinda correct since 127.0.0.1 is _a_ local address]
Finally a reverse DNS lookup is done on the ai_addr (127.0.0.1): getnameinfo(ai->ai_addr, ai->ai_addrlen, ...) returns 'localhost.localdomain'
[which is not exactly wrong, but the DNS address of f10.domainname.com is not 127.0.0.1, it's a 192.168.x.x address]
Now if I simply remove the 'f10.domainname.com' and 'f10' from the line everything works.
If I convert it back to how it was done in F9: 127.0.0.1 f10 localhost.localdomain localhost localhost
everything works as well since the DNS lookup will return actual hostname 'f10'.
So my questions are:
- What was the reasoning behind the re-order? Was it needed to fix something else?
- Has anything else been affected by this change? If so what was done about it?
- Who owns /etc/hosts? rpm -qf /etc/hosts returns "is not owned by any package"
tia,
steved.
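Added example, not part of the original thread or of libkrb5: a simplified Python model of the /etc/hosts ("files") lookup source that follows the hostname, address, name sequence described in the message above and reports whether the name that comes back still matches the hostname. The 192.168.0.10 address and all function names are assumptions for illustration.

```python
# Added example: simplified model of the "files" (/etc/hosts) lookup source.
def parse_hosts(text):
    """Return [(address, [canonical, alias, ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def forward(entries, name):
    """Name -> address: the first line that lists the name (canonical or alias) wins."""
    for addr, names in entries:
        if name.lower() in (n.lower() for n in names):
            return addr
    return None

def reverse(entries, addr):
    """Address -> name: the first name on the first line for that address."""
    for a, names in entries:
        if a == addr:
            return names[0]
    return None

def check(hosts_text, hostname):
    """Follow hostname -> address -> name; return (address, name, matches)."""
    entries = parse_hosts(hosts_text)
    addr = forward(entries, hostname)
    if addr is None:
        return (None, None, None)   # not in the file: the resolver moves on to DNS
    name = reverse(entries, addr)
    return (addr, name, name.lower() == hostname.lower())

HOSTNAME = "f10.domainname.com"
F10_DEFAULT = "127.0.0.1 localhost.localdomain localhost f10.domainname.com f10\n"
LOOPBACK_ONLY = "127.0.0.1 localhost.localdomain localhost\n"
# Constructed: 192.168.0.10 stands in for the host's 192.168.x.x address.
OWN_LINE = LOOPBACK_ONLY + "192.168.0.10 f10.domainname.com f10\n"

if __name__ == "__main__":
    for label, text in [("F10 default", F10_DEFAULT),
                        ("hostname removed", LOOPBACK_ONLY),
                        ("hostname on own line", OWN_LINE)]:
        print(label, check(text, HOSTNAME))
```

A `matches` value of `False` is the case in which the name used for the keytab lookup differs from the machine's hostname.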
On Sat, Jan 03, 2009 at 10:32:54AM -0500, Steve Dickson wrote:
It seems in F10 the hostname and DNS domain name are now being added as alias at the end of 127.0.0.1 definition, ala
127.0.0.1 localhost.localdomain localhost f10.domainname.com f10
which unfortunately breaks kerberos in its keytab lookups.
I had a similar problem with dnsmasq, which was apparently caused by dnsdomainname returning the wrong name (IIRC 'localdomain' rather than the real domain name). Copying lines from a working F-8 /etc/hosts fixed it for me. Sorry, I didn't make any detailed notes :-(
Rich.
On 01/03/2009 10:32 AM, Steve Dickson wrote:
Hello,
It seems in F10 the hostname and DNS domain name are now being added as alias at the end of 127.0.0.1 definition, ala
127.0.0.1 localhost.localdomain localhost f10.domainname.com f10
which unfortunately breaks kerberos in its keytab lookups.
Every F10 install I did had a bad /etc/hosts file in the way you describe. Easy enough to fix but not for Aunt Tilly - tho she may not care and desktop impact is probably lowish.
However this does impact other services as well (squid/apache and others). I had terrible problems with some daemons inappropriately listening on 127.0.0.1 and not on the real IP until I fixed the hosts file.
Mail Lists wrote:
On 01/03/2009 10:32 AM, Steve Dickson wrote:
Hello,
It seems in F10 the hostname and DNS domain name are now being added as alias at the end of 127.0.0.1 definition, ala
127.0.0.1 localhost.localdomain localhost f10.domainname.com f10
which unfortunately breaks kerberos in its keytab lookups.
Every F10 install I did had a bad /etc/hosts file in the way you describe. Easy enough to fix but not for Aunt Tilly - tho she may not care and desktop impact is probably lowish.
However this does impact other services as well (squid/apache and others). I had terrible problems with some daemons inappropriately listening on 127.0.0.1 and not on the real IP until I fixed the hosts file.
It appears this was a known problem, https://bugzilla.redhat.com/show_bug.cgi?id=474086, and was resolved by adding the non-FQDN hostname to the end of the 127.0.0.1 line.
This resolution does indeed fix the problem I was seeing with the kerberos libraries.
steved.
On Saturday, 03.01.2009, at 10:32 -0500, Steve Dickson wrote:
Hello,
It seems in F10 the hostname and DNS domain name are now being added as alias at the end of 127.0.0.1 definition, ala
127.0.0.1 localhost.localdomain localhost f10.domainname.com f10
which unfortunately breaks kerberos in its keytab lookups.
It would be nice to fix this once and for all :)
http://www.faqs.org/docs/securing/chap9sec95.html recommends:
127.0.0.1 localhost.localdomain localhost myhostname
1.2.3.4 myhostname
On 01/04/2009 01:52 PM, nodata wrote:
It would be nice to fix this once and for all :)
http://www.faqs.org/docs/securing/chap9sec95.html recommends:
127.0.0.1 localhost.localdomain localhost myhostname
1.2.3.4 myhostname
I would definitely not do that .. I would recommend
127.0.0.1 localhost.localdomain localhost
1.2.3.4 foo@my.dom foo
On Sunday, 04.01.2009, at 13:56 -0500, Mail Lists wrote:
On 01/04/2009 01:52 PM, nodata wrote:
It would be nice to fix this once and for all :)
http://www.faqs.org/docs/securing/chap9sec95.html recommends:
127.0.0.1 localhost.localdomain localhost myhostname
1.2.3.4 myhostname
I would definitely not do that .. I would recommend
127.0.0.1 localhost.localdomain localhost
1.2.3.4 foo@my.dom foo
What if 1.2.3.4 is a floating service address, and 1.2.3.1 and 1.2.3.2 are the active and passive hosts?
On 01/04/2009 02:58 PM, nodata wrote:
What if 1.2.3.4 is a floating service address, and 1.2.3.1 and 1.2.3.2 are the active and passive hosts?
I am no expert in clustering, or hot stand by machines - so in the config you have in mind - is the floating IP not associated with a fixed name so the consumers don't know that the machine is being switched over?
If so both active and passive could have as their /etc/hosts files:
127.0.0.1 localhost.localdomain localhost
1.2.3.1 m1.my.dom m1
1.2.3.2 m2.my.dom m2
1.2.3.4 float.my.dom float
Then I assume you need to weewee on arp a little and do something like ip address add xxx .. and delete it off the failing one etc etc ... ?
On the other hand - you probably don't need any of this as DNS is probably doing it all, no?
I'll leave this to the failover, clusterer experts ..
gene