1 |
On 3/12/21 12:04 PM, Michael wrote: |
2 |
> Right. That's the nub of it. Samba, with AD-DC and Kerberos |
3 |
> configuration deserves special attention and the apps devs advise |
4 |
> accordingly. |
5 |
|
6 |
I see it differently. |
7 |
|
8 |
There's the sloppy / slipshod way that doesn't negatively effect /most/ |
9 |
things. Then there's the better / proper way that doesn't negatively |
10 |
effect anything. |
11 |
|
12 |
I see no reason to ever do it the sloppy / slipshod way when it's simple |
13 |
to do it the better / proper way. |
14 |
|
15 |
> Yes, I recall apache would fail if you tried to contact |
16 |
> http://localhost or its FQDN from the server itself, with something |
17 |
> like "... host name not valid for this server", but it would serve |
18 |
> the default "It works!" webpage when the server's FQDN was called |
19 |
> from clients. Anyway, all this is O/T from the main question. |
20 |
|
21 |
It is on topic as supporting evidence to why the main topic, having the |
22 |
hostname on the 127.0.0.1 / ::1 IP in the /etc/hosts file, is a bad idea. |
23 |
|
24 |
> It doesn't, obviously the two files are fulfilling different purposes. |
25 |
> You could however specify in the DC's host file any additional DNS |
26 |
> servers in the AD DNS zone with their static IP addresses. I tend |
27 |
> to do this and also check the hosts file in the first instance when I |
28 |
> forget what other machines play some (important) role on the current |
29 |
> host's functions. This is by no means a rule or even a recommendation |
30 |
> for others to do the same. ;-) |
31 |
|
32 |
Ah. So you're (ab)using the /etc/hosts file as a form of documentation |
33 |
to make life for future you easier. Fair enough. But call the spade |
34 |
the spade that it is. State that you're putting the information there |
35 |
for documentation purposes, not because it's needed for some other reason. |
36 |
|
37 |
> I wouldn't call it majorly "wrong" on a standalone desktop use case, in |
38 |
> the sense that it shouldn't break things - I think. |
39 |
|
40 |
I would call a configuration that works in all cases to be superior to a |
41 |
configuration that only works in some cases and fails in other cases. |
42 |
As such I'm describing the inferior configuration as "wrong". |
43 |
|
44 |
> Address 127.0.0.1 is for internal consumption, it won't be seen by the |
45 |
> external network and the host can refer to itself as its user desires. |
46 |
|
47 |
External hosts will see the 127.0.0.1 / ::1 address when things, like |
48 |
Kerberos, use gethostbyname() and put the returned value into traffic |
49 |
that leaves the system. |
50 |
|
51 |
Aside: localhost / 127.0.0.1 / ::1 is /not/ unique to any system. |
52 |
Conversely a hosts name /is/ unique to /only/ the system. Thus anything |
53 |
that wants the local host's unique name should never use / see localhost |
54 |
/ 127.0.0.1 / ::1. As such, any time that a hosts unique name resolves |
55 |
to a non-unique address should be considered wrong. |
56 |
|
57 |
> Furthermore, LAN addresses and domains may change all the time on |
58 |
> say a roaming laptop, so setting up aliases against a temporary LAN |
59 |
> IP becomes cumbersome. |
60 |
|
61 |
I never allow an external DHCP server (et al.) to specify the local |
62 |
system's host name. Especially DHCP servers that I don't know, much |
63 |
less trust. |
64 |
|
65 |
People's names don't change when they move to a different address. At |
66 |
least this is the norm for the vast majority of people in the U.S.A. I |
67 |
assume the same for the rest of the world. |
68 |
|
69 |
> Yes, specifying a FQDN against localhost doesn't align with the |
70 |
> practice of most distros and a number of RFCs, therefore asking why |
71 |
> the handbook offers this guidance without qualifying it is worth |
72 |
> exploring further. |
73 |
|
74 |
Very good point. |
75 |
|
76 |
> We have already established the handbook suggestion creates breakage on |
77 |
> Samba with AD/DC, potentially on a webserver, and perhaps other server |
78 |
> applications. I agree using 127.0.0.1 for the special "localhost" |
79 |
> hostname is cleaner and in these use cases the right solution. |
80 |
|
81 |
Yes. |
82 |
|
83 |
> I recalled old bugs filed about this and had a look. I don't know of |
84 |
> other dev conversations/bugs and what might have produced the current |
85 |
> guidance in the handbook: |
86 |
> |
87 |
> https://bugs.gentoo.org/40203 |
88 |
> https://bugs.gentoo.org/53188 |
89 |
|
90 |
These hint at other underlying bugs / (mis)configuration issues. |
91 |
|
92 |
I can see why people might have chosen to hack around this problem by |
93 |
causing the host's name to resolve to 127.0.0.1 / ::1. -- However, |
94 |
I'll argue that a better solution would be to add an additional IP |
95 |
address to the lo (or dummy) interface and make the name resolve to that. |
96 |
|
97 |
> Interestingly you attracted my attention to the man page for the |
98 |
> hosts file, which I assume is installed by baselayout. I noticed |
99 |
> this example quoted at the bottom where 127.0.1.1 is used for the |
100 |
> host's FQDN: |
101 |
> |
102 |
> EXAMPLES |
103 |
> # The following lines are desirable for IPv4 capable hosts |
104 |
> 127.0.0.1 localhost |
105 |
> |
106 |
> # 127.0.1.1 is often used for the FQDN of the machine |
107 |
> 127.0.1.1 thishost.mydomain.org thishost |
108 |
|
109 |
You can probably guess that I think this is a bug which should be corrected. |
110 |
|
111 |
Or at the very least call out that this is inferior and can cause problems. |
112 |
|
113 |
> If the Gentoo handbook recommends something different, I think the devs |
114 |
> should at least qualify why this is so and potentially offer warnings |
115 |
> on use cases where the handbook recommendation is inappropriate and |
116 |
> must be deviated from. |
117 |
|
118 |
Agreed. |
119 |
|
120 |
Also, see prior comment about superior / everywhere vs inferior / not |
121 |
everywhere options. |
122 |
|
123 |
|
124 |
|
125 |
-- |
126 |
Grant. . . . |
127 |
unix || die |