On Wednesday, 10 March 2021 16:58:47 GMT Grant Taylor wrote:
> On 3/10/21 8:25 AM, Michael wrote:
> > I think this is relevant to DNS resolution of/with domain controllers
> > and may depend on the AD/DC topology.
>
> I disagree. Pure Linux in a MIT / Heimdal Kerberos environment has the
> same requirements. Hence having nothing specific to do with Active
> Directory, much less the AD topology.

I'm losing my thread in this ... thread, but what I'm trying to say is the AD/
DC and Kerberos way of processing the /etc/hosts entries, when an /etc/hosts
file is used, is different to your run-of-the-mill Linux box and server.

The Samba link in a previous message makes it clear the DC must have a DNS
domain, which corresponds to the domain for the AD forest; this will be used
by the Kerberos AD realm; and,

the DC must have a static IP address.


> > The idea is to use the LAN address of the box as the first address
> > in /etc/hosts and use 127.0.0.1 as the second address in the file.
>
> Please elaborate. Because I believe the following qualifies with your
> statement:
>
> 192.0.2.1 host.example.net host
> 127.0.0.1 localhost
>
> Which is effectively the same as the following:
>
> 127.0.0.1 localhost
> 192.0.2.1 host.example.net host
>
> Both of which are different than the following:
>
> 192.0.2.1 host.example.net host
> 127.0.0.1 localhost host.example.net host

Yes.


> Putting host.example.net and host on the 127.0.0.1 line doesn't
> accomplish anything. And it still suffers from -- what I think is --
> the poor recommendation that I'm inquiring about.

The syntax is:

IP_address canonical_hostname [aliases...]

Therefore, in an entry like:

127.0.0.1 localhost host.example.net host

the "host.example.net" and "host" are both entered as aliases, but will
nevertheless resolve to 127.0.0.1 - which will break the Samba AD DC
requirement. The host name and FQDN must resolve to the static IP of the DC
on the LAN.

Since /etc/hosts is parsed from the top, things may work fine when the
localhost entry is further down the list and further down than any other
entries acting as AD DNS resolvers - I don't recall testing this on Samba to
know for sure.

The same syntax won't break a LAMP, or vanilla Linux PC, as long as the same
box is not acting as a DC.


> > If more AD/DNS servers exist in the network, then 127.0.0.1 could be
> > even further down the list.
> >
> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff807362(v=ws.10)?redirectedfrom=MSDN
>
> What does the number of DNS servers have to do with the contents of the
> /etc/hosts file?

See my statement above re. entries for AD DNS resolvers, if these are listed
in the /etc/hosts file.


> How are the contents of the /etc/hosts file related to the
> /etc/resolv.conf file?

The /etc/hosts file specifies the LAN IP address(es) of the DC which acts as
DNS resolver for the AD DNS zones. The DC's /etc/resolv.conf shouldn't be
pointing to non-AD-compatible resolvers.


> > I haven't over-thought this and there may be more to it, but on a
> > pure Linux environment I expect this would not be a requirement,
> > hence the handbook approach.
>
> Apples and bowling balls. /etc/hosts is not the same concept as
> /etc/resolv.conf.

ACK. I hope what I've written above better reflects my understanding,
although it could be factually incorrect. Other contributors should soon put
me right. :-)
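The /etc/hosts syntax and the DC requirement discussed in the message above (the host name and FQDN must map to the DC's static LAN address, not to 127.0.0.1) can be checked mechanically. The following is an added example written for this thread; it is not code from the thread, from Samba, or from any distribution. It parses the `IP_address canonical_hostname [aliases...]` format, reports which lines map a given name, and flags two conditions: the first matching line does not carry the expected static address, or any line at all maps the name to a loopback address. The "first match wins" model is a simplification of how a `files` lookup behaves; because a resolver may also merge addresses from every matching line, the conservative check is that the DC's names must not appear on any loopback line regardless of ordering. The sample hosts files below are constructed to mirror the layouts quoted in the thread, and the host name, FQDN and 192.0.2.1 address are the thread's own placeholders.

```python
"""Static check of /etc/hosts for a Samba AD DC host.

Added example for the mailing-list discussion above; not Samba's code.  The
DC's short host name and FQDN must map to its static LAN address and must not
appear on any loopback line.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class HostsEntry:
    lineno: int
    address: str
    canonical: str
    aliases: list


def parse_hosts(text):
    """Parse /etc/hosts lines of the form
    'IP_address canonical_hostname [aliases...]'.
    Comments (#...) and blank lines are skipped; a line whose first field is
    not an IP address, or that carries no name, is ignored as malformed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(lineno, fields[0], fields[1], fields[2:]))
    return entries


def names_of(entry):
    """All names an entry maps, lower-cased: canonical name first, then aliases."""
    return [entry.canonical.lower()] + [a.lower() for a in entry.aliases]


def lookup(entries, name):
    """Every (lineno, address) pair that maps `name`, in file order.  The first
    element is what a first-match lookup returns; a resolver that merges all
    matching lines would return every element."""
    name = name.lower()
    return [(e.lineno, e.address) for e in entries if name in names_of(e)]


def check_dc_hosts(text, hostname, fqdn, static_ip):
    """Return a list of problem strings; an empty list means the file is OK."""
    entries = parse_hosts(text)
    problems = []
    for name in (fqdn, hostname):
        matches = lookup(entries, name)
        if not matches:
            problems.append(f"{name}: no /etc/hosts entry at all")
            continue
        first_line, first_addr = matches[0]
        if first_addr != static_ip:
            problems.append(
                f"{name}: first match (line {first_line}) is {first_addr}, "
                f"expected static LAN address {static_ip}")
        for lineno, addr in matches:
            # Loopback anywhere is a problem, whatever the ordering.
            if ipaddress.ip_address(addr).is_loopback:
                problems.append(
                    f"{name}: line {lineno} also maps it to loopback {addr}; "
                    "remove the name from that line")
    return problems


# Constructed sample files mirroring the layouts quoted in the thread.
HOSTS_LAN_FIRST = "192.0.2.1 host.example.net host\n127.0.0.1 localhost\n"
HOSTS_LOOPBACK_FIRST = "127.0.0.1 localhost\n192.0.2.1 host.example.net host\n"
HOSTS_ALIASES_ON_LOOPBACK = ("192.0.2.1 host.example.net host\n"
                             "127.0.0.1 localhost host.example.net host\n")
HOSTS_ONLY_LOOPBACK = "127.0.0.1 localhost host.example.net host\n"

if __name__ == "__main__":
    samples = [("LAN address first", HOSTS_LAN_FIRST),
               ("loopback first", HOSTS_LOOPBACK_FIRST),
               ("names repeated on loopback line", HOSTS_ALIASES_ON_LOOPBACK),
               ("names only on loopback line", HOSTS_ONLY_LOOPBACK)]
    for label, text in samples:
        found = check_dc_hosts(text, "host", "host.example.net", "192.0.2.1")
        print(f"{label}: {'OK' if not found else 'PROBLEMS'}")
        for p in found:
            print("  -", p)
```

The first two layouts pass, which matches the point in the thread that their order does not matter. The third passes the first-match test but is still flagged because line 2 maps both names to 127.0.0.1; the fourth fails both tests.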