| 1 |
On Wednesday, 10 March 2021 16:58:47 GMT Grant Taylor wrote: |
| 2 |
> On 3/10/21 8:25 AM, Michael wrote: |
| 3 |
> > I think this is relevant to DNS resolution of/with domain controllers |
| 4 |
> > and may depend on the AD/DC topology. |
| 5 |
> |
| 6 |
> I disagree. Pure Linux in a MIT / Heimdal Kerberos environment has the |
| 7 |
> same requirements. Hence having nothing specific to do with Active |
| 8 |
> Directory, much less the AD topology. |
| 9 |
|
| 10 |
I'm losing my thread in this ... thread, but what I'm trying to say is the AD/ |
| 11 |
DC and Kerberos way of processing the /etc/hosts entries, when an /etc/hosts |
| 12 |
file is used, is different to your run of the mill Linux box and server. |
| 13 |
|
| 14 |
The Samba link in a previous message makes it clear the DC must have a DNS |
| 15 |
domain, which corresponds to the domain for the AD forest, this will be used |
| 16 |
by the Kerberos AD realm; and, |
| 17 |
|
| 18 |
the DC must have a static IP address. |
| 19 |
|
| 20 |
|
| 21 |
> > The idea is to use the LAN address of the box as the first address |
| 22 |
> > in /etc/hosts and use 127.0.0.1 as the second address in the file. |
| 23 |
> |
| 24 |
> Please elaborate. Because I believe the following qualifies with your |
| 25 |
> statement: |
| 26 |
> |
| 27 |
> 192.0.2.1 host.example.net host |
| 28 |
> 127.0.0.1 localhost |
| 29 |
> |
| 30 |
> Which is effectively the same as the following: |
| 31 |
> |
| 32 |
> 127.0.0.1 localhost |
| 33 |
> 192.0.2.1 host.example.net host |
| 34 |
> |
| 35 |
> Both of which are different than the following: |
| 36 |
> |
| 37 |
> 192.0.2.1 host.example.net host |
| 38 |
> 127.0.0.1 localhost host.example.net host |
| 39 |
|
| 40 |
Yes. |
| 41 |
|
| 42 |
|
| 43 |
> Putting host.example.net and host on the 127.0.0.1 line doesn't |
| 44 |
> accomplish anything. And it still suffers from -- what I think is -- |
| 45 |
> the poor recommendation that I'm inquiring about. |
| 46 |
|
| 47 |
The syntax is: |
| 48 |
|
| 49 |
IP_address canonical_hostname [aliases...] |
| 50 |
|
| 51 |
Therefore, in an entry like: |
| 52 |
|
| 53 |
127.0.0.1 localhost host.example.net host |
| 54 |
|
| 55 |
the "host.example.net" and "host" are both entered as aliases, but will |
| 56 |
nevertheless resolve to 127.0.0.1 - which will break the Samba AD DC |
| 57 |
requirement. The host name and FQDN must resolve to the static IP of the DC |
| 58 |
on the LAN. |
| 59 |
|
| 60 |
Since /etc/hosts is parsed from the top, things may work fine when the |
| 61 |
localhost entry is further down the list and further down than any other |
| 62 |
entries acting as AD DNS resolvers - I don't recall testing this on Samba to |
| 63 |
know for sure. |
| 64 |
|
| 65 |
The same syntax won't break a LAMP, or vanilla linux PC, as long as the same |
| 66 |
box is not acting as a DC. |
| 67 |
|
| 68 |
|
| 69 |
> > If more AD/DNS servers exist in the network, then 127.0.0.1 could be |
| 70 |
> > even further down the list. |
| 71 |
> > |
| 72 |
> > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-> > server-2008-R2-and-2008/ff807362(v=ws.10)?redirectedfrom=MSDN |
| 73 |
> |
| 74 |
> What does the number of DNS servers have to do with the contents of the |
| 75 |
> /etc/hosts file? |
| 76 |
|
| 77 |
See my statement above re. entries for AD DNS resolvers, if these are listed |
| 78 |
in the /etc/hosts file. |
| 79 |
|
| 80 |
|
| 81 |
> How is the contents of the /etc/hosts file related to the |
| 82 |
> /etc/resolv.conf file? |
| 83 |
|
| 84 |
The /etc/hosts file specifies the LAN IP address(es) of the DC which acts as |
| 85 |
DNS resolver for the AD DNS zones. The DC's /etc/resolv.conf shouldn't be |
| 86 |
pointing to non-AD compatible resolvers. |
| 87 |
|
| 88 |
|
| 89 |
> > I haven't over-thought this and there may be more to it, but on a |
| 90 |
> > pure linux environment I expect this would not be a requirement, |
| 91 |
> > hence the handbook approach. |
| 92 |
> |
| 93 |
> Apples and bowling balls. /etc/hosts is not the same concept as |
| 94 |
> /etc/resolv.conf. |
| 95 |
|
| 96 |
ACK. I hope what I've written above better reflects my understanding, |
| 97 |
although it could be factually incorrect. Other contributors should soon put |
| 98 |
me right. :-) |
Archives