On Tue, Jul 25, 2017 at 09:47:18AM +0300, Heikki Lindholm wrote:
> On 24.07.2017 19:40, Roland C. Dowdeswell wrote:
> > On Sun, Jul 23, 2017 at 08:23:52AM +0300, Heikki Lindholm wrote:
> > > The Heimdal version identifies itself as 1.5.2. The main problem is that
> > > Heimdal doesn't appear to use /etc/hosts for looking up the KDC's IP
> > > address, but goes to DNS, and fails.
> >
> > 1.5.2 is quite old and, IIRC, I've seen this before. You can work
> > around it by adding the kdc name with a dot at the end as an alias in
> > the hosts file.
>
> Thank you very much. That trick did it. It's weird, though. I would have
> likely never arrived at the same solution by myself.
It's a work-around in the Heimdal code which appends a trailing dot to hostnames when looking them up, to avoid the DNS search path specified in /etc/resolv.conf. Viktor and I discussed relaxing this yesterday because we believe that it is counter-intuitive. It certainly confused me, but I worked it out by reading the code rather than the documentation.

The approach that we think will work in the short term is to append the trailing dot iff the hostname came from DNS SRV RRs, as they should not honour the DNS search path. The existing behaviour can be replicated by those who are using /etc/krb5.conf by appending their own trailing dot to the configured names.

In the longer term, we should likely stop using getaddrinfo(3) for names obtained from DNS SRV RRs and directly query DNS for them, as this matches expectations. That is: you wouldn't expect that if you find

    _kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm

that an entry for foo.my.realm in /etc/hosts would then override the DNS for it.

-- 
Roland C. Dowdeswell
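The behaviour discussed in the thread, modelled as an added example (this is not Heimdal code and is not taken from the thread): a literal /etc/hosts lookup, the old rule of always making the name absolute before getaddrinfo(), and the proposed rule of doing so only for SRV targets. The hosts-file contents, the names and the addresses are constructed; the assumption that the files backend compares the queried name against hosts entries literally, so that "kdc.example.com." only matches if that exact alias is present, is what the trailing-dot alias workaround implies.

```python
"""
Model of KDC hostname qualification before getaddrinfo(), as discussed in
the thread. Constructed example, not Heimdal's implementation. Assumes the
hosts-file lookup is a literal (case-insensitive) match on the queried
name, which is why an alias with a trailing dot fixes the old behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse /etc/hosts syntax: 'address canonical [alias ...]', '#' comments."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve_files(table: Dict[str, List[str]], name: str) -> List[str]:
    """Files backend: the queried string must match an entry as written."""
    return table.get(name.lower(), [])


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(rr: str) -> SRV:
    """Parse a zone-file style SRV line, e.g.
    '_kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm' (class optional)."""
    fields = rr.split()
    if "SRV" not in fields:
        raise ValueError("not an SRV record: %r" % rr)
    i = fields.index("SRV")
    prio, weight, port, target = fields[i + 1:i + 5]
    return SRV(int(prio), int(weight), int(port), target)


def qualify_old(name: str) -> str:
    """Old rule: always make the name absolute to defeat the resolv.conf search path."""
    return name if name.endswith(".") else name + "."


def qualify_proposed(name: str, from_srv: bool) -> str:
    """Proposed rule: absolute only for SRV targets. Names from krb5.conf pass
    through unchanged; an admin who wants the old behaviour writes the dot."""
    if from_srv and not name.endswith("."):
        return name + "."
    return name


def lookup_kdc(table: Dict[str, List[str]], name: str, from_srv: bool,
               proposed: bool) -> Tuple[str, List[str]]:
    """Return (name actually queried, addresses found in the hosts table)."""
    queried = qualify_proposed(name, from_srv) if proposed else qualify_old(name)
    return queried, resolve_files(table, queried)


# Constructed hosts files: before and after the alias workaround from the thread.
HOSTS_BEFORE = """
127.0.0.1   localhost
10.0.0.5    kdc.example.com kdc
"""
HOSTS_WITH_ALIAS = """
127.0.0.1   localhost
10.0.0.5    kdc.example.com kdc kdc.example.com.
"""

if __name__ == "__main__":
    cfg_name = "kdc.example.com"            # as it would appear in krb5.conf
    for label, text in (("no alias", HOSTS_BEFORE), ("with alias", HOSTS_WITH_ALIAS)):
        table = parse_hosts(text)
        print(label, "old rule:     ", lookup_kdc(table, cfg_name, False, proposed=False))
        print(label, "proposed rule:", lookup_kdc(table, cfg_name, False, proposed=True))
    srv = parse_srv("_kerberos._udp.my.realm IN SRV 0 0 88 foo.my.realm")
    print("SRV target queried as:", qualify_proposed(srv.target, from_srv=True), "port", srv.port)
```

Running it shows the old rule turning a krb5.conf name into "kdc.example.com." and missing the hosts entry until the dotted alias is added, while the proposed rule leaves configured names alone and only makes SRV targets absolute.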