Could someone help me understand IP addresses, DNS, and Kerberos on OpenBSD?
I was getting "incorrect net address" when trying to kinit, and I found that switching 2 lines in /etc/hosts, putting "10.0.1.201 auth.my.realm auth" first, before "::1 auth.my.realm auth", fixed this, but I don't understand this and I suspect it means I'm doing something else wrong.

Starting from a fresh install of OpenBSD 4.1/i386 for my server alone on a test network. The server name was set to 'auth', domain name 'my.realm', and IP set to 10.0.1.202. Trying to get this server to act as a kdc.

I needed the server to also run DNS on this test network. I added a forward and reverse zone to /var/named/etc/named.conf:

    zone "my.realm" {
        type master;
        file "master/my.realm";
        forwarders { };
    }

    zone "1.0.10.in-addr.arpa" {
        type master;
        file "master/10-0-1.zone";
        forwarders { };
    }

/var/named/master/my.realm contains:

    my.realm.   IN SOA  auth.my.realm. root.my.realm. (...)
    @           IN NS   auth.my.realm.
    localhost   IN A    127.0.0.1
    auth        IN A    10.0.1.202

/var/named/master/10-0-1.zone contains:

    @     IN SOA auth.my.realm. root.my.realm. (...)
          NS  auth.my.realm.
    202   PTR auth.my.realm.

For Kerberos, then, I tried to follow the directions at www.h5l.se/manual/HEAD/info/heimdal.html. I created an /etc/kerberosV/krb5.conf file:

    [appdefaults]
        kinit = {
            afslog = no
        }

    [libdefaults]
        default_realm = MY.REALM

    [realms]
        MY.REALM = {
            kdc = auth.my.realm
        }

    [domain_realm]
        .my.realm = MY.REALM

I made the database directory:

    # mkdir /var/heimdal

I initialized the realm and added a principal:

    # kadmin -l
    kadmin> init MY.REALM
    Realm max ticket life [unlimited]: ...
    kadmin> add admin
    ...

I started the kdc:

    # /usr/libexec/kdc &

but when I tried

    # kinit admin

or

    # kinit admin --no-address

I got "incorrect net address". When I checked /var/heimdal/kdc.log, the errors seemed to suggest that ::1 was the IP from which the ticket request came, and it didn't like that.
So I changed /etc/hosts from

    ::1        localhost.my.realm localhost
    127.0.0.1  localhost.my.realm localhost
    ::1        auth.my.realm auth
    10.0.1.202 auth.my.realm auth

to

    10.0.1.201 auth.my.realm auth
    ::1        auth.my.realm auth

and now I can successfully

    # kinit admin

But I don't understand. It seemed that kinit was trying ::1, an IPv6 address, first. Why this one? Does my problem lie in my DNS configuration? Do I need an IPv6 reverse zone file? Any help understanding this interaction would be very appreciated. Thanks so much.
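As an added example (not from the original post), a small Python check that walks an /etc/hosts table in the top-to-bottom order a files-based lookup uses and reports which address a name yields first; the two tables below are constructed from the layouts the post describes, and the loopback-first flag is the condition the kdc.log symptom above points at.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed copies of the two /etc/hosts layouts described in the post.
HOSTS_BEFORE = """\
::1        localhost.my.realm localhost
127.0.0.1  localhost.my.realm localhost
::1        auth.my.realm auth
10.0.1.202 auth.my.realm auth
"""

HOSTS_AFTER = """\
10.0.1.201 auth.my.realm auth
::1        auth.my.realm auth
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each name (lowercased) to its addresses in file order.

    A files-based resolver walks /etc/hosts from the top, so the first
    line naming a host supplies the first address a lookup returns."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address field
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def first_address(text: str, name: str) -> Optional[str]:
    """Address a top-to-bottom lookup of `name` yields first, or None."""
    addrs = parse_hosts(text).get(name.lower(), [])
    return addrs[0] if addrs else None


def loopback_first(text: str, name: str) -> bool:
    """True when `name` resolves to ::1 or 127.0.0.1 before any LAN address.

    A KDC name that comes out loopback-first means any address comparison
    on the Kerberos side sees a loopback address, not the 10.0.1.x one."""
    addr = first_address(text, name)
    return addr is not None and ipaddress.ip_address(addr).is_loopback


if __name__ == "__main__":
    for label, text in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, parse_hosts(text)["auth.my.realm"],
              "loopback first:", loopback_first(text, "auth.my.realm"))
```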