On Fri, Nov 05, 2010 at 10:03:25AM -0700, Mike DeMarco wrote:
> Build 134
> My nsswitch.conf file is set up as such
>
> hosts files nis dns
> ipnodes files nis dns
>
> when snooping the interface I see dns lookups even though the IP address lives
> in the local host file and/or the nis database.
>
> It was a very early problem with nsswitch that it would still follow through
> with requests even though they were satisfied with the prior request. I tried
> to limit it going out to the next resource if the current one was found with
>
> hosts: files [SUCCESS=return] nis [SUCCESS=return] dns
> ipnodes: files [SUCCESS=return] nis [SUCCESS=return] dns
>
> But still every request goes to dns no matter what it finds in the files
> database or nis database.
>
> Waiting for a dns timeout on every ssh to a host that is not in dns is a
> killer.
>
> Anyone seen this behavior and have input?

ssh will try to do krb auth by default and krb bypasses the nsswitch to
always try DNS to canonicalize host names. So it may help to config ssh
to not try krb auth (which is basically the gssapi* auth methods, see
man ssh_config). If that doesn't help, use truss or dtrace to see how
dns is getting called via ssh.

--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/