smiles@ferrari.nmc.ed.ray.com (Kevin Ruddy) (12/29/90)
I'm confused. I recently installed Ultrix 4.1A on two DECstation 3100s. I have a question about Hesiod, a question about sendmail, and a real problem with Kerberos.

I read (or thought I did) the BIND/Hesiod Guide. It didn't seem to mention that I needed to add an HS NS RR anywhere, but I believe that I had to in order to make it work. My question: do I also need an HS A RR? That doesn't make much sense, but I've configured one in anyway for now.

Does the sendmail that comes with Ultrix (5.57, it claims) support MX records? I have MX records for nodes without IP addresses, and letters that are addressed to that node are being bounced. Our machine, ferrari.nmc.ed.ray.com, is in the domain nmc.ed.ray.com. When I mail user@sud.ed.ray.com (domain ed.ray.com), it goes through the $R relay. If I mail user@sud (no domain specified), it bounces, saying "sud.tcp... 550 Host unknown". While it is reasonable to want fully-qualified names, I have to support a large user organization that expects a "domain fall-through" -- if there's no host.nmc.ed.ray.com, try host.ed.ray.com, then host.ray.com ... --

And now, for the problem with Kerberos. I have two machines trying to use Kerberos. I'll explain my current configuration. One is a master (ferrari.nmc.ed.ray.com), while the other is a client (tif2.ed.ray.com). I have an /etc/krb.conf on both machines that looks like this (without the leading tab, of course):

	ed.ray.com
	ed.ray.com ferrari.nmc.ed.ray.com

I ran kdb_init on ferrari. I ran kdb_edit and added principals for "named" and "hesiod". I ran ext_srvtab to generate a srvtab for both ferrari and tif2. (I noticed tif2's was empty.) I also ran kstash.

My security level is at ENHANCED. I did not do BSD -> UPGRADE -> ENHANCED or anything like that. During the initial installation, I just picked ENHANCED.

When I telnet to either machine, I get a "Kerberos initialization failure" message. I get the same message when I use "su". I don't see any such message when I log in on the console. (Perhaps it's not recognized by the prompting program?)

When I start a Kerberos-authenticated named (bindsetup generated the line in /etc/rc.local), it dies with a syslog message thus:

	[date] localhost: [pid] named: bad krb_svc_int call 255

Also, when I make auth.ed.ray.com Hesiod queries from tif2 (the client machine), I get a "Server failed" message. I think I read somewhere in TFM that if named is not Kerberos-authenticated, it will not pass along auth Hesiod information. Is this correct?

If anyone could help me out with these problems, I would greatly appreciate it. I'm really stuck. Please mail me instead of posting, as I've gotten mail working (I think!), but not news. I will gladly summarize if there's any interest.

As an aside, does anyone know if DEC is planning to add Kerberos authentication for users? I don't see a "klogin" utility or any of the fun stuff I've seen at Athena. And it's unfortunate that there isn't a kerbsetup utility to make this whole process easier, but I would suspect that one is on its way.

Thanks in advance. Really.

Kevin Ruddy
smiles@ferrari.nmc.ed.ray.com