Algorithm to resolve host names

The following process is used to map a service principal name to a key in the SPNEGO key table:

  1. Resolve the host name to an IP address. The mapping process depends on your host name resolution configuration. Typically, the /etc/hosts file is checked first followed by the DNS server that is configured in the resolv.conf file.

    If the resolution succeeds, the process continues with step 2.

    If the resolution fails, the canonical name is assumed to be the same as the host name. The process continues with step 3.

  2. Resolve the IP address to the canonical name. The mapping process depends on your host name resolution configuration. Typically, the /etc/hosts file is checked first followed by the DNS server that is configured in the resolv.conf file.

    If the IP address is found in the /etc/hosts file, the canonical name is set to the first host name that is listed.

    If the IP address is not found in the /etc/hosts file, the DNS server is queried to complete a reverse lookup on the IP address. If the DNS server returns a host name for this IP address, this host name becomes the canonical name. If the IP address is not found in the /etc/hosts file and if the DNS server does not return a host name for this IP address, the canonical name is assumed to be the same as the host name.

    Common error
If the /etc/hosts file lists the short name of the host before the fully qualified host name, the format of the /etc/hosts file is incorrect. Entries in the /etc/hosts file are in the following format:
    IP_address fully_qualified_hostname short_name

    When the format is incorrect, host name resolution might return the short name. The canonical name is then set to this short name. When this issue occurs, the Web server searches for the wrong key in the key table. The canonical name must be set to match the host name that clients use to contact the Web server.

    Resolution
Contact your AIX, Linux, or Solaris system administrator on how to change entries in the following files:
    • /etc/hosts
    • resolv.conf
  3. Map the canonical name from step 1 or step 2 to the realm name by checking the [domain_realm] stanza of the /opt/PolicyDirector/etc/krb5.conf file. Each entry in this stanza maps a host name or domain name to a realm name.

The canonical host name is checked against each of the host entries. If a matching host entry is found, the realm name becomes the realm specified for the host. If no matching host entry is found, the domain entries are checked. If a matching domain entry is found, the realm name becomes the realm specified for that domain. If no matching domain entry is found, the realm name becomes the value of the [libdefaults] default_realm entry in the /opt/PolicyDirector/etc/krb5.conf file.

    Common error
    The entries in the [domain_realm] stanza of the /opt/PolicyDirector/etc/krb5.conf file are incorrect.
    Resolution
    Verify the realm name specified in the [domain_realm] stanza is correct, and verify the canonical name matches a host or domain entry in this stanza.
  4. Verify the key table contains this entry.
    Common error
    The key table does not contain a matching entry.
    Resolution
    Use the am_klist command or the am_ktutil program to check the SPNEGO key table for an entry in the following format:
    HTTP/canonical_name@realm_name

    For details about using the am_ktutil program, see Validating keys in key tables.
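The following Python script walks through steps 1 to 4 above on constructed inputs so that the effect of each step can be checked offline. It is an added example, not code from the product: the /etc/hosts contents, the krb5.conf fragment, the host and realm names and the key table contents are all made up; DNS is not simulated (only the /etc/hosts path is modelled), and the way domain entries are matched (longest dot-prefixed suffix of the canonical name) is an assumption about the [domain_realm] lookup. The second /etc/hosts variant reproduces the common error from step 2, where the short name is listed first, and shows the wrong principal that results.

```python
"""
Walk through the SPNEGO service-principal mapping (host name -> IP ->
canonical name -> realm -> key table entry) on constructed data.
Added example; none of the file contents or names below are real.
"""
import re

# --- constructed inputs ---------------------------------------------------

# Correctly formatted /etc/hosts: IP, fully qualified name, then short name.
HOSTS_OK = """\
127.0.0.1   localhost
192.0.2.10  web1.example.com web1
"""

# The common error: short name listed before the fully qualified name.
HOSTS_BAD = """\
127.0.0.1   localhost
192.0.2.10  web1 web1.example.com
"""

# Constructed krb5.conf fragment with [libdefaults] and [domain_realm].
KRB5_CONF = """\
[libdefaults]
    default_realm = DEFAULT.EXAMPLE.COM

[domain_realm]
    web1.example.com = WEB.EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""

# Principals present in the constructed SPNEGO key table.
KEYTAB = {"HTTP/web1.example.com@WEB.EXAMPLE.COM"}


def parse_hosts(text):
    """Return (name -> ip, ip -> [names in listed order]) from /etc/hosts text."""
    name_to_ip, ip_to_names = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ip_to_names.setdefault(ip, []).extend(names)
        for n in names:
            name_to_ip.setdefault(n, ip)
    return name_to_ip, ip_to_names


def parse_krb5(text):
    """Return {stanza: {key: value}} for a krb5.conf-style file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip()] = value.strip()
    return stanzas


def canonical_name(hostname, hosts_text):
    """Steps 1 and 2: host name -> IP -> canonical name, with the stated fallbacks."""
    name_to_ip, ip_to_names = parse_hosts(hosts_text)
    ip = name_to_ip.get(hostname)            # step 1: forward lookup (no DNS here)
    if ip is None:
        return hostname                      # resolution failed: canonical = host name
    names = ip_to_names.get(ip)              # step 2: reverse lookup in /etc/hosts
    return names[0] if names else hostname   # the FIRST listed name becomes canonical


def realm_for(canonical, krb5_text):
    """Step 3: host entries first, then domain entries, then default_realm."""
    conf = parse_krb5(krb5_text)
    domain_realm = conf.get("domain_realm", {})
    if canonical in domain_realm:            # exact host entry
        return domain_realm[canonical]
    # Assumption: domain entries start with a dot and the longest matching suffix wins.
    candidates = [d for d in domain_realm if d.startswith(".") and canonical.endswith(d)]
    if candidates:
        return domain_realm[max(candidates, key=len)]
    return conf.get("libdefaults", {}).get("default_realm")


def expected_spn(hostname, hosts_text, krb5_text):
    """Steps 1-3 combined: the principal name the Web server will look for."""
    canon = canonical_name(hostname, hosts_text)
    return f"HTTP/{canon}@{realm_for(canon, krb5_text)}"


def key_table_has(spn, keytab=KEYTAB):
    """Step 4: is the expected HTTP/canonical_name@realm_name entry in the key table?"""
    return spn in keytab


if __name__ == "__main__":
    for label, hosts in (("correct /etc/hosts", HOSTS_OK), ("short name first", HOSTS_BAD)):
        spn = expected_spn("web1.example.com", hosts, KRB5_CONF)
        print(f"{label}: looks for {spn}; in key table: {key_table_has(spn)}")
```

With the correctly ordered /etc/hosts the script arrives at HTTP/web1.example.com@WEB.EXAMPLE.COM, which is in the constructed key table. With the short name listed first, the canonical name collapses to web1, no [domain_realm] entry matches, the realm falls back to default_realm, and the server searches for HTTP/web1@DEFAULT.EXAMPLE.COM, which is not in the key table; that is exactly the symptom described under step 2, and it is what am_klist or am_ktutil would let you confirm against the real key table.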

Parent topic: Problems with SPNEGO