Host name resolution considerations
To ensure that Kerberos authentication and host name resolution work properly with your Kerberos-enabled applications, verify that your PCs and your IBM® i platforms resolve the same host name for the system on which the service application resides.
In a Kerberos environment, both the client and the server use some method of host name resolution to determine the host name for the system on which a particular application or service resides. If the IBM i platforms and the PCs use a Domain Name System (DNS) server, it is important that they use the same DNS server to perform host name resolution or, if they use more than one DNS server, that the host names are the same on both DNS servers. If your IBM i platform or PC resolves host names locally (from a local host table or file), they might resolve a host name that is different from the corresponding host name recorded on the DNS server. This might cause network authentication service to fail.
To ensure that Kerberos authentication and host name resolution work properly with your Kerberos-enabled applications, you must verify that your PCs and your IBM i platforms resolve the same host name for the system on which the service application resides. In the following example, this system is called System A.
The following instructions demonstrate how to determine whether the PCs and IBM i platforms resolve the same name for System A. Refer to the example work sheets as you follow the instructions.
You can enter your own information in the blank work sheets when you perform these steps for your Kerberos realm.
Details
DNS server
- Contains data resource records that indicate that IP address 10.1.1.1 correlates to host name systema.myco.com, the IP address and host name for System A.
- Might be used by the PC, System A, or both for host resolution.
Note: This example demonstrates one DNS server. However, your network might use more than one DNS server. For example, your PC might use one DNS server to resolve host names and your IBM i platform might use a different DNS server. You need to determine how many DNS servers your realm is using for host resolution and adapt this information to your situation.
PC
- Runs Windows operating system.
- Represents both the PC used to administer network authentication service and the PC used by a user with no special authorities for his routine tasks.
- Contains the hosts file which indicates that IP address 10.1.1.1 correlates to host name systema.myco.com.
  Note: You can find the hosts file in this folder:
  - Windows XP, Windows Vista, and Windows 7 operating system: C:\WINDOWS\system32\drivers\etc\hosts
System A
- Runs IBM i 5.4, or later.
- Contains a service application that you need to access using network authentication service (Kerberos authentication).
- Within the Configure TCP (CFGTCP) menu, options 10 and 12 indicate the following information for System A:
  - Option 10 (Work with TCP/IP host table entries):
    - Internet Address: 10.1.1.1
    - Host Name: systema.myco.com
  - Option 12 (Change TCP/IP domain information):
    - Host name: systema
    - Domain name: myco.com
    - Host name search priority: *LOCAL or *REMOTE
      Note: The Host name search priority parameter indicates either *LOCAL or *REMOTE depending on how your network administrator configured TCP/IP to perform host resolution on the system.
On the PC, determine the host name for System A.

Step | Source | Host name |
---|---|---|
1.a.1 | PC hosts file | systema.myco.com |
1.b.1 | DNS server | systema.myco.com |
On System A, determine the host name for System A.

Step | Source | Host name |
---|---|---|
2.a.2 | System A, CFGTCP menu, option 12 | Host name: systema; Domain name: myco.com |
 | Note: Host name search priority value: *LOCAL or *REMOTE | |
2.b.2 | System A, CFGTCP menu, option 10 | systema.myco.com |
2.c.1 | DNS server | systema.myco.com |
These three host names must match exactly.

Step | Host name |
---|---|
Step 1 | systema.myco.com |
Step 2.a.2 | systema; myco.com |
2d | systema.myco.com |
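The comparison that the example work sheets carry out, as an added Python example that is not part of the original IBM page. The function names and the sample hosts file are constructed here; DNS answers are passed in by hand (no live lookup is made), and a source with no entry is assumed to fall through to DNS.

```python
# Added example: worksheet comparison over constructed inputs, no live DNS lookup.

def hosts_file_name(hosts_text, ip):
    """Return the first host name a hosts file lists for ip, or None."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, split on blanks
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]                   # later fields are aliases
    return None

def classify(name, reference):
    """Describe how name differs from the reference host name."""
    if name is None:
        return "no entry"
    if name == reference:
        return "match"
    if name.lower() == reference.lower():
        return "case differs"
    if reference.lower().startswith(name.lower() + "."):
        return "short name, not fully qualified"
    return "different name"

def check_worksheet(pc_hosts_text, ip, pc_dns, ibmi_host, ibmi_domain,
                    ibmi_table_name, ibmi_dns):
    """Compare each worksheet source with the PC's DNS answer; {source: verdict}."""
    sources = {
        "1.a.1 PC hosts file": hosts_file_name(pc_hosts_text, ip),
        "2.a.2 CFGTCP option 12": f"{ibmi_host}.{ibmi_domain}",
        "2.b.2 CFGTCP option 10": ibmi_table_name,
        "2.c.1 DNS server (IBM i)": ibmi_dns,
    }
    return {src: classify(name, pc_dns) for src, name in sources.items()}

def worksheet_ok(verdicts):
    # Assumption: a host table with no entry is skipped and DNS answers instead.
    return all(v in ("match", "no entry") for v in verdicts.values())

# Constructed sample: the hosts entry differs in case from the DNS record.
SAMPLE_HOSTS = """\
# constructed sample hosts file
10.1.1.1    SystemA.myco.com  systema   # alias follows the host name
"""

if __name__ == "__main__":
    result = check_worksheet(SAMPLE_HOSTS, "10.1.1.1", "systema.myco.com",
                             "systema", "myco.com", "systema.myco.com",
                             "systema.myco.com")
    for source, verdict in result.items():
        print(f"{source:26} {verdict}")
```
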
You can use the following three work sheets to verify that your PCs and your IBM i platforms resolve the same host name for the system on which the service application resides.
On the PC, determine the host name for the IBM i platform.

Step | Source | Host name |
---|---|---|
1.a.1 | PC hosts file | |
1.b.1 | DNS server | |
On the IBM i platform, determine the host name for the IBM i platform.

Step | Source | Host name |
---|---|---|
2.a.2 | IBM i, CFGTCP menu, option 12 | Host name: ; Domain name: |
 | Note: Host name search priority value: *LOCAL or *REMOTE | |
2.b.2 | IBM i, CFGTCP menu, option 10 | |
2.c.1 | DNS server | |
These three host names must match exactly.

Step | Host name |
---|---|
Step 1 | |
Step 2.a.2 | |
2d | |