The following process is used to map a service principal name to
a key in the SPNEGO key table:
- Resolve the host name to an IP address.
The mapping process depends on your host name resolution configuration. Typically, the /etc/hosts file is checked first, followed by the DNS server that is configured in the resolv.conf file. (On Linux and Solaris the lookup order is controlled by the hosts entry in /etc/nsswitch.conf; on AIX by /etc/netsvc.conf.)
If the resolution succeeds, the process continues with step 2. If the resolution fails, the canonical name is assumed to be the same as the host name, and the process continues with step 3.
- Resolve the IP address to the canonical name.
The mapping process depends on your host name resolution configuration. Typically, the /etc/hosts file is checked first, followed by the DNS server that is configured in the resolv.conf file.
If the IP address is found in the /etc/hosts file, the canonical name is set to the first host name that is listed on that line.
If the IP address is not found in the /etc/hosts file, the DNS server is queried to complete a reverse lookup on the IP address. If the DNS server returns a host name for this IP address, this host name becomes the canonical name.
If the IP address is not found in the /etc/hosts file and the DNS server does not return a host name for this IP address, the canonical name is assumed to be the same as the host name.
- Common error
- The /etc/hosts file lists the short name of the host before the fully qualified host name. This format is incorrect. Entries in the /etc/hosts file must use the following format:
IP_address fully_qualified_hostname short_name
When the format is incorrect, host name resolution returns the short name, and the canonical name is set to this short name. The Web server then searches the key table for HTTP/short_name@realm_name, which is the wrong key. The canonical name must match the host name that clients use to contact the Web server, because that is the name for which the client requests a service ticket.
- Resolution
- Contact your AIX®, Linux, or Solaris system administrator for how to change entries in the following files:
- Map the canonical name from step 1 or step 2 to the realm name by checking the [domain_realm] stanza of the /opt/PolicyDirector/etc/krb5.conf file.
Each entry in this stanza maps a host name or a domain name to a realm name. The canonical host name is checked against each of the host entries. If a matching host entry is found, the realm name becomes the realm that is specified for the host. If no matching host entry is found, the domain entries are checked. If a matching domain entry is found, the realm name becomes the realm that is specified for that domain.
If no matching domain entry is found, the realm name becomes the value of the [libdefaults] default_realm entry in the /opt/PolicyDirector/etc/krb5.conf file.
- Common error
- The entries in the [domain_realm] stanza of the /opt/PolicyDirector/etc/krb5.conf file are incorrect.
- Resolution
- Verify that the realm name specified in the [domain_realm] stanza is correct, and verify that the canonical name matches a host or domain entry in this stanza. Realm names are case-sensitive, so a realm that is spelled in the wrong case produces a principal name that is not in the key table.
- Verify that the key table contains this entry.
- Common error
- The key table does not contain a matching entry.
- Resolution
- Use the am_klist command or the am_ktutil program to check the SPNEGO key table for an entry in the following format:
HTTP/canonical_name@realm_name
The canonical_name and realm_name must be exactly the values produced by steps 2 and 3. For details about using the am_ktutil program, see Validating keys in key tables.
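The four steps above, carried out as one script so the outcome of each can be inspected. This is an added example, not code from the product documentation: the /etc/hosts and krb5.conf contents, the host names and addresses, the key table principals, and the in-memory DNS tables that stand in for the resolver are all constructed for illustration. It includes one /etc/hosts line with the short name listed first, to show how that common error changes the principal the Web server looks for.

```python
"""Walk the SPNEGO service-principal mapping steps against constructed inputs.

Added example, not part of the product documentation. File contents, names,
addresses and principals are made up; the resolver is replaced by in-memory
tables so the script runs offline.
"""
import re

# --- constructed sample inputs -------------------------------------------
HOSTS_FILE = """\
127.0.0.1   localhost
# correct order: fully qualified name first, short name second
192.0.2.10  webseal.example.com webseal
# the "common error": short name listed before the fully qualified name
192.0.2.11  badhost badhost.example.com
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    webseal.example.com = WEB.EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""

# stand-ins for the DNS server configured in resolv.conf (constructed)
DNS_A = {"dnsonly.example.com": "192.0.2.20"}      # forward (A) records
DNS_PTR = {"192.0.2.20": "dnsonly.example.com"}    # reverse (PTR) records

# principals as they would appear in the SPNEGO key table (constructed)
KEYTAB = {
    "HTTP/webseal.example.com@WEB.EXAMPLE.COM",
    "HTTP/dnsonly.example.com@EXAMPLE.COM",
}


def parse_hosts(text):
    """Return (name -> ip, ip -> [names in file order]) from /etc/hosts text."""
    by_name, by_ip = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        by_ip.setdefault(ip, []).extend(names)
        for name in names:
            by_name.setdefault(name, ip)
    return by_name, by_ip


def parse_krb5_conf(text):
    """Minimal [stanza] / key = value parser for the two stanzas used here."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return stanzas


def canonical_name(hostname, hosts_text, dns_a, dns_ptr):
    """Steps 1 and 2: host name -> IP address -> canonical name."""
    by_name, by_ip = parse_hosts(hosts_text)
    ip = by_name.get(hostname) or dns_a.get(hostname)
    if ip is None:                          # step 1 failed: canonical = host name
        return None, hostname
    if ip in by_ip:                         # step 2: /etc/hosts wins, first name listed
        return ip, by_ip[ip][0]
    return ip, dns_ptr.get(ip, hostname)    # reverse DNS, else fall back to host name


def realm_for(canonical, krb5):
    """Step 3: host entries first, then domain entries, then default_realm."""
    domain_realm = krb5.get("domain_realm", {})
    if canonical in domain_realm:
        return domain_realm[canonical]
    # domain entries start with a dot; take the longest one the name ends with
    matches = [d for d in domain_realm if d.startswith(".") and canonical.endswith(d)]
    if matches:
        return domain_realm[max(matches, key=len)]
    return krb5["libdefaults"]["default_realm"]


def diagnose(hostname, hosts_text=HOSTS_FILE, krb5_text=KRB5_CONF,
             dns_a=DNS_A, dns_ptr=DNS_PTR, keytab=KEYTAB):
    """Step 4: build HTTP/canonical_name@realm_name and look it up in the key table."""
    ip, canonical = canonical_name(hostname, hosts_text, dns_a, dns_ptr)
    realm = realm_for(canonical, parse_krb5_conf(krb5_text))
    spn = f"HTTP/{canonical}@{realm}"
    return {"ip": ip, "canonical": canonical, "realm": realm,
            "spn": spn, "in_keytab": spn in keytab}


if __name__ == "__main__":
    for host in ("webseal.example.com", "badhost.example.com",
                 "dnsonly.example.com", "unknown.example.com"):
        r = diagnose(host)
        status = "found" if r["in_keytab"] else "MISSING"
        print(f"{host:24} -> {r['canonical']:24} {r['spn']:44} {status}")
```

The badhost.example.com case is the /etc/hosts ordering error from step 2: the canonical name collapses to badhost, no [domain_realm] entry matches it, the realm falls through to default_realm, and the resulting HTTP/badhost@EXAMPLE.COM is not in the key table even though a key for the fully qualified name could exist. On a real system, replace the in-memory tables with the output of getent hosts and a reverse lookup, and the KEYTAB set with the principals listed by am_klist.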