unix, 10-02-2007, 03:00 PM
Re: NFS Exporting a samba share

Mike Eisler wrote:

>> multiple OS releases. If you take advantage of subtle configurations
>> to make things work the way you want (such as using an NIS domain
>> name that does not match your network's default domain name, or
>> using hostnames that are not fully qualified because of people's old
>> software that uses "$HOSTNAME" = "non-fully-qualified-hostname"
>> sorts of statements), it quickly becomes a nightmare. And Kerberos
>> used to be pretty fascist about insisting that the

>
> Which is why the Solaris NFS/Kerberos V5 stack always canonicalizes
> based on the FQDN returned by DNS.
>
> Have you actually used an NFS/Kerberos V5 stack, or are you
> casting theory?


Harsh, harsh experience with older NFS/Kerberos implementations in very
heterogeneous configurations. Unless they've added something since then,
Kerberos uses the various "gethostby" functions in libc to try to determine
the canonical hostname, and actually uses the first entry returned as the
"canonical" name. And unfortunately, you can't just assert that "DNS gives
the canonical hostname". The various actual functions can and do give
multiple answers, depending on the system's pre-defined "HOSTNAME", the
contents of /etc/hosts, the NIS published "hosts" table, the contents of
/etc/resolv.conf to actually decide where to do the DNS lookup that you
mentioned, etc. DNS is in fact rarely configured to be their first source of
IP/HOSTNAME resolution; the first source is usually /etc/hosts. And the
function then typically returns all these names in order of how they were
resolved, namely from /etc/hosts first. This is why it's such fun to say
"OK, I've set hostname to be 'my.domain.com', but because I can get away
with it I put '127.0.0.2 my my.domain.com my.offsite-domain.com' in
/etc/hosts."

It's completely legal in DNS and these address functions to do this,
although it's usually considered a bad idea because such shortened hostnames
are not necessarily unique in even a modest sized network and can cause
fascinating, fascinating confusions for all involved. The main excuse to do
it is to simplify your life if you swap a machine from one DNS domain to
another frequently, and you want to be consistent about using a short alias
and non-FQHN for your system-dependent software tools in both domains
without resetting your HOSTNAME. You can't safely just switch HOSTNAME at
whim: you'll break X-servers and X-clients running locally on your machine.
And ghods forbid you change HOSTNAME while you've got an NFS mount as client
or server! Changing HOSTNAME is usually accompanied by bringing the system
down to a single user mode to avoid exactly that sort of fun and games.

In a Kerberized environment, you probably shouldn't be hopping back and
forth between domains anyway, but I think you can see where it can get quite
complex to straighten out such joys and delights.

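As an added illustration, not part of the post above, the following Python model shows the behaviour the post describes: the resolver walks its sources in nsswitch order, the first name on a matching /etc/hosts line becomes the "canonical" name, and a host principal derived from it can end up being a short alias that disagrees with DNS. The hosts file and DNS table are constructed for the example; nothing is read from the real system.

```python
"""Model of hostname canonicalization as libc's gethostby* family does it:
walk the sources in nsswitch order and report the FIRST name on the matching
/etc/hosts line as canonical. All tables are constructed for illustration."""

# Constructed /etc/hosts: the alias trick from the post plus one sane entry.
HOSTS_FILE = """\
127.0.0.2  my my.domain.com my.offsite-domain.com
192.0.2.10 fileserver.domain.com fileserver
"""
# Constructed stand-in for DNS: name -> FQDN the zone would canonicalize it to.
DNS = {"my.domain.com": "my.domain.com", "fileserver": "fileserver.domain.com",
       "fileserver.domain.com": "fileserver.domain.com"}

def parse_hosts(text):
    """Return (addr, [names]) tuples, preserving line and name order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            addr, *names = line.split()
            entries.append((addr, names))
    return entries

def hosts_lookup(name, entries):
    """The first name on the matching line is what the resolver calls canonical."""
    for _addr, names in entries:
        if name in names:
            return names[0]
    return None

def canonical_name(name, order=("files", "dns")):
    """Return (canonical, source) from the first source that answers, like libc."""
    entries = parse_hosts(HOSTS_FILE)
    for source in order:
        hit = hosts_lookup(name, entries) if source == "files" else DNS.get(name)
        if hit:
            return hit, source
    return None, None

def principal_problems(name):
    """Defender check: would host/<canonical>@REALM be built from a short alias,
    or from a hosts-file answer that disagrees with DNS? Empty list means clean."""
    canon, source = canonical_name(name)
    if canon is None:
        return [f"{name!r} does not resolve"]
    problems = []
    if "." not in canon:
        problems.append(f"canonical name {canon!r} from {source} is not fully qualified")
    if name in DNS and DNS[name] != canon:
        problems.append(f"hosts file says {canon!r} but DNS says {DNS[name]!r}")
    return problems
```

Swapping the source order to ("dns", "files") makes the same lookup return the FQDN, which is the canonicalization behaviour the Solaris stack is credited with in the quoted reply.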