From: Grant Taylor <gtaylor@gentoo.tnetconsulting.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Why do we add the local host name to the 127.0.0.1 / ::1 entry in the /etc/hosts file?
Date: Thu, 11 Mar 2021 09:50:37 -0700
Message-ID: <0c71bcc1-9e55-e1d5-1b48-d3896bc09340@spamtrap.tnetconsulting.net>
In-Reply-To: <2405026.4XsnlVU6TS@lenovo.localdomain>

On 3/11/21 6:38 AM, Michael wrote:
> I'm losing my thread in this ... thread, but what I'm trying to say 
> is the AD/ DC and Kerberos way of processing the /etc/hosts entries, 
> when an /etc/hosts file is used, is different to your run of the mill 
> Linux box and server.

I disagree.

First, AD/DC ~ Kerberos don't process the /etc/hosts file.  They do ask 
the system to resolve names to IP addresses.

Second, the system will process the /etc/hosts file, DNS, NIS(+) in the 
order configured in the /etc/nsswitch file so that it can resolve names 
to IP addresses for programs that ask it to do so.

Third, both non-AD / non-Kerberos and AD / Kerberos systems ask the 
system to resolve names to IP addresses.  Further, I'll bet dollars to 
donuts that they call the same functions and use the same subsystems.

I will agree that non-AD / non-Kerberos systems are not sensitive to -- 
what some consider to be -- the misconfigurations that AD / Kerberos 
systems are.

> The Samba link in a previous message makes it clear the DC must have 
> a DNS domain, which corresponds to the domain for the AD forest, 
> this will be used by the Kerberos AD realm; and, the DC must have a 
> static IP address.

Yes.  But that has nothing to do with the contents of the /etc/hosts file.

> The syntax is:
> 
> IP_address canonical_hostname [aliases...]

Agreed.  That's what it should be.  Though I've seen all sorts of failures.

> Therefore, in an entry like:
> 
> 127.0.0.1	localhost host.example.net host
> 
> the "host.example.net" and "host" are both entered as aliases, but 
> will nevertheless resolve to 127.0.0.1 - which will break the Samba 
> AD DC requirement.

Agreed.

> The host name and FQDN must resolve to the static IP of the DC on 
> the LAN.

Remember that this also applies to clients, not just DCs.

> Since /etc/hosts is parsed from the top, things may work fine when 
> the localhost entry is further down the list and further down than 
> any other entries acting as AD DNS resolvers - I don't recall testing 
> this on Samba to know for sure.

Why are you putting entries for the DNS servers in the /etc/hosts file?

> The same syntax won't break a LAMP, or vanilla linux PC, as long as 
> the same box is not acting as a DC.

Actually it can.  I've seen it multiple times in the past.

Bind a service to /only/ the LAN IP.  Then have the system try to 
connect to itself.  It will fail because the service isn't listening on 
the loopback IP.

This is (or was) common on web servers that had multiple IP addresses to 
use different TLS certificates before SNI became a viable thing.  Have 
each virtual web server listen on only its specific IP address.  Have 
the virtual web server for the system's FQDN follow suit for consistency 
reasons.  Then trying to connect to the FQDN would fail if it was an 
alias for 127.0.0.1 or ::1.

> See my statement above re. entries for AD DNS resolvers, if these 
> are listed in the /etc/hosts file.

You didn't answer my question.

What does the number of DNS servers (configured in /etc/resolv.conf) 
have to do with the contents of the /etc/hosts file?

> The /etc/hosts file specifies the LAN IP address(es) of the DC which 
> acts as DNS resolver for the AD DNS zones.

No, the /etc/hosts file has nothing to do with how /DNS/ resolution 
operates.

> The DC's /etc/resolv.conf shouldn't be pointing to non-AD compatible 
> resolvers.

Which has nothing to do with the contents of /etc/hosts.

> ACK.  I hope what I've written above better reflects my understanding, 
> although it could be factually incorrect.  Other contributors should 
> soon put me right.  :-)

I'm wondering if your understanding is that there's a close relationship 
and interaction between the contents of /etc/hosts and /etc/resolv.conf, 
as in the former affects the latter.  This is not the case.

/etc/hosts and /etc/resolv.conf are completely independent and can each 
quite happily exist without the other.  You can even run systems without 
one or the other.  Running without both is technically possible, but 
things start to get ... cumbersome.

You can add entries in /etc/hosts for the DNS servers as a convenience. 
But doing so has no influence on how the DNS resolution subsystem 
functions.  The DNS resolution subsystem is driven by options in the 
/etc/resolv.conf file.  And it's done independently of the contents of 
the /etc/hosts file.

Yes, the /etc/hosts file and the /etc/resolv.conf file both have to do 
with name to IP (and IP to name) resolution.  But they are as 
independent of each other as looking up a phone number in the phone book 
vs calling and asking the operator to look it up for you.  They achieve 
the same goal, but do so in completely different ways and completely 
independently of each other.

This has been and is an interesting discussion.  However, I'm still no 
closer to learning why the Gentoo handbook wants the local host name 
added to the 127.0.0.1 / ::1 entry in the /etc/hosts file.  Something 
which I believe is wrong and bad advice.



-- 
Grant. . . .
unix || die
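
The failure mode Grant describes (a service bound only to the LAN IP, while the host's FQDN sits as an alias on the 127.0.0.1 line) can be checked mechanically. The following is an added example, not code from the thread or from Gentoo or Samba: it parses hosts(5) syntax (`IP_address canonical_hostname [aliases...]`, `#` comments), resolves a name in file order, flags any loopback line that carries the machine's own FQDN or short name, and simulates the local connection attempt against a service's bound addresses. The two hosts files, the names `host.example.net` / `host` and the address `192.0.2.10` are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Constructed sample /etc/hosts contents (assumption, not a real system's file).
# HOSTS_BAD reproduces the layout quoted in the thread: the FQDN and short
# name are aliases on the loopback line and also appear on the LAN line.
HOSTS_BAD = """\
# loopback
127.0.0.1   localhost host.example.net host
::1         localhost
# LAN
192.0.2.10  host.example.net host
"""

# HOSTS_GOOD keeps loopback lines for localhost only; the FQDN and short
# name resolve to the LAN address.
HOSTS_GOOD = """\
127.0.0.1   localhost
::1         localhost
192.0.2.10  host.example.net host
"""

Entry = Tuple[str, str, List[str]]  # (ip, canonical_hostname, aliases)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts(5) lines in file order; '#' starts a comment, blank lines
    are skipped, and a line needs at least an address and a canonical name."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: address without any name
        ip = str(ipaddress.ip_address(fields[0]))  # validates and normalises
        entries.append((ip, fields[1], fields[2:]))
    return entries


def resolve(entries: List[Entry], name: str) -> List[str]:
    """Return every address whose line names `name` (canonical or alias),
    in file order. Real resolvers differ on whether they stop at the first
    matching line or return all of them, so the full list is kept."""
    want = name.lower()
    return [
        ip for ip, canon, aliases in entries
        if want == canon.lower() or want in (a.lower() for a in aliases)
    ]


def first_match(entries: List[Entry], name: str) -> Optional[str]:
    """First-line-wins view of the lookup (the 'parsed from the top' case)."""
    addrs = resolve(entries, name)
    return addrs[0] if addrs else None


def audit_loopback_aliases(entries: List[Entry], fqdn: str, short: str) -> List[str]:
    """Flag loopback lines that carry the host's own FQDN or short name.
    Such a line makes the host resolve its own name to 127.0.0.1 / ::1."""
    own = {fqdn.lower(), short.lower()}
    findings = []
    for ip, canon, aliases in entries:
        if ipaddress.ip_address(ip).is_loopback:
            for n in [canon] + aliases:
                if n.lower() in own:
                    findings.append(f"{n} is on loopback line {ip}")
    return findings


def can_connect(entries: List[Entry], name: str, bound_addrs: Set[str]) -> bool:
    """Simulate a client on the same box connecting to `name` on a service
    that listens only on `bound_addrs`: it works only if the address the
    name resolves to is one the service is actually bound to."""
    addr = first_match(entries, name)
    return addr is not None and addr in bound_addrs


if __name__ == "__main__":
    lan_only_service = {"192.0.2.10"}  # e.g. a vhost bound to its own IP only
    for label, text in (("bad", HOSTS_BAD), ("good", HOSTS_GOOD)):
        entries = parse_hosts(text)
        print(label, "resolves host.example.net ->", resolve(entries, "host.example.net"))
        print(label, "findings:", audit_loopback_aliases(entries, "host.example.net", "host"))
        print(label, "self-connect to LAN-only service:",
              can_connect(entries, "host.example.net", lan_only_service))
```

With the "bad" file the FQDN resolves first to 127.0.0.1, so a client on the box never reaches a service listening only on 192.0.2.10, and the audit reports both names on the loopback line; the "good" file yields no findings and the self-connection succeeds. Note that this only models the `files` stage of the lookup: /etc/nsswitch.conf decides whether `files` is consulted before DNS, and /etc/resolv.conf drives the DNS stage independently, which is the separation the message above insists on.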