Using ".local" as your hostname breaks Kerberos (and other services) in Mac OS Server 10.5 Advanced because the server will only do Bonjour lookups instead of checking with the DNS server(s). There is an old Apple knowledgebase article (from OS 10.3) that says adding the string "local" to the "Search Domains" section of the Network System Preference Pane will force your computer to look up via a DNS server instead of just Bonjour...

...which sounds like it would also allow you to use "server.local" as your hostname - can anyone confirm this is the case, or is there some other drawback with this workaround?

username

  • maybe i should clarify here: this is assuming you've correctly added your server's ".local" hostname to its DNS Service, or some other private DNS server's records. if you call your server "myserver.private" Kerberos starts normally on the server - if you call it "myserver.local" Kerberos will fail – username May 10 '09 at 20:23

3 Answers

If your internal domain is .local, you will have a problem resolving names via DNS. There is an old article on Mac OS X Hints which describes a solution:

I created a company.local file in /etc/resolver, and populated this file with the nameservers for the company.local AD domain. This allows Mac OS X to use standard DNS to resolve company.local (or subdomain.company.local), while still allowing Rendezvous to operate as expected.

The only drawback I've seen to this approach is that the nameservers in this company.local file don't update via DHCP, so I have to update them manually.

Here is a more official support document from Apple which will parse your existing /etc/resolv.conf to populate the file in /etc/resolvers.

Jared Oberhaus
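A worked version of the per-domain resolver approach, added here as an example and not taken from the answer or the Mac OS X Hints article it quotes. It pulls the `nameserver` lines out of an existing resolv.conf and writes them to a file named after the domain, which is what a file in /etc/resolver needs. The domain `company.local`, the 192.0.2.x addresses and the resolv.conf content are constructed, and a temporary directory stands in for /etc/resolver so the script can run without root:

```shell
#!/bin/sh
# Added example (not the answer's own code): build an /etc/resolver/<domain>
# file from the nameserver lines of a resolv.conf, so that one .local zone is
# resolved by unicast DNS while other .local names still go to Bonjour.

# Constructed sample resolv.conf (the kind of file DHCP writes on a Mac).
SAMPLE_RESOLV_CONF='# generated by DHCP (constructed sample)
domain example.com
search example.com corp.example.com
nameserver 192.0.2.10
nameserver 192.0.2.11
options ndots:1'

# resolver_file_content <resolv.conf text>
# Prints only the "nameserver" lines; comments, search and options are dropped
# because the per-domain file is consulted for one zone only.
resolver_file_content() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $1, $2 }'
}

# write_resolver_file <domain> <resolv.conf text> <target dir>
# Writes <target dir>/<domain>. On a real system the target is /etc/resolver
# (run as root); refuses to write an empty file if no nameserver was found.
write_resolver_file() {
    domain="$1"; conf="$2"; dir="$3"
    content=$(resolver_file_content "$conf")
    [ -n "$content" ] || { echo "no nameserver lines found" >&2; return 1; }
    mkdir -p "$dir"
    printf '%s\n' "$content" > "$dir/$domain"
}

# count_nameservers <file>: quick sanity check after writing.
count_nameservers() {
    grep -c '^nameserver ' "$1"
}

# Stand-alone run against a temporary directory instead of /etc/resolver.
main() {
    tmp=$(mktemp -d)
    write_resolver_file company.local "$SAMPLE_RESOLV_CONF" "$tmp"
    echo "wrote $tmp/company.local:"
    cat "$tmp/company.local"
    echo "nameservers: $(count_nameservers "$tmp/company.local")"
    rm -rf "$tmp"
}

main
```

The drawback the quoted hint mentions still applies: the file is static, so if DHCP hands out different nameservers later, this script has to be re-run to refresh it.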

I'm not sure how similar OS X is to linux, but I had a similar problem with an ubuntu install, and was able to solve it by editing /etc/nsswitch.conf

Under the hosts entry I had to re-order the services so that dns came before any of the mdns4 entries.

My modified line looks like:

hosts:     files dns mdns4_minimal [NOTFOUND=return] mdns4

Hope that helps someone!

Brent
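The same reordering applied in a repeatable way, added as an example and not part of Brent's answer: one function reports whether `dns` already comes before any `mdns4` source on the `hosts:` line, and another rewrites the line so `dns` follows `files`. It generalizes the single edited line above to any nsswitch.conf layout. The sample file content is constructed; on a real glibc-based Linux system you would feed it the contents of /etc/nsswitch.conf and write the result back after keeping a backup:

```shell
#!/bin/sh
# Added example (not the answer's own code): check and fix the order of the
# "hosts:" sources in an nsswitch.conf so unicast DNS is consulted before
# multicast DNS (mdns4_minimal / mdns4).

# Constructed sample, Ubuntu-style defaults where mdns4_minimal precedes dns.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files'

# dns_before_mdns <nsswitch text>
# Exit 0 if "dns" appears before the first mdns4* source on the hosts line,
# exit 1 otherwise (including when there is no hosts line at all).
dns_before_mdns() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "dns")      { found = 1; exit }
                if ($i ~ /^mdns4/)    { found = 0; exit }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# reorder_hosts_line <nsswitch text>
# Prints the file with "dns" moved directly after "files" on the hosts line
# (or first, if there is no "files" source). Other lines are untouched.
reorder_hosts_line() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" {
            line = $1; inserted = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dns") continue          # drop the existing dns token
                line = line " " $i
                if ($i == "files" && !inserted) { line = line " dns"; inserted = 1 }
            }
            if (!inserted) line = $1 " dns" substr(line, length($1) + 1)
            print line
            next
        }
        { print }'
}

# hosts_line <nsswitch text>: prints just the hosts line for inspection.
hosts_line() {
    printf '%s\n' "$1" | grep '^hosts:'
}

# Stand-alone run on the constructed sample.
main() {
    if dns_before_mdns "$SAMPLE_NSSWITCH"; then
        echo "already ordered: $(hosts_line "$SAMPLE_NSSWITCH")"
    else
        fixed=$(reorder_hosts_line "$SAMPLE_NSSWITCH")
        echo "before: $(hosts_line "$SAMPLE_NSSWITCH")"
        echo "after:  $(hosts_line "$fixed")"
    fi
}

main
```

Note that this only affects glibc's name service switch; Mac OS X does not read nsswitch.conf, which is why the /etc/resolver approach is the one that applies there.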

I'm not a Kerberos expert, but I believe that it requires a functioning DNS infrastructure. The .local domain only exists inside the multicast resolver, and isn't a real zone. My advice would be to set up a separate internal domain, private.yourcompany.com.

Dave Cheney
  • ixnay. you can set the server up to provide DNS for itself and Kerberos normally works just fine. the issue here is that Mac OS does not look up ".local" hostnames the same way it looks up other hostnames – username May 09 '09 at 15:48
  • Yes, it doesn't look up .local's using the standard mechanisms, because they are not normal domains; a .local reference cannot exist outside the same multicast domain, so it makes little sense to look up the domains via the standard tools – Dave Cheney May 09 '09 at 15:53
  • that's not exactly what i meant. ".local" really *is* special - it's reserved for Bonjour. A Mac will happily look up pretty much any other TLD; ".private" or ".lan" *will* be looked up via DNS. just because they are blackholed outside your own subnet doesn't mean you can't configure DNS to use them for your internal machines – username May 10 '09 at 19:37