help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: editfiles methodology question


From: Atom Powers
Subject: Re: editfiles methodology question
Date: Mon, 7 Nov 2005 10:57:04 -0800

In principle I agree with Mark; that $host should not include the
domain; I would even go so far as to say that Kerberos and Oracle are
broken, they should use a lookup that generates $host.$domain.

But in the context of cfengine, $host could cause problems if you have
two different systems named "www.domain.net" and "www.domain.com".
(Shame on any body who uses "www" as a hostname, but I've seen worse.)
BUT, that is much easier to work around than cutting the domain
portion off a variable.

On 11/7/05, Mark Burgess <address@hidden> wrote:
>
> There are, of course, reasons for doing so -- but they are, in my purist
> option, hacks. I always think it is a shame when people recommend hacks
> to work around other software, instead of fixing the problems at root
> cause.... but now someone will ask me why I haven't fixed all the
> problems with cfengine,,,
>
> M
>
>
> On Mon, 2005-11-07 at 10:21 -0800, Eli Stair wrote:
> > Fair enough.
> >
> > I agree mimmic-ing the behaviour of another program just because it is
> > "correct" in that context is not really exemplary of good practice.  But
> > in the context of those examples, it's valid.
> >
> > Point being I guess that if one were interoperating with these or other
> > similar systems, having a  dichotomy in the way hostnames resolve like
> > that can be confusing and even dangerous (if you have humans running it ;).
> >
> > I actually don't have a strong opinion either way, unless there came a
> > point when at a system-level cfengine and other software required
> > different levels of DNS granularity.  The "other" software occasionally
> > does have a system-level requirement already.
> >
> > /eli
> >
> > Mark Burgess wrote:
> > > I disagree with them.
> > >
> > > On Mon, 2005-11-07 at 10:09 -0800, Eli Stair wrote:
> > >
> > >>I'm not the expert on this (as I haven't READ the relevant RFC's), but
> > >>for instance when running Kerberos and Oracle (and probably other auth
> > >>software as well) the best practice (and it's been stated RFC-compliant
> > >>method) is to return FQDN for hostname lookups.
> > >>
> > >>Not doing so will result in improper/non-functional Kerberos with
> > >>tickets not applying to a host or service (been there).  Oracle can
> > >>break all authenticated connectivity (been there too).  They even go so
> > >>far as to recommend defining FQDN in /etc/hosts for all Oracle hosts to
> > >>bypass any DNS/system-level problems with resolution.
> > >>
> > >>Very over-simplified example, but a valid one I've had to deal with.
> > >>
> > >>/eli
> > >>
> > >>
> > >>>This is normal if you have fully qualified names returned by your
> > >>>hostname lookup, which is not something I recommend.
> > >>>
> > >
> > >
> > >
> >
>
>
>
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/help-cfengine
>


--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--




reply via email to

[Prev in Thread] Current Thread [Next in Thread]