Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Kerberos Client and Service Principal Names

Kerberos in Oracle Solaris does not use the name-service/switch service. Rather, the Kerberos service uses DNS to resolve host names. Therefore, DNS must be enabled on all hosts. With DNS, the principal must contain the fully qualified domain name (FQDN) of each host. For example, if the host name is boston, the DNS domain name is example.com, and the realm name is EXAMPLE.COM, then the principal name for the host would be host/boston.example.com@EXAMPLE.COM. The examples in this guide require that DNS is configured and that the FQDN is used for each host.

The Kerberos service canonicalizes host alias names through DNS, and uses the canonicalized form (cname) when constructing the service principal for the associated service. Therefore, when creating a service principal, the host name component of service principal names is the canonical form of the host name of the system that provides the service.

The following example shows how the Kerberos service canonicalizes host names. If a user runs the command ssh alpha.example.com where alpha.example.com is a DNS host alias for the cname beta.example.com, the Kerberos service canonicalizes alpha.example.com to beta.example.com. The KDC processes the ticket as a request for the service principal host/beta.example.com.

For principal names that include the FQDN of a host, the domain portion must match the DNS domain name string in the /etc/resolv.conf file. The Kerberos service requires that the DNS domain name be in lowercase letters when you specify the FQDN for a principal. The DNS domain name itself can include uppercase and lowercase letters, but use only lowercase letters when you create a host principal. For example, the DNS domain name can be example.com, Example.COM, or any other variation; the principal name for the host would still be host/boston.example.com@EXAMPLE.COM.
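The canonicalization and lowercase rules described in the preceding paragraphs, worked through as an added example (not Oracle Solaris code): the function follows DNS aliases to the canonical name, builds host/<fqdn>@REALM from the lowercase result, and checks the domain portion against the resolv.conf string case-insensitively. The DNS table and the resolv.conf text are constructed stand-ins so the example runs offline; in a real deployment the Kerberos libraries query DNS directly.

```python
"""Build Kerberos service principal names as the page describes:
canonicalize the host name through DNS, then use the lowercase FQDN."""

# Constructed stand-in for DNS data (alias -> canonical name). Solaris
# Kerberos asks the real DNS resolver; this table exists only so the
# example runs offline. The names are hypothetical.
CONSTRUCTED_DNS = {
    "alpha.example.com": "beta.example.com",     # CNAME alias -> cname
    "beta.example.com": "beta.example.com",      # canonical host
    "boston.example.com": "boston.example.com",  # canonical host
}

# Constructed /etc/resolv.conf content with a mixed-case domain string.
CONSTRUCTED_RESOLV_CONF = """\
domain Example.COM
nameserver 192.0.2.53
"""


def canonicalize(host, resolver=CONSTRUCTED_DNS):
    """Follow CNAME aliases to the canonical name (the 'cname').

    DNS names are case-insensitive, so lookups use the lowercase form;
    a missing record or an alias loop is an error rather than a
    silently wrong principal.
    """
    name = host.rstrip(".").lower()
    seen = set()
    while name not in seen:
        seen.add(name)
        target = resolver.get(name)
        if target is None:
            raise LookupError(f"{host!r}: no DNS record")
        target = target.rstrip(".").lower()
        if target == name:
            return name          # reached the canonical host
        name = target
    raise LookupError(f"{host!r}: CNAME loop")


def service_principal(host, realm, service="host", resolver=CONSTRUCTED_DNS):
    """Return service/<canonical lowercase FQDN>@REALM.

    The realm is kept exactly as given (realm names are case-sensitive);
    only the host component is lowercased, as the page requires.
    """
    fqdn = canonicalize(host, resolver)
    if "." not in fqdn:
        raise ValueError(f"{fqdn!r} is not fully qualified; DNS must be enabled")
    return f"{service}/{fqdn}@{realm}"


def resolv_domain(resolv_conf_text):
    """Extract the 'domain' entry (or the first 'search' domain) from resolv.conf."""
    search = None
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "domain" and len(fields) > 1:
            return fields[1]
        if fields[0] == "search" and len(fields) > 1 and search is None:
            search = fields[1]
    return search


def domain_matches_resolv_conf(principal, resolv_conf_text):
    """Check that the principal's DNS domain matches the resolv.conf string.

    The comparison is case-insensitive because resolv.conf may carry a
    mixed-case domain, while the principal itself must stay lowercase.
    """
    host_part = principal.split("/", 1)[1].split("@", 1)[0]
    principal_domain = host_part.split(".", 1)[1]
    configured = resolv_domain(resolv_conf_text)
    return configured is not None and configured.lower() == principal_domain


if __name__ == "__main__":
    p = service_principal("alpha.example.com", "EXAMPLE.COM")
    print(p)   # host/beta.example.com@EXAMPLE.COM
    print(domain_matches_resolv_conf(p, CONSTRUCTED_RESOLV_CONF))
```

Running the module prints the principal for the alias case from the text (alpha.example.com resolves to host/beta.example.com@EXAMPLE.COM) and confirms that the mixed-case domain string in the constructed resolv.conf still matches the lowercase principal.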

In addition, the Service Management Facility (SMF) is configured so that many of the Kerberos daemons and commands do not start if the DNS client service is not running. The kdb5_util, kadmind, and kpropd daemons, as well as the kprop command, are configured to depend on the DNS service. To fully use the features that the Kerberos service and SMF provide, you must enable the DNS client service on all hosts.