Stupid /etc/hosts problems with service principal names

Richard Sharpe realrichardsharpe at
Wed Apr 18 13:39:22 MDT 2012

On 4/18/12, Jeremy Allison <jra at> wrote:
> On Wed, Apr 18, 2012 at 10:02:41AM -0700, Richard Sharpe wrote:
>> Hi folks,
>> I recently saw a problem with Samba giving out what seemed like the
>> wrong service principal name in the response to a Negotiate Protocol,
>> but it came down to Samba trying to convert the hostname (short form)
>> into an FQDN and name_to_fqdn calls gethostbyname, which, because of
>> /etc/nsswitch, looks in /etc/hosts, and since we had an entry there
>> that had not been changed after the domain join, came up with the
>> wrong FQDN ...
>> It seems to me that the correct thing here is not to put an entry for
>> this machine in /etc/hosts (apart from localhost) relating to the
>> hostname of the member server because it should be using DNS anyway,
>> and if access to DNS is broken, lots of stuff is not going to work
>> anyway.
>> Any comments? Is this stuff that has been discussed before now?
> Sounds like a broken setup to me. And yeah, we shouldn't be
> doing anything inside /etc/hosts.

Well, we, as in Samba, are not doing anything (wrong) there. It is
some OEMs who have been doing things incorrectly here. Often it goes
unnoticed because Windows clients will fail to find the service
principal in the KDC and will fall back to NTLMSSP and customers are
often none the wiser.

It's probably a best-practices thing.

Richard Sharpe

More information about the samba-technical mailing list