Client and Service Principal Names
When you are using the Kerberos service, DNS must be enabled on
all hosts. With DNS, the principal should contain the Fully Qualified Domain Name (FQDN)
of each host. For example, if the host name is boston, the DNS
domain name is example.com, and the realm name is EXAMPLE.COM, then the principal
name for the host should be host/boston.example.com@EXAMPLE.COM. The examples in this book require that
DNS is configured and use the FQDN for each host.
For the principal names that include the FQDN of a host, it
is important to match the string that describes the DNS domain name in
the /etc/resolv.conf file. The Kerberos service requires that the DNS domain name
be in lowercase letters when you are specifying the FQDN for a principal.
The DNS domain name can include uppercase and lowercase letters, but only use lowercase
letters when you are creating a host principal. For example, it doesn't matter
if the DNS domain name is example.com, Example.COM, or any other variation.
The principal name for the host would still be host/boston.example.com@EXAMPLE.COM.
In addition, the Service Management Facility has been configured so that many of
the daemons or commands do not start if the DNS client service is
not running. The kdb5_util, kadmind, and kpropd daemons, as well as the kprop
command all are configured to depend on the DNS service. To fully utilize
the features available using the Kerberos service and SMF, you must enable the
DNS client service on all hosts.