Prevent default hostname resolution in /etc/hosts


New Member
May 5, 2016
I am implementing SSO with FreeIPA and Proxmox LXC containers. I've encountered numerous errors while trying to setup kerberos5 keytab. Problem seems to be default hostname resolution in /etc/hosts

Specifically this part:
# --- BEGIN PVE --- sssd-testing
# --- END PVE ---

Which fails to correctly canonicalize hostname, and possibly reverse dns records.

So my question is: how do I prevent/disable that proxmox feature?

This is my documented and apparent cause, may be helpful for someone like myself.

What I'm trying to do:
kinit -kt /etc/krb5.keytab

Error I got at first
kinit: Cannot determine realm for host (principal host/sssd-testing@)

So that can be solved by adding static mapping to [domain_realm] part of /etc/sssd/sssd.conf
which for me looks like:
sssd-testing = MY_REDACTED_REALM

Then I got yet another error:
kinit: Keytab contains no suitable keys for host/sssd-testing@MY_REDACTED_REALM while getting initial credentials

Which was caused by failed canonicalization, since we resolved host with /etc/hosts.

So I solved that by removing hosts entry, and it worked flawlessly. But here is problem, each time container is restarted those entries are put back again.
root@container # touch /etc/.pve-ignore.hosts


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!