[31073] in Kerberos
Re: kerberos tickets and the SPNs
daemon@ATHENA.MIT.EDU (Markus Moeller)
Thu May 7 19:15:03 2009
From: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <mailman.20.1241667589.9729.kerberos@mit.edu>
Date: Thu, 7 May 2009 23:56:55 +0100
MIME-Version: 1.0
Message-ID: <WMqdnac-6seh-p7XnZ2dnUVZ8hidnZ2d@posted.plusnet>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Ravi Channavajhala" <ravi.channavajhala@dciera.com> wrote in message
news:mailman.20.1241667589.9729.kerberos@mit.edu...
> On Thu, May 7, 2009 at 1:19 AM, Markus Moeller <huaraz@moeller.plus.com>
> wrote:
>>
>> You could add a copy to the keytab with ktutil which has an uppercase
>> HOST
>> e.g.
>>
>> # ktutil
>> ktutil: rkt /tmp/test.keytab
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: addent -key -p HOST/opensuse11.suse.home@SUSE.HOME -k 3 -e rc4-hmac
>> Key for HOST/opensuse11.suse.home@SUSE.HOME (hex): d962b1ecc18a809eb57c4a031193623a
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> 2 3 HOST/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: wkt /tmp/new.keytab
>> ktutil: quit
>
> Interesting. This means, I need to have all the SPNs included in the
> keytab? Do you see an inherent problem with deleting the existing
> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
> generating the keytab?
>
The best would be to have one entry in AD with the host/fqdn syntax. If you
have clients requesting HOST/fqdn just use the above method to add a second
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
way as it is case insensitive, so no need to add a second entry to AD.
Markus
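As an added illustration (not code from this thread or from MIT Kerberos), the Python below writes and reads MIT keytab format-2 entries directly, which is what the ktutil addent step above produces: the principal components are stored as literal strings, so host/... and HOST/... are two separate entries that merely share the same key and kvno. It reuses the kvno, enctype and key from the session above as constructed sample values, and adds a small check that flags entries with no twin in the other case; the function names are my own, not ktutil's.

```python
import struct

# Constructed from the ktutil session above: kvno 3, rc4-hmac (enctype 23) and
# the key printed there. Name type 3 is KRB5_NT_SRV_HST; 0x0502 is keytab v2.
SAMPLE_KEY = bytes.fromhex("d962b1ecc18a809eb57c4a031193623a")
RC4_HMAC, NT_SRV_HST, KEYTAB_V2 = 23, 3, b"\x05\x02"

def _cos(b):  # counted octet string: big-endian uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def _take(buf, p):  # inverse of _cos: returns (bytes, offset after them)
    n = struct.unpack(">H", buf[p:p + 2])[0]
    return buf[p + 2:p + 2 + n], p + 2 + n

def encode_entry(principal, kvno, enctype, key, timestamp=0):
    """Keytab v2 entry: int32 size | ncomp | realm | components | name type |
    timestamp | 8-bit vno | enctype | key | 32-bit vno (components are literal)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cos(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def read_keytab(data):
    """Parse KEYTAB_V2 + entries into (principal, kvno, enctype, key) tuples."""
    assert data[:2] == KEYTAB_V2, "only keytab format version 2 is handled"
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip its bytes
            pos -= size; continue
        e = data[pos:pos + size]
        ncomp, p, strs = struct.unpack(">H", e[:2])[0], 2, []
        for _ in range(ncomp + 1):  # realm first, then the name components
            s, p = _take(e, p); strs.append(s.decode())
        _nt, _ts, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype = struct.unpack(">H", e[p:p + 2])[0]
        key, p = _take(e, p + 2)
        kvno = (struct.unpack(">I", e[p:p + 4])[0] if p + 4 <= size else 0) or vno8  # 32-bit vno wins if set
        out.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype, key))
        pos += size
    return out

def missing_case_twins(entries):
    """Principals lacking an entry under the other case of the service name (host/ vs HOST/)."""
    names = {pr for pr, *_ in entries}
    twin = lambda pr: "/".join([pr.split("/", 1)[0].swapcase()] + pr.split("/", 1)[1:])
    return sorted(pr for pr in names if twin(pr) not in names)
```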
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos