[31098] in Kerberos


Re: kerberos tickets and the SPNs

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon May 11 14:36:51 2009

X-Barracuda-Envelope-From: deengert@anl.gov
Message-ID: <4A087012.9040803@anl.gov>
Date: Mon, 11 May 2009 13:36:02 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Markus Moeller <huaraz@moeller.plus.com>
In-Reply-To: <A2C7F2C7C9E74C13A219123500EBCC93@VAIOLaptop>
Cc: Brian Elliott Finley <finley@anl.gov>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Markus Moeller wrote:
> 
> I also use msktutil and you can find it here
> http://dag.wieers.com/rpm/packages/msktutil/

That points to:
    http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.

We now have Debian mods to 0.3.16-7 to work with W2008, and use the
Windows attribute msDS-SupportedEncryptionTypes so one can use AES.
Anyone interested?

> 
> You can also use setspn -A host/fqdn in lowercase instead of setspn -R.
> 
> BTW the original netjoin tool from MS used computer accounts not user 
> accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
> http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe 
> I don't know why they changed their mind.
> 
> Markus
> 
> ----- Original Message ----- From: "Ravi Channavajhala" 
> <ravi.channavajhala@dciera.com>
> To: "Douglas E. Engert" <deengert@anl.gov>
> Cc: "Markus Moeller" <huaraz@moeller.plus.com>; <kerberos@mit.edu>
> Sent: Friday, May 08, 2009 8:59 PM
> Subject: Re: kerberos tickets and the SPNs
> 
> 
> Don't agree here.  Natively adding a computer to AD and checking with
> setspn -L didn't show any SPNs.  Resetting the SPNs with setspn -R
> creates two entries
> 
> HOST/HOSTNAME$
> HOST/HOSTNAME$.SHORTFORM DOMAIN
> 
> Both are incorrect....
> 
> The point is, I can manipulate SPNs to no end, but obviously no
> success with Kerberos. My real issue is kerberos flip flopping with
> 'Server not found in Database' to 'Keytable entry incorrect Key
> version'.
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
