[31310] in Kerberos


Kerberos auth against AD, keytabs, and service principal names

daemon@ATHENA.MIT.EDU (kerberos@noopy.org)
Mon Jul 20 14:30:04 2009

Date: Mon, 20 Jul 2009 14:23:42 -0400
Message-ID: <cba4e37e0907201123w2bc53d58ic3686fab49895fb1@mail.gmail.com>
From: kerberos@noopy.org
To: kerberos@mit.edu

I've been able to use ktpass.exe on the Windows (2003R2) side to
create working keytabs for my NFSv4 environment.  I'd like to have
both host/ and nfs/ service principal names for each host.fqdn in my
(DNS) domain.  To this end I ran 'setspn -A ...' to create a SPN for
host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
keytab for each of host/host.fqdn and nfs/host.fqdn.

Then I copied the keytabs to my Linux system and tested kinit for
host/host.fqdn and nfs/host.fqdn.  kinit for nfs/host.fqdn worked but
kinit for host/host.fqdn *failed*.  What?!  Looking at my entries in
AD, it appears that ktpass.exe sets both userPrincipalName and
servicePrincipalName to *the same thing*, and merely adding SPNs to
the host.fqdn entry in AD doesn't fix the problem with kinit -- if
princ/host.fqdn doesn't exist in AD as a UPN.  That is to say, only
UPNs are consulted when I kinit some princ/host.fqdn?

Is my assessment right about this?  Is the only solution to have
multiple AD entries, one for each SPN you intend to support?

-- 
K
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
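Before blaming AD for a failing `kinit -k -t`, it is worth confirming exactly what the copied keytab contains: which principal names, which kvno, and which enctypes ktpass.exe wrote. The script below is an added example for this thread (not code from the original post, from MIT Kerberos or from Microsoft); it implements the MIT keytab v2 (0x0502) binary layout so a keytab can be listed offline, much as `klist -k -e` would. The realm EXAMPLE.COM, the host name host.example.com, the kvno and the all-zero key bytes are constructed sample data, not real keys.

```python
"""List (and, for the demo, build) MIT-format keytabs offline.

Keytab v2 layout: 2-byte magic 0x05 0x02, then entries of
  int32 size | uint16 ncomp | counted realm | counted comp[ncomp] |
  uint32 name_type | uint32 timestamp | uint8 vno8 |
  uint16 enctype | uint16 keylen | key | [uint32 vno32]
Counted strings are uint16 big-endian length + bytes.  A negative size
marks a deleted slot.  The trailing 32-bit vno is optional.
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1          # name_type used for ordinary principals

# Enctype numbers as found in keytabs generated for Active Directory
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4: flag them on a modern host


def _counted(data: bytes) -> bytes:
    """keytab 'counted octet string': uint16 big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes).

    principal is 'svc/host.fqdn@REALM'.  Returns the keytab file bytes.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">I", NT_PRINCIPAL)
        body += struct.pack(">I", int(time.time()))   # creation timestamp
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of {principal, kvno, enctype, key} dicts from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 MIT keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4                        # name_type (ignored here)
        pos += 4                        # timestamp (ignored here)
        kvno = data[pos]; pos += 1      # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:              # 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def principals_in(data: bytes):
    """Distinct principal names in the keytab, sorted."""
    return sorted({e["principal"] for e in parse_keytab(data)})


def weak_entries(data: bytes):
    """Principals whose keys use DES or RC4."""
    return [e["principal"] for e in parse_keytab(data)
            if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: the two SPNs from the post, with dummy all-zero keys.
SAMPLE_KEYTAB = build_keytab([
    ("host/host.example.com@EXAMPLE.COM", 3, 23, bytes(16)),  # RC4, 16-byte key
    ("nfs/host.example.com@EXAMPLE.COM", 3, 18, bytes(32)),   # AES-256, 32-byte key
])

if __name__ == "__main__":
    # For a real file: parse_keytab(open("/etc/krb5.keytab", "rb").read())
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"],
              ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))))
    print("weak enctypes:", weak_entries(SAMPLE_KEYTAB))
```

If the name you pass to `kinit -k -t keytab princ/host.fqdn@REALM` is listed by this script and the KDC still answers "Client not found in Kerberos database", the keytab is fine and the gap is on the AD side: the KDC matches an AS-REQ client name against account names (userPrincipalName or sAMAccountName), not against the servicePrincipalName attribute, which is only consulted when a ticket *for* that service is requested. That is the attribute ktpass /princ ... /mapuser rewrites on the mapped account, and an account has a single UPN, so each name you want to kinit as needs its own account. The enctype check matters because whatever ktpass wrote is what the Linux side will use, and RC4 or DES entries in a copied keytab are easy to miss.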
