[31316] in Kerberos


Re: Kerberos auth against AD, keytabs, and service principal names

daemon@ATHENA.MIT.EDU (kerberos@noopy.org)
Mon Jul 20 15:54:05 2009

MIME-Version: 1.0
In-Reply-To: <4A64C5AB.7060205@anl.gov>
Date: Mon, 20 Jul 2009 15:51:55 -0400
Message-ID: <cba4e37e0907201251s6811b16dga2619dfa20fb0690@mail.gmail.com>
From: kerberos@noopy.org
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert@anl.gov> wrote:
>
[snip]
>
> A keytab has the SPN and the key.

I know this much as I've been writing out my own keytabs.  :-)

> When you kinit using a keytab to AD, you are using the SPN, but AD
> is looking it up as a UPN.

So this means servicePrincipalName is effectively useless in AD for
non-Windows systems, right -- in particular when you have X number of
principals in a keytab but only the one that matches the UPN will
work?

That's all I'm really trying to determine before...

>>  Is the only solution to have multiple AD entries, one for each SPN you intend to support?
>
> That may not be so bad, as you may want different keys for different
> principals. Just have a good account name naming convention for all
> these accounts.

... I try to implement the above.

-- 
K

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
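An added example, not code from this thread or from MIT Kerberos: since the reply mentions writing keytabs by hand, below is a small pure-Python writer and parser for MIT keytab format 2 (the 0x0502 layout written by MIT Kerberos, Heimdal and ktpass: big-endian fields, a uint16 component count that excludes the realm, counted octet strings for realm and components, then name type, timestamp, an 8-bit kvno, the enctype/key, and an optional trailing 32-bit kvno that takes precedence when non-zero). It builds a keytab holding several principals for one AD account, reads it back, and reports which entries carry the name that, per the thread, AD resolves as the account's userPrincipalName for kinit. The account, host names and key bytes are constructed placeholders, and the case-insensitive name comparison is an assumption about how AD matches principal names.

```python
"""Write and read MIT keytab format 2 (0x0502) files in pure Python.
Added example for this thread; constructed names and placeholder keys."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_VERSION = b"\x05\x02"  # format 2: big-endian, realm not counted in num_components
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str        # "name/instance@REALM"
    enctype: int          # RFC 3961 number: 17 aes128-cts, 18 aes256-cts, 23 rc4-hmac
    key: bytes
    kvno: int
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _split_principal(principal: str):
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must be name@REALM: {principal!r}")
    return name.split("/"), realm


def _counted(raw: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def encode_entry(entry: KeytabEntry) -> bytes:
    """One keytab record: int32 body size, then the body."""
    components, realm = _split_principal(entry.principal)
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", entry.name_type, entry.timestamp, entry.kvno & 0xFF)
    body += struct.pack(">HH", entry.enctype, len(entry.key)) + entry.key
    body += struct.pack(">I", entry.kvno)  # 32-bit kvno extension, read when space remains
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_VERSION + b"".join(encode_entry(e) for e in entries)


class _Reader:
    """Cursor over the keytab bytes."""
    def __init__(self, data: bytes, off: int):
        self.data, self.off = data, off

    def unpack(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return vals

    def raw(self, n: int) -> bytes:
        out = self.data[self.off:self.off + n]
        self.off += n
        return out

    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        return self.raw(n)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a format-2 keytab")
    rd, entries = _Reader(data, 2), []
    while rd.off + 4 <= len(data):
        (size,) = rd.unpack(">i")
        if size < 0:                      # negative size marks a deleted slot of that length
            rd.off += -size
            continue
        end = rd.off + size
        (ncomp,) = rd.unpack(">H")
        realm = rd.counted().decode()
        comps = [rd.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = rd.unpack(">IIB")
        enctype, klen = rd.unpack(">HH")
        key = rd.raw(klen)
        kvno = vno8
        if end - rd.off >= 4:             # 32-bit kvno present; it wins when non-zero
            (vno32,) = rd.unpack(">I")
            if vno32:
                kvno = vno32
        rd.off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, enctype, key,
                                   kvno, timestamp, name_type))
    return entries


def kinit_candidates(entries: List[KeytabEntry], account_upn: str) -> List[str]:
    """Keytab principals whose name equals the AD account's userPrincipalName.
    Per the thread, AD resolves the kinit client name as a UPN, so only these
    entries can be used with kinit -kt.  Case-insensitive matching is an
    assumption about AD's name comparison."""
    return sorted({e.principal for e in entries
                   if e.principal.lower() == account_upn.lower()})


# Constructed sample: one AD account holding two SPNs, with AES256 and RC4 keys.
# Key bytes are placeholders, not real key material.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", 18, bytes(range(32)), kvno=3, timestamp=1248120000),
    KeytabEntry("host/www.example.com@EXAMPLE.COM", 18, bytes(range(32)), kvno=3, timestamp=1248120000),
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", 23, bytes(range(16)), kvno=3, timestamp=1248120000),
]

if __name__ == "__main__":
    with open("svc-web.keytab", "wb") as fh:
        fh.write(build_keytab(SAMPLE_ENTRIES))
    with open("svc-web.keytab", "rb") as fh:
        for e in parse_keytab(fh.read()):
            print(f"kvno {e.kvno:3d} enctype {e.enctype:2d} {e.principal}")
    print("usable with kinit:", kinit_candidates(SAMPLE_ENTRIES, "HTTP/www.example.com@EXAMPLE.COM"))
```

With MIT tools installed, `klist -kt svc-web.keytab` lists the same entries, and `kinit -kt svc-web.keytab HTTP/www.example.com@EXAMPLE.COM` is the client-side step the thread discusses. The remaining entries are not wasted: a GSSAPI acceptor uses an entry to decrypt tickets issued for that SPN, so they serve for accepting connections as long as the SPN is registered on the account and the key and kvno match what AD holds.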

