Re: Kerberos auth against AD, keytabs, and service principal names

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Jul 20 16:11:33 2009

Message-ID: <4A64CF4B.5010202@anl.gov>
Date: Mon, 20 Jul 2009 15:10:51 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: kerberos@noopy.org
In-Reply-To: <cba4e37e0907201251s6811b16dga2619dfa20fb0690@mail.gmail.com>
Cc: kerberos@mit.edu



kerberos@noopy.org wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert@anl.gov> wrote:
> [snip]
>> A keytab has the SPN and the key.
> 
> I know this much as I've been writing out my own keytabs.  :-)
> 
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
> 
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right 

No. It is useless if you are trying to do a kinit, but not
if you want host/FQDN, HTTP/FQDN and ldap/FQDN to be the same for use
as service principals.

As Michael Allen said:
"Ktpass is a very simple program and cannot be used for what you are doing."


> -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?
> 
> That's all I'm really trying to determine before...
> 
>>>  Is the only solution to have multiple AD entries, one for each SPN you intend to support?
>> That may not be so bad, as you may want different keys for different
>> principals. Just have a good account name naming convention for all
>> these accounts.
> 
> ... I try to implement the above.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
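The thread keeps coming back to what a keytab actually holds and which of its entries kinit can use against AD. The following is an added example, not code from the thread or from MIT Kerberos: it writes and parses the MIT version-2 keytab format (the 0x0502 file klist -kt and ktutil read) with a dummy key, so you can see the per-entry principal, kvno and enctype for yourself. The realm EXAMPLE.COM, the host www.example.com, the account name wwwsvc and the key bytes are constructed for the illustration; the kinit_candidates helper only models the point made in the thread (AD resolves the name given to kinit as a UPN), it does not talk to a KDC.

```python
"""Build and parse an MIT-format keytab (header 0x0502) to inspect its entries.

Constructed sample data only: the realm, names and key bytes are dummies.
"""
import struct

KEYTAB_VERSION = 0x0502   # "version 2" keytab, the layout kinit/ktutil/klist read
NT_PRINCIPAL = 1          # name_type used here for user and service principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

REALM = "EXAMPLE.COM"             # assumed realm
SAMPLE_KEY = bytes(range(16))     # constructed 16-byte key, not a real secret
SAMPLE_ENTRIES = [
    # One assumed AD account (UPN wwwsvc@EXAMPLE.COM) carrying three SPNs:
    # all four entries share the same key and kvno, as they come from one account.
    {"principal": "wwwsvc",               "enctype": 23, "key": SAMPLE_KEY, "kvno": 3},
    {"principal": "host/www.example.com", "enctype": 23, "key": SAMPLE_KEY, "kvno": 3},
    {"principal": "HTTP/www.example.com", "enctype": 23, "key": SAMPLE_KEY, "kvno": 3},
    {"principal": "ldap/www.example.com", "enctype": 23, "key": SAMPLE_KEY, "kvno": 3},
]


def _counted(data: bytes) -> bytes:
    """Keytab 'counted string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(principal, enctype, key, kvno, realm=REALM, timestamp=0):
    """Serialise one keytab entry (int32 size prefix + body)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)   # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key                  # keyblock
    body += struct.pack(">I", kvno)          # 32-bit kvno; modern MIT writes this trailer
    return struct.pack(">i", len(body)) + body


def write_keytab(entries, realm=REALM) -> bytes:
    blob = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        blob += encode_entry(realm=realm, **e)
    return blob


def read_keytab(blob: bytes):
    """Parse every live entry of a v2 keytab; free slots (negative size) are skipped."""
    if len(blob) < 2 or struct.unpack(">H", blob[:2])[0] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size == 0:
            break                                   # nothing further
        if size < 0:
            pos += -size                            # hole left by a deleted entry
            continue
        rec, off = blob[pos:pos + size], 0
        if len(rec) != size:
            raise ValueError("truncated keytab entry")
        ncomp, rlen = struct.unpack(">HH", rec[off:off + 4]); off += 4
        realm = rec[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", rec[off:off + 2]); off += 2
            comps.append(rec[off:off + clen].decode()); off += clen
        name_type, timestamp, vno8 = struct.unpack(">IIB", rec[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", rec[off:off + 4]); off += 4
        key = rec[off:off + klen]; off += klen
        kvno = vno8
        if size - off >= 4:                         # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack(">I", rec[off:off + 4])
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
        pos += size
    return entries


def kinit_candidates(entries, upn):
    """Entries kinit -kt could use for an account whose UPN is `upn`.

    Models the thread's point: AD looks the kinit principal up as a UPN, so only
    the entry whose full name equals the UPN matches; host/, HTTP/, ldap/ do not.
    """
    return [e for e in entries if e["principal"] == upn]


def service_entries(entries):
    """Entries with a service/host name, i.e. the ones that serve as SPNs."""
    return [e for e in entries if "/" in e["principal"].split("@")[0]]


def shared_key_groups(entries):
    """Group principals by (enctype, kvno, key); one AD account yields one group."""
    groups = {}
    for e in entries:
        groups.setdefault((e["enctype"], e["kvno"], e["key"]), []).append(e["principal"])
    return list(groups.values())


if __name__ == "__main__":
    parsed = read_keytab(write_keytab(SAMPLE_ENTRIES))
    for e in parsed:                                   # klist -kt style listing
        print(f"{e['kvno']:4d} {e['principal']} ({e['enctype_name']})")
    print("usable with kinit -kt:", [e["principal"] for e in kinit_candidates(parsed, "wwwsvc@EXAMPLE.COM")])
```

On a real system, `klist -kt /etc/krb5.keytab` shows the same kvno/principal columns the listing above prints; a kvno that does not match the account's current key version in AD is the usual reason a freshly written keytab fails.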
