[31318] in Kerberos
Re: Kerberos auth against AD, keytabs, and service principal names
daemon@ATHENA.MIT.EDU (John Jasen)
Mon Jul 20 16:29:15 2009
Message-ID: <4A64D36F.20401@realityfailure.org>
Date: Mon, 20 Jul 2009 16:28:31 -0400
From: John Jasen <jjasen@realityfailure.org>
MIME-Version: 1.0
To: kerberos@noopy.org
In-Reply-To: <cba4e37e0907201251s6811b16dga2619dfa20fb0690@mail.gmail.com>
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
kerberos@noopy.org wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert@anl.gov> wrote:
> [snip]
>> A keytab has the SPN and the key.
>
> I know this much as I've been writing out my own keytabs. :-)
>
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
>
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?
No. I asked questions along the same vein a while back:
Apparently you should be doing a kinit -S
serviceprincipalname/hostname.fqdn (i.e. nfs/foo.noopy.org), to get a
service ticket for the appropriate service.
--
-- John E. Jasen (jjasen@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
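Added worked example (not part of this thread, and not MIT krb5 or Microsoft code): a small Python script that builds a constructed keytab holding one account principal plus two SPNs for the same host, parses it back the way klist -k lists it, and assembles the kinit -k -t ... -S command line from the reply above. The principal names foo-nfs@NOOPY.ORG, nfs/foo.noopy.org@NOOPY.ORG and host/foo.noopy.org@NOOPY.ORG, the key bytes, the kvno, the timestamp and the keytab path are all made up for the example, and the one-account-principal-per-keytab rule in kinit_argv is an assumption of the example, not a property of AD.

```python
import struct

# MIT keytab file format, version 0x0502 (big-endian throughout).
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # plain account principal, e.g. foo-nfs@REALM
KRB5_NT_SRV_HST = 3     # service/host principal, e.g. nfs/foo.noopy.org@REALM
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18

# Constructed sample (not a real keytab): one account principal and two SPNs
# for the same host, all sharing a dummy key.
SAMPLE_ENTRIES = [
    ("foo-nfs@NOOPY.ORG", ETYPE_AES256_CTS_HMAC_SHA1_96, 3, b"\x11" * 32, 1248121711),
    ("nfs/foo.noopy.org@NOOPY.ORG", ETYPE_AES256_CTS_HMAC_SHA1_96, 3, b"\x11" * 32, 1248121711),
    ("host/foo.noopy.org@NOOPY.ORG", ETYPE_AES256_CTS_HMAC_SHA1_96, 3, b"\x11" * 32, 1248121711),
]


def _counted(data: bytes) -> bytes:
    """16-bit length prefix followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, enctype, kvno, key, timestamp) tuples as a v0x0502 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, kvno, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        name_type = KRB5_NT_SRV_HST if len(comps) > 1 else KRB5_NT_PRINCIPAL
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)       # keyblock: enctype + key
        body += struct.pack(">I", kvno)                          # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body               # signed entry-length prefix
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return one dict per live entry, in file order (what 'klist -k -t -e' shows)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v0x0502 keytab")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        if end - pos >= 4:      # optional 32-bit kvno; it wins over the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
    return entries


def service_principals(entries):
    """Names of the form service/host@REALM: what you pass to kinit -S."""
    return [e["principal"] for e in entries if "/" in e["principal"].split("@", 1)[0]]


def account_principals(entries):
    """Names without a service component: the account AD looks up as a UPN on kinit."""
    return [e["principal"] for e in entries if "/" not in e["principal"].split("@", 1)[0]]


def kinit_argv(keytab_path: str, entries, spn: str):
    """argv for 'kinit -k -t <keytab> -S <spn> <account>', per the reply above.
    Assumes exactly one account principal in the keytab (this example's assumption)."""
    if spn not in service_principals(entries):
        raise ValueError(f"{spn} is not in the keytab")
    (account,) = account_principals(entries)
    return ["kinit", "-k", "-t", keytab_path, "-S", spn, account]


if __name__ == "__main__":
    ents = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in ents:
        print(f"kvno {e['kvno']} etype {e['enctype']} {e['principal']}")
    print(" ".join(kinit_argv("/etc/krb5.keytab", ents, "nfs/foo.noopy.org@NOOPY.ORG")))
```

Run it and compare the listing with klist -k -t -e on a real keytab written for an AD account; the parser follows the v0x0502 layout (big-endian fields, 8-bit kvno plus the optional 32-bit trailer, negative entry size for a deleted slot), so it will also read keytabs produced by ktutil or ktpass. The point of the last function is the split the thread is about: the SPNs go after -S, while the principal named last on the kinit line is the account AD resolves as a UPN.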