[31319] in Kerberos


Re: Kerberos auth against AD, keytabs, and service principal names

daemon@ATHENA.MIT.EDU (kerberos@noopy.org)
Mon Jul 20 16:46:55 2009

In-Reply-To: <4A64D36F.20401@realityfailure.org>
Date: Mon, 20 Jul 2009 16:46:17 -0400
Message-ID: <cba4e37e0907201346u87750baxaa076dd4d90f7331@mail.gmail.com>
From: kerberos@noopy.org
To: John Jasen <jjasen@realityfailure.org>
Cc: kerberos@mit.edu, "Douglas E. Engert" <deengert@anl.gov>

On Mon, Jul 20, 2009 at 4:28 PM, John Jasen<jjasen@realityfailure.org> wrote:
> kerberos@noopy.org wrote:
>>
>> So this means servicePrincipalName is effectively useless in AD for
>> non-Windows systems, right -- in particular when you have X number of
>> principals in a keytab but only the one that matches the UPN will
>> work?
>
> No. I asked questions along the same vein a while back. :
>
> Apparently you should be doing a kinit -S
> serviceprincipalname/hostname.fqdn (i.e. nfs/foo.noopy.org), to get a
> service ticket for the appropriate service.

Ah ha!  So this is the magic test I'd been misunderstanding.

So now I can do the following and everything works in the way I'd hope:

  kinit -k -t /some/keytab princ/host.fqdn@REALM
  kinit -S otherprinc/host.fqdn@REALM myprinc@REALM

Thanks everyone!

(And yes, I agree that ktpass.exe isn't the right tool for this job.
msktutil would seem to work nicely in an environment where one has
admin access to AD.)

-- 
Nathan Patwardhan
"There should be a dating service for unusual-in-a-good-way people."
~~ Anne Kadet  - http://www.noopy.org/quotes/q.cgi?tag=annedating
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
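The two-step test Nathan describes (kinit -k with a keytab principal, then kinit -S for a service principal) is easy to get wrong when the keytab does not actually contain the principal you name, or when the -S argument is not of the service/host.fqdn@REALM form. The script below is an added example, not code from the thread or from MIT Kerberos; it wraps those two commands with checks on `klist -k` and `klist` output, and exercises the checks against constructed sample output so it runs without a KDC. The keytab path, principal names, realm and the RUN_LIVE switch are placeholders and assumptions. The second kinit uses `-k -t` as well, so it takes the key from the keytab rather than prompting for a password as the bare `kinit -S` in the mail would.

```shell
#!/bin/sh
# Added example (not from the original thread): the two kinit steps from
# the mail with the checks a practitioner wants around them. Keytab path,
# principal names and realm below are assumptions / placeholders.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CLIENT_PRINC="${CLIENT_PRINC:-host/foo.noopy.org@EXAMPLE.COM}"
SERVICE_PRINC="${SERVICE_PRINC:-nfs/foo.noopy.org@EXAMPLE.COM}"

# listing_has_principal PRINC  (reads `klist -k` or `klist` output on stdin)
# Entry lines in both listings end with the principal name, so an exact
# compare on the last field finds it; header and separator lines never match.
listing_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# is_service_principal PRINC: true only for the service/host.fqdn@REALM
# shape that kinit -S expects (the point John Jasen made in the thread).
is_service_principal() {
    case "$1" in
        */*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# principal_realm PRINC: print the realm part, fail if the name has none.
principal_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   return 1 ;;
    esac
}

# acquire_service_ticket: check the keytab, get a TGT with the keytab key,
# then ask for the service ticket and confirm it landed in the cache.
acquire_service_ticket() {
    klist -k -t "$KEYTAB" | listing_has_principal "$CLIENT_PRINC" \
        || { echo "$CLIENT_PRINC is not in $KEYTAB" >&2; return 1; }
    is_service_principal "$SERVICE_PRINC" \
        || { echo "$SERVICE_PRINC is not service/host.fqdn@REALM" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$CLIENT_PRINC" || return 1
    kinit -k -t "$KEYTAB" -S "$SERVICE_PRINC" "$CLIENT_PRINC" || return 1
    klist | listing_has_principal "$SERVICE_PRINC" \
        || { echo "no ticket for $SERVICE_PRINC in the cache" >&2; return 1; }
}

# Constructed sample listings (not real output) so the helpers can be
# exercised offline; the layout mirrors MIT klist -k -t and klist.
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/20/09 16:40:00 host/foo.noopy.org@EXAMPLE.COM
   2 07/20/09 16:40:00 nfs/foo.noopy.org@EXAMPLE.COM'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/foo.noopy.org@EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/09 16:46:17    07/21/09 02:46:17    nfs/foo.noopy.org@EXAMPLE.COM'

# self_check: run the helpers over the constructed samples.
self_check() {
    printf '%s\n' "$SAMPLE_KLIST_K" | listing_has_principal "$CLIENT_PRINC" || return 1
    printf '%s\n' "$SAMPLE_KLIST_K" | listing_has_principal "$SERVICE_PRINC" || return 1
    printf '%s\n' "$SAMPLE_KLIST" | listing_has_principal "$SERVICE_PRINC" || return 1
    is_service_principal "$SERVICE_PRINC" || return 1
    [ "$(principal_realm "$SERVICE_PRINC")" = EXAMPLE.COM ] || return 1
}

# Set RUN_LIVE=1 to run the real kinit/klist sequence instead of the offline check.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    acquire_service_ticket
else
    self_check
fi
```

The exact-field compare in `listing_has_principal` is deliberate: a substring match would let `nfs/foo.noopy.org@EXAMPLE.COM` be "found" when only `nfs/foo.noopy.org.example.com@EXAMPLE.COM` or a different realm is present, which is precisely the mismatch between keytab and AD servicePrincipalName that the thread is about.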
