[31529] in Kerberos


Re: msktutil requires separate account for each service principal?

daemon@ATHENA.MIT.EDU (Markus Moeller)
Fri Oct 2 15:22:06 2009

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Fri, 2 Oct 2009 20:21:02 +0100
Message-ID: <ha5jr0$2eq$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

John,

  That is correct. msktutil updates the key of the computer account. So the 
second msktutil call with the same computer-name will make the first entry 
invalid. But you can have host and http assigned to the same AD account if 
you use other tools like net ads join with net ads keytab.

Regards
Markus

"John Hefferman" <john.hefferman@cern.ch> wrote in message 
news:471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch...
> Dear list,
>
> To my knowledge (and after some tests), msktutil requires a separate 
> account in Active Directory for each service principal needed for a 
> machine.
>
> For instance, if a Linux computer is going to need a host/ and a http/ 
> service principal it would be necessary to run msktutil twice, such as:
>
> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k linuxComputer.keytab --server domainControllerFqdn
>
> msktutil -h fqdn --computer-name linux-computer-http --verbose -s http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn
>
> I just wanted to confirm this was the case, or whether it is possible to 
> have both host/ and http/ under the same account in AD.
>
> Thanks in advance for any help,
>
> John
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
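
A check for the situation described in the reply above, as an added example that is not part of the original thread or of msktutil: it reads `klist -k` output and lists keytab entries whose KVNO is older than the account's current key version. The realm, the sample listings and the function names are constructed, and it assumes the account's current KVNO is supplied by the operator (for example from the account's msDS-KeyVersionNumber attribute).

```shell
#!/bin/sh
# Added example (not from the thread): spot keytab entries left behind when a
# later key reset on the same AD account superseded them.

# Constructed `klist -k` listing for the keytab written by the first run.
sample_first() { cat <<'EOF'
Keytab name: FILE:linuxComputer.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fqdn@EXAMPLE.COM
   2 host/fqdn@EXAMPLE.COM
EOF
}

# Constructed listing for the keytab written by the second run against the
# same account (assumption: the reset raised the account KVNO from 2 to 3).
sample_second() { cat <<'EOF'
Keytab name: FILE:linuxComputerHttp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 http/fqdn@EXAMPLE.COM
   3 http/fqdn@EXAMPLE.COM
EOF
}

# stale_entries CURRENT_KVNO
# Reads `klist -k` output on stdin and prints one line per distinct entry
# whose KVNO is lower than CURRENT_KVNO. Prints nothing if all are current.
stale_entries() {
    awk -v cur="$1" '
        /^----/ { body = 1; next }   # entries start after the dashed rule
        body && $1 ~ /^[0-9]+$/ && $1 + 0 < cur + 0 && !seen[$1 " " $2]++ {
            printf "%s kvno=%s current=%s\n", $2, $1, cur
        }'
}

# Demo on the constructed listings; against a real keytab, pipe in
# `klist -k <keytab>` instead of the sample function.
sample_first  | stale_entries 3
sample_second | stale_entries 3
```
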

