[31758] in Kerberos


Re: ktpass troubles

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Dec 11 10:22:48 2009

Message-ID: <4B2263A1.5020302@anl.gov>
Date: Fri, 11 Dec 2009 09:22:09 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: Vitaly Tskhovrebov <Vitaly.Tskhovrebov@exigenservices.com>
In-Reply-To: <B6C4EB6BB2F4654C835D1F7319E4E6742B7DBE4B2F@SPBEX03.internal.corp>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>



Vitaly Tskhovrebov wrote:
> It's funny, but when the "host" test was done, the "HTTP" was broken. It's a
> kind of street magic...
> 

You can still use ktpass, but it's much cleaner to use one principal
per account. They will each have a separate key, and in separate
keytabs. You can still combine the two keytabs with ktutil.
Your issues were with trying to have both a "HTTP" and "host" SPN
on the same account.

> There was no replication issue, 'cause I made commands on the target DC.
> I'll try next week this tool, thanks!
> 
> --
> Vitaly.
> 
> We don't use ktpass but msktutil instead:
> 
> http://download.systemimager.org/~finley/msktutil/
> 
> (If you use this, if the service name is not lowercase,
> use the --computer-name option rather than letting it
> derive the name.)

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
