help sought: accessing linux services from clients in an AD

Barbat, Calin c.barbat at osram.de
Fri Aug 20 04:25:21 EDT 2004


Hello!

I'm trying to make a service running on a linux host accessible (using MIT Kerberos for single sign on) to windows clients. The linux host and the windows clients are in a common Windows 2000 Server Active Directory domain.
After having "googled" exhaustively for (and collected a huge amount of) relevant information, I have some questions about two particular Windows tools:

One is ktpass.exe (it's used to extract the keytab from the Windows Domain Controller), the other is setspn.exe (it seems to establish a relationship between a user and a service principal).
Many step-by-step descriptions don't mention the latter (setspn.exe). However, some posts in a Linux security mailing list mention it.

The Windows-side setup of a service account seems to go like:

1. Create AD service user account.
2. (Optional? Necessary? Recommended?) setspn to map a service to the account.
3. ktpass to extract keytab entry for the service user account

My questions are:

1. (When) Do I need to do a setspn or not?
2. Does it have to be issued before or after ktpass?
3. What is the difference from using ktpass alone?
4. Have you attempted to do a similar thing? If so, share your knowledge. :-)

Thank you,

C. Barbat
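The three-step procedure the questions above circle around, as an added example that is not part of the original message or of any reply to it: a PowerShell script (the same commands can be typed into cmd.exe one at a time) that creates the service account, registers the SPN, writes the keytab with ktpass, and then lists the account's SPNs so the effect of each step is visible. Realm, host, account and file names are assumptions; the flag names are those of the ktpass.exe and setspn.exe shipped in the Windows Support Tools, so check `ktpass /?` on the version you actually have. On the ordering question: ktpass with /mapuser writes the SPN (and, by default, the UPN) for the principal it maps onto the account, so a separate setspn -A is only required for additional SPNs on the same account; the closing setspn -L shows what ended up on the account either way.

```powershell
# Added example (editor's, not from the original post): the Windows-side
# procedure the message lists, with a check after each step. Run as a
# domain administrator on the Windows 2000 DC (or on a domain member with
# the Support Tools installed, which provide setspn.exe and ktpass.exe).
# Every name below is an assumption; replace with your own values.

$Realm    = 'EXAMPLE.COM'             # Kerberos realm = AD domain name, upper case
$HostFqdn = 'linuxbox.example.com'    # Linux host, as its clients resolve it
$Account  = 'svc-linuxbox'            # AD service account to create
$Spn      = "host/$HostFqdn"          # MIT-style SPN; HTTP/... etc. for other services
$Princ    = "$Spn@$Realm"             # principal exactly as it must appear in the keytab
$Keytab   = 'C:\Temp\linuxbox.keytab'
$Crypto   = 'DES-CBC-MD5'             # Windows 2000 DCs only speak DES; on 2008+ use AES256-SHA1

function Invoke-Tool {
    # Run an external tool and stop at the first failure instead of
    # silently producing a keytab that does not match the account.
    param([string]$Step, [scriptblock]$Command)
    Write-Host "==> $Step"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# Random 14-character password. Nobody logs in with it; the Linux host only
# gets the key derived from it, inside the keytab. 14 characters keeps
# 'net user' from prompting about pre-Windows-2000 compatibility, which
# would hang a script.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 12
$rng.GetBytes($buf)
$Password = [Convert]::ToBase64String($buf).Substring(0, 14)

# 1. Create the service account. Afterwards, in AD Users and Computers, tick
#    "Password never expires" (an expired or changed password invalidates the
#    keytab) and, on Windows 2000, "Use DES encryption types for this account".
Invoke-Tool "create account $Account" { net user $Account $Password /add /domain /passwordchg:no }

# 2. Register the SPN on the account. ktpass /mapuser (step 3) also writes an
#    SPN and UPN for the principal it maps, so an explicit setspn is what you
#    use for *additional* SPNs (e.g. a CNAME under which clients also reach
#    the host); for a single SPN it is harmless but redundant.
Invoke-Tool "register SPN $Spn" { setspn -A $Spn $Account }

# 3. Map the principal to the account and write the keytab. ktpass resets the
#    account password to the /pass value, so the same password must be given
#    here; KRB5_NT_PRINCIPAL is the name type MIT Kerberos expects.
Invoke-Tool "write keytab $Keytab" {
    ktpass /princ $Princ /mapuser "$Account@$Realm" /pass $Password `
           /ptype KRB5_NT_PRINCIPAL /crypto $Crypto /out $Keytab
}

# 4. Check: the SPN must now be listed on this account and on no other one
#    (the same SPN on two accounts breaks Kerberos for that service).
Invoke-Tool "list SPNs of $Account" { setspn -L $Account }
Write-Host "Copy $Keytab to the Linux host as /etc/krb5.keytab (owner root, mode 0600)"
```

On the Linux side, `klist -k -t -e /etc/krb5.keytab` should list the principal with the expected encryption type, and `kinit -k -t /etc/krb5.keytab host/linuxbox.example.com@EXAMPLE.COM` must succeed; a preauthentication failure at that point almost always means the key in the keytab no longer matches the account, typically because the account password was changed after ktpass ran, and the fix is to run ktpass again and redistribute the keytab.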


