kerberos tickets and the SPNs
Markus Moeller
huaraz@moeller.plus.com
Thu May 7 18:56:55 EDT 2009
"Ravi Channavajhala" <ravi.channavajhala@dciera.com> wrote in message
news:mailman.20.1241667589.9729.kerberos@mit.edu...
> On Thu, May 7, 2009 at 1:19 AM, Markus Moeller <huaraz@moeller.plus.com>
> wrote:
>>
>> You could add a copy to the keytab with ktutil which has an uppercase
>> HOST, e.g.
>>
>> # ktutil
>> ktutil: rkt /tmp/test.keytab
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: addent -key -p HOST/opensuse11.suse.home@SUSE.HOME -k 3 -e rc4-hmac
>> Key for HOST/opensuse11.suse.home@SUSE.HOME (hex): d962b1ecc18a809eb57c4a031193623a
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> 2 3 HOST/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: wkt /tmp/new.keytab
>> ktutil: quit
>
> Interesting. This means, I need to have all the SPNs included in the
> keytab? Do you see an inherent problem with deleting the existing
> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
> generating the keytab?
>
The best would be to have one entry in AD with the host/fqdn syntax. If you
have clients requesting HOST/fqdn just use the above method to add a second
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
way as it is case insensitive, so no need to add a second entry to AD.
Markus
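An added example (my code, not part of the thread and not MIT Kerberos code): a small reader/writer for the MIT keytab v2 file format plus a function that does what the quoted ktutil addent step does for every service principal and every enctype at once, so the uppercase-service copy always carries the same kvno, enctype and key as the original, and a re-parse of the written file lets you verify the result. The constructed sample entry reuses the principal, kvno and key shown in the quoted session; the enctype number 23 for rc4-hmac is the standard assignment.

```python
import struct

KEYTAB_V2, NT_PRINCIPAL = b"\x05\x02", 1  # keytab file format version 2; NT-PRINCIPAL name type
def _cstr(b): return struct.pack(">H", len(b)) + b  # counted octet string: 16-bit length + bytes
# Constructed sample input: the entry from the quoted ktutil session (enctype 23 = rc4-hmac)
SAMPLE = [("host/opensuse11.suse.home@SUSE.HOME", 3, 23, bytes.fromhex("d962b1ecc18a809eb57c4a031193623a"))]

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into a v2 keytab blob."""
    out = bytearray(KEYTAB_V2)
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _cstr(realm.encode())  # ncomp, realm
        body += b"".join(_cstr(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBHH", NT_PRINCIPAL, 0, kvno & 0xFF, enctype, len(key))  # type, ts, vno8, etype, klen
        body += key + struct.pack(">I", kvno)  # key bytes, then the 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # every entry is length-prefixed
    return bytes(out)

def parse_keytab(data):  # inverse of build_keytab; deleted slots carry a negative size
    if data[:2] != KEYTAB_V2: raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:
            off -= size; continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strings = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, p); p += 2
            strings.append(data[p:p + n].decode()); p += n
        _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p); p += 13
        key = data[p:p + klen]; p += klen
        kvno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno32 or vno8, enctype, key))
        off = end
    return entries

def add_uppercase_service_copies(entries):
    """Add, per service principal and enctype, an uppercase-service copy with the same kvno and key."""
    present, extra = {(p, kv, et) for p, kv, et, _ in entries}, []
    for princ, kvno, enctype, key in entries:
        if "/" not in princ: continue  # user principal, nothing to clone
        service, rest = princ.split("/", 1)
        upper = service.upper() + "/" + rest
        if (upper, kvno, enctype) not in present:  # the post's ktutil addent step, for every entry
            extra.append((upper, kvno, enctype, key)); present.add((upper, kvno, enctype))
    return list(entries) + extra
```

Because the copy is a second keytab entry only, the AD side is unchanged, which matches the advice above to keep a single host/fqdn SPN in AD.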