service name restrictions in AD? problem with kca_service

Dirk Pape pape at
Mon Oct 13 10:56:52 EDT 2003


Maybe I have some related bug with principal names in AD, but maybe not.

In article 
<CCB2683E47559142B2DFE0768181A5BBD82535 at campaspe-cq.vic.cmis.CSIRO.AU>,
 Bob.Smart at wrote:

> With just kca it worked. With kca_service I got:
>   get_cert_authent_K5: krb5_mk_req: Server not found in Kerberos database
>   Try re-authenticating(K5).  Unable to use your tickets to build the
> necessary authenticator.
> However I find this hard to believe since there doesn't seem 
> to be a report of such a problem on the web that I can find.

For the use of the kerberized IMAP-Server cyrus, we need to map a SPN 
imap.hostname to a service account in AD.

I tried this with ktpass but mapping always failed with an error and the 
SPN was not attached to the account (I tried this with new accounts 

But it was possible to attach imap/hostname to the same account. Hence 
there seems to be some problem which is related to syntax of SPNs 
allowed in AD.

To your question about using computer accounts:

In W2k-Server I have succeeded in mapping a SPN to a computer account by 
mapping to the user host$, where host is the hostname. This did not work 
when I recently tried on a 2003 Server.


Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190
