service name restrictions in AD? problem with kca_service
pape at inf.fu-berlin.de
Mon Oct 13 10:56:52 EDT 2003
Maybe I have some related bug with principal names in AD, but maybe not
<CCB2683E47559142B2DFE0768181A5BBD82535 at campaspe-cq.vic.cmis.CSIRO.AU>,
Bob.Smart at csiro.au wrote:
> With just kca it worked. With kca_service I got:
> get_cert_authent_K5: krb5_mk_req: Server not found in Kerberos database
> Try re-authenticating(K5). Unable to use your tickets to build the
> necessary authenticator.
> However I find this hard to believe since there doesn't seem
> to be a report of such a problem on the web that I can find.
For the use of the kerberized IMAP-Server cyrus, we need to map a SPN
imap.hostname to a service account in AD.
I tried this with ktpass but mapping always failed with an error and the
SPN was not attached to the account (I tried this with new accounts
But it was possible to attach imap/hostname to the same account. Hence
there seems to be some problem which is related to the syntax of SPNs
allowed in AD.
To your question about using computer accounts:
In W2k-Server I succeeded in mapping a SPN to a computer account by
mapping to the user host$, where host is the hostname. This did not work
when I recently tried on a 2003 Server.
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190