samba keytab support for AD and kinit -k

Markus Moeller huaraz at moeller.plus.com
Sun Dec 5 08:56:55 EST 2004


Luke

You can use setspn to assign an SPN to a user or computer account.

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp

Regards
Markus

"Luke Howard" <lukeh at padl.com> wrote in message 
news:200411300252.iAU2q9cd037261 at au.padl.com...
>
>>Unfortunately it looks like 3.0.9, while providing the host services that
>>use the keytab with all combinations of keytab entries to match the
>>Windows 2003/AD SPN and UPN combinations, does not address this issue.
>>The UPN is still registered as HOST/{short-host-name}@REALM, and a normal
>>kinit -k will not succeed because the KDC does not accept the use of the
>>SPN for an initial authentication. I understand there is a way under
>>Windows to map SPNs to user accounts (UPNs), but I'm not sure how to
>>accomplish that. Maybe we can accomplish this when we create the LDAP
>>entry in AD? That might be a better alternative than changing the UPN to
>>HOST/{fqdn}@REALM if it may cause any problems.
>
> I don't think there is a way around setting the UPN to contain the
> FQDN.
>
> -- Luke
>
>
> --
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
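
Added example, not part of either message and not Samba or MIT code: this Python reads an MIT-format keytab and separates the entry whose name equals the account's UPN, which per the thread is the only one the KDC accepts for `kinit -k`, from entries that are SPNs only. The host name, realm, UPN and all-zero keys are constructed sample values.

```python
import struct

def parse_keytab(data):
    """Return principal names from an MIT keytab (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative length marks a deleted entry
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):       # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
    return names

def build_entry(principal, kvno=2, key=b"\0" * 16):
    """Build one keytab entry with a dummy key (for the constructed sample only)."""
    name, realm = principal.rsplit("@", 1)
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIB", 1, 0, kvno)          # name type, timestamp, kvno
    body += struct.pack(">HH", 23, len(key)) + key   # enctype, key length, key
    return struct.pack(">i", len(body)) + body

def kinit_candidates(keytab_bytes, upn):
    """Return (entries equal to the account UPN, entries that are SPNs only)."""
    names = parse_keytab(keytab_bytes)
    return [n for n in names if n == upn], [n for n in names if n != upn]

# Constructed sample: host, realm and UPN are assumptions, keys are all zero.
SAMPLE = b"\x05\x02" + b"".join(build_entry(p) for p in (
    "HOST/web1@EXAMPLE.COM",
    "HOST/web1.example.com@EXAMPLE.COM",
    "host/web1.example.com@EXAMPLE.COM",
))
SAMPLE_UPN = "HOST/web1@EXAMPLE.COM"   # short-host-name form described in the thread

if __name__ == "__main__":
    usable, spn_only = kinit_candidates(SAMPLE, SAMPLE_UPN)
    print("usable with kinit -k:", usable, "| SPN only:", spn_only)
```

The comparison is an exact string match; pass the UPN exactly as it is stored on the account.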




