samba keytab support for AD and kinit -k
Markus Moeller
huaraz at moeller.plus.com
Sun Dec 5 08:56:55 EST 2004
Luke
you can use setspn to assign a SPN to a user or computer account.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp
Regards
Markus
"Luke Howard" <lukeh at padl.com> wrote in message
news:200411300252.iAU2q9cd037261 at au.padl.com...
>
>>Unfortunately it looks like 3.0.9, while providing the host services
>>that use the keytab with all combinations of
>>keytab entries to match the Windows 2003/AD SPN and UPN combinations,
>>does not address this issue. The UPN
>>is still registered as HOST/{short-host-name}@REALM, and a normal kinit
>>-k will not succeed because the KDC
>>does not accept the use of the SPN for an initial authentication. I
>>understand there is a way under Windows to
>>map SPNs to user accounts (UPNs), but I'm not sure how to accomplish
>>that. Maybe we can accomplish this when
>>we create the LDAP entry in AD? That might be a better alternative
>>than changing the UPN to HOST/{fqdn}@REALM
>>if it may cause any problems.
>
> I don't think there is a way around setting the UPN to contain the
> FQDN.
>
> -- Luke
>
>
> --
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list