samba keytab support for AD and kinit -k

Luke Howard lukeh at padl.com
Mon Nov 29 21:52:09 EST 2004


>Unfortunately it looks like 3.0.9, while providing the host services 
>that use the keytab with all combinations of
>keytab entries to match the Windows 2003/AD SPN and UPN combinations, 
>does not address this issue.  The UPN
>is still registered as HOST/{short-host-name}@REALM, and a normal kinit 
>-k  will not succeed because the KDC
>does not accept the use of the SPN for an initial authentication.   I 
>understand there is a way under Windows to
>map SPNs to user accounts (UPNs), but I'm not sure how to accomplish 
>that. Maybe we can accomplish this when
>we create the LDAP entry in AD?   That might be a better alternative 
>than changing the UPN to HOST/{fqdn}@REALM
>if it may cause any problems.

I don't think there is a way around setting the UPN to contain the
FQDN.

-- Luke


--


More information about the Kerberos mailing list