samba keytab support for AD and kinit -k
Luke Howard
lukeh at padl.com
Mon Nov 29 21:52:09 EST 2004
> Unfortunately it looks like 3.0.9, while providing the host services that
> use the keytab with all combinations of keytab entries to match the
> Windows 2003/AD SPN and UPN combinations, does not address this issue.
> The UPN is still registered as HOST/{short-host-name}@REALM, and a normal
> kinit -k will not succeed because the KDC does not accept the use of the
> SPN for an initial authentication. I understand there is a way under
> Windows to map SPNs to user accounts (UPNs), but I'm not sure how to
> accomplish that. Maybe we can accomplish this when we create the LDAP
> entry in AD? That might be a better alternative than changing the UPN to
> HOST/{fqdn}@REALM if it may cause any problems.
I don't think there is a way around setting the UPN to contain the
FQDN.
-- Luke
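The failure described in the thread (the keytab holds host/{fqdn} entries, but the account's UPN is HOST/{short-host-name}@REALM, so the default `kinit -k` client name is only a service principal) can be checked offline before touching AD. The following is an added example, not code from the thread, from Samba or from MIT Kerberos. It assumes, as the thread does, that the KDC accepts an AS-REQ only for a client name equal to the account's userPrincipalName or its sAMAccountName form (HOST$@REALM), and that AD compares names case-insensitively; the `klist -k` output, the account attributes, the host name fileserver.example.com and the realm EXAMPLE.COM are constructed sample data.

```python
"""Diagnose which keytab principals an AD KDC will accept for `kinit -k`.

Added example (not code from the thread or from Samba). Assumption, following
the thread: an AS-REQ succeeds only when the client name in the keytab equals
the account's userPrincipalName or its sAMAccountName form (HOST$@REALM);
names present only as servicePrincipalName values can decrypt service
tickets but cannot be used for initial authentication. AD name comparison is
treated as case-insensitive (assumed).
"""
import re

# Constructed sample output of `klist -k /etc/krb5.keytab` (MIT klist layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM
   3 host/fileserver@EXAMPLE.COM
   3 HOST/fileserver.example.com@EXAMPLE.COM
   3 HOST/fileserver@EXAMPLE.COM
   3 FILESERVER$@EXAMPLE.COM
"""

# Constructed AD machine-account attributes as the thread describes Samba 3.0.9
# creating them: short-name UPN, FQDN and short-name SPNs.
SAMPLE_ACCOUNT = {
    "sAMAccountName": "FILESERVER$",
    "userPrincipalName": "HOST/fileserver@EXAMPLE.COM",
    "servicePrincipalName": ["HOST/fileserver.example.com", "HOST/fileserver"],
}


def parse_klist(text):
    """Return the principal names listed in `klist -k` output (KVNO rows only)."""
    return [m.group(1) for m in
            (re.match(r"^\s*\d+\s+(\S+@\S+)$", line) for line in text.splitlines())
            if m]


def classify(principal, account):
    """Classify a keytab principal as a client name for `kinit -k`.

    Returns "upn", "samaccountname", "spn-only" or "unknown".
    """
    p = principal.lower()
    name = p.rpartition("@")[0]
    if p == account["userPrincipalName"].lower():
        return "upn"
    if name == account["sAMAccountName"].lower():
        return "samaccountname"
    if name in (s.lower() for s in account["servicePrincipalName"]):
        return "spn-only"
    return "unknown"


def usable_for_kinit(klist_text, account):
    """Keytab principals that can be passed explicitly to `kinit -k <principal>`."""
    return [p for p in parse_klist(klist_text)
            if classify(p, account) in ("upn", "samaccountname")]


def default_kinit_principal(fqdn, realm):
    """Client name MIT `kinit -k` uses when none is given: host/<fqdn>@REALM."""
    return f"host/{fqdn}@{realm}"


def default_kinit_works(klist_text, account, fqdn, realm):
    """True when a plain `kinit -k` would succeed under the stated assumption:
    the default client name is in the keytab and is a UPN/sAMAccountName."""
    wanted = default_kinit_principal(fqdn, realm).lower()
    for p in parse_klist(klist_text):
        if p.lower() == wanted:
            return classify(p, account) in ("upn", "samaccountname")
    return False


def with_fqdn_upn(account, fqdn, realm):
    """Account attributes after the change the reply recommends:
    userPrincipalName = HOST/<fqdn>@REALM."""
    fixed = dict(account)
    fixed["userPrincipalName"] = f"HOST/{fqdn}@{realm}"
    return fixed


if __name__ == "__main__":
    fqdn, realm = "fileserver.example.com", "EXAMPLE.COM"
    for p in parse_klist(SAMPLE_KLIST):
        print(f"{p:45} {classify(p, SAMPLE_ACCOUNT)}")
    print("plain kinit -k works with short-name UPN:",
          default_kinit_works(SAMPLE_KLIST, SAMPLE_ACCOUNT, fqdn, realm))
    print("plain kinit -k works with FQDN UPN:",
          default_kinit_works(SAMPLE_KLIST, with_fqdn_upn(SAMPLE_ACCOUNT, fqdn, realm),
                              fqdn, realm))
```

With the short-name UPN the report shows that only the HOST/fileserver and FILESERVER$ entries are usable client names, so a plain `kinit -k` (which defaults to host/fileserver.example.com) fails; after the UPN is changed to HOST/{fqdn}@REALM the same keytab works unchanged. Against a live domain, the equivalent check is `klist -k` on the member plus reading userPrincipalName, sAMAccountName and servicePrincipalName from the computer object.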