Can kinit but not kvno

John Gilbertson jgilbert at liv.ac.uk
Thu Apr 17 10:57:28 EDT 2008


Douglas E. Engert wrote:

> kvno is requesting a service ticket. But user accounts in AD don't
> normally have a servicePrincipalName attribute.
> 
> kvno should work for actual service principals like:
> 
>     kvno host/livad.liv.ac.uk
> 
> Why do you need to use kvno with a user account?
> 
> If you need to know the kvno for the user, you can use LDAP or ADSI Edit
> and search for the user and read the msDS-KeyVersionNumber attribute.
> 
> You might be able to add a servicePrincipalName to the user account if
> you really need to get a service ticket for the user.

Ah, that does explain it all, thank you.

I was just testing to make sure everything was working before bothering 
our AD team to set up a service principal for a test service. I didn't 
know if I had got the initial setup right or not.

-- 
John Gilbertson
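
Added example, not part of the original messages: a small shell filter that reads ldapsearch LDIF output and lists, for each account, its msDS-KeyVersionNumber and any servicePrincipalName values, the two attributes the quoted reply refers to. The server name, base DN and sample accounts are constructed placeholders.

```shell
#!/bin/sh
# Added example. Summarise, per account, the key version number and SPNs
# found in LDIF read from stdin. Such LDIF could come from (server name and
# base DN are placeholders):
#   ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H ldap://dc1.example.com \
#     -b "dc=example,dc=com" "(sAMAccountName=testuser)" \
#     sAMAccountName servicePrincipalName msDS-KeyVersionNumber

spn_report() {
    awk '
        function emit() {
            if (name != "")
                printf "%s kvno=%s spn=%s\n", name,
                       (kv == "" ? "?" : kv), (spn == "" ? "none" : spn)
            name = ""; kv = ""; spn = ""
        }
        /^$/ { emit(); next }        # blank line ends an LDIF entry
        {
            i = index($0, ": ")      # split "attribute: value"
            if (i == 0) next
            attr = tolower(substr($0, 1, i - 1))
            val  = substr($0, i + 2)
            if (attr == "samaccountname")             name = val
            else if (attr == "msds-keyversionnumber") kv = val
            else if (attr == "serviceprincipalname")
                spn = (spn == "" ? val : spn "," val)
        }
        END { emit() }
    '
}

# Constructed sample input: a plain user and an account carrying an SPN.
sample_ldif() {
    cat <<'EOF'
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: testuser
msDS-KeyVersionNumber: 3

dn: CN=svc-test,CN=Users,DC=example,DC=com
sAMAccountName: svc-test
servicePrincipalName: HTTP/test.example.com
servicePrincipalName: HTTP/test
msDS-KeyVersionNumber: 5
EOF
}

sample_ldif | spn_report
```

An account reported with `spn=none` is the case described in the quoted reply: its key version is readable from the directory, but there is no service principal for kvno to request a ticket for.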


