Kerberos auth against AD, keytabs, and service principal names
kerberos at noopy.org
Mon Jul 20 14:23:42 EDT 2009
I've been able to use ktpass.exe on the Windows (2003R2) side to
create working keytabs for my NFSv4 environment. I'd like to have
both host/ and nfs/ service principal names for each host.fqdn in my
(DNS) domain. To this end I ran 'setspn -A ...' to create a SPN for
host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
keytab for each of host/host.fqdn and nfs/host.fqdn.
Then I copied the keytabs to my Linux system and tested kinit for
host/host.fqdn and nfs/host.fqdn. kinit for nfs/host.fqdn worked but
kinit for host/host.fqdn *failed*. What?! Looking at my entries in
AD, it appears that ktpass.exe sets both userprincipal name and
serviceprincipal name to *the same thing* and merely adding SPNs to
the host.fqdn entry in AD doesn't fix the problem with kinit -- if
princ/host.fqdn doesn't exist in AD as a UPN. That is to say, only
UPNs are consulted when I kinit some princ/host.fqdn?
Is my assessment right about this? Is the only solution to have
multiple AD entries, one for each SPN you intend to support?
More information about the Kerberos