Kerberos auth against AD, keytabs, and service principal names kerberos at
Mon Jul 20 14:23:42 EDT 2009

I've been able to use ktpass.exe on the Windows (2003R2) side to
create working keytabs for my NFSv4 environment.  I'd like to have
both host/ and nfs/ service principal names for each host.fqdn in my
(DNS) domain.  To this end I ran 'setspn -A ...' to create a SPN for
host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
keytab for each of host/host.fqdn and nfs/host.fqdn.

Then I copied the keytabs to my Linux system and tested kinit for
host/host.fqdn and nfs/host.fqdn.  kinit for nfs/host.fqdn worked but
kinit for host/host.fqdn *failed*.   What?!  Looking at my entries in
AD, it appears that ktpass.exe sets both userprincipal name and
serviceprincipal name to *the same thing* and merely adding SPNs to
the host.fqdn entry in AD doesn't fix the problem with kinit -- if
princ/host.fqdn doesn't exist in AD as a UPN.  That is to say, only
UPNs are consulted when I kinit some princ/host.fqdn?

Is my assessment right about this?  Is the only solution to have
multiple AD entries, one for each SPN you intend to support?


More information about the Kerberos mailing list