Kerberos auth against AD, keytabs, and service principal names kerberos at
Mon Jul 20 15:51:55 EDT 2009

On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert at> wrote:
> A keytab has the SPN and the key.

I know this much as I've been writing out my own keytabs.  :-)

> When you kinit using a keytab to AD, you are using the SPN, but AD
> is looking it up as a UPN.

So this means servicePrincipalName is effectively useless in AD for
non-Windows systems, right -- in particular when you have X number of
principals in a keytab but only the one that matches the UPN will

That's all I'm really trying to determine before...

>>  Is the only solution to have multiple AD entries, one for each SPN you intend to support?
> That may not be so bad, as you may want different keys for different
> principals. Just have a good account name naming convention for all
> these accounts.

... I try to implement the above.


More information about the Kerberos mailing list