Kerberos auth against AD, keytabs, and service principal names

John Jasen jjasen at
Mon Jul 20 16:28:31 EDT 2009

kerberos at wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert at> wrote:
> [snip
>> A keytab has the SPN and the key.
> I know this much as I've been writing out my own keytabs.  :-)
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?

No. I asked questions along the same vein a while back. :

Apparently you should be doing a kinit -S
serviceprinciplename/hostname.fqdn (ie: nfs/, to get a
service ticket for the appropriate service.

-- John E. Jasen (jjasen at
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

More information about the Kerberos mailing list