Kerberos auth against AD, keytabs, and service principal names

John Jasen jjasen at realityfailure.org
Mon Jul 20 16:28:31 EDT 2009


kerberos at noopy.org wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert<deengert at anl.gov> wrote:
> [snip]
>> A keytab has the SPN and the key.
> 
> I know this much as I've been writing out my own keytabs.  :-)
> 
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
> 
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?

No. I asked questions along the same vein a while back:

Apparently you should be doing a kinit -S
serviceprincipalname/hostname.fqdn (i.e. nfs/foo.noopy.org) to get a
service ticket for the appropriate service.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
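The kinit -S form suggested in the reply above, as an added example that is not from the thread or from any poster: a POSIX shell script that wraps the kinit call with the two checks a practitioner wants around it, namely that the keytab actually holds a key for the client principal kinit will authenticate as (AD resolves that name as the account's UPN, per Engert's remark quoted above), and that the credential cache holds a ticket for the requested SPN afterwards. The realm NOOPY.ORG, the keytab path, the hypothetical computer account foo-host$ and both klist samples are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread. Wraps the "kinit -S" form
# discussed above with the two checks a practitioner wants around it:
# the keytab must hold a key for the client principal kinit will use, and
# the credential cache must hold a ticket for the requested SPN afterwards.
# Realm, keytab path, account name and the klist samples are assumptions.

REALM="NOOPY.ORG"
KEYTAB="/etc/krb5.keytab"
# Client name kinit authenticates as. Per the thread, AD resolves this as
# the account's UPN, so it is the account (hypothetical computer account
# foo-host$ here), not one of the SPNs registered on it.
CLIENT="foo-host\$@$REALM"
# Service principal to request a ticket for, passed via -S.
SPN="nfs/foo.noopy.org@$REALM"

# kinit -k takes the client's key from the keytab entry named $CLIENT and
# asks the KDC for a ticket to $SPN instead of the usual krbtgt.
# KINIT may be overridden (e.g. KINIT=echo) for a dry run.
kinit_service() {
    "${KINIT:-kinit}" -k -t "$KEYTAB" -S "$SPN" "$CLIENT"
}

# stdin: output of 'klist -k KEYTAB'. Succeeds if principal $1 has an entry
# (data lines are "<kvno> <principal>"; header lines never start with a number).
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# stdin: output of 'klist'. Succeeds if a ticket for service $1 is listed
# (ticket lines start with a date and end with the service principal).
ccache_has_service() {
    awk -v p="$1" '$1 ~ /^[0-9]/ && $NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# Constructed sample of what 'klist -k /etc/krb5.keytab' prints.
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 foo-host$@NOOPY.ORG
   3 nfs/foo.noopy.org@NOOPY.ORG
   3 host/foo.noopy.org@NOOPY.ORG'

# Constructed sample of what 'klist' prints after a successful kinit -S.
SAMPLE_KLIST_CC='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: foo-host$@NOOPY.ORG

Valid starting     Expires            Service principal
07/20/09 16:28:31  07/21/09 02:28:31  nfs/foo.noopy.org@NOOPY.ORG'

# With DO_KINIT=1 the real keytab, kinit and ccache are used; otherwise the
# checks and a dry-run command line are exercised on the samples above.
main() {
    if [ "${DO_KINIT:-0}" = 1 ]; then
        klist -k "$KEYTAB" | keytab_has_principal "$CLIENT" \
            || { echo "$KEYTAB has no entry for $CLIENT" >&2; return 1; }
        kinit_service || return 1
        klist | ccache_has_service "$SPN" \
            || { echo "no ticket for $SPN in credential cache" >&2; return 1; }
        echo "ok: ticket for $SPN obtained as $CLIENT"
    else
        printf '%s\n' "$SAMPLE_KLIST_K" | keytab_has_principal "$CLIENT" \
            && echo "sample keytab has a key for $CLIENT"
        echo "dry run: kinit $(KINIT=echo; kinit_service)"
        printf '%s\n' "$SAMPLE_KLIST_CC" | ccache_has_service "$SPN" \
            && echo "sample ccache holds a ticket for $SPN"
    fi
}
main
```

Run it with DO_KINIT=1 on a host that has the keytab to perform the real sequence; without that variable it only exercises the checks against the constructed samples. The first check matters because kinit -k looks the client principal up in the keytab by name, so a keytab that contains only SPN entries cannot authenticate an account whose name AD resolves differently; change CLIENT to whatever name AD accepts for your account.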
