Kerberos auth against AD, keytabs, and service principal names
kerberos at noopy.org
Mon Jul 20 16:46:17 EDT 2009
On Mon, Jul 20, 2009 at 4:28 PM, John Jasen <jjasen at realityfailure.org> wrote:
> kerberos at noopy.org wrote:
>> So this means servicePrincipalName is effectively useless in AD for
>> non-Windows systems, right -- in particular when you have X number of
>> principals in a keytab but only the one that matches the UPN will
> No. I asked questions along the same vein a while back:
> Apparently you should be doing a kinit -S
> serviceprincipalname/hostname.fqdn (i.e. nfs/foo.noopy.org) to get a
> service ticket for the appropriate service.
Ah ha! So this is the magic test I'd been misunderstanding.
So now I can do the following and everything works in the way I'd hope:
kinit -k -t /some/keytab princ/host.fqdn@REALM
kinit -S otherprinc/host.fqdn@REALM myprinc@REALM
(And yes, I agree that ktpass.exe isn't the right tool for this job.
msktutil would seem to work nicely in an environment where one has
admin access to AD.)
"There should be a dating service for unusual-in-a-good-way people."
~~ Anne Kadet - http://www.noopy.org/quotes/q.cgi?tag=annedating
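The test described in this message, turned into a script that checks a whole keytab at once. This is an added example, not code from the original post or from any of the tools mentioned. It assumes the MIT Kerberos client tools (klist, kinit, kvno) and that klist -k prints its usual three header lines; the keytab path, the foo.noopy.org host and the EXAMPLE.COM realm in the embedded sample are constructed placeholders. Instead of a second kinit -S, it uses kvno to request a service ticket for each SPN from the TGT it just obtained, which asks the KDC the same question (will you issue a ticket for this service principal) through a TGS exchange rather than an AS exchange.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate every principal in a
# keytab and, for each one, authenticate with it from the keytab and then
# request a service ticket for every other principal listed in the same
# keytab. Assumes MIT Kerberos client tools (klist, kinit, kvno); the keytab
# path is passed as $1.

# Constructed sample of `klist -k` output (hypothetical host and realm), used
# when no keytab is given so that the parsing can be exercised offline. The
# duplicate host/ line mimics one keytab entry per encryption type.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foo.noopy.org@EXAMPLE.COM
   3 host/foo.noopy.org@EXAMPLE.COM
   3 nfs/foo.noopy.org@EXAMPLE.COM
   3 HTTP/foo.noopy.org@EXAMPLE.COM'

# keytab_principals: read `klist -k` output on stdin and print each distinct
# principal once (the per-enctype duplicates are collapsed by sort -u).
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# check_keytab KEYTAB: for every principal P in KEYTAB, kinit as P from the
# keytab into a private credential cache, then ask the KDC for a service
# ticket for every other principal S in the keytab with kvno. Any failure
# is reported on stderr and makes the function return non-zero.
check_keytab() {
    keytab=$1
    ccache=$(mktemp -t krb5cc.XXXXXX) || return 1
    rc=0
    princs=$(klist -k "$keytab" | keytab_principals)
    for p in $princs; do
        if ! KRB5CCNAME="FILE:$ccache" kinit -k -t "$keytab" "$p"; then
            echo "FAIL: kinit as $p from $keytab" >&2
            rc=1
            continue
        fi
        for s in $princs; do
            [ "$s" = "$p" ] && continue
            if KRB5CCNAME="FILE:$ccache" kvno "$s" >/dev/null 2>&1; then
                echo "ok:   $p -> service ticket for $s"
            else
                echo "FAIL: $p -> no service ticket for $s" >&2
                rc=1
            fi
        done
    done
    rm -f "$ccache"
    return $rc
}

if [ -n "$1" ]; then
    check_keytab "$1"
else
    echo "No keytab given; principals parsed from the constructed sample:"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
fi
```

Run it as `sh check_keytab.sh /some/keytab` on the host that owns the keytab. A "FAIL ... kinit as" line means that entry cannot authenticate at all (wrong key, stale kvno, or a principal AD does not know about); a "FAIL ... no service ticket for" line means the account authenticated but the KDC would not issue a ticket for that SPN, which is the servicePrincipalName problem the thread is about.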