Kerberos auth against AD, keytabs, and service principal names kerberos at
Mon Jul 20 16:46:17 EDT 2009

On Mon, Jul 20, 2009 at 4:28 PM, John Jasen<jjasen at> wrote:
> kerberos at wrote:
>> So this means servicePrincipalName is effectively useless in AD for
>> non-Windows systems, right -- in particular when you have X number of
>> principals in a keytab but only the one that matches the UPN will
>> work?
> No. I asked questions along the same vein a while back.
> Apparently you should be doing a kinit -S
> serviceprincipalname/hostname.fqdn (i.e. nfs/, to get a
> service ticket for the appropriate service.

Ah ha!  So this is the magic test I'd been misunderstanding.

So now I can do the following and everything works in the way I'd hope:

  kinit -k -t /some/keytab princ/host.fqdn@REALM
  kinit -S otherprinc/host.fqdn@REALM myprinc@REALM

Thanks everyone!

(And yes, I agree that ktpass.exe isn't the right tool for this job.
msktutil would seem to work nicely in an environment where one has
admin access to AD.)

Nathan Patwardhan
"There should be a dating service for unusual-in-a-good-way people."
~~ Anne Kadet
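The two-step procedure from the message above (TGT from a keytab, then a service ticket for an SPN that differs from the UPN via kinit -S), written out as an added example that is not part of the original post. It also adds the check a practitioner wants afterwards: confirm with klist that the service ticket really landed in the credential cache rather than assuming the second kinit succeeded. The keytab path, principal names, realm and the sample klist output are all assumptions; the sample output is constructed to match MIT klist's layout so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Keytab, principals and
# realm are placeholders; override them via the environment.
KEYTAB="${KEYTAB:-/some/keytab}"
CLIENT_PRINC="${CLIENT_PRINC:-myprinc@EXAMPLE.COM}"                  # assumed UPN-matching principal
SERVICE_PRINC="${SERVICE_PRINC:-nfs/host.example.com@EXAMPLE.COM}"   # assumed SPN from the keytab

# Step 1: initial TGT from the keytab.
# Step 2: initial ticket for the SPN. kinit -S performs a fresh AS-REQ, so the
# client's key is needed again; -k -t keeps it non-interactive instead of
# prompting for a password. Returns kinit's exit status.
get_service_ticket() {
    kinit -k -t "$KEYTAB" "$CLIENT_PRINC" || return 1
    kinit -k -t "$KEYTAB" -S "$SERVICE_PRINC" "$CLIENT_PRINC" || return 1
}

# Verification: read klist output on stdin and look for a ticket line whose
# last column (the service principal in MIT klist's layout) equals $1.
# Returns 0 when the ticket is present, 1 otherwise.
service_ticket_present() {
    want="$1"
    awk -v want="$want" '
        $NF == want { found = 1 }          # header lines never match a full principal
        END { exit(found ? 0 : 1) }
    '
}

# Constructed klist output (not captured from a real system) used to show the
# check offline: TGT plus one service ticket for the assumed SPN.
SAMPLE_KLIST_OUTPUT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myprinc@EXAMPLE.COM

Valid starting       Expires              Service principal
07/20/2009 16:46:17  07/21/2009 02:46:17  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/20/2009 16:46:20  07/21/2009 02:46:20  nfs/host.example.com@EXAMPLE.COM'

# Runs the parser over the constructed sample: 0 if $1 is listed, 1 if not.
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | service_ticket_present "$1"
}

# Live run (needs kinit/klist and a reachable KDC): RUN_KINIT=1 ./this.sh
if [ "${RUN_KINIT:-0}" = "1" ]; then
    if get_service_ticket && klist | service_ticket_present "$SERVICE_PRINC"; then
        echo "service ticket for $SERVICE_PRINC is in the cache"
    else
        echo "no service ticket for $SERVICE_PRINC; check the keytab entry and SPN registration" >&2
        exit 1
    fi
fi
```

The check matches on the full principal, including the realm, because a keytab entry whose SPN is registered under a different realm or host name fails in exactly the way the thread describes: the TGT step works and only the service step silently yields nothing usable.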
