confusion with service principal names in Active Directory

Paul Moore paul.moore at centrify.com
Mon Mar 30 12:59:49 EDT 2009


use adsiedit (GUI) to set the spn on the AD principal
or setspn cli tool

http://technet.microsoft.com/en-us/library/cc773257.aspx

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of John Jasen
Sent: Monday, March 30, 2009 9:07 AM
To: kerberos at mit.edu
Subject: confusion with service principal names in Active Directory


Please forgive me if this is not the right venue.

I seem to have not found the magic required to use kerberos service
principal names on unix systems against an Active Directory server.

In the one particular example, we're trying to use kerberized NFS, so
the server daemon needs to be able to find nfs/fqdn at REALM.

I can see the entries in the computer accounts servicePrincipalName
field, but the various UNIX systems can't find them -- either on service
initialization, or attempting kinit from commandline with the system
keytab.

IE:

klist -ke /etc/krb5.keytab | grep host

2 host/kernelpanic.example.com at EXAMPLE.REALM (DES cbc mode with CRC-32)

[root at kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials

(same results if I do host/kernelpanic.example.com at EXAMPLE.REALM)

This behavior holds true for OS X kerberos clients, Red Hat 4 and 5
kerberos clients, and Solaris 10 kerberos clients. I can provide the
versions if required.

The AD server in question is Windows 2003 R2.

The only way I've found around this is to set the userPrincipalName in
AD to the service I really really need.

ie: in the case above, userPrincipalName is set to
nfs/kernelpanic.example.com at EXAMPLE.REALM. After doing that, I can kinit
that service principal successfully, and the service dependent on it can
also initialize correctly.

From my testing, using ktpass.exe to write a keytab file seems to pretty
much automatically set the userPrincipalName to the last entry created.
Unfortunately, if you have a multi-role server, this creates
difficulties. (ie: trying to use http/hostname and sql/hostname).

Is there a way around this that I've missed? An option either on the
client side or the server side that I've missed?

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
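An added example, not code from this thread or from any project mentioned in it: a small Python script that parses an MIT-format keytab (the file klist -ke reads above), lists each principal with its key version and enctype, and compares the principals against the AD account's userPrincipalName and servicePrincipalName values. It encodes the thread's distinction directly: the one name matching the UPN is the name a kinit can use, names that appear only as SPNs let the daemon decrypt service tickets but fail the AS-REQ (the "Client not found in Kerberos database" case), and names on neither attribute are orphans that will never work. It also flags the single-DES enctype shown in the klist output as weak. The keytab bytes, the UPN, the SPN list and the http/ entry are constructed sample data modelled on the hostnames in the thread; the real attribute values would be read from AD.

```python
import struct

# Kerberos enctype numbers (RFC 3961 registry); single DES and RC4 are deprecated.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}


def build_entry(principal, enctype, key, kvno=2, timestamp=0):
    """Encode one MIT keytab (format 0x0502) entry. Used here only to construct
    sample data; a real keytab comes from ktpass.exe or ktutil, not this function."""
    name, realm = principal.split("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key     # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Parse an MIT v2 keytab into dicts with principal, kvno, enctype, key, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab version 2 file")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:            # newer keytabs append a 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def audit_keytab(entries, account_upn, account_spns):
    """Classify each keytab principal against the AD account's UPN and SPN list.
    Returns {principal: status}: 'kinit-able' is the name AD accepts as a client
    (the UPN), 'service-only' names are SPNs that only decrypt tickets, 'orphan'
    names are registered nowhere on the account."""
    spns = {s.lower() for s in account_spns}
    report = {}
    for e in entries:
        principal = e["principal"]
        short = principal.split("@", 1)[0]
        if principal.lower() == account_upn.lower():
            status = "kinit-able (matches userPrincipalName)"
        elif short.lower() in spns:
            status = "service-only (SPN registered, not a client name)"
        else:
            status = "orphan (not registered on the AD account)"
        if e["enctype"] in WEAK_ENCTYPES:
            status += "; weak enctype " + ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
        report[principal] = status
    return report


# Constructed sample data modelled on the thread's host; real values come from AD.
SAMPLE_KEYTAB = build_keytab([
    ("host/kernelpanic.example.com@EXAMPLE.REALM", 1, b"\x01" * 8),    # DES-CRC, as klist showed
    ("nfs/kernelpanic.example.com@EXAMPLE.REALM", 18, b"\x02" * 32),
    ("http/kernelpanic.example.com@EXAMPLE.REALM", 18, b"\x03" * 32),  # multi-role server case
])
ACCOUNT_UPN = "nfs/kernelpanic.example.com@EXAMPLE.REALM"    # the workaround from the thread
ACCOUNT_SPNS = ["host/kernelpanic.example.com", "nfs/kernelpanic.example.com"]

if __name__ == "__main__":
    report = audit_keytab(parse_keytab(SAMPLE_KEYTAB), ACCOUNT_UPN, ACCOUNT_SPNS)
    for principal, status in report.items():
        print(f"{principal}: {status}")
```

Run against a real /etc/krb5.keytab by reading the file bytes into parse_keytab and supplying the account's actual userPrincipalName and servicePrincipalName values; an entry reported as service-only is exactly the situation in the thread, and a weak-enctype flag means the key should be regenerated with AES rather than DES.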