kerberos tickets and the SPNs

Ravi Channavajhala ravi.channavajhala at
Wed May 6 15:57:22 EDT 2009

On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert <deengert at> wrote:
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
> Normally Kerberos host/hostname at REALM has "host" in lower case.
> So why is Samba net ADS join is using upper case is not clear.

Just to be sure, I did delete the computer object from AD and
re-creatd it from net ads, the SPNs appear again in the same way.

> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
> You could try changing the SPN to lower case.

I might as well add new SPNs with spnset -A option

> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?

yeah but they are two different objects, one is a computer and the
other is a user.  In the above case the two SPNs are for the computer
object only as indicated by the host.  The SPN for user object appears

>> I then ftped this file over to Solaris host and try to authenticate a user
>> login via AD, I get
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
> Could be the case issue. krb5 is looking for "host"

Looks like it, as I get different error messages depending on how I
specify the ktpass -princ with either host or HOST.

>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...

It sure is, but my problem is how to avoid manual work in case if
future server base is being built and I have to do a monkey boy's job
of checking SPNs and adding/removing... there must be a way out of
this.  I got oodles of ldap traffic captured with snoop,  which I will
look further.

More information about the Kerberos mailing list