kerberos tickets and the SPNs

Ravi Channavajhala ravi.channavajhala at
Fri May 8 14:55:37 EDT 2009

On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert at> wrote:

>> I deleted the computer object in AD, waited for the replication to
>> complete and then re-added the AD object.  Now the SPN appears as
> Note that the MS documentation says to add a "user" account, not a
> "computer"
> account. (Sounds counterintuitive...)
>  To configure the UNIX hosts
>   Use the Active Directory Management tool to create a new user account for
> the UNIX host:
>   Select the Users folder, right-click and select New, then choose user.
>   Type the name of the UNIX host.
> (Last line is pick a unique name in the forest for the account, i.e. uses as
> SamAccountName (without the $) so must be 19 characters. Use some
> convention,
> like host-name-dept where is h short for host, name is the simple host name,
> and dept. (We have department DNS domains, but the AD is is site wide.)
> The ktpass then *ADDS* the SPN to the user account using the -principal
> option.
> I am pretty sure if you create a "computer" account, the SPN gets added
> during account creation, and that is why you are seeing the uppercase HOST.

This is obviously is not what happens when you use Solaris
(adjoin-s10u5) or Samba's net ads join' command.  Both of these
approaches create a computer object specifically.  The interesting
behavior is creates the computer object with one specific
SPN (host/host.fqdn), where as Samba creates (HOST/HOSTNAME and
HOST/host.fqdn).  Solaris adjoin generates /etc/krb5/krb5.keytab with
all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
RC4-HMAC-MD5, where as the samba net ads keytab create simply doesn't
create one.  Mind you, I'm using Sun natively packaged Samba.  Where
as I can clearly see the UPN with, the one I created with
net ads doesn't.  Both of them show the SamAccount as HOSTNAME$.  The
adjoin literally uses ldapadd to add the host to computers

Alright, I digress....back to Kerberos.  I didnt get around the
problem.  So I'm going to install a Linux server and see how I fare.

More information about the Kerberos mailing list