kerberos tickets and the SPNs

Ravi Channavajhala ravi.channavajhala at dciera.com
Fri May 8 14:55:37 EDT 2009


On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert at anl.gov> wrote:

>> I deleted the computer object in AD, waited for the replication to
>> complete and then re-added the AD object.  Now the SPN appears as
>>
>
> Note that the MS documentation says to add a "user" account, not a
> "computer" account. (Sounds counterintuitive...)
>
> http://technet.microsoft.com/en-us/library/bb742433.aspx
>
>  To configure the UNIX hosts
>
>   Use the Active Directory Management tool to create a new user account for
> the UNIX host:
>
>   Select the Users folder, right-click and select New, then choose user.
>
>   Type the name of the UNIX host.
>
> (The last line means pick a unique name in the forest for the account,
> i.e. it is used as the SamAccountName (without the $), so it must be 19
> characters. Use some convention, like host-name-dept, where h is short
> for host, name is the simple host name, and dept is the department. (We
> have department DNS domains, but the AD is site wide.)
>
> The ktpass then *ADDS* the SPN to the user account using the -principal
> option. I am pretty sure that if you create a "computer" account, the SPN
> gets added during account creation, and that is why you are seeing the
> uppercase HOST.

This is obviously not what happens when you use Solaris adjoin.sh
(adjoin-s10u5) or Samba's 'net ads join' command.  Both of these
approaches create a computer object specifically.  The interesting
behavior is that adjoin.sh creates the computer object with one specific
SPN (host/host.fqdn), whereas Samba creates two (HOST/HOSTNAME and
HOST/host.fqdn).  Solaris adjoin generates /etc/krb5/krb5.keytab with
all the known encryption types such as DES-CBC-MD5, DES-CBC-CRC and
RC4-HMAC-MD5, whereas 'net ads keytab create' simply doesn't
create one.  Mind you, I'm using Sun's natively packaged Samba.  Whereas
I can clearly see the UPN with adjoin.sh, the one I created with
net ads doesn't show one.  Both of them show the SamAccountName as HOSTNAME$.  The
adjoin literally uses ldapadd to add the host to the Computers
container....

Alright, I digress....back to Kerberos.  I didn't get around the
problem.  So I'm going to install a Linux server and see how I fare.
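As an added check (not part of the thread, and not adjoin.sh or Samba code) for the case difference between the adjoin.sh and Samba SPNs described above, this script compares the SPNs registered on the AD account with the principals in the host keytab and flags names that differ only in case. Hostnames, realm and all sample values are constructed; in practice the SPN list would come from an LDAP query and the keytab list from `klist -k`.

```python
"""Compare servicePrincipalName values on an AD account with keytab principals.

Windows KDCs match SPNs case-insensitively, but MIT Kerberos compares
principal names byte-for-byte, so an SPN registered as HOST/... with a
keytab entry for host/... is worth flagging as a case-only mismatch.
"""
from collections import defaultdict

# Constructed sample data: SPNs as the thread describes them for Samba
# ('HOST/HOSTNAME' and 'HOST/host.fqdn') and for adjoin.sh ('host/host.fqdn').
AD_SPNS_SAMBA = ["HOST/UNIXBOX01", "HOST/unixbox01.example.com"]
AD_SPNS_ADJOIN = ["host/unixbox01.example.com"]

# Constructed: principals as `klist -k /etc/krb5/krb5.keytab` would list them,
# one line per key (here two enctypes for the same principal).
KEYTAB_PRINCIPALS = [
    "host/unixbox01.example.com@EXAMPLE.COM",
    "host/unixbox01.example.com@EXAMPLE.COM",
]


def split_spn(spn):
    """'service/instance[@REALM]' -> (service, instance); realm is dropped."""
    name = spn.split("@", 1)[0]
    service, _, instance = name.partition("/")
    return service, instance


def compare_spns(ad_spns, keytab_principals):
    """Classify each AD SPN as 'exact', 'case_only' or 'missing' w.r.t. the keytab."""
    keytab = {split_spn(p) for p in keytab_principals}
    folded = defaultdict(set)          # lower-cased name -> original spellings
    for service, instance in keytab:
        folded[(service.lower(), instance.lower())].add((service, instance))

    result = {"exact": [], "case_only": [], "missing": []}
    for spn in ad_spns:
        key = split_spn(spn)
        if key in keytab:
            result["exact"].append(spn)
        elif (key[0].lower(), key[1].lower()) in folded:
            result["case_only"].append(spn)   # KDC accepts it, MIT keytab lookup may not
        else:
            result["missing"].append(spn)
    return result


if __name__ == "__main__":
    print("samba :", compare_spns(AD_SPNS_SAMBA, KEYTAB_PRINCIPALS))
    print("adjoin:", compare_spns(AD_SPNS_ADJOIN, KEYTAB_PRINCIPALS))
```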
