kerberos tickets and the SPNs
Douglas E. Engert
deengert at anl.gov
Fri May 8 15:32:42 EDT 2009
Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>>> I deleted the computer object in AD, waited for the replication to
>>> complete and then re-added the AD object. Now the SPN appears as
>> Note that the MS documentation says to add a "user" account, not a
>> account. (Sounds counterintuitive...)
>> To configure the UNIX hosts
>> Use the Active Directory Management tool to create a new user account for
>> the UNIX host:
>> Select the Users folder, right-click and select New, then choose user.
>> Type the name of the UNIX host.
>> (Last line is: pick a unique name in the forest for the account, i.e. used as
>> SamAccountName (without the $) so must be 19 characters. Use something
>> like host-name-dept where h is short for host, name is the simple host name,
>> and dept. (We have department DNS domains, but the AD is site wide.)
>> The ktpass then *ADDS* the SPN to the user account using the -principal
>> I am pretty sure if you create a "computer" account, the SPN gets added
>> during account creation, and that is why you are seeing the uppercase HOST.
> This is obviously not what happens when you use Solaris adjoin.sh
> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these
> approaches create a computer object specifically.
The point I was making, is that the Microsoft create computer account may
be adding the HOST/hostname for you assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already
> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, whereas the samba net ads keytab create simply doesn't
> create one. Mind you, I'm using Sun natively packaged Samba. Whereas
> I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
> adjoin literally uses ldapadd to add the host to computers
We use msktutil, which uses OpenLDAP to create the (computer) account,
then Kerberos to change the password, and LDAP to set the SPN, and
then creates/updates the keytab file. Sort of what adjoin.sh would do.
> Alright, I digress....back to Kerberos. I didn't get around the
> problem. So I'm going to install a Linux server and see how I fare.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
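As an added example (not from this thread or from adjoin.sh, Samba or msktutil), a small parser for MIT-format (0x0502) keytabs that lists each entry's principal, kvno and enctype and checks whether the SPN a service will be asked to decrypt tickets for is present in the exact letter case; the realm, hostnames and key bytes in the sample are constructed.

```python
import struct

# Enctype numbers (RFC 3961/4757) for the types the thread mentions, plus AES.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac", 17: "aes128-cts", 18: "aes256-cts"}

def _octets(b):  # keytab counted octet string: big-endian uint16 length, then bytes
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, enctype, key, kvno=2, timestamp=0, name_type=1):
    """Serialise one MIT keytab (format 0x0502) entry; key bytes are constructed, not real."""
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype-name)] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        def take():  # read one counted octet string at pos
            nonlocal pos
            n, = struct.unpack(">H", data[pos:pos + 2]); pos += 2 + n
            return data[pos - n:pos].decode()
        ncomp, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm = take(); comps = [take() for _ in range(ncomp)]
        _name_type, _stamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(enctype, str(enctype))))
    return entries

def check_spn(entries, wanted):
    """'ok' on an exact match, 'case-mismatch' if only letter case differs, else 'missing'.
    MIT keytab lookup compares principal names case-sensitively, so a 'case-mismatch'
    entry cannot be used to verify a service ticket issued for `wanted`."""
    names = {p for p, _, _ in entries}
    if wanted in names: return "ok"
    if wanted.lower() in {n.lower() for n in names}: return "case-mismatch"
    return "missing"

# Constructed sample keytab holding only upper-case HOST/ entries, as the thread describes for Samba.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.ORG", ["HOST", "HOSTNAME"], 23, b"\x11" * 16) \
    + build_entry("EXAMPLE.ORG", ["HOST", "hostname.example.org"], 23, b"\x11" * 16) \
    + build_entry("EXAMPLE.ORG", ["HOST", "hostname.example.org"], 3, b"\x22" * 8)
```

Run `parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read())` to list a real keytab, and `check_spn(..., "host/host.fqdn@REALM")` to see whether the lower-case SPN a Unix service asks for is actually there.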