kerberos tickets and the SPNs

Douglas E. Engert deengert at anl.gov
Fri May 8 15:32:42 EDT 2009 


Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert at anl.gov> wrote:
> 
>>> I deleted the computer object in AD, waited for the replication to
>>> complete and then re-added the AD object.  Now the SPN appears as
>>>
>> Note that the MS documentation says to add a "user" account, not a
>> "computer"
>> account. (Sounds counterintuitive...)
>>
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>
>>  To configure the UNIX hosts
>>
>>   Use the Active Directory Management tool to create a new user account for
>> the UNIX host:
>>
>>   Select the Users folder, right-click and select New, then choose user.
>>
>>   Type the name of the UNIX host.
>>
>> (Last line is pick a unique name in the forest for the account, i.e. uses as
>> SamAccountName (without the $) so must be 19 characters. Use some
>> convention,
>> like host-name-dept where is h short for host, name is the simple host name,
>> and dept. (We have department DNS domains, but the AD is is site wide.)
>>
>> The ktpass then *ADDS* the SPN to the user account using the -principal
>> option.
>> I am pretty sure if you create a "computer" account, the SPN gets added
>> during account creation, and that is why you are seeing the uppercase HOST.
> 
> This is obviously is not what happens when you use Solaris adjoin.sh
> (adjoin-s10u5) or Samba's net ads join' command.  Both of these
> approaches create a computer object specifically. 

The point I was making, is that the Microsoft create computer account may
be adding the HOST/hostname for you assuming it is going to be a Windows
computer. So ktpass does not change the case of trhe SPN if its already
set.

> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), where as Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn).  Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, where as the samba net ads keytab create simply doesn't
> create one.  Mind you, I'm using Sun natively packaged Samba.  Where
> as I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't.  Both of them show the SamAccount as HOSTNAME$.  The
> adjoin literally uses ldapadd to add the host to computers
> container....

We use msktutil that uses OpenLDAP, to create the account (computer)
and msktutil then Kerberos to change the password, and LDAP to
set the SPN, and then creates/updates the keytab file.  Sort of
what adjoin.sh would do.

> 
> Alright, I digress....back to Kerberos.  I didnt get around the
> problem.  So I'm going to install a Linux server and see how I fare.
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list