kerberos tickets and the SPNs

Ravi Channavajhala ravi.channavajhala at dciera.com
Fri May 8 15:59:55 EDT 2009


On Sat, May 9, 2009 at 1:02 AM, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
> Ravi Channavajhala wrote:
>>
>> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert at anl.gov>
>> wrote:

>>> Note that the MS documentation says to add a "user" account, not a
>>> "computer"
>>> account. (Sounds counterintuitive...)
>>>
>>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>>
>>>  To configure the UNIX hosts
>>>
>>>  Use the Active Directory Management tool to create a new user account
>>> for
>>> the UNIX host:
>>>
>>>  Select the Users folder, right-click and select New, then choose user.
>>>
>>>  Type the name of the UNIX host.
>>>
>>> (Last line is pick a unique name in the forest for the account, i.e. uses
>>> as SamAccountName (without the $) so must be 19 characters. Use some
>>> convention, like host-name-dept where h is short for host, name is the
>>> simple host name, and dept. (We have department DNS domains, but the AD
>>> is site wide.)
>>>
>>> The ktpass then *ADDS* the SPN to the user account using the -principal
>>> option.
>>> I am pretty sure if you create a "computer" account, the SPN gets added
>>> during account creation, and that is why you are seeing the uppercase
>>> HOST.
>>
>> This is obviously not what happens when you use Solaris adjoin.sh
>> (adjoin-s10u5) or Samba's 'net ads join' command.  Both of these
>> approaches create a computer object specifically.
>
> The point I was making is that the Microsoft create computer account may
> be adding the HOST/hostname for you, assuming it is going to be a Windows
> computer. So ktpass does not change the case of the SPN if it's already
> set.

Don't agree here.  Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs.  Resetting the SPNs with setspn -R
creates two entries

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect....

The point is, I can manipulate SPNs to no end, but obviously no
success with Kerberos. My real issue is Kerberos flip-flopping between
'Server not found in Database' and 'Keytable entry incorrect Key
version'.
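The two errors above point at two distinct failure modes: an SPN that is registered on the account in the wrong form (HOST/HOSTNAME$ rather than host/fqdn), and a keytab whose key version no longer matches the account. The following diagnostic is an added example, not code from the thread or from ktpass/setspn/adjoin; it parses a constructed `klist -k -e` style listing and compares it against constructed `setspn -L` and KVNO values for the account.

```python
import re

# Constructed sample in the shape of `klist -k -e` output (MIT Kerberos); not from the thread.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 HOST/UNIXHOST$@EXAMPLE.COM (arcfour-hmac)
   3 host/unixhost.example.com@EXAMPLE.COM (arcfour-hmac)
"""
# Constructed: SPNs registered on the AD account (what `setspn -L` would show)
# and the key version number the KDC currently holds for that account.
AD_SPNS = {"HOST/UNIXHOST$", "host/unixhost.example.com"}
AD_KVNO = 4

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+/\S+@\S+)(?:\s+\((\S+)\))?\s*$")


def parse_keytab(listing):
    """Return (kvno, principal, enctype) for each entry line; header lines are skipped."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (ENTRY_RE.match(line) for line in listing.splitlines()) if m]


def check_service_principal(listing, expected, ad_spns, ad_kvno):
    """Explain why a ticket for `expected` (host/fqdn@REALM) may be refused.

    Returns a list of (code, detail) tuples; empty means the SPN is registered
    and the keytab holds it at the KDC's current key version.
    """
    findings = []
    spn, _realm = expected.split("@", 1)
    # Principal names are case-sensitive: HOST/UNIXHOST$ is a different SPN
    # from host/unixhost.example.com. A client asking for the latter gets
    # 'Server not found in Kerberos database' if only the former is registered.
    if spn not in ad_spns:
        findings.append(("spn-not-registered", f"{spn} absent; registered: {sorted(ad_spns)}"))
    entries = [e for e in parse_keytab(listing) if e[1] == expected]
    if not entries:
        findings.append(("keytab-missing", f"no keytab entry for {expected}"))
        return findings
    # Resetting the account password (as ktpass does) bumps the account's KVNO;
    # a keytab generated earlier then fails with a 'Key version number ... incorrect' error.
    have = sorted({e[0] for e in entries})
    if ad_kvno not in have:
        findings.append(("kvno-mismatch", f"keytab KVNO {have}, KDC KVNO {ad_kvno}"))
    return findings
```

Running `check_service_principal(KEYTAB_LISTING, "host/unixhost.example.com@EXAMPLE.COM", AD_SPNS, AD_KVNO)` on the constructed data reports only the KVNO mismatch; dropping the lowercase SPN from `AD_SPNS` reproduces the "server not found" condition instead.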

