kerberos tickets and the SPNs
Markus Moeller
huaraz at moeller.plus.com
Fri May 8 17:34:22 EDT 2009
I use also msktutil and you can find it here
http://dag.wieers.com/rpm/packages/msktutil/
You can also use setspn -A host/fqdn in lowercase. instead of setspn -R.
BTW the original netjoin tool from MS used computer accounts not user
accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
I don't know why they changed their mind.
Markus
----- Original Message -----
From: "Ravi Channavajhala" <ravi.channavajhala at dciera.com>
To: "Douglas E. Engert" <deengert at anl.gov>
Cc: "Markus Moeller" <huaraz at moeller.plus.com>; <kerberos at mit.edu>
Sent: Friday, May 08, 2009 8:59 PM
Subject: Re: kerberos tickets and the SPNs
Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
creates two entries
HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN
Both are incorrect....
The point is, I can manipulate SPNs to no end, but obviously no
success with Kerberos. My real issue is kerberos flip flopping with
'Server not found in Database' to 'Keytable entry incorrect Key
version'.
More information about the Kerberos
mailing list