kerberos tickets and the SPNs
Douglas E. Engert
deengert at anl.gov
Mon May 11 14:36:02 EDT 2009
Markus Moeller wrote:
>
> I also use msktutil and you can find it here
> http://dag.wieers.com/rpm/packages/msktutil/
That points to:
http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.
We now have Debian mods to 0.3.16-7 to work with W2008, and use the
Windows attribute msDs-supportedEncryptionTypes so one can use AES.
Anyone interested?
>
> You can also use setspn -A host/fqdn in lowercase instead of setspn -R.
>
> BTW the original netjoin tool from MS used computer accounts not user
> accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
> http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
> I don't know why they changed their mind.
>
> Markus
>
> ----- Original Message ----- From: "Ravi Channavajhala"
> <ravi.channavajhala at dciera.com>
> To: "Douglas E. Engert" <deengert at anl.gov>
> Cc: "Markus Moeller" <huaraz at moeller.plus.com>; <kerberos at mit.edu>
> Sent: Friday, May 08, 2009 8:59 PM
> Subject: Re: kerberos tickets and the SPNs
>
>
> Don't agree here. Natively adding a computer to AD and checking with
> setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
> creates two entries
>
> HOST/HOSTNAME$
> HOST/HOSTNAME$.SHORTFORM DOMAIN
>
> Both are incorrect....
>
> The point is, I can manipulate SPNs to no end, but obviously no
> success with Kerberos. My real issue is kerberos flip flopping with
> 'Server not found in Database' to 'Keytable entry incorrect Key
> version'.
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444