kerberos tickets and the SPNs

Brian Elliott Finley finley at anl.gov
Mon May 11 14:54:20 EDT 2009


I've uploaded the latest changes:

  http://download.systemimager.org/~finley/msktutil/



Douglas E. Engert wrote:
> 
> 
> Markus Moeller wrote:
>>
>> I also use msktutil, and you can find it here:
>> http://dag.wieers.com/rpm/packages/msktutil/
> 
> That points to:
>    http://download.systemimager.org/~finley/msktutil/
> and Finley is here at ANL.
> 
> We now have Debian mods to 0.3.16-7 to work with W2008, and use the
> Windows attribute msDs-supportedEncryptionTypes so one can use AES.
> Anyone interested?
> 
>>
>> You can also use setspn -A host/fqdn in lowercase instead of setspn -R.
>>
>> BTW the original netjoin tool from MS used computer accounts not user
>> accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
>> http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
>> I don't know why they changed their mind.
>>
>> Markus
>>
>> ----- Original Message ----- From: "Ravi Channavajhala"
>> <ravi.channavajhala at dciera.com>
>> To: "Douglas E. Engert" <deengert at anl.gov>
>> Cc: "Markus Moeller" <huaraz at moeller.plus.com>; <kerberos at mit.edu>
>> Sent: Friday, May 08, 2009 8:59 PM
>> Subject: Re: kerberos tickets and the SPNs
>>
>>
>> Don't agree here.  Natively adding a computer to AD and checking with
>> setspn -L didn't show any SPNs.  Resetting the SPNs with setspn -R
>> creates two entries:
>>
>> HOST/HOSTNAME$
>> HOST/HOSTNAME$.SHORTFORM DOMAIN
>>
>> Both are incorrect....
>>
>> The point is, I can manipulate SPNs to no end, but obviously no
>> success with Kerberos. My real issue is Kerberos flip-flopping from
>> 'Server not found in Database' to 'Keytable entry incorrect Key
>> version'.
>>
>>
>>
> 

-- 
Brian Elliott Finley
Deputy Manager, Unix, Storage, and Operations
Computing and Information Systems
Argonne National Laboratory
Office: 630.252.4742
Mobile: 630.631.6621
