msktutil requires separate account for each service principal?
John Hefferman
john.hefferman at cern.ch
Mon Oct 5 03:57:43 EDT 2009
Thank you both for your replies. Using msktutil with multiple -s options would probably be better.
> IMHO I would use separate accounts for each principal.
Other than only being able to kinit -k as one of the SPNs, and having to specify all SPNs if a new SPN is to be added, are there any other disadvantages to doing it this way?
Thanks again,
John
________________________________________
From: kerberos-bounces at mit.edu [kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert [deengert at anl.gov]
Sent: 02 October 2009 22:33
To: Markus Moeller
Cc: kerberos at mit.edu
Subject: Re: msktutil requires separate account for each service principal?
Markus Moeller wrote:
> John,
>
> That is correct. msktutil updates the key of the computer account. So the
> second msktutil call with the same computer-name will make the first entry
> invalid. But you can have host and http assigned to the same AD account if
> you use other tools like net ads join with net ads keytab.
You can also use the msktutil feature to have multiple entries in the same
keytab, for example principals for host and HTTP. They both have the same key
which may not be what you really want.
To do this use multiple -s <service> options when you create the keytab and
account. Note in AD they will each have an SPN, but a common UPN, in case
you want to use kinit with a keytab.
IMHO I would use separate accounts for each principal.
>
> Regards
> Markus
>
> "John Hefferman" <john.hefferman at cern.ch> wrote in message
> news:471AD4CD1F3AC846911E0C520A522E7204560F1C at cernxchg74.cern.ch...
>> Dear list,
>>
>> To my knowledge (and after some tests), msktutil requires a separate
>> account in active directory for each service principal needed for a
>> machine.
>>
>> For instance, if a Linux computer is going to need a host/ and a http/
>> service principal it would be necessary to run msktutil twice, such as:
>>
>> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k
>> linuxComputer.keytab --server domainControllerFqdn
>>
>> msktutil -h fqdn --computer-name linux-computer-http --verbose -s
>> http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn
>>
>> I just wanted to confirm this was the case, or whether it is possible to
>> have both host/ and http/ under the same account in AD.
>>
>> Thanks in advance for any help,
>>
>> John
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
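Engert's point above, that several -s principals created on one account end up with the same key, can be checked on the resulting keytab file. The following is an added example, not code from the thread or from msktutil: a small parser for the MIT keytab format (version 0x0502) that reports principals sharing identical key material, run over a constructed sample keytab whose realm, host name and key bytes are made up for illustration.

```python
# Added example, not from the thread; realm, names and key bytes below are constructed.
import struct
def _octets(b):  # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b
def build_entry(realm, components, enctype, key, kvno):  # only used to build the sample
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                      # 32-bit vno (v2 extension)
    return struct.pack(">i", len(body)) + body
def _read_str(data, pos):  # counted_octet_string -> (str, position after it)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # -> [(principal, enctype, kvno, key)] for every live entry
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _read_str(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, pos = _read_str(data, pos)
                comps.append(c)
            _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
            enctype, klen = struct.unpack_from(">HH", data, pos + 9)
            key, tail = data[pos + 13:pos + 13 + klen], pos + 13 + klen
            kvno = struct.unpack_from(">I", data, tail)[0] if end - tail >= 4 else vno8
            entries.append(("/".join(comps) + "@" + realm, enctype, kvno, key))
        pos = end
    return entries

def shared_keys(entries):  # {(enctype, key): [principals]} for keys held by >1 principal
    by_key = {}
    for princ, enctype, _kvno, key in entries:
        by_key.setdefault((enctype, key), []).append(princ)
    return {k: v for k, v in by_key.items() if len(v) > 1}

# Constructed sample: host/ and HTTP/ from one msktutil account share a key; nfs/ does not.
SAMPLE = b"\x05\x02" + b"".join([
    build_entry("EXAMPLE.COM", ["host", "linux.example.com"], 18, b"K" * 32, 2),
    build_entry("EXAMPLE.COM", ["HTTP", "linux.example.com"], 18, b"K" * 32, 2),
    build_entry("EXAMPLE.COM", ["nfs", "linux.example.com"], 18, b"N" * 32, 1),
])
```

Running shared_keys(parse_keytab(SAMPLE)) lists host/ and HTTP/ under one key, which is the situation the thread warns about; on a real file, read the bytes with open(path, "rb").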