2003 R2 AD servicePrincipalName issue

Gnädinger Ralf ralf.gnaedinger at joma-polytec.de
Wed Nov 9 02:29:20 EST 2011


Hi all,

I am trying to kerbernize my apache via mod_auth_kerb on a debian squeeze box with our company 2003 R2 active directory service.

After I configured Kerberos on my linux box I am able to get a ticket using kinit username.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sysman at JOMA.DE

Valid starting     Expires            Service principal
11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/JOMA.DE at JOMA.DE
        renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Then I created a computer account and added the service principal names like this in our AD

#setspn -R jp-sys8
#setspn -A HTTP/jp-sys8.joma.de jp-sys8
#setspn -L jp-sys8

Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HOST/jp-sys8.joma.de
    HOST/jp-sys8
    HTTP/jp-sys8.joma.de

Now when I use kvno on my linux box it is possible to get the version like this

# kvno HOST/jp-sys8
HOST/jp-sys8 at JOMA.DE: kvno = 2

but if I try HOST/jp-sys8.joma.de it`s not working...

# kvno HOST/jp-sys8.joma.de
kvno: Server not found in Kerberos database while getting credentials for HOST/jp-sys8.joma.de at JOMA.DE

When I am adding HTTP/jp-sys8 as service principal it is the same HTTP/jp-sys8 works HTTP/jp-sys8.joma.de doesn`t.

Is there anything i`ve missed?

Thanks

Ralf





More information about the Kerberos mailing list