cname - setspn alternate with MIT KDC

varun mittal vmittal05 at gmail.com
Mon Jun 3 14:23:19 EDT 2013


Hello

We have a setup for kerberized CIFS access where at present the KDC is
Active Directory (2008 R2). The DNS is hosted on a Windows 2003 server. The CIFS
server is RHEL 6.2 (using samba) and the CIFS clients are RHEL 5.x (using
smbclient).

There are 2 systems within this setup where we want to support a failover
scenario. The client will always use a single hostname for data access.
*The plan is to migrate to MIT KDC, eventually.*

The kerberized CIFS mandates the use of netbios names for access. And the
two systems have different netbios names.
In the event of failover, we are using a DNS CNAME record for switching between
the netbios names. This requires creating service principals 'cifs\cname'
for the computer accounts (using the setspn command, as has been documented
here: http://support.microsoft.com/kb/870911).

That being said, as we now want to replace the AD KDC with an MIT KDC, we
don't know what's the alternate for the setspn jig that was required for
this setup to work.

How do we associate the cifs/cname principal with cifs/<netbios-name> like
we did for AD (from that link I posted above)?
Any help would be much appreciated. Let me know if we need any kind of
logs/config changes which can help us achieve this goal.

