theory behind unique SPNs

Ben H bhendin at gmail.com
Fri Apr 24 15:37:31 EDT 2015


I've worked with Kerberos implementations for a while, but almost
exclusively with AD in the KDC role (though MIT clients as well).
This may sound like a beginner question because of my lack of experience
with "pure" Kerberos.

When accessing services we require a service ticket for each principal, so
I would ask my TGS for the following:

cifs/serverA.domain.com
ldap/serverA.domain.com

I can have multiple SPNs attached to a single host.  Each server service
uses its own respective SPN.
Even having a ticket for either (or both) does not actually give me the
rights to do anything other than connect.
In the Windows world the PAC would authorize me as to what files I could
transfer with cifs or what ldap ops I could perform.

Why not simply use host/serverA.domain.com for both services?
It isn't an identification issue, since my requests will go to different
ports.
And, as long as the servers support these names it will work.
Some NFS implementations, for instance, allow the use of host/ instead of
nfs/ to make keytab configuration easier.

I'm sure there is a good security answer behind this, but I'm not
visualizing it.

As a practical example I would like the argument against using myservice/
as the principal for 3 different services running on the same host.
The server application supports a dynamic principal and maintaining one
keytab entry is certainly easier.

Thanks

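The trade-off the post asks about, as an added illustration that is not part of the original message or of any Kerberos implementation: a toy model in which a service ticket is sealed under the service principal's long-term key (an HMAC tag stands in for the real encryption), run once with separate cifs/ and ldap/ principals and once with a shared host/ principal, to show which daemons can open (and therefore could forge) which tickets. The daemon names, client name and host are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Toy model: one long-term key per service principal, as the KDC would hold it.
def new_key() -> bytes:
    return secrets.token_bytes(32)

def issue_ticket(kdc_keys: dict, client: str, spn: str) -> dict:
    """TGS side: seal a ticket for `spn` under that principal's long-term key."""
    body = f"{client}|{spn}".encode()
    tag = hmac.new(kdc_keys[spn], body, hashlib.sha256).hexdigest()
    return {"client": client, "spn": spn, "tag": tag}

def can_open(keytab: dict, ticket: dict) -> bool:
    """Service side: the ticket opens if any key in this daemon's keytab verifies it."""
    body = f"{ticket['client']}|{ticket['spn']}".encode()
    return any(
        hmac.compare_digest(hmac.new(k, body, hashlib.sha256).hexdigest(), ticket["tag"])
        for k in keytab.values()
    )

def exposure(kdc_keys: dict, keytabs: dict, requests: list) -> dict:
    """For each (client, spn) request, list the daemons whose keytab opens the ticket."""
    result = {}
    for client, spn in requests:
        ticket = issue_ticket(kdc_keys, client, spn)
        result[spn] = sorted(name for name, kt in keytabs.items() if can_open(kt, ticket))
    return result

def compare_deployments(host: str = "serverA.domain.com") -> dict:
    # Deployment 1: one SPN per service; each daemon's keytab holds only its own key.
    cifs, ldap = f"cifs/{host}", f"ldap/{host}"
    kdc = {cifs: new_key(), ldap: new_key()}
    separate = exposure(
        kdc,
        {"cifs-daemon": {cifs: kdc[cifs]}, "ldap-daemon": {ldap: kdc[ldap]}},
        [("alice", cifs), ("alice", ldap)],
    )
    # Deployment 2: both daemons share host/ and therefore the same key.
    shared = f"host/{host}"
    kdc2 = {shared: new_key()}
    both = exposure(
        kdc2,
        {"cifs-daemon": {shared: kdc2[shared]}, "ldap-daemon": {shared: kdc2[shared]}},
        [("alice", shared)],
    )
    return {"separate": separate, "shared": both}

if __name__ == "__main__":
    print(compare_deployments())
```

With separate SPNs a ticket is only readable by the daemon it was issued for, so a compromised ldap daemon learns nothing from cifs tickets; with the shared host/ principal every daemon holding the key can open, and could mint, tickets for its neighbours, and the ticket itself no longer records which service it was meant for.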