spn alias

Stefan Kania stefan at kania-online.de
Sun Mar 9 11:57:07 EDT 2025



On 08.03.25 at 21:23 Ken Hornstein wrote:
>>> If you are using MIT Kerberos (anything 1.10 or newer) on the
>>> LDAP server, you can use the krb5.conf configuration entry
>>> "ignore_acceptor_hostname" to allow the server to match on any valid
>>> hostname.  See details here:
>>
>> Hi Ken,
>>
>> that did it. Thank you. Now we get the ticket through the load balancer.
>> But OpenLDAP is complaining that the name of the principal is not
>> matching the FQDN.  We now will go the way without the load balancer. We
>> will use SRV records.
> 
> Hm, _OpenLDAP_ is complaining?  Are you sure?  Like, how does it even know?
> Exactly what error are you getting?
> 
> --Ken

KRB5_TRACE=/dev/stdout kinit <principal>
shows that I connect to the LDAP server and the LDAP server is 
responding and sending me a service ticket that I can see with "klist". But 
then I get an err=49 from the LDAP server. I can see it in the log of 
the LDAP server.
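For readers who land on this thread later, here is an added example (not from Ken's or Stefan's mails, and not a project-supplied file) of the krb5.conf fragment on the OpenLDAP server side that Ken's suggestion refers to. The realm EXAMPLE.COM, the hostnames ldap-lb.example.com / ldap1.example.com / kdc.example.com and the comments are placeholders I chose, not values from the thread.

```ini
# Added example: krb5.conf on an OpenLDAP server that sits behind a load balancer.
# Realm, hostnames and the load-balancer name are placeholders, not values from
# the thread.

[libdefaults]
    default_realm = EXAMPLE.COM

    # Default behaviour (false): when slapd/SASL accepts a GSSAPI context it
    # looks only for ldap/<hostname the application passed in>@EXAMPLE.COM in
    # the keytab. A client that obtained a ticket for the load-balancer name
    # (ldap/ldap-lb.example.com@EXAMPLE.COM) is rejected on ldap1.example.com.
    #ignore_acceptor_hostname = false

    # Load-balancer friendly setting (MIT krb5 1.10 or newer): the acceptor
    # ignores the hostname the application passes and accepts any "ldap/..."
    # principal of this realm that is present in the keytab.
    ignore_acceptor_hostname = true

    # Clients that bypass the load balancer and pick a backend via DNS SRV
    # records get a ticket for that backend's own name, so the principal
    # matches the FQDN without any relaxation. The LDAP SRV records
    # (_ldap._tcp.example.com) live in DNS, not in this file; only KDC
    # discovery via SRV is configured here.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```

Two practical checks go with this: the setting only relaxes the name match, so every backend's keytab still has to contain the key for ldap/ldap-lb.example.com@EXAMPLE.COM (verify with klist -kt on each server), otherwise the ticket cannot be decrypted at all; and because the krb5 library is loaded into slapd, the change takes effect only after slapd is restarted. An err=49 in the slapd log is LDAP result code invalidCredentials, i.e. the server side of the SASL/GSSAPI bind failed, which is why KRB5_TRACE on the client still shows a successfully issued service ticket.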
