Are there conventions for service principal naming?
Matthew M. DeLoera
mdeloera at exacq.com
Thu Dec 10 18:08:13 EST 2009
Over the past few days I've managed to discover some details about
service principal naming that I wanted to confirm with all of you, if
If my SPN is in the form service_name/fqdn@REALM:
- I'm running gssglue (Ubuntu) with the MIT GSS-API and krb5 libs. When
I sniff with Wireshark, I notice that the SPN in my requests is always
forced to all lower-case, regardless of what my code specifies. This
burnt me some when I was recently debugging a Linux service with AD2003.
I couldn't understand why I kept getting "no principal in keytab matches
desired name". It took forever to finally notice mixed-case in what
should have been the matching principal in my keytab. (I'd inadvertently
specified all upper-case when I ran ktpass in AD). I've since managed to
google some mention that the fqdn *must* be all lower-case. So, is it
correct that my fqdn will always be forced to lower-case on the wire? If
so, there are a couple changes I'd want to make in my own software.
- Are there any guidelines to what I should use for service_name? Any
lower/upper case conventions? Right now I'm just using "host/", and I
haven't managed to find any definitive rules on a convention to follow.
That's all. No problems to speak of, otherwise!
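
Added example, not part of the original message: a check for the keytab mismatch described above, run over plain `klist -k` output. It assumes, as the post observes, that the host part of the requested SPN is lower-cased and that keytab names are matched case-sensitively; the sample output, host names and realm are constructed placeholders.

```python
import re

# Constructed sample of plain `klist -k` output (placeholder names and realm).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/APP01.EXAMPLE.COM@EXAMPLE.COM
   3 host/app02.example.com@EXAMPLE.COM
   2 HTTP/Web01.example.com@EXAMPLE.COM
   5 APP03$@EXAMPLE.COM
"""

# A keytab entry line is "<kvno> <principal>"; header lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def split_principal(name):
    """Split 'service/host@REALM' into (service, host, realm).

    host is None for single-component names such as 'APP03$@REALM'.
    """
    body, sep, realm = name.rpartition("@")
    if not sep:
        body, realm = name, ""
    service, slash, host = body.partition("/")
    return service, (host if slash else None), realm


def find_case_mismatches(klist_text):
    """Return (kvno, principal, expected) for entries whose host part
    contains upper-case characters and so cannot match a lower-cased SPN."""
    findings = []
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        service, host, realm = split_principal(principal)
        if host is None or host == host.lower():
            continue
        expected = f"{service}/{host.lower()}" + (f"@{realm}" if realm else "")
        findings.append((kvno, principal, expected))
    return findings


if __name__ == "__main__":
    for kvno, found, expected in find_case_mismatches(SAMPLE_KLIST):
        print(f"kvno {kvno}: {found} -> expected {expected}")
```

Only the host component is checked; the service name and realm are left exactly as they appear in the keytab.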