Re: kerberos tickets and the SPNs





Ravi Channavajhala wrote:
On Fri, May 8, 2009 at 4:26 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:

Interesting. This means, I need to have all the SPNs included in the
keytab? Do you see an inherent problem with deleting the existing
SPNs on windows KDC and adding only one SPN of the form host/fqdn and
generating the keytab?

The best would be to have one entry in AD with the host/fqdn syntax. If you
have clients requesting HOST/fqdn just use the above method to add a second
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
way as it is case insensitive, so no need to add a second entry to AD.

I deleted the computer object in AD, waited for the replication to
complete and then re-added the AD object. Now the SPN appears as


Note that the MS documentation says to add a "user" account, not a "computer"
account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

To configure the UNIX hosts

Use the Active Directory Management tool to create a new user account for the UNIX host:

Select the Users folder, right-click and select New, then choose user.

Type the name of the UNIX host.

(The last line means: pick a unique name in the forest for the account, i.e. it is used as
the SamAccountName (without the $) so must be 19 characters. Use some convention,
like host-name-dept where h is short for host, name is the simple host name,
and dept. (We have department DNS domains, but the AD is site wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal option.
I am pretty sure if you create a "computer" account, the SPN gets added
during account creation, and that is why you are seeing the uppercase HOST.


host/host.fqdn

Which is good. I ran the ktpass to generate the new keys for this
host using the SPN created with the correct realm. Now, when Solaris
is trying to authenticate an AD user, I still get the server not found
in kerberos database, modifying the keytab manually with ktutil on
solaris gives me PAM-KRB5 (auth) the key table entry not found. If it
is of any academic value, in the -mapuser switch I used is an ordinary
AD user (not even a service account) whose name is same as the
computer name.

The ktpass -mapuser user refers to the account created to hold the
principal, above not a real user.


One is cn=users, the other cn=computers, so I don't

It does not matter where it is located, but follow some convention,
like create a cn=Unix and you can have Unix admins given rights to add
accounts to this subtree.


believe this could be the problem. For the kicks, I created another
user whose name is not the same as the host and tried...no luck. So
having distinct SPN, UPNs also didn't work.

As a last desperate measure, is there any elegant way to examine the
kerberos database to see if a sticky reference to the host principal
is lingering around and forcibly delete it? This is really getting a
bit vexing.

You could use ldapsearch and filter for "(serviceprincipalname=host/fqdn)"
or "(dnshostname=fqdn)"


________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos



--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
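A quick check on the Unix side for the symptom above ("key table entry not found") is to list the principals actually present in the keytab and compare them, case-sensitively, with the one the client asks for: AD treats HOST/fqdn and host/fqdn as the same name, but an MIT-style keytab lookup does not. This is an added example, not code from the thread: a minimal parser for the MIT keytab file format (version 0x0502) plus a constructed sample keytab; the realm, host name, key bytes and kvno are placeholders.

```python
import struct

def _cstr(buf, off):
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    n, = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _nametype, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        _key, off = _cstr(data, off + 11)   # keyblock: uint16 type + counted key
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def build_keytab(principals, enctype=23, kvno=2, key=b"\x11" * 16):
    """Constructed sample keytab: one entry per 'svc/host@REALM' (23 = rc4-hmac)."""
    p16 = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for p in principals:
        name, realm = p.split("@")
        body = struct.pack(">H", name.count("/") + 1) + p16(realm.encode())
        body += b"".join(p16(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBH", 1, 0, kvno, enctype) + p16(key)
        out += struct.pack(">i", len(body)) + body
    return out

def check_keytab(data, wanted):
    """'exact', 'case-mismatch' (only a differently cased spelling; still fails), or 'missing'."""
    names = [e[0] for e in keytab_entries(data)]
    if wanted in names:
        return "exact"
    return "case-mismatch" if wanted.lower() in (n.lower() for n in names) else "missing"
```

Running it against a real file is just `check_keytab(open("/etc/krb5/krb5.keytab", "rb").read(), "host/fqdn@REALM")`; a "case-mismatch" result is the HOST/ versus host/ situation discussed above.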


