Re: kerberos tickets and the SPNs
- From: "Douglas E. Engert" <deengert@xxxxxxx>
- Date: Fri, 08 May 2009 14:32:42 -0500
Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deengert@xxxxxxx> wrote:
> I deleted the computer object in AD, waited for the replication to
> complete and then re-added the AD object. Now the SPN appears as

Note that the MS documentation says to add a "user" account, not a "computer"
account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

  To configure the UNIX hosts
  Use the Active Directory Management tool to create a new user account for
  the UNIX host:
  Select the Users folder, right-click and select New, then choose user.
  Type the name of the UNIX host.

(The last line means: pick a unique name in the forest for the account, i.e. it
is used as the SamAccountName (without the $), so it must be 19 characters. Use
some convention, like host-name-dept, where h is short for host, name is the
simple host name, and dept is the department. (We have department DNS domains,
but the AD is site wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal
option.

>> I am pretty sure if you create a "computer" account, the SPN gets added
>> during account creation, and that is why you are seeing the uppercase HOST.
>
> This is obviously not what happens when you use Solaris adjoin.sh
> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these
> approaches create a computer object specifically.

The point I was making is that the Microsoft create computer account may
be adding the HOST/hostname for you, assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already
set.

> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, whereas the Samba 'net ads keytab create' simply doesn't
> create one. Mind you, I'm using Sun natively packaged Samba. Whereas
> I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
> adjoin literally uses ldapadd to add the host to the computers
> container....

We use msktutil, which uses OpenLDAP to create the account (computer);
msktutil then uses Kerberos to change the password and LDAP to
set the SPN, and then creates/updates the keytab file. Sort of
what adjoin.sh would do.

> Alright, I digress....back to Kerberos. I didn't get around the
> problem. So I'm going to install a Linux server and see how I fare.
--
Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
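The case mismatch the thread is chasing (host/host.fqdn in a keytab versus HOST/... registered on the AD object, which ktpass will not re-case) is easy to spot mechanically. The following Python check is an added example, not code from this thread or from msktutil/adjoin.sh: it parses `klist -k` output, compares the keytab principals with the servicePrincipalName values an LDAP query would return for the object, and reports pairs that agree only when case is ignored. The host name, realm, keytab listing and SPN values are constructed sample data.

```python
import re

# Constructed sample of `klist -k` output for a UNIX host (hypothetical host/realm).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/unixbox.example.com@EXAMPLE.COM
   3 host/unixbox.example.com@EXAMPLE.COM
   3 HOST/UNIXBOX@EXAMPLE.COM
"""

# Constructed servicePrincipalName values for the same host's AD object, as an
# LDAP query would return them (hypothetical; note the upper-case HOST prefix).
AD_SPNS = ["HOST/UNIXBOX", "HOST/unixbox.example.com"]

# One keytab entry line: KVNO, whitespace, principal@REALM.
PRINC_RE = re.compile(r"^\s*\d+\s+(\S+)@(\S+)\s*$")

def keytab_spns(klist_text):
    """Return the distinct service principals (realm stripped) listed by klist -k."""
    spns = []
    for line in klist_text.splitlines():
        m = PRINC_RE.match(line)
        if m and m.group(1) not in spns:
            spns.append(m.group(1))
    return spns

def compare_spns(keytab, ad_spns):
    """Classify keytab principals against the SPNs registered in AD.
    AD matches SPNs case-insensitively, but MIT Kerberos compares principal
    names exactly, so a pair that agrees only when case is ignored is the
    host/... vs HOST/... situation described in the thread."""
    ad_by_lower = {s.lower(): s for s in ad_spns}
    result = {"exact": [], "case_only": [], "keytab_only": [], "ad_only": []}
    matched = set()
    for spn in keytab:
        ad = ad_by_lower.get(spn.lower())
        if ad is None:
            result["keytab_only"].append(spn)
        elif ad == spn:
            result["exact"].append(spn)
            matched.add(ad)
        else:
            result["case_only"].append((spn, ad))
            matched.add(ad)
    result["ad_only"] = [s for s in ad_spns if s not in matched]
    return result
```

On a real host, feed it the output of `klist -k` and the servicePrincipalName values from an ldapsearch of the object; anything under case_only is an entry to fix on one side before relying on it.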