I am trying to get a deeper understanding of how services are organized. When browsing the LDAP directory in FreeIPA I can see that services are organized in a separate container (DN: cn=services,cn=accounts,dc=linux,dc=mydomain,dc=at) and that each service's connection to the computer object can be found in the managedBy attribute. So far, so good.

In the Windows world I see services specified directly in SPN attributes of a computer object. That makes sense and looks very similar to the IPA world.

What I do not completely understand is why SPNs can also be specified as an attribute of an AD (service account) user. Why? What's the purpose of that? (Almost every tutorial on the web uses the mapuser parameter of the ktpass command, but none states why this is needed.) I can imagine that it makes sense for Linux servers when there is no computer object in the AD. But what are other reasons/use cases?

I do know that this question is slightly off-topic. Nevertheless, I am sure somebody here has a good answer to it, which I would very much appreciate hearing.

Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
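As an added illustration of the two placements the question contrasts (this is example code written for this page, not part of Ronald's message and not FreeIPA project code): a PowerShell audit that lists every AD object carrying a servicePrincipalName and splits the result by object class, so an administrator can see which SPNs sit on computer objects and which were mapped onto user (service) accounts, for instance with ktpass /mapuser or setspn -S. It assumes the ActiveDirectory module from RSAT and read access to the domain; the domain name, host name and account name in the commented commands are placeholders.

```powershell
# Added example (not from the original post): audit where SPNs live in AD.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# The mapping the question refers to, shown with placeholder names only.
# Both commands change the directory, so they are left commented out:
#   setspn -S HTTP/web01.example.com EXAMPLE\svc-web
#   ktpass /princ HTTP/[email protected] /mapuser EXAMPLE\svc-web /pass * `
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out svc-web.keytab
# After ktpass the SPN is stored on the user object svc-web, not on a computer
# object, and the keytab lets a non-Windows host prove it owns that principal.

# Every object that carries at least one servicePrincipalName value.
$spnHolders = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, objectClass, sAMAccountName

# Split by object class: computer objects normally hold the SPNs of services
# running on the host itself; user objects hold SPNs that were mapped onto a
# service account (the ktpass /mapuser case from the question).
$spnHolders | Group-Object objectClass | ForEach-Object {
    '{0,-32} objects with SPNs: {1}' -f $_.Name, $_.Count
}

# One line per SPN registered on a user object, with the owning account.
# Each SPN on a user account is served with that account's Kerberos key, so
# these should be dedicated service accounts (or gMSAs) with strong passwords.
$spnHolders |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $acct = $_.sAMAccountName
        $_.servicePrincipalName | ForEach-Object {
            [pscustomobject]@{ Account = $acct; SPN = $_ }
        }
    } |
    Sort-Object Account, SPN |
    Format-Table -AutoSize

# The same SPN on two objects breaks Kerberos for that service (the KDC cannot
# pick a key); this is the check setspn -X performs.
$spnHolders |
    ForEach-Object { $_.servicePrincipalName } |
    Group-Object |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count
```

Run it from a domain-joined admin workstation; the first grouping answers the question's "where do SPNs live" directly, and the user-object listing is the set of accounts whose SPNs exist only because someone mapped a service onto them rather than onto a host.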
