Use ADSI Edit (GUI) to set the SPN on the AD principal,
or the setspn CLI tool.

http://technet.microsoft.com/en-us/library/cc773257.aspx

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of John Jasen
Sent: Monday, March 30, 2009 9:07 AM
To: [email protected]
Subject: confusion with service principal names in Active Directory


Please forgive me if this is not the right venue.

I seem to have not found the magic required to use kerberos service
principal names on unix systems against an Active Directory server.

In the one particular example, we're trying to use kerberized NFS, so
the server daemon needs to be able to find nfs/f...@realm.

I can see the entries in the computer accounts servicePrincipalName
field, but the various UNIX systems can't find them -- either on service
initialization, or attempting kinit from commandline with the system
keytab.

I.e.:

klist -ke /etc/krb5.keytab | grep host

2 host/[email protected] (DES cbc mode with CRC-32)

[r...@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials

(same results if I do host/[email protected])

This behavior holds true for OS X kerberos clients, Red Hat 4 and 5
kerberos clients, and Solaris 10 kerberos clients. I can provide the
versions if required.

The AD server in question is Windows 2003 R2.

The only way I've found around this is to set the userPrincipalName in
AD to the service I really really need.

I.e.: in the case above, userPrincipalName is set to
nfs/[email protected]. After doing that, I can kinit
that service principal successfully, and the service dependent on it can
also initialize correctly.

From my testing, using ktpass.exe to write a keytab file seems to pretty
much automatically set the userPrincipalName to the last entry created.
Unfortunately, if you have a multi-role server, this creates
difficulties (i.e., trying to use http/hostname and sql/hostname).

Is there a way around this that I've missed? An option either on the
client side or the server side that I've missed?

-- 
-- John E. Jasen ([email protected])
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
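An added check for the UNIX side of this thread (example code, not from either poster): it reduces the keytab listing to the set of distinct principal names and then asks the KDC for initial credentials with each one, so on a multi-role server (host/, nfs/, http/ ...) you see in one pass which names the AD KDC accepts as a client and which come back with "Client not found in Kerberos database". It assumes MIT Kerberos `klist -k` / `kinit -kt` output formats, a keytab at /etc/krb5.keytab, and the placeholder host and realm in the constructed sample listing.

```shell
#!/bin/sh
# Added example: enumerate the principals in a keytab and try kinit -kt
# with each, reporting which ones the KDC will hand a TGT to.
# Not code from the mailing-list thread; host and realm are placeholders.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of `klist -ke` output (MIT format), used so the
# parser can be exercised on a box without a keytab or a KDC.
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kernelpanic.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/kernelpanic.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 nfs/kernelpanic.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

# Reduce MIT `klist -k` / `klist -ke` output on stdin to a sorted, unique
# list of principal names. A keytab has one line per (principal, kvno,
# enctype), so a principal repeats once per enctype; data lines start with
# a numeric KVNO and the principal is the second field (the enctype, when
# printed with -e, follows in parentheses and is ignored).
principals_from_klist() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Request a TGT as PRINC from the keytab, into a throwaway credential
# cache so the host's real cache is never touched. Prints one line:
# "OK   <princ>" or "FAIL <princ>: <kinit error text>".
check_principal() {
    princ="$1"
    cache="$(mktemp)"
    if out="$(KRB5CCNAME="FILE:$cache" kinit -kt "$KEYTAB" "$princ" 2>&1)"; then
        echo "OK   $princ"
    else
        echo "FAIL $princ: $out"
    fi
    rm -f "$cache"
}

# Walk the live keytab and test every principal it contains.
scan_keytab() {
    klist -k "$KEYTAB" | principals_from_klist | while read -r p; do
        check_principal "$p"
    done
}

# Always show the parser on the constructed sample; run the live scan
# only where the Kerberos client tools are actually installed.
echo "Principals in sample listing:"
printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | principals_from_klist
if command -v klist >/dev/null 2>&1 && command -v kinit >/dev/null 2>&1; then
    echo "Testing principals in $KEYTAB against the KDC:"
    scan_keytab
else
    echo "klist/kinit not found; skipping live keytab scan" >&2
fi
```

Run it as root after each change on the domain controller side (for example after `setspn -A nfs/kernelpanic.example.com <account>` and a fresh ktpass export, then compare with `setspn -L <account>`). A name that is present in the keytab and registered as an SPN but still fails here with "Client not found in Kerberos database" is exactly the symptom the original post describes: the KDC does not resolve that name when it is used as the client in the initial ticket request.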
