"Ravi Channavajhala" <[email protected]> wrote in message 
news:[email protected]...
> On Thu, May 7, 2009 at 1:19 AM, Markus Moeller <[email protected]> 
> wrote:
>>
>> You could add a copy to the keytab with ktutil which has an uppercase 
>> HOST
>> e.g.
>>
>> # ktutil
>> ktutil: rkt /tmp/test.keytab
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: addent -key -p HOST/[email protected] -k 3 -e rc4-hmac
>> Key for HOST/[email protected] (hex): d962b1ecc18a809eb57c4a031193623a
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    3 host/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
>>    2    3 HOST/[email protected] (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: wkt /tmp/new.keytab
>> ktutil: quit
>
> Interesting.  This means, I need to have all the SPNs included in the
> keytab?  Do you see an inherent problem with deleting the existing
> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
> generating the keytab?
>

The best would be to have one entry in AD with the host/fqdn syntax. If you 
have clients requesting HOST/fqdn just use the above method to add a second 
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same 
way as it is case insensitive, so no need to add a second entry to AD.

Markus 
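An added example, not code from the thread, that scripts the ktutil step Markus shows: it parses `ktutil: l -k` output for the host/fqdn entry and emits the ktutil commands that add a HOST/fqdn entry with the same key and KVNO. The hostname, realm and hex key in the sample are constructed, and the `l -k` layout is assumed to be MIT ktutil's.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the ktutil step above.
# Reads `ktutil: l -k` text on stdin, finds host/<fqdn>@<REALM>, and emits the
# ktutil command script that adds HOST/<fqdn>@<REALM> with the same key/KVNO.
# Assumes MIT ktutil's "list -k" layout: "slot KVNO Principal (0x<hex>)".

# Constructed sample of `l -k` output (hostname, realm and key are made up).
SAMPLE_LIST='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/www.example.com@EXAMPLE.COM (0x00112233445566778899aabbccddeeff)'

# keytab_entry <principal>: prints "<kvno> <hex>" for an exact, case-sensitive
# match (a client looking up HOST/ will not find host/, hence the extra entry).
# Exits 1 when the principal is absent.
keytab_entry() {
    awk -v p="$1" '
        $3 == p && $4 ~ /^\(0x[0-9a-fA-F]+\)$/ {
            gsub(/[()]/, "", $4); sub(/^0x/, "", $4)
            print $2 " " $4; found = 1; exit
        }
        END { exit !found }'
}

# ktutil_add_upper <in.keytab> <out.keytab> <fqdn> <realm> <enctype>:
# prints the ktutil commands. The hex line answers addent's "Key ... (hex):"
# prompt; it is the raw long-term key, so keep this output out of logs and
# shell history, and create the new keytab with mode 0600.
ktutil_add_upper() {
    src="$1"; dst="$2"; fqdn="$3"; realm="$4"; enc="$5"
    entry=$(keytab_entry "host/$fqdn@$realm") || return 1
    set -- $entry    # $1 = KVNO, $2 = hex key
    printf 'rkt %s\n' "$src"
    printf 'addent -key -p HOST/%s@%s -k %s -e %s\n' "$fqdn" "$realm" "$1" "$enc"
    printf '%s\n' "$2"
    printf 'wkt %s\nquit\n' "$dst"
}

# Usage (prints the ktutil script; feed it to ktutil on a real host):
#   printf '%s\n' "$SAMPLE_LIST" | ktutil_add_upper /tmp/test.keytab /tmp/new.keytab www.example.com EXAMPLE.COM rc4-hmac
```

Only the keytab is touched; as the thread notes, AD matches service principal names case-insensitively, so no second SPN is registered there.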

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
