John Hefferman wrote:
> Thank you both for your replies. Using msktutil with multiple -s options
> would probably be better.
>
>> IMHO I would use separate accounts for each principal.
>
> Other than only being able to kinit -k as one of the SPNs, and having to
> specify all SPNs if a new SPN is to be added, are there any other
> disadvantages to doing it this way?
>
Keeping the DC and the keytab in sync is the main issue.

There may be security issues, if the keytab is shared between two applications
not at the same trust level. For example if you run your HTTP server as a
non-root user for security reasons, you don't want to share the keytab with the
host/fqdn principal. And AD complicates this even more, as with RC4 the same key
is used for both. Best to use the conventional Kerberos wisdom of don't share
keys between multiple principals.

It's not hard to use msktutil in this way, just have a naming convention for
the hosts. Use the --computer-name keeping it to 19 characters or less, all
lower case. Something like service-simplehostname works well. The base does not
have to be in CN=Computers either. Work with your AD admin on a location, and
use the msktutil --base option.

--

> Thanks again,
>
> John
>
>
> ________________________________________
> From: [email protected] [[email protected]] On Behalf Of
> Douglas E. Engert [[email protected]]
> Sent: 02 October 2009 22:33
> To: Markus Moeller
> Cc: [email protected]
> Subject: Re: msktutil requires separate account for each service principal?
>
> Markus Moeller wrote:
>> John,
>>
>> That is correct. msktutil updates the key of the computer account. So the
>> second msktutil call with the same computer-name will make the first entry
>> invalid. But you can have host and http assigned to the same AD account if
>> you use other tools like net ads join with net ads keytab.
>
> You can also use the msktutil feature to have multiple entries in the same
> keytab, for example principals for host and HTTP. They both have the same key
> which may not be what you really want.
>
> To do this use multiple -s <service> options when you create the keytab and
> account. Note in AD they will each have an SPN, but a common UPN, in case
> you want to use kinit with a keytab.
>
> IMHO I would use separate accounts for each principal.
>
>> Regards
>> Markus
>>
>> "John Hefferman" <[email protected]> wrote in message
>> news:[email protected]...
>>> Dear list,
>>>
>>> To my knowledge (and after some tests), msktutil requires a separate
>>> account in active directory for each service principal needed for a
>>> machine.
>>>
>>> For instance, if a Linux computer is going to need a host/ and a http/
>>> service principal it would be necessary to run msktutil twice, such as:
>>>
>>> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k
>>> linuxComputer.keytab --server domainControllerFqdn
>>>
>>> msktutil -h fqdn --computer-name linux-computer-http --verbose -s
>>> http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn
>>>
>>> I just wanted to confirm this was the case, or whether it is possible to
>>> have both host/ and http/ under the same account in AD.
>>>
>>> Thanks in advance for any help,
>>>
>>> John
>>>
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
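As an added illustration of the one-account-per-principal approach and the service-simplehostname naming convention discussed above (example code, not from the thread or from msktutil itself): a small POSIX shell helper that derives the account name, enforces the 19-character lower-case limit, and assembles one msktutil invocation per principal, each with its own account and keytab, using only the options quoted in the thread. The hostnames, domain controller, base DN and keytab file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from msktutil itself): apply the
# "one account per principal" advice with a service-simplehostname naming
# convention. Hostnames, DC, base DN and keytab paths below are constructed.

# Derive the AD computer-account name for one service principal:
# "<service>-<simplehostname>", lower case, 19 characters or fewer.
# Prints the name; returns 1 (and prints nothing) if it would be too long.
mskt_account_name() {
    _svc=$1    # e.g. host or HTTP
    _fqdn=$2   # e.g. web1.example.com
    _short=${_fqdn%%.*}   # simplehostname: strip the domain part
    _name=$(printf '%s-%s' "$_svc" "$_short" | tr '[:upper:]' '[:lower:]')
    if [ ${#_name} -gt 19 ]; then
        echo "account name '$_name' exceeds 19 characters; shorten it" >&2
        return 1
    fi
    printf '%s\n' "$_name"
}

# Assemble (print, do not run) one msktutil invocation that creates a
# separate account and a separate keytab for a single service principal.
# Usage: mskt_command SERVICE FQDN DC BASE_DN
mskt_command() {
    _svc=$1; _fqdn=$2; _dc=$3; _base=$4
    _acct=$(mskt_account_name "$_svc" "$_fqdn") || return 1
    printf "msktutil -h %s --computer-name %s -s %s/%s -k %s.keytab --server %s --base '%s'\n" \
        "$_fqdn" "$_acct" "$_svc" "$_fqdn" "$_acct" "$_dc" "$_base"
}

# Demo: one account and one keytab each for host/ and HTTP/ on the same machine,
# so the HTTP server's keytab never contains the host/fqdn key.
for _s in host HTTP; do
    mskt_command "$_s" web1.example.com dc1.example.com 'OU=Linux Hosts,DC=example,DC=com'
done
```

Pipe each printed line to sh (or run it by hand) once the AD admin has agreed on the base OU; the helper refuses names that would not fit the 19-character limit.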
