Marc Dionne wrote:
John W. Sopko Jr. wrote:
Without more information I would
only be speculating on how Microsoft intends one to use the "setspn"
command. Having multiple service principals attached to a single account
name is confusing.

Nothing to do with AFS, but "setspn" is useful even in a strictly Windows
environment.  I use it regularly in a couple of situations:
- to allow Kerberos authentication to work when accessing some services
via a DNS alias.  In this case you attach a SPN for each alias to the
server's account.
- to allow Kerberos authentication to work with IIS when the associated
pool is run with an account other than the standard local accounts (ex.
Network Service).  In this case SPNs for each server and any aliases are
attached to the user account that runs the IIS pool.

Marc

I am not a Windows admin but after researching it does appear that the
setspn command is more useful for a Windows environment. I did see
some Microsoft Tech notes about using setspn for IIS and SQL Server.

I believe that using the ktpass command with the -mapuser option is
probably the proper way to export keytabs to U/Linux services and
not use setspn at all.

--
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
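
The two setspn uses described in the quoted message, sketched as an added PowerShell example that is not part of the original thread. The host, alias, domain and account names are constructed placeholders, and the service classes (HOST for the alias case, HTTP for IIS) are assumptions.

```powershell
# Added example, not from the thread. All names below are constructed placeholders.

# Build the short-name and fully qualified SPN for each host name or alias.
function Get-SpnSet {
    param(
        [Parameter(Mandatory)][string]   $ServiceClass,  # e.g. HOST or HTTP (assumed)
        [Parameter(Mandatory)][string[]] $HostNames,     # server name and/or DNS aliases
        [Parameter(Mandatory)][string]   $DnsSuffix      # e.g. corp.example.com
    )
    foreach ($h in $HostNames) {
        "${ServiceClass}/${h}"
        "${ServiceClass}/${h}.${DnsSuffix}"
    }
}

# Attach each SPN to one account. "setspn -S" verifies that no other account
# already holds the SPN before adding it, so a duplicate is refused.
function Register-Spn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $Account,
        [Parameter(Mandatory)][string[]] $Spn
    )
    foreach ($s in $Spn) {
        if ($PSCmdlet.ShouldProcess($Account, "setspn -S $s")) {
            setspn -S $s $Account
        }
    }
}

# Case 1: a service reached through a DNS alias.
# One SPN per alias goes on the server's own (computer) account.
$aliasSpns = Get-SpnSet -ServiceClass 'HOST' -HostNames 'intranet' `
                        -DnsSuffix 'corp.example.com'
Register-Spn -Account 'WEB01' -Spn $aliasSpns -WhatIf

# Case 2: an IIS pool run as a domain user instead of Network Service.
# SPNs for the server and any aliases go on the user account that runs the pool.
$poolSpns = Get-SpnSet -ServiceClass 'HTTP' -HostNames 'web01', 'intranet' `
                       -DnsSuffix 'corp.example.com'
Register-Spn -Account 'CORP\svc-iispool' -Spn $poolSpns -WhatIf

# Review what is attached to an account, then search the directory for duplicates.
setspn -L 'CORP\svc-iispool'
setspn -X
```

Remove `-WhatIf` to apply the changes.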