On Thu, Aug 18, 2016 at 08:48:37AM +0000, Joakim Tjernlund wrote:
> Is there a difference between the above two options?

Yes, there is. Only with a user principal can you get ticket-granting tickets (TGTs). So only those can be used with kinit or for login. Service principals are used to identify services, e.g. if a user wants to access the LDAP service he needs a service ticket for the service ldap/[email protected].

>
> Also, I have always wondered why there are two versions of every service, as in:
> host/[email protected]
> vs.
> host/[email protected]

This is AFAIK some shortcut for Windows/AD environments. In general Kerberos relies on DNS and hence host/[email protected] is all you need. For compatibility AD still supports a different kind of name called NetBIOS names. Typically the NetBIOS name is just the first part of the DNS name in upper case. But there is no general rule for this, and due to some restrictions on either side (NetBIOS names can only be 15 bytes long, but may contain '.') it is not always possible to find the matching name in the other scheme. Since Windows users are used to the NetBIOS names, AD supports them in the service principals as well.

HTH

bye,
Sumit

>
> Jocke
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
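As an added illustration of the two points in the reply above (not code from the thread or from SSSD): a small Kerberos principal parser that separates user principals (bare name@REALM, the ones that can obtain a TGT) from service principals (name/instance@REALM), plus the usual heuristic for deriving the NetBIOS-style service principal from the DNS-style one. The hostnames and realm are constructed, and the "first label, upper-cased, at most 15 bytes" rule is only the common convention, so the function returns None where no match can be derived.

```python
# Added example (not from the sssd-users thread): parse Kerberos principal
# names, tell user principals from service principals, and derive the
# NetBIOS-style service principal that AD also accepts for a DNS-style one.
# Hostnames, realm and the 15-byte NetBIOS rule are illustrative assumptions.
from dataclasses import dataclass
from typing import Optional

NETBIOS_MAX_BYTES = 15


@dataclass(frozen=True)
class Principal:
    components: tuple  # primary component first, e.g. ("host", "fqdn")
    realm: str

    @property
    def is_service(self) -> bool:
        # Service principals carry an instance (name/instance@REALM);
        # user principals are a bare name@REALM and are used with kinit.
        return len(self.components) > 1

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def parse_principal(text: str) -> Principal:
    """Parse name[/instance...]@REALM; backslash escapes are not handled."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    name, realm = text.split("@")
    comps = tuple(name.split("/"))
    if not realm or any(c == "" for c in comps):
        raise ValueError(f"empty component in {text!r}")
    return Principal(comps, realm)


def netbios_variant(p: Principal) -> Optional[Principal]:
    """Derive service/NETBIOS@REALM from service/fqdn@REALM using the usual
    heuristic (first DNS label, upper-cased). Returns None for user
    principals and when the label is too long for a NetBIOS name, since
    the reply above notes there is no general rule that always works."""
    if len(p.components) != 2:
        return None
    service, fqdn = p.components
    label = fqdn.split(".")[0].upper()
    if len(label.encode()) > NETBIOS_MAX_BYTES:
        return None
    return Principal((service, label), p.realm)
```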
