Maybe a slightly OT question here: SPN vs UPN only exists in the Microsoft KDC implementation, right? I.e. if I deploy an IPA domain, there is still no difference between these 2 (as IPA is using MIT KDC), right?

Thanks,
Ondrej

-----Original Message-----
From: Sumit Bose [mailto:[email protected]]
Sent: Tuesday, August 23, 2016 3:49 PM
To: [email protected]
Subject: [SSSD-users] Re: adcli --service-name="host" vs. --user-principal=host/[email protected]?

On Thu, Aug 18, 2016 at 08:48:37AM +0000, Joakim Tjernlund wrote:
> Is there a difference between the above two options?

Yes, there is. Only with a user principal can you get ticket granting tickets (TGTs). So only those can be used with kinit or for login. Service principals are used to identify services, e.g. if a user wants to access the LDAP service he needs a service ticket for the service ldap/[email protected].

>
> Also, I have always wondered why there are two versions of every service as in:
> host/[email protected]
> vs.
> host/[email protected]

This is afaik some shortcut for Windows/AD environments. In general Kerberos relies on DNS and hence host/[email protected] is all you need. For compatibility AD still supports a different kind of names called NetBIOS names. Typically the NetBIOS name is just the first part of the DNS name in upper-case. But there is no general rule for this and due to some restrictions on either side (NetBIOS names can only be 15 bytes long, but may contain '.') it is not even always possible to find the matching name in the other scheme. Since the Windows users are used to the NetBIOS names, AD supports them in the service principals as well.

HTH

bye,
Sumit

>
> Jocke

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
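
The pairing of DNS-style and NetBIOS-style service principals described in the quoted reply can be checked over a keytab's principal list. The following is an added example, not part of the thread or of adcli/SSSD: it applies only the "typical" rule from the reply (upper-cased first DNS label, at most 15 bytes) and reports principals that rule cannot pair. The function names and the `EXAMPLE.COM` sample principals are constructed for illustration.

```python
NETBIOS_MAX = 15  # byte limit for NetBIOS names, as stated in the reply


def split_principal(principal):
    """'host/a.example.com@EXAMPLE.COM' -> ('host', 'a.example.com', 'EXAMPLE.COM')."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def typical_short_name(host):
    """Upper-cased first DNS label, or None if it does not fit in a NetBIOS name."""
    label = host.split(".", 1)[0].upper()
    return label if len(label.encode()) <= NETBIOS_MAX else None


def pair_principals(principals):
    """Return (pairs, unmatched) under the typical rule.

    pairs maps a DNS-style principal to its short-name twin; unmatched lists
    principals the rule cannot pair (long or otherwise non-derivable names).
    """
    parsed = {split_principal(p): p for p in principals}
    pairs, used = {}, set()
    for (service, host, realm), principal in parsed.items():
        short = typical_short_name(host)
        twin = parsed.get((service, short, realm)) if short else None
        if twin and twin != principal:
            pairs[principal] = twin
            used.update({principal, twin})
    return pairs, [p for p in principals if p not in used]


# Constructed sample, shaped like the principal column of `klist -k` output.
SAMPLE = [
    "host/client1.example.com@EXAMPLE.COM",
    "host/CLIENT1@EXAMPLE.COM",
    # First label is 25 bytes, so the short name cannot be derived by the rule.
    "host/very-long-build-server-01.example.com@EXAMPLE.COM",
    "host/VERY-LONG-BUILD@EXAMPLE.COM",
]

if __name__ == "__main__":
    pairs, unmatched = pair_principals(SAMPLE)
    for fqdn_form, short_form in pairs.items():
        print(f"paired:    {fqdn_form} <-> {short_form}")
    for principal in unmatched:
        print(f"unmatched: {principal}")
```

Unmatched entries are not errors; they are the cases the reply warns about, where the short name has to be looked up in the directory rather than derived from DNS.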
