On Tue, Aug 23, 2016 at 01:55:00PM +0000, Ondrej Valousek wrote:
> Maybe a little bit OT question here:
> 
> SPN vs UPN only exists in Microsoft KDC implementation right?
> i.e. if I deploy IPA domain, there is still no difference between these 2  
> (as IPA is using MIT KDC) right?

In general yes, but please note that the handling of the service
principals is completely different in AD and IPA. In AD they are just
attributes of a host object, while in IPA they are objects on their own.
As a consequence, in AD all services will use the same key based on the
host password, while with IPA each service on a host will have an
individual key.

HTH

bye,
Sumit

> 
> Thanks,
> Ondrej
> 
> 
> -----Original Message-----
> From: Sumit Bose [mailto:[email protected]] 
> Sent: Tuesday, August 23, 2016 3:49 PM
> To: [email protected]
> Subject: [SSSD-users] Re: adcli --service-name="host" vs. --user-principal=host/[email protected]?
> 
> On Thu, Aug 18, 2016 at 08:48:37AM +0000, Joakim Tjernlund wrote:
> > Is there a difference between the above two options?
> 
> Yes, there is. Only with a user principal can you get ticket granting tickets 
> (TGTs), so only those can be used with kinit or for login.
> 
> Service principals are used to identify services, e.g. if a user wants to 
> access the LDAP service he needs a service ticket for the service 
> ldap/[email protected].
> 
> > 
> > Also, I have always wondered why there are two versions of every service, as in:
> > host/[email protected]
> >   vs.
> > host/[email protected]
> 
> This is AFAIK some shortcut for Windows/AD environments. In general Kerberos 
> relies on DNS and hence host/[email protected] is all you 
> need. For compatibility AD still supports a different kind of names called 
> NetBIOS names. Typically the NetBIOS name is just the first part of the DNS 
> name in upper-case. But there is no general rule for this, and due to some 
> restrictions on either side (NetBIOS names can only be 15 bytes long, but may 
> contain '.') it is not even always possible to find the matching name in the 
> other scheme. Since the Windows users are used to NetBIOS names, AD 
> supports them in the service principals as well.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> >  Jocke
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
