On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert <[email protected]> wrote:
>
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostn...@realm has "host" in lower case.
> So why Samba net ADS join is using upper case is not clear.

Just to be sure, I did delete the computer object from AD and re-created it from net ads; the SPNs appear again in the same way.

> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as Windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.

I might as well add new SPNs with the spnset -A option.

>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)
>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?

Yeah, but they are two different objects: one is a computer and the other is a user. In the above case the two SPNs are for the computer object only, as indicated by the host. The SPN for the user object typically appears as DOMAIN\USERNAME.

>> I then ftped this file over to Solaris host and try to authenticate a user
>> login via AD, I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
>>
>
> Could be the case issue. krb5 is looking for "host"

Looks like it, as I get different error messages depending on how I specify the ktpass -princ with either host or HOST.

>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...

It sure is, but my problem is how to avoid manual work in case a future server base is being built and I have to do a monkey boy's job of checking SPNs and adding/removing... there must be a way out of this. I got oodles of LDAP traffic captured with snoop, which I will look into further.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
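
The manual SPN check described in the message above can be scripted. The following is an added example, not part of the thread or of any tool it mentions: it compares keytab principals byte for byte (the case-sensitive Kerberos view) and AD SPNs after case folding (the Windows view). It assumes both lists have already been exported as text; the realm `DOMAIN.COM`, the sample entries and all function names are constructed for illustration.

```python
# Added example: sample principals below are constructed, not taken from a real host.

def strip_realm(principal):
    """Return the 'service/host' part of 'service/host@REALM'."""
    return principal.split("@", 1)[0]


def check_principal(expected, keytab_principals, ad_spns):
    """Classify how `expected` is covered by the keytab and by AD.

    keytab: compared byte for byte (case-sensitive Kerberos view).
    AD:     compared after case folding (case-insensitive Windows view).
    """
    if expected in keytab_principals:
        keytab = "exact"
    elif any(p.lower() == expected.lower() for p in keytab_principals):
        keytab = "case-only"   # entry exists but differs in case
    else:
        keytab = "missing"
    spn = strip_realm(expected).lower()
    in_ad = any(s.lower() == spn for s in ad_spns)
    return {"principal": expected, "keytab": keytab, "ad_spn": in_ad}


def audit(fqdn, realm, keytab_principals, ad_spns, services=("host",)):
    """Check the lower-case service principals a Unix host is expected to use."""
    expected = [f"{svc}/{fqdn.lower()}@{realm}" for svc in services]
    return [check_principal(e, keytab_principals, ad_spns) for e in expected]


# Constructed sample data: SPNs in the upper-case form quoted in the thread,
# plus one keytab made with an upper-case and one with a lower-case service name.
AD_SPNS = ["HOST/HOSTNAME", "HOST/hostname.domain.com"]
KEYTAB_UPPER = ["HOST/hostname.domain.com@DOMAIN.COM"]
KEYTAB_LOWER = ["host/hostname.domain.com@DOMAIN.COM"]

if __name__ == "__main__":
    for label, keytab in (("upper", KEYTAB_UPPER), ("lower", KEYTAB_LOWER)):
        for row in audit("hostname.domain.com", "DOMAIN.COM", keytab, AD_SPNS):
            print(label, row)
```

A `case-only` result with `ad_spn` true is the combination discussed in the thread: AD resolves the name, but the keytab entry does not match the lower-case `host/...` principal.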
