"Ravi Channavajhala" <ravi.channavajh...@dciera.com> wrote in message news:mailman.20.1241667589.9729.kerbe...@mit.edu...

> On Thu, May 7, 2009 at 1:19 AM, Markus Moeller <hua...@moeller.plus.com> wrote:
>>
>> You could add a copy to the keytab with ktutil which has an uppercase HOST,
>> e.g.
>>
>> # ktutil
>> ktutil: rkt /tmp/test.keytab
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    3 host/opensuse11.suse.h...@suse.home (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: addent -key -p HOST/opensuse11.suse.h...@suse.home -k 3 -e rc4-hmac
>> Key for HOST/opensuse11.suse.h...@suse.home (hex): d962b1ecc18a809eb57c4a031193623a
>> ktutil: l -k
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    3 host/opensuse11.suse.h...@suse.home (0xd962b1ecc18a809eb57c4a031193623a)
>>    2    3 HOST/opensuse11.suse.h...@suse.home (0xd962b1ecc18a809eb57c4a031193623a)
>> ktutil: wkt /tmp/new.keytab
>> ktutil: quit
>
> Interesting. This means I need to have all the SPNs included in the
> keytab? Do you see an inherent problem with deleting the existing
> SPNs on the Windows KDC and adding only one SPN of the form host/fqdn and
> generating the keytab?
>
The best would be to have one entry in AD with the host/fqdn syntax. If you have clients requesting HOST/fqdn, just use the above method to add a second entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same way as it is case-insensitive, so there is no need to add a second entry to AD.

Markus

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
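As an added illustration, not code from the thread or from MIT Kerberos, here is a small Python parser for keytab format version 0x0502 that checks whether case variants of a principal (the host/fqdn and HOST/fqdn pair the ktutil session above produces) really carry the same kvno, enctype and key. The host name, realm and key are constructed placeholders, and build_keytab exists only to produce the sample input offline.

```python
import struct
RC4_HMAC = 23  # rc4-hmac enctype number, the type used in the thread's ktutil session

def _octets(b): return struct.pack(">H", len(b)) + b  # counted_octet_string: uint16 length, then bytes

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v0x0502 keytab; sample input only."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        # name_type, timestamp, 8-bit vno, enctype, key length, key, trailing 32-bit vno
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Yield {principal, kvno, enctype, key} for each live entry of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        body, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:  # a negative size marks a deleted slot; skip it
            continue
        (ncomp,) = struct.unpack_from(">H", body, 0)
        parts, p = [], 2
        for _ in range(ncomp + 1):  # realm first, then the principal name components
            (n,) = struct.unpack_from(">H", body, p)
            parts.append(body[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", body, p)
        key, p = body[p + 13:p + 13 + klen], p + 13 + klen
        # MIT prefers the trailing 32-bit vno when present and non-zero, else the 8-bit one
        vno32 = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else 0
        yield {"principal": "/".join(parts[1:]) + "@" + parts[0],
               "kvno": vno32 or vno8, "enctype": enctype, "key": key}

def case_variants(entries):
    """Group principals that differ only in case; True when all spellings share kvno, enctype and key."""
    groups = {}
    for e in entries:
        groups.setdefault(e["principal"].lower(), []).append(e)
    return {k: (sorted(e["principal"] for e in v), len({(e["kvno"], e["enctype"], e["key"]) for e in v}) == 1)
            for k, v in groups.items()}
SAMPLE_KEY = bytes(range(16))  # constructed placeholder key, not the key shown in the thread
SAMPLE_KEYTAB = build_keytab([("host/client.example.test@EXAMPLE.TEST", 3, RC4_HMAC, SAMPLE_KEY),
                              ("HOST/client.example.test@EXAMPLE.TEST", 3, RC4_HMAC, SAMPLE_KEY)])
```

Running case_variants(list(parse_keytab(open(path, "rb").read()))) on a real keytab written by ktutil shows whether the host/ and HOST/ entries agree before the file is deployed.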