Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <[email protected]> wrote:
>
>>> I deleted the computer object in AD, waited for the replication to
>>> complete and then re-added the AD object. Now the SPN appears as
>>>
>> Note that the MS documentation says to add a "user" account, not a
>> "computer" account. (Sounds counterintuitive...)
>>
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>
>> To configure the UNIX hosts
>>
>> Use the Active Directory Management tool to create a new user account for
>> the UNIX host:
>>
>> Select the Users folder, right-click and select New, then choose user.
>>
>> Type the name of the UNIX host.
>>
>> (Last line is: pick a unique name in the forest for the account, i.e. it is
>> used as the SamAccountName (without the $) so must be 19 characters. Use some
>> convention, like host-name-dept where h is short for host, name is the simple
>> host name, and dept. (We have department DNS domains, but the AD is site wide.)
>>
>> The ktpass then *ADDS* the SPN to the user account using the -principal
>> option.
>> I am pretty sure if you create a "computer" account, the SPN gets added
>> during account creation, and that is why you are seeing the uppercase HOST.
>
> This obviously is not what happens when you use Solaris adjoin.sh
> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these
> approaches create a computer object specifically.

The point I was making is that the Microsoft "create computer account" may be
adding the HOST/hostname for you, assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already set.

> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, whereas the samba net ads keytab create simply doesn't
> create one. Mind you, I'm using Sun natively packaged Samba. Whereas
> I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
> adjoin literally uses ldapadd to add the host to the computers
> container....

We use msktutil, which uses OpenLDAP, to create the account (computer); msktutil
then uses Kerberos to change the password, and LDAP to set the SPN, and then
creates/updates the keytab file. Sort of what adjoin.sh would do.

> Alright, I digress....back to Kerberos. I didn't get around the
> problem. So I'm going to install a Linux server and see how I fare.
>

-- 
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
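An added example, not code from the thread or from adjoin.sh, Samba, ktpass or msktutil: the problem above turns on which spelling of the SPN (HOST/ versus host/) and which enctypes actually landed in the keytab, and MIT Kerberos compares the service principal in a ticket to the keytab entry case-sensitively, so the spelling matters. The Python below reads the MIT keytab format (version 0x0502, the layout MIT, Heimdal and Solaris krb5 write), reports principals and enctypes the way `klist -k -e` would, and flags entries whose name differs from the one you look up only in case. The sample keytab is constructed in-process with dummy key bytes; the hostnames, realm and kvno in it are made up.

```python
"""Inspect which service principals and enctypes an MIT-format keytab holds.

Added example for the HOST/ vs host/ discussion; not code from the thread.
Handles keytab format version 0x0502 only. The sample keytab is built
in-process with dummy key bytes so this runs offline.
"""
import struct
from typing import Dict, List, Tuple

# Enctype numbers from RFC 3961 / RFC 4757: the ones the thread names plus
# the AES types a current keytab would carry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
KRB5_NT_PRINCIPAL = 1  # name type recorded for host/... service principals


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Dict]) -> bytes:
    """Serialise {"principal", "kvno", "enctype", "key"} dicts as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.get("timestamp", 0),
                            e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict]:
    """One dict per live entry; negative-length (deleted) slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted entry: its bytes are still on disk, skip them
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        if end - pos >= 4:  # trailer present: a non-zero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "key": key,
                        "enctype": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}")})
        pos = end
    return entries


def enctypes_by_principal(entries: List[Dict]) -> Dict[str, List[str]]:
    """Group enctype names under each distinct principal spelling."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        report.setdefault(e["principal"], []).append(e["enctype"])
    return report


def lookup(entries: List[Dict], wanted: str) -> Tuple[bool, List[str]]:
    """Is there a key for exactly `wanted`? Also list spellings that differ
    only in case, since those will not match an acceptor looking for `wanted`."""
    exact = any(e["principal"] == wanted for e in entries)
    variants: List[str] = []
    for e in entries:
        p = e["principal"]
        if p != wanted and p.lower() == wanted.lower() and p not in variants:
            variants.append(p)
    return exact, variants


def sample_keytab() -> bytes:
    """Constructed sample: the upper-case HOST/ SPNs plus a lower-case host/
    SPN keyed with the two DES types, followed by one deleted slot."""
    kt = build_keytab([
        {"principal": "HOST/unixhost.example.com@EXAMPLE.COM", "kvno": 2,
         "enctype": 23, "key": bytes(16)},
        {"principal": "HOST/UNIXHOST@EXAMPLE.COM", "kvno": 2,
         "enctype": 23, "key": bytes(16)},
        {"principal": "host/unixhost.example.com@EXAMPLE.COM", "kvno": 2,
         "enctype": 3, "key": bytes(8)},
        {"principal": "host/unixhost.example.com@EXAMPLE.COM", "kvno": 2,
         "enctype": 1, "key": bytes(8)},
    ])
    return kt + struct.pack(">i", -5) + bytes(5)


if __name__ == "__main__":
    found = parse_keytab(sample_keytab())
    for principal, etypes in enctypes_by_principal(found).items():
        print(principal, ", ".join(etypes))
    print(lookup(found, "host/UNIXHOST@EXAMPLE.COM"))
```

To inspect a real file, pass `open("/etc/krb5/krb5.keytab", "rb").read()` (the Solaris path from the thread) to `parse_keytab`. Two things to watch in the output: a principal you expect to be served only appearing under a different case, which is the symptom the thread describes, and keys that exist only in the DES enctypes (1 and 3), which current MIT krb5 refuses to use unless `allow_weak_crypto` is enabled and which a current AD will not issue tickets for by default.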
