On 04/24/2015 03:37 PM, Ben H wrote:
> Why not simply use host/serverA.domain.com for both services?

At a protocol level, it's to support privilege separation on the server. The CIFS server doesn't need access to the LDAP server key and vice versa. Of course you only get this benefit if (a) the two services use different keys, and (b) the two service implementations are sufficiently isolated on the server host. In a normal AD deployment (as I understand it) the first constraint isn't true, but the client shouldn't assume that.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
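
Condition (a) above can be checked on a server by reading its keytab entries and looking for service principals that share key material. The following is an added example, not part of the original message: it parses the MIT keytab file format (version 0x0502) and reports principals whose enctype and key are identical. The `cifs/` and `ldap/` principal names, the `DOMAIN.COM` realm and the key bytes are constructed sample data.

```python
import struct
from collections import defaultdict

def _cstr(buf, p):
    """Read a counted_octet_string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, key)] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected keytab file format 0x0502")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                      # a negative size marks a deleted entry
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _cstr(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _cstr(data, p)
                comps.append(c)
            p += 9                        # name_type(4) + timestamp(4) + vno8(1)
            (etype,) = struct.unpack_from(">H", data, p)
            key, p = _cstr(data, p + 2)
            out.append((b"/".join(comps).decode() + "@" + realm.decode(), etype, key))
        pos += abs(size)
    return out

def shared_keys(entries):
    """Groups of distinct principals that hold the same (enctype, key)."""
    by_key = defaultdict(set)
    for princ, etype, key in entries:
        by_key[(etype, key)].add(princ)
    return sorted(sorted(g) for g in by_key.values() if len(g) > 1)

def build_entry(principal, realm, enctype, key, kvno=1):
    """Encode one keytab entry; used here only to construct sample input."""
    cstr = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + cstr(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample data: enctype 18 is aes256-cts-hmac-sha1-96; keys are not real.
K1, K2 = bytes(range(32)), bytes(range(32, 64))
NAMES = ("cifs/serverA.domain.com", "ldap/serverA.domain.com")
AD_STYLE = b"\x05\x02" + b"".join(build_entry(n, "DOMAIN.COM", 18, K1) for n in NAMES)
SEPARATED = b"\x05\x02" + b"".join(
    build_entry(n, "DOMAIN.COM", 18, k) for n, k in zip(NAMES, (K1, K2)))
```

This only covers condition (a); whether each service can read only its own keytab file, condition (b), is a matter of file ownership and process isolation on the host.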