Yves Dorfsman wrote:
> John Jasen wrote:
>
> I am Windows challenged and have never touched AD, but have been interacting
> with it from the *NIX side, and usually, sending Achim's document
> (http://grolmsnet.de/kerbtut) to the "Windows guys" solves all my problems.

Yeah, I read over it, and it seems to have consolidated a few things that I found elsewhere.

>> Question #1: Is there a way to get kadmin from a linux || sun || os x
>> client to talk to AD correctly? Barring that, is there a way that I've
>> missed to do basic principal manipulation (get principal, listprincs, etc)?
>
> Possibly, but it would not be good enough because AD is kerberos + Microsoft
> extensions, and the kadmin from MIT does not know about the Microsoft
> extensions.

I was afraid of that .... heimdal's kadmin allegedly has AD support, but beyond allegations, I wasn't able to get it to work.

>> Question #2: Is there a way to map multiple service principal names to
>> an AD account correctly? From my testing, it appears that creating more
>> than one SPN for an account pretty much overwrites the last one, no
>> matter what AD might otherwise say.
>
> I'm pretty sure the answer is no, because in AD a principal corresponds to
> an account and vice versa. Have a look at chapter 6 in Achim's document
> mentioned above.

Again, I fear that's the case. In my searching, I saw a hotfix for 2008 to handle SPNs a little better, if not correctly, but none for win2k3 R2. :(

--
-- John E. Jasen ([EMAIL PROTECTED])
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
