On Tue, 22 Mar 2011, Michael B Allen wrote:
> Hi John,
> You would not have to create "dummy" machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket for ANY principal in that list. So you only need one account.
> And you do not need special permissions if you have an existing keytab because you can use the keytab to authenticate with AD and add servicePrincipalName values to the account itself. At least in theory you can. I don't know if Samba's routine for adding HTTP SPNs is smart enough to know that it needs to not just add servicePrincipalName values but that it will also need to rebuild the keytab.
Yes, but using the machine principal you're able to request any number of service principals that are SERVICENAME/<machinename>. For this to work in a virtual hosting environment, you need multiple machine names (since we're talking about making a number of HTTP/<blah> principals). Whilst I accept this is possible, I don't see how you'd do it without being a domain admin. How do I create the records starting from a position of only having the machine credential for the web server, and at best another user credential with rights to create machine objects?
With domain admin rights, I get how your scheme works, although it wasn't a route I'd previously considered.
jh
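The mechanism the two of you are discussing, adding further HTTP/<vhost> values to the multi-valued servicePrincipalName of one existing account while authenticated with that account's own Kerberos credential, as an added example (not code from this thread, nor Samba's `net ads` implementation). It assumes the ldap3 library, a ticket for the machine account already in the credential cache (for example from `kinit -k`), and placeholder names for the domain controller, base DN and account DN. It also checks for SPNs already registered on some other account before writing, because a duplicate SPN leaves the KDC unable to choose a key and breaks authentication to that service. One caveat on the "no special permissions" point: the "Validated write to service principal name" right a computer account holds on itself only accepts SPNs whose host part is the account's own dNSHostName or sAMAccountName (or an msDS-AdditionalDnsHostName value), so HTTP/<vhost> names for other hosts still need an explicit write right on servicePrincipalName; when that is missing, `conn.modify` below returns False and `conn.result` carries the AD error. After the attribute is written, the keytab still has to be regenerated so it contains the new principals.

```python
"""Append HTTP/<vhost> SPNs to the web server's own AD account over LDAPS.

Added example, not code from the thread or from Samba. Assumptions: ldap3 is
installed, a Kerberos ticket for the machine account is in the credential
cache, and the DC/DN values below are placeholders.
"""
import sys
from typing import Dict, Iterable, List

try:
    from ldap3 import ALL, BASE, KERBEROS, MODIFY_ADD, SASL, Connection, Server
except ImportError:  # library absent: the pure planning helpers still work
    Server = Connection = ALL = BASE = KERBEROS = SASL = None
    MODIFY_ADD = "MODIFY_ADD"


def escape_filter(value: str) -> str:
    """Escape the characters that are special inside an LDAP search filter."""
    out = value.replace("\\", "\\5c")
    for ch, rep in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, rep)
    return out


def wanted_spns(vhosts: Iterable[str], service: str = "HTTP") -> List[str]:
    """Build service/host principal names for the virtual hosts to be served."""
    return [f"{service}/{h.strip().lower()}" for h in vhosts if h.strip()]


def plan_spn_additions(existing: Iterable[str], wanted: Iterable[str]) -> List[str]:
    """SPNs not yet on the account; SPN comparison is case-insensitive."""
    have = {s.lower() for s in existing}
    return sorted({w for w in wanted if w.lower() not in have}, key=str.lower)


def find_conflicts(conn, base_dn: str, spns: Iterable[str], own_dn: str) -> Dict[str, str]:
    """Map each SPN already held by a *different* account to that account's DN."""
    conflicts: Dict[str, str] = {}
    for spn in spns:
        conn.search(base_dn, f"(servicePrincipalName={escape_filter(spn)})",
                    attributes=["distinguishedName"])
        for entry in conn.entries:
            if entry.entry_dn.lower() != own_dn.lower():
                conflicts[spn] = entry.entry_dn
    return conflicts


def add_spns(conn, own_dn: str, new_spns: List[str]) -> bool:
    """Append values to the multi-valued servicePrincipalName (no replace)."""
    if not new_spns:
        return True
    return conn.modify(own_dn, {"servicePrincipalName": [(MODIFY_ADD, new_spns)]})


def main(dc_host: str, base_dn: str, own_dn: str, vhosts: List[str]) -> int:
    if Server is None:
        print("ldap3 is not installed", file=sys.stderr)
        return 2
    # LDAPS plus SASL/GSSAPI: the ticket in the credential cache authenticates us.
    server = Server(dc_host, use_ssl=True, get_info=ALL)
    conn = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS, auto_bind=True)
    conn.search(own_dn, "(objectClass=*)", search_scope=BASE,
                attributes=["servicePrincipalName"])
    existing = list(conn.entries[0].servicePrincipalName.values) if conn.entries else []
    new_spns = plan_spn_additions(existing, wanted_spns(vhosts))
    clashes = find_conflicts(conn, base_dn, new_spns, own_dn)
    if clashes:
        for spn, dn in clashes.items():
            print(f"refusing: {spn} is already registered on {dn}", file=sys.stderr)
        return 1
    if not add_spns(conn, own_dn, new_spns):
        print(f"modify failed: {conn.result}", file=sys.stderr)  # e.g. insufficient rights
        return 1
    print("added:", ", ".join(new_spns) or "(nothing to do)")
    print("remember to regenerate the keytab so it contains the new principals")
    return 0


if __name__ == "__main__":  # placeholder values; replace with your own
    sys.exit(main("dc1.example.internal", "DC=example,DC=internal",
                  "CN=WEB01,CN=Computers,DC=example,DC=internal",
                  ["www.example.internal", "intranet.example.internal"]))
```

The conflict check deliberately searches the whole base DN rather than trusting AD to reject duplicates: AD only enforces SPN uniqueness on some versions and configurations, and a silent duplicate surfaces later as KRB_AP_ERR_MODIFIED on the client.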