On Sat, Mar 19, 2011 at 4:28 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
>> An HTTP client can authenticate with any principal in the service
>> keytab and only one of their hostnames is going to have a PTR record.
>> So I'm not sure I understand your claim here.
>
> Two A records, with PTR record pointing to the A record that didn't have a
> service principal defined. MIT client tries to use valid A record, MIT client
> rejects the connection as it can't get a service principal for the PTR
> directed A record. I'm not saying it *should* do this...
>
> In AD, the machine's only going to have service principals for the FQDN that
> matches the machine name it was joined to the domain with. Creating these
> additional service principals I think is something you can't trivially do
> without being a domain admin, or perhaps creating dummy machine records. If
> you're using AD for DNS as well, I think that could end up being a bit
> exciting.

Hi John,

You would not have to create "dummy" machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket for ANY principal in that list. So you only need one account. And you do not need special permissions if you have an existing keytab because you can use the keytab to authenticate with AD and add servicePrincipalName values to the account itself. At least in theory you can. I don't know if Samba's routine for adding HTTP SPNs is smart enough to know that it needs to not just add servicePrincipalName values but that it will also need to rebuild the keytab. And of course you do not have to use the Samba keytab at all really.
In fact, if you're doing a lot of HTTP virtual hosting (which is really what we're talking about) you're probably better off just creating a separate service account, adding SPNs using setspn.exe and then building a keytab with principals for all of the SPNs with some tool like ktutil (ktpass.exe will not work though because it only sets one HTTP principal last I checked - it's a useless program). In our Plexcel product we have a routine that just queries AD for the latest KVNO and servicePrincipalName attribute and then generates a keytab with entries for each servicePrincipalName value:

http://www.ioplex.com/api/plexcel_gen_service_keytab.html

This is largely used by the "setup" program of the Plexcel software for itself but it would be no less useful for just about anything that needs a keytab from AD.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
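The "query AD for the KVNO and SPN list, then add one keytab entry per SPN" procedure described above, as an added illustration that is not part of the original thread and not Plexcel's code: it parses LDIF as `ldapsearch -LLL` would print it for the service account (the sample below is constructed), keeps the HTTP/ SPNs, and emits an MIT `ktutil` script with an `addent` line per principal and encryption type. The realm, keytab path and account values are assumptions for the example.

```python
"""Turn an AD service account's SPN list into an MIT ktutil script (added example)."""
from typing import Dict, List, Sequence

# Constructed sample LDIF for a hypothetical HTTP service account; the attribute
# names are the real AD ones, the values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=svc-http,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-http
msDS-KeyVersionNumber: 7
servicePrincipalName: HTTP/www.example.com
servicePrincipalName: HTTP/intranet.example.com
servicePrincipalName: HTTP/www.example.com@EXAMPLE.COM
servicePrincipalName: host/svc-http.example.com
"""

def parse_ldif(ldif: str) -> Dict[str, List[str]]:
    """Collect attribute values; multi-valued attributes such as SPN become lists.
    Plain 'name: value' lines only (base64 'name:: value' lines are not expected here)."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def http_principals(attrs: Dict[str, List[str]], realm: str) -> List[str]:
    """Keep only HTTP/ SPNs, normalise host case, drop any realm suffix AD may
    carry, and de-duplicate while preserving order."""
    seen, out = set(), []
    for spn in attrs.get("servicePrincipalName", []):
        if not spn.upper().startswith("HTTP/"):
            continue
        host = spn.partition("/")[2].split("@")[0].lower()
        principal = f"HTTP/{host}@{realm}"
        if principal not in seen:
            seen.add(principal)
            out.append(principal)
    return out

def ktutil_script(attrs: Dict[str, List[str]], realm: str,
                  enctypes: Sequence[str] = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"),
                  keytab: str = "/etc/httpd/http.keytab") -> str:
    """One addent per (principal, enctype) at the account's current KVNO, then write the keytab."""
    kvno = int(attrs["msDS-KeyVersionNumber"][0])  # the 'latest KVNO' the thread refers to
    lines = [f"addent -password -p {p} -k {kvno} -e {e}"
             for p in http_principals(attrs, realm) for e in enctypes]
    lines += [f"wkt {keytab}", "quit"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(ktutil_script(parse_ldif(SAMPLE_LDIF), "EXAMPLE.COM"))
```

ktutil prompts for the account password at each addent; note that AD derives AES keys with a salt based on the account's canonical name rather than the SPN alias, so check that the salt your ktutil uses matches the account or the resulting entries will not decrypt service tickets.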