On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Wed, 23 Mar 2011, Michael B Allen wrote:
>
>>> Yes, but using the machine principal you're able to request any number of
>>> service principals that are SERVICENAME/<machinename>. For this to work in a
>>> virtual hosting environment, you need multiple machine names (since we're
>>> talking about making a number of HTTP/<blah> principals). Whilst I accept
>>
>> The "<machinename>" of the principal does NOT have to match the actual
>> machine name. You could create a User object called "alice" with
>> servicePrincipalName values of HTTP/as1.busicorp.local,
>> HTTP/mycomputer.net and HTTP/test1, and requesting tickets for any of
>> those names will work just fine. AD just searches for an account with
>> a servicePrincipalName value that matches the principal requested for
>> the service ticket.
>>
>> Pedantic note: If you have the same servicePrincipalName value on more
>> than one account, AD will actually choke and not return a ticket at
>> all (because the request is ambiguous). There is no constraint in AD
>> to stop people from accidentally adding the same SPN to multiple
>> accounts, and AD will not return any kind of meaningful error about it.
>
> Sure, but if you're not a domain admin, you've only got a machine principal,
> and your own principal (which I can use to join machines to the domain).
> Given those, and *not* a domain admin credential, how do you create those
> principals?

You do kinit -k with the keytab for the machine account and then an
ldap_modify to add servicePrincipalName values for the desired
principals. The machine account has permission sufficient to modify
itself.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
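The procedure Mike describes (kinit -k with the machine keytab, then an LDAP modify adding servicePrincipalName values to the machine's own account), as an added shell example that is not from the thread; it also applies the duplicate-SPN caveat from the quoted note by searching for existing holders before adding. It assumes MIT kinit and OpenLDAP ldapsearch/ldapmodify with GSSAPI SASL; the domain, host names, DN and keytab path are constructed.

```shell
#!/bin/sh
# Added example: grant HTTP/<name> SPNs to a machine account over LDAP,
# refusing any SPN another account already holds (AD would otherwise
# stop issuing tickets for it and give no useful error).

# Emit an LDIF "modify/add" of servicePrincipalName values for one DN.
build_spn_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\n' "$dn"
    for spn in "$@"; do
        printf 'servicePrincipalName: %s\n' "$spn"
    done
}

# Count "dn:" entries in LDIF search output read from stdin. Anything
# above 0 means the SPN is already set on some account.
count_spn_holders() {
    grep -c '^dn: ' || true
}

# Live procedure: needs a reachable DC, the machine keytab and write
# access to the machine's own object (which the thread says it has).
# Usage: add_spns_to_machine_account keytab principal ldap_uri base dn spn...
add_spns_to_machine_account() {
    keytab=$1; princ=$2; ldap_uri=$3; base=$4; dn=$5; shift 5
    kinit -k -t "$keytab" "$princ" || return 1
    for spn in "$@"; do
        # 1.1 asks for no attributes, so only matching DNs come back.
        holders=$(ldapsearch -LLL -Y GSSAPI -H "$ldap_uri" -b "$base" \
            "(servicePrincipalName=$spn)" 1.1 | count_spn_holders)
        if [ "$holders" -ne 0 ]; then
            echo "refusing: $spn already set on $holders account(s)" >&2
            return 2
        fi
    done
    build_spn_ldif "$dn" "$@" | ldapmodify -Y GSSAPI -H "$ldap_uri"
}

# Constructed invocation for illustration (not executed here):
# add_spns_to_machine_account /etc/krb5.keytab 'WEB1$@BUSICORP.LOCAL' \
#     ldap://dc1.busicorp.local 'DC=busicorp,DC=local' \
#     'CN=WEB1,CN=Computers,DC=busicorp,DC=local' \
#     HTTP/as1.busicorp.local HTTP/mycomputer.net HTTP/test1
```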