[Authentication] Additional hostnames in SPNs using 'adcli update' or 'adcli join'

Niklas Andersson niklas.andersson at openforce.se
Thu Apr 14 14:29:27 UTC 2016


Hi Patrice,

Have a look at ktutil [1]. I used that to create proper keys in order 
to get OpenLDAP to respond nicely to Kerberos requests. Should most 
probably work for your scenario as well.

[1] http://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html

Regards,
Niklas

On 14/04/16 14:49, Patrice Peterson wrote:
> Hi,
>
> we have a compute cluster that is part of our Active Directory domain.
> We would like to be able to SSH between all cluster nodes using SSH's
> GSSAPI auth mechanism. However, the login node poses a bit of trouble:
> The compute nodes reach it as
> "login001.cluster-internal.ad.example.com", while the users reach the
> login node from a different network interface, using
> "cluster1.ad.example.com". The hostname of the login node is also
> 'cluster1.ad.example.com'.
>
> I am fairly sure I can achieve that by adding both SPNs,
> 'host/login001.cluster-internal.ad.example.com' and
> 'host/cluster1.ad.example.com' to the keytab. However, I wasn't able to
> create such a keytab when using the '--service-name' switch for adcli,
> as that only allows me to add another service and not another hostname.
>
> Is there a way to do this with just adcli, or do I have to generate the
> Keytab on a Windows machine with the help of our domain administrator?
>
> Thanks for any help!
>
> - Patrice
>
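A way to check the end state Patrice is after (keys for both host/ SPNs in one keytab), as an added Python example that is not from the thread, adcli or ktutil: it serializes and parses the MIT 0x0502 keytab format that ktutil and klist -k read, and reports which required SPNs have no key. The realm, kvno, enctype and key bytes are constructed placeholders.

```python
import struct

REALM = "AD.EXAMPLE.COM"   # constructed realm matching the domain names in the thread
REQUIRED_SPNS = ["host/cluster1.ad.example.com@" + REALM,
                 "host/login001.cluster-internal.ad.example.com@" + REALM]

def _counted(b):                     # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    # Serialize (principal, kvno, enctype, key) tuples as an MIT 0x0502 keytab.
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # NT_PRINCIPAL, ts, vno8
        body += _counted(key) + struct.pack(">I", kvno)           # key, 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    # Return [(principal, kvno, enctype)] for every live entry in the keytab.
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                  # deleted slot: skip its bytes
            pos -= size; continue
        end, strings = pos + size, []
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        for _ in range(ncomp + 1):                    # realm, then name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                                      # name_type and timestamp
        kvno, (enctype, klen) = data[pos], struct.unpack_from(">HH", data, pos + 1)
        pos += 5 + klen
        if end - pos >= 4:                            # non-zero 32-bit kvno wins over vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries

def missing_spns(data, required=REQUIRED_SPNS):
    # Required SPNs that have no key in the keytab.
    present = {princ for princ, _, _ in parse_keytab(data)}
    return [spn for spn in required if spn not in present]

# Constructed keytabs (placeholder key bytes, aes256-cts enctype 18, kvno 3):
# what a single-hostname join leaves behind, and the state with both SPNs present.
ONLY_CLUSTER1 = build_keytab([(REQUIRED_SPNS[0], 3, 18, bytes(32))])
BOTH_SPNS = build_keytab([(spn, 3, 18, bytes(32)) for spn in REQUIRED_SPNS])
```

Run missing_spns() on the real /etc/krb5.keytab after adding entries with ktutil to confirm both host/ principals are present before testing GSSAPI logins.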