[29688] in Kerberos
Re: Can kinit but not kvno
daemon@ATHENA.MIT.EDU (John Gilbertson)
Thu Apr 17 11:00:14 2008
From: John Gilbertson <jgilbert@liv.ac.uk>
Date: Thu, 17 Apr 2008 15:57:28 +0100
Message-ID: <fu7ogo$qes$1@news.liv.ac.uk>
Mime-Version: 1.0
X-Complaints-To: abuse@liverpool.ac.uk
In-Reply-To: <mailman.20.1208443554.25183.kerberos@mit.edu>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Douglas E. Engert wrote:
> kvno is requesting a service ticket. But user accounts in AD don't
> normally have a servicePrincipalName attribute.
>
> kvno should work for actual service principals like:
>
> kvno host/livad.liv.ac.uk
>
> Why do you need to use kvno with a user account?
>
> If you need to know the kvno for the user, you can use ldap or ADSI Edit
> and search for the user and read the msDS-KeyVersionNumber attribute.
>
> You might be able to add a servicePrincipalName to the user account if
> you really need to get a service ticket for the user.
Ah that does explain it all thankyou.
I was just testing to make sure everything was working before bothering
our AD team to set up a service principal for a test service. I didn't
know if I had got the initial setup right or not.
--
John Gilbertson
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
