[36921] in Kerberos
Re: theory behind unique SPNs
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Apr 24 16:47:08 2015
Message-ID: <553AABBF.4050306@mit.edu>
Date: Fri, 24 Apr 2015 16:46:55 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Ben H <bhendin@gmail.com>, kerberos@mit.edu
In-Reply-To: <CAAd7auYHF29ew2xp5yfnk0=ha281f6cC74yh=+QkuVFV0vfG3g@mail.gmail.com>
On 04/24/2015 03:37 PM, Ben H wrote:
> Why not simply use host/serverA.domain.com for both services?
At a protocol level, it's to support privilege separation on the server.
The CIFS server doesn't need access to the LDAP server key and vice versa.
Of course you only get this benefit if (a) the two services use
different keys, and (b) the two service implementations are sufficiently
isolated on the server host. In a normal AD deployment (as I understand
it) the first constraint isn't true, but the client shouldn't assume that.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
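Worked illustration of the privilege-separation point in Greg's reply. This is an added example, not code from the thread or from MIT Kerberos: a toy KDC issues service tickets sealed under the long-term key of the requested SPN, and each service process holds only the keytab entries it is entitled to. The sealing routine is an HMAC-based stand-in for a real Kerberos enctype, and the realm, host name serverA.example.com, client alice and the computer-account password are all made up. With distinct keys per SPN (the MIT "addprinc -randkey" model) a compromised CIFS process cannot read tickets for ldap/serverA; with both SPNs registered on one account sharing a single key (the AD model Greg describes) it can, and could equally impersonate the LDAP service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256. Illustrative stand-in only;
    # real Kerberos uses the RFC 3961 / RFC 8009 enctypes.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a long-term service key: nonce || body || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError if the tag fails under this key."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket not decryptable with this key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Kdc:
    service_keys: dict  # spn -> long-term key, as stored in the KDC database

    def issue_ticket(self, client: str, spn: str) -> bytes:
        # The service ticket is the part of a TGS reply only the target SPN's key opens.
        return seal(self.service_keys[spn], f"{client}|{spn}".encode())


@dataclass
class Service:
    spn: str
    keytab: dict  # spn -> key; only the entries THIS process can read from its keytab

    def accept(self, ticket: bytes):
        """Return (client, sname) if some key in this process's keytab opens the ticket."""
        for key in self.keytab.values():
            try:
                client, sname = unseal(key, ticket).decode().split("|")
            except ValueError:
                continue
            return client, sname
        return None  # could not decrypt: this process does not hold the right key


CIFS_SPN, LDAP_SPN = "cifs/serverA.example.com", "ldap/serverA.example.com"


def build_realm(shared_account_key: bool):
    if shared_account_key:
        # AD-style (hypothetical): both SPNs sit on one computer account, so the
        # KDC and both keytabs end up with the same key derived from one password.
        k = hashlib.pbkdf2_hmac("sha256", b"made-up-machine-password",
                                b"EXAMPLE.COMserverA$", 4096)
        keys = {CIFS_SPN: k, LDAP_SPN: k}
    else:
        # MIT-style: each service principal has its own random long-term key.
        keys = {CIFS_SPN: secrets.token_bytes(32), LDAP_SPN: secrets.token_bytes(32)}
    kdc = Kdc(keys)
    # Constraint (b) from the mail: each service process gets a keytab holding
    # only its own entry, e.g. separate files with separate owners.
    cifs = Service(CIFS_SPN, {CIFS_SPN: keys[CIFS_SPN]})
    ldap = Service(LDAP_SPN, {LDAP_SPN: keys[LDAP_SPN]})
    return kdc, cifs, ldap


def ldap_accepts_own_ticket(shared_account_key: bool):
    kdc, _cifs, ldap = build_realm(shared_account_key)
    return ldap.accept(kdc.issue_ticket("alice@EXAMPLE.COM", LDAP_SPN))


def cifs_can_read_ldap_ticket(shared_account_key: bool) -> bool:
    """Can a (compromised) CIFS process open a ticket issued for the LDAP service?"""
    kdc, cifs, _ldap = build_realm(shared_account_key)
    return cifs.accept(kdc.issue_ticket("alice@EXAMPLE.COM", LDAP_SPN)) is not None


if __name__ == "__main__":
    for shared in (False, True):
        print(f"shared key={shared}: CIFS reads LDAP ticket -> "
              f"{cifs_can_read_ldap_ticket(shared)}")
```

A well-behaved CIFS server would still reject the ticket because its sname is ldap/serverA, but that check lives in the very process the attacker now controls; what the distinct key buys is that the check no longer matters. Conversely, a client that assumes the keys are shared and requests host/serverA for everything gives up this separation even on deployments that provide it.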