Hello, can someone please help me with the following question?
I am from a Windows Server background, please do not kick me off the forum.
I know how to create and use a KeyTab file. I note the following behaviour when creating a keytab file on Windows (to be used on a Linux system).
When creating the KeyTab (using KTPass on Windows, which is similar to KTUtil), the principal you specify, e.g. HTTP://Linuk01.MyDomain.Local@REALM (where REALM is the Active Directory realm), is used to do two things in Active Directory. We will use a User object in Active Directory in this example to associate the KeyTab file to:
1) Set the SPN (service principal name) associated with the user object
2) Set the 'user logon' name of the user object
Now I can understand why the SPN is set to the value specified when creating the KeyTab file.
What I do not understand is why the 'logon name' is set too. I can only assume that when the Linux host tries to authenticate to AD using the KeyTab file, it tries to 'authenticate' as the user whose 'logon name' matches the principal in the KeyTab file, meaning any SPNs (as there may be more than one) are used post logon (or perhaps also referenced during the logon).
Can someone kindly help me with this question?
Thanks very much
CXMelga
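A worked example of the procedure the post describes, added here and not part of the original post or of any Microsoft documentation: it creates the AD user object the keytab will be mapped to, runs ktpass against it, and then reads back the two attributes the post mentions (servicePrincipalName and userPrincipalName, the latter being the 'user logon name' shown in the AD Users and Computers dialog). The realm MYDOMAIN.LOCAL, host linux01.mydomain.local, account name svc-http-linux01 and output path are all hypothetical placeholders.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a
# domain-joined Windows machine with the ActiveDirectory module (RSAT) installed.
# All names below are hypothetical placeholders.
$realm   = 'MYDOMAIN.LOCAL'
$spnHost = 'linux01.mydomain.local'
$account = 'svc-http-linux01'
$princ   = "HTTP/$spnHost@$realm"

# 1. Create the user object that the keytab will be associated with.
#    AES-only encryption types avoid ktpass falling back to RC4 keys.
New-ADUser -Name $account -SamAccountName $account -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256

# 2. Generate the keytab. /mapuser maps the principal to the account and
#    writes the SPN; with the default options ktpass also sets the UPN
#    (the 'user logon name') to the principal and resets the password to
#    the value given with /pass (* prompts for it), which is what derives
#    the key written into the keytab.
ktpass /princ $princ /mapuser "$account@$realm" /mapop set `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL `
       /pass * /out "C:\temp\$spnHost.keytab"

# To map the SPN and write the keytab without touching the UPN, add -setupn
# (and -setpass to leave the existing password alone) to the ktpass line above.

# 3. Read back what ktpass changed on the user object.
Get-ADUser $account -Properties servicePrincipalName, userPrincipalName |
    Select-Object SamAccountName, userPrincipalName, servicePrincipalName
```

After copying the keytab to the Linux host, `klist -kt /path/to/file.keytab` lists the principal and key version number (kvno) it contains, and `kinit -kt /path/to/file.keytab HTTP/linux01.mydomain.local@MYDOMAIN.LOCAL` confirms that the key still matches the account; the kvno in the keytab must match the msDS-KeyVersionNumber on the AD object, which is why re-running ktpass (or otherwise resetting the password) invalidates a previously issued keytab.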