Is there a difference between the above two options?
Also, I have always wondered why there are two versions of every service, as in: host/GENTOO-LAB@TRANSMODE.SE vs. host/gentoo-lab.transmode.se@TRANSMODE.SE
Jocke
On Thu, Aug 18, 2016 at 08:48:37AM +0000, Joakim Tjernlund wrote:
Is there a difference between the above two options?
Yes, there is. Only with a user principal can you get ticket granting tickets (TGTs). So only those can be used with kinit or for login.
Service principals are used to identify services, e.g. if a user wants to access the LDAP service he needs a service ticket for the service ldap/ldap-server.example.com@EXAMPLE.COM.
Also, I have always wondered why there are two versions of every service, as in: host/GENTOO-LAB@TRANSMODE.SE vs. host/gentoo-lab.transmode.se@TRANSMODE.SE
This is afaik some shortcut for Windows/AD environments. In general Kerberos relies on DNS, and hence host/gentoo-lab.transmode.se@TRANSMODE.SE is all you need. For compatibility AD still supports a different kind of name, called NetBIOS names. Typically the NetBIOS name is just the first part of the DNS name in upper case. But there is no general rule for this, and due to some restrictions on either side (NetBIOS names can only be 15 bytes long, but may contain '.') it is not even always possible to find the matching name in the other scheme. Since Windows users are used to the NetBIOS names, AD supports them in the service principals as well.
HTH
bye, Sumit
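As an added example (not code from the thread, from adcli or from SSSD), the following Python models the naming distinctions Sumit draws above: the user/service/krbtgt split that decides what can be used with kinit in AD, and the DNS versus NetBIOS spelling of the same SPN, including the 15-byte limit that makes the mapping unreliable. The parser ignoring backslash escapes and the NetBIOS guess being "first DNS label, upper-cased, cut to 15 bytes" are assumptions made here for illustration; the thread only says that this is the typical case, not a rule.

```python
"""Added example (not from the thread): the principal forms Sumit describes.

Assumptions, not facts from the page: the parser ignores backslash escapes,
and the NetBIOS candidate is simply the first DNS label upper-cased and cut
to 15 bytes, which the thread presents as the common case, not a rule.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NETBIOS_MAX_BYTES = 15  # limit quoted in the thread


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # ("host", "gentoo-lab.transmode.se") or ("jocke",)
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm."""
    if "@" not in text:
        raise ValueError(f"principal has no realm: {text!r}")
    name, realm = text.rsplit("@", 1)
    components = tuple(name.split("/"))
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(components, realm)


def kind(p: Principal) -> str:
    """Classify the way the thread does for AD: single-component (user)
    principals are the ones used with kinit/login, multi-component names
    identify services, and krbtgt/REALM is the ticket-granting service."""
    if p.components[0] == "krbtgt" and len(p.components) == 2:
        return "krbtgt"
    return "user" if len(p.components) == 1 else "service"


def netbios_candidate(fqdn: str) -> Tuple[str, bool]:
    """Guess the NetBIOS name for a DNS name: first label, upper-cased.
    Returns (name, exact); exact is False when the label had to be cut
    to 15 bytes, so the real NetBIOS name may well differ."""
    label = fqdn.split(".", 1)[0].upper()
    raw = label.encode("utf-8")
    if len(raw) <= NETBIOS_MAX_BYTES:
        return label, True
    return raw[:NETBIOS_MAX_BYTES].decode("utf-8", "ignore"), False


def dns_label_candidate(netbios: str) -> Optional[str]:
    """Reverse direction: a NetBIOS name containing '.' is not a single DNS
    label, so no matching DNS-style host name can be derived from it."""
    if not netbios or "." in netbios:
        return None
    return netbios.lower()


def spn_forms(service: str, fqdn: str, realm: str) -> Tuple[str, str]:
    """Both spellings seen in the thread for one service on one host: the
    DNS form Kerberos needs and the NetBIOS form AD adds for compatibility."""
    nb, _ = netbios_candidate(fqdn)
    return f"{service}/{fqdn}@{realm}", f"{service}/{nb}@{realm}"


if __name__ == "__main__":
    for text in ("jocke@TRANSMODE.SE",
                 "host/gentoo-lab.transmode.se@TRANSMODE.SE",
                 "krbtgt/TRANSMODE.SE@TRANSMODE.SE"):
        print(f"{text:45} -> {kind(parse_principal(text))}")
    print(spn_forms("host", "gentoo-lab.transmode.se", "TRANSMODE.SE"))
    print(netbios_candidate("a-very-long-hostname-01.example.com"))
```

When `netbios_candidate` reports `exact=False`, do not register or trust the guessed short SPN; look the NetBIOS name up on the computer object instead, because a client asking for the wrong short form will simply fail to find a matching key.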
Maybe a little bit OT question here:
SPN vs UPN only exists in the Microsoft KDC implementation, right? i.e. if I deploy an IPA domain, there is still no difference between these 2 (as IPA is using the MIT KDC), right?
Thanks, Ondrej
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Tuesday, August 23, 2016 3:49 PM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: adcli --service-name="host" vs. --user-principal=host/gentoo-lab.transmode.se@TRANSMODE.SE?
On Tue, Aug 23, 2016 at 01:55:00PM +0000, Ondrej Valousek wrote:
Maybe a little bit OT question here:
SPN vs UPN only exists in Microsoft KDC implementation right? i.e. if I deploy IPA domain, there is still no difference between these 2 (as IPA is using MIT KDC) right?
In general yes, but please note that the handling of the service principals is completely different in AD and IPA. In AD they are just attributes of a host object, while in IPA they are objects on their own. As a consequence, in AD all services will use the same key, based on the host password, while with IPA each service on a host will have an individual key.
HTH
bye, Sumit
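As an added example (not code from the thread, from AD or from IPA), the following Python models the consequence Sumit points out: with SPNs as attributes of one AD computer object every service on the host shares the key derived from the host password, whereas in IPA each service principal is its own object with its own key. The toy "ticket" is an HMAC and the salt string is an assumption standing in for the real string-to-key and ticket encryption; the point shown is the blast radius of one leaked service key, not the wire format.

```python
"""Added example (not from the thread): blast radius of a leaked service key
under the AD key model versus the IPA key model.

Toy model: the salt string and the HMAC "ticket" are illustrative stand-ins
for Kerberos string-to-key and ticket encryption, chosen here, not taken
from either product.
"""
import hashlib
import hmac
import os
from typing import Dict, List

REALM = "EXAMPLE.COM"


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the AES string-to-key step (PBKDF2-HMAC-SHA1, 4096 rounds).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def ad_keytab(host: str, password: str, services: List[str]) -> Dict[str, bytes]:
    """AD model: SPNs are attributes of one computer object, so every
    service on the host gets the one key derived from the host password."""
    key = string_to_key(password, f"{REALM}host{host}")  # salt form is an assumption
    return {f"{svc}/{host}@{REALM}": key for svc in services}


def ipa_keytab(host: str, services: List[str]) -> Dict[str, bytes]:
    """IPA model: each service principal is its own object with its own
    (here: random) key, independent of the host principal and of each other."""
    return {f"{svc}/{host}@{REALM}": os.urandom(32) for svc in services}


def mint_ticket(service_key: bytes, client: str, spn: str) -> bytes:
    # Toy service ticket: a MAC only the holder of the service key can produce.
    return hmac.new(service_key, f"{client}->{spn}".encode(), "sha256").digest()


def accepts(keytab: Dict[str, bytes], spn: str, client: str, ticket: bytes) -> bool:
    # Service side: verify the presented ticket with the key stored for this SPN.
    expected = mint_ticket(keytab[spn], client, spn)
    return hmac.compare_digest(expected, ticket)


def blast_radius(keytab: Dict[str, bytes], leaked_spn: str) -> List[str]:
    """Given the leaked key of one SPN, which SPNs on the host accept
    tickets minted by the attacker with that key?"""
    leaked_key = keytab[leaked_spn]
    attacker = f"attacker@{REALM}"
    return sorted(
        spn for spn in keytab
        if accepts(keytab, spn, attacker, mint_ticket(leaked_key, attacker, spn))
    )


if __name__ == "__main__":
    host, services = "gentoo-lab.example.com", ["host", "nfs", "HTTP"]
    leaked = f"nfs/{host}@{REALM}"
    print("AD :", blast_radius(ad_keytab(host, "machine-pw", services), leaked))
    print("IPA:", blast_radius(ipa_keytab(host, services), leaked))
```

The practical check on a real host is `klist -k` on the keytab in question: on an AD-joined machine a keytab extracted for a single SPN still carries the computer account's key, so handing it to a web server is handing over the whole host identity; on an IPA client a keytab fetched for one service principal contains only that service's key, and the other services on the host are unaffected if it leaks.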