I've worked with Kerberos implementations for a while, but almost exclusively with AD in the KDC role (though MIT clients as well). This may sound like a beginner question because of my lack of experience with "pure" Kerberos.
When accessing services we require a service ticket for each principal, so I would ask my TGS for the following:

cifs/serverA.domain.com
ldap/serverA.domain.com

I can have multiple SPNs attached to a single host. Each server service uses its own respective SPN. Even having a ticket for either (or both) does not actually give me the rights to do anything other than connect. In the Windows world the PAC would authorize me as to what files I could transfer with cifs or what ldap ops I could perform.

Why not simply use host/serverA.domain.com for both services? It isn't an identification issue, since my requests will go to different ports. And, as long as the servers support these names, it will work. Some NFS implementations, for instance, allow the use of host/ instead of nfs/ to make keytab configuration easier.

I'm sure there is a good security answer behind this, but I'm not visualizing it.

As a practical example, I would like the argument against using myservice/ as the principal for 3 different services running on the same host. The server application supports a dynamic principal, and maintaining one keytab entry is certainly easier.

Thanks
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
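The question above turns on which long-term key a service ticket's enc-part is sealed with: the TGS encrypts it under the key of the principal named in the request, and any process holding that key can both open such tickets and mint ones that principal will accept. The following is an added illustration, not code from the original post or from MIT Kerberos. It models two daemons on serverA once with separate cifs/ and ldap/ keytab entries and once sharing a single host/ entry, and reports what a compromised daemon can do with tickets meant for the other. seal()/unseal() are a deliberately simple SHA-256 keystream plus HMAC stand-in for a Kerberos enctype; all principal names, client names and keys are constructed.

```python
"""Toy model of who can open or mint a Kerberos service ticket (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a long-term key: nonce || ciphertext || tag (toy enctype)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Ticket:
    spn: str     # sname: the principal the client asked the TGS for
    blob: bytes  # enc-part, sealed with that principal's long-term key


def kdc_issue_ticket(service_keys: dict, client: str, spn: str) -> Ticket:
    """What the TGS does: seal client name + session key under the service's key.

    A real enc-part also carries the PAC, so whoever can produce a valid
    enc-part also controls the authorization data the service will trust.
    """
    session_key = os.urandom(16).hex()
    return Ticket(spn, seal(service_keys[spn], f"{client}|{spn}|{session_key}".encode()))


def service_validate(my_key: bytes, my_spn: str, ticket: Ticket) -> str:
    """What a daemon does with its keytab entry: open the ticket, return the client."""
    client, spn, _session_key = unseal(my_key, ticket.blob).decode().split("|")
    if spn != my_spn:
        raise ValueError(f"ticket is for {spn}, not {my_spn}")
    return client


def exposure(daemons: dict, victim: str, attacker: str) -> dict:
    """Model a compromised daemon (attacker) against tickets meant for another (victim).

    daemons maps a daemon name to (spn it authenticates as, keytab key it holds).
    """
    v_spn, v_key = daemons[victim]
    _a_spn, a_key = daemons[attacker]

    # 1. Can the attacker open a ticket a client obtained for the victim,
    #    learning the client identity and the session key?
    ticket = kdc_issue_ticket({v_spn: v_key}, "alice@DOMAIN.COM", v_spn)
    try:
        unseal(a_key, ticket.blob)
        can_read = True
    except ValueError:
        can_read = False

    # 2. Can the attacker mint a ticket the victim accepts, for any client name?
    forged = kdc_issue_ticket({v_spn: a_key}, "administrator@DOMAIN.COM", v_spn)
    try:
        service_validate(v_key, v_spn, forged)
        can_forge = True
    except ValueError:
        can_forge = False
    return {"can_read": can_read, "can_forge": can_forge}


def per_service_daemons() -> dict:
    """cifs/ and ldap/ each have their own principal and key (two keytab entries)."""
    return {
        "cifs": ("cifs/serverA.domain.com", os.urandom(16)),
        "ldap": ("ldap/serverA.domain.com", os.urandom(16)),
    }


def shared_daemons() -> dict:
    """Both daemons authenticate as host/ and load the same single keytab entry."""
    host_key = os.urandom(16)
    return {
        "cifs": ("host/serverA.domain.com", host_key),
        "ldap": ("host/serverA.domain.com", host_key),
    }


if __name__ == "__main__":
    print("separate principals:", exposure(per_service_daemons(), "cifs", "ldap"))
    print("shared host/ principal:", exposure(shared_daemons(), "cifs", "ldap"))
```

With separate principals the ldap daemon's key neither opens nor forges cifs tickets; with one shared host/ (or myservice/) entry, compromise of any one daemon gives the attacker every other daemon's tickets and the ability to mint them, PAC included. The same holds for three services sharing myservice/: the keytab is one entry, so the trust boundary is one entry.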