On 08/22/2015 11:34 AM, Cory Albrecht wrote:
> Let me see if I understand.
>
> I've already created the principal for my account with:
>
> addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory
>
> So now to that dn I need to add the krbCanonicalName attribute. When I
> create a new principal, say "cory/root", I can just manually add another
> krbPrincipalName attribute with it to the dn=uid=cory,... object? And
> something similar for the machine principals?

You have the procedure right. However, this procedure creates multiple names for the same principal entry. You cannot have different principal entries with different keys on the same LDAP object. For that, you can create standalone principal objects pointing to LDAP objects with -x linkdn=... as suggested by Luca Rea. These links do not affect the behavior of the LDAP KDB module, but you can use the resulting krbObjectReferences attribute in LDAP searches.
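
Added example, not part of the original message or of MIT krb5: a small audit over an LDIF export that separates the two layouts discussed above, entries carrying several krbPrincipalName values (aliases of one principal entry, one key set) and standalone principal entries linked back through krbObjectReferences. The realm EXAMPLE.COM, the cory/admin principal, the krbContainer DN and the function names are assumptions made for the illustration.

```python
# Constructed LDIF export (not from the thread); EXAMPLE.COM is a placeholder realm
# and the standalone principal's DN is an assumed container layout.
SAMPLE_LDIF = """\
dn: uid=cory,ou=People,dc=cory,dc=albrecht,dc=name
krbPrincipalName: cory@EXAMPLE.COM
krbPrincipalName: cory/root@EXAMPLE.COM
krbCanonicalName: cory@EXAMPLE.COM

dn: krbPrincipalName=cory/admin@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=cory,dc=albrecht,dc=name
krbPrincipalName: cory/admin@EXAMPLE.COM
krbObjectReferences: uid=cory,ou=People,dc=cory,dc=albrecht,dc=name
"""

def parse_ldif(text):
    """Minimal parser: blank-line separated records, 'attr: value' lines only
    (no folded lines or base64 values, which real exports may contain)."""
    entries = []
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append(attrs)
    return entries

def classify(entries):
    """Return (aliases, links).
    aliases: dn -> names that all resolve to one principal entry, one key set.
    links:   standalone principal name -> DNs named in krbObjectReferences."""
    aliases, links = {}, {}
    for e in entries:
        names = e.get("krbprincipalname", [])
        if len(names) > 1:
            aliases[e["dn"][0]] = sorted(names)
        for ref in e.get("krbobjectreferences", []):
            for n in names:
                links.setdefault(n, []).append(ref)
    return aliases, links

if __name__ == "__main__":
    aliases, links = classify(parse_ldif(SAMPLE_LDIF))
    for dn, names in aliases.items():
        print(f"shared keys on {dn}: {', '.join(names)}")
    for name, refs in links.items():
        print(f"{name} has its own entry, linked to {refs}")
```

An entry reported under "shared keys" is the alias case: a name such as cory/root added there authenticates with the same keys as cory, so a principal that needs its own keys belongs in the linked form instead.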