I'm now kerberizing a cross-platform application with GSSAPI. While I'm not clear about the difference between UPN and SPN.

The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows server 2008 R2 a member box in the domain, say EXAMPLE.COM (You may be curious why not use Win2008 as DC directly. And as I stated previously, the application is cross-platform, I'm now testing in this setting. The normal Win DC-Linux MEM setting works fine.). I create a new user foobar:users to run the application. When I use foobar@EXAMPLE.COM, i.e. the UPN, to authenticate the application against Kerberos, I keep receiving

Kerberos: Principal may not act as server ERROR

Following a thread on Samba maillist, I think I should create a service principal name say app/dc.example.com for the UPN with samba-tool

samba-tool spn add app/dc.example.com foobar

This time I will receive another error

Samba4 KDC - no such entry found in hdb

My question is what's the difference between a UPN and SPN? By samba-tool spn list foobar, it says foobar has servicePrincipalName app/dc.example.com. How could I associate a UPN with an SPN?

Thank you very much.

Simply put,

• UPN: An entity performing client requests to some service. Entity may be human or machine. See here.
• SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc. Machine only. See here.

A UPN retrieves a service ticket for an SPN to use that actual service.

If your samba-tool call your request samba to register the SPN app/dc.example.com to the UPN foobar. Since You have not provided the realm of the SPN and UPN, Samba will assume the default realm of the machine this call is performed from. In Windows terms, you mostly bind an SPN to a machine UPN. Which is always: <name>$@<REALM>. Note the dollar sign.