I'm now kerberizing a cross-platform application with GSSAPI, but I'm not clear about the difference between UPN and SPN.

The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows Server 2008 R2 member box in the domain, say EXAMPLE.COM. (You may be curious why I don't use Win2008 as the DC directly. As I stated previously, the application is cross-platform, and I'm now testing it in this setting. The normal Win DC / Linux member setting works fine.)

I create a new user foobar:users to run the application.

When I use foobar@EXAMPLE.COM, i.e. the UPN, to authenticate the application against Kerberos, I keep receiving

Kerberos: Principal may not act as server ERROR

Following a thread on the Samba mailing list, I think I should create a service principal name, say app/dc.example.com, for the UPN with samba-tool:

samba-tool spn add app/dc.example.com foobar

This time I receive another error:

Samba4 KDC - no such entry found in hdb

My question is: what's the difference between a UPN and an SPN?

samba-tool spn list foobar says that foobar has servicePrincipalName app/dc.example.com.

How could I associate a UPN with an SPN?

Thank you very much.
Simply put, a UPN retrieves a service ticket for an SPN to use that actual service.

Your samba-tool call requests Samba to register the SPN app/dc.example.com to the UPN foobar. Since you have not provided the realm of the SPN and UPN, Samba will assume the default realm of the machine this call is performed from. In Windows terms, you mostly bind an SPN to a machine UPN, which is always <name>$@<REALM>. Note the dollar sign.
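To make the distinction concrete, here is an added example (not code from the question or the answer) that parses a Kerberos principal string, fills in the default realm when none is given, and classifies it as a user UPN, a machine UPN (trailing dollar sign) or an SPN (service/instance form). The default realm EXAMPLE.COM is an assumption matching the domain in the question; the parser honours Kerberos backslash escapes for literal `/` and `@`.

```python
"""Parse and classify Kerberos principal names (UPN vs SPN)."""
from dataclasses import dataclass

# Assumption: the default realm of the machine running the samba-tool call.
DEFAULT_REALM = "EXAMPLE.COM"


@dataclass(frozen=True)
class Principal:
    components: tuple   # e.g. ("app", "dc.example.com") or ("foobar",)
    realm: str
    kind: str           # "user", "machine" or "service"

    def __str__(self):
        # Canonical form always carries the realm, even if the input omitted it.
        return "/".join(self.components) + "@" + self.realm


def parse_principal(name, default_realm=DEFAULT_REALM):
    """Split 'comp1/comp2/...@REALM' into components and realm.

    A missing realm is replaced by default_realm (what Samba does for an
    unqualified SPN). A backslash escapes the next character, so 'a\\/b'
    is one component containing a slash.
    """
    comps, buf, realm, i = [], [], None, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):       # escaped char is literal
            buf.append(name[i + 1]); i += 2; continue
        if realm is None and c == "/":            # component separator
            comps.append("".join(buf)); buf = []
        elif realm is None and c == "@":          # start of realm
            comps.append("".join(buf)); buf = []; realm = []
        elif c == "@":                            # second unescaped '@'
            raise ValueError("malformed principal: %r" % name)
        else:
            buf.append(c)
        i += 1
    if realm is None:                             # no '@' seen at all
        comps.append("".join(buf)); realm_str = default_realm
    else:
        realm_str = "".join(buf) or default_realm # trailing '@' with no realm
    if not comps or not all(comps):
        raise ValueError("empty component in %r" % name)
    if len(comps) >= 2:
        kind = "service"                          # service/instance => SPN
    elif comps[0].endswith("$"):
        kind = "machine"                          # <name>$@<REALM> => machine UPN
    else:
        kind = "user"                             # plain user UPN
    return Principal(tuple(comps), realm_str, kind)
```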