Oh, yes, you talked about UPN, not SPN, sorry.
Actually, I have just checked attributes in AD for my machine.
I have everything!
It happened that I tried a lot to get it to work before sending an email to the mailing list.
I have the following principals:
sAMAccountName        CLIENT$
servicePrincipalName  HOST/CLIENT
servicePrincipalName  HOST/client.domain.org
servicePrincipalName  nfs/client.domain.org/client
servicePrincipalName  nfs/client.domain.org/client.domain.org
userPrincipalName     nfs/client.domain.org
I used the 'realm' command to add new principals for the machine (as far as my 'history' can reach):
realm join -v -U USER --user-principal=host/client.domain.org --computer-ou OU="Linux computers",OU=ADResources DOMAIN.ORG
realm join -v -U USER --user-principal=nfs/client.domain.org --computer-ou OU="Linux computers",OU=ADResources DOMAIN.ORG
At last, I 'left' the domain and 'rejoined' again - but it seems that it wasn't done cleanly.
Now I have no UPN entry in my /etc/krb5.keytab.
How can I get it again?
What is a clean way of "leaving" the domain for the machine, removing all entries including DNS entries?
Best
longina
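As an added check that is not part of this thread, the script below reports which host/ and nfs/ principals for the machine's FQDN are absent from a keytab listing. It parses a constructed `klist -k` listing that mirrors the situation above (the nfs/client.domain.org UPN entry missing after the rejoin); on a real host you would feed it the output of `klist -k /etc/krb5.keytab` instead. Function name, sample data and the host/nfs service list are assumptions for this example.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data):
# the SPN-style entries are present, the nfs/<fqdn> UPN entry is not.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT$@DOMAIN.ORG
   3 HOST/CLIENT@DOMAIN.ORG
   3 host/client.domain.org@DOMAIN.ORG
   3 nfs/client.domain.org/client@DOMAIN.ORG'

# check_keytab_principals LISTING FQDN REALM
# Prints one "missing: <principal>" line per absent principal and returns
# the number of missing principals (0 means the keytab is complete).
check_keytab_principals() {
    listing=$1; fqdn=$2; realm=$3
    missing=0
    # rpc.gssd needs a principal it can get a TGT for; nfs/<fqdn> is the one
    # the thread is about, host/<fqdn> is what a plain join normally provides.
    for svc in host nfs; do
        want="$svc/$fqdn@$realm"
        # Column 2 of each klist line is the principal; match the whole
        # string literally (-F) and exactly (-x), case-sensitively.
        if ! printf '%s\n' "$listing" | awk '{print $2}' | grep -qxF "$want"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone run against the constructed sample; replace with
#   check_keytab_principals "$(klist -k /etc/krb5.keytab)" client.domain.org DOMAIN.ORG
# on a real machine.
check_keytab_principals "$SAMPLE_KLIST" client.domain.org DOMAIN.ORG
```

A non-zero return is what you would expect on the host described above until the nfs/<fqdn> principal has been added back and a fresh keytab written.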
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: 12. februar 2014 11:27
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
On Wed, 12 Feb 2014, Ondrej Valousek wrote:
Well not exactly.
rpc.gssd (i.e. NFS client side) does need a TGT. Kerberized NFS server (i.e. rpc.svcgssd) is just happy with the ServicePrincipal.
Sure, although if you just roll this out as standard policy for joining machines to the domain, having the nfs/fqdn UPN setup all over the shop won't break anything, and it's a rare requirement to need another UPN for a machine.
If you do, there are ways of having even more UPNs for a single host.
To make the long story short, you have 3 options now:
1. Have the nfs-utils maintainers fix this bug for you :)
2. Use short hostname
3. Define UserServicePrincipal computer attribute in AD and add something like "nfs/fqdn". This will allow Gssd to obtain a TGT using that principal.
Personally, I think taking both option 1 *and* 3 is the best solution.
jh
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users