I'm not sure I understand when & why mapUser is needed.

  • When you generate a keytab with ktpass you can map the Service Principal to a user with mapUser. You can then kinit to the Service from another machine using that keytab.

  • When trying the same with ktutils from a linux machine, this is not possible. You simply generate a keytab for the user and kinit to the user.

The SPN setting is the following:

  • Service User: SQLservice
  • Service Policy Group
  • User from OU SQLusers: sqluser
  • SPN -S MYSSQLSvc/SQLservice.mynetwork.net SQLuser

I had followed a guide explaining that SPNs should be set around this architecture.

  • The documentation states mapuser is for creating keytab files for non-Windows platforms. "To create a Kerberos .keytab file for a host computer that isn't running the Windows operating system, you must map the principal to the account and set the host principal password." https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass – Greg Askew Apr 20 '22 at 15:38
  • Thanks! I guess my question is more towards why this is *not* required when generating the keytab from the non-windows machine with `ktutils`, like this: - `add_entry -password -p -k 1 -e aes128-sha1` - Doc: https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html I've also not been able to attach to a SPN, instead what is asked is to generate the keytab directly to the UPN. – Gonzalo Etse Apr 20 '22 at 15:45
  • /mapuser is AD specific. It updates the userPrincipalName attribute of the account. https://stackoverflow.com/questions/21598421/purpose-of-mapuser-in-ktpass – Greg Askew Apr 20 '22 at 16:59
  • Thanks again Greg. I understand that, but yet I don't understand how you would do the same when using ktutils instead of ktpass (meaning, generating the keytab from linux instead of from the Domain controller). I investigated more, and I think that the solution might reside in mapping the service to a user when generating the SPN, as in this video: https://www.youtube.com/watch?v=F1HWdPTQZMM&list=PLtnrQHVKb9k3rhP_Aui2XPMR8hdWwN8uS&index=2 In the second video he directly kinits as the user instead of the SPN. – Gonzalo Etse Apr 21 '22 at 09:18
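One way to see the difference the question is circling (keytab written against the SPN vs. against the user's UPN) is to look at what principal name each keytab entry actually carries. The following is an added example, not code from the question, from ktpass or from MIT ktutil: a small in-memory reader and writer for the MIT keytab file format (version 0x0502), plus a `klist -kte`-style summary that lists principal, kvno and enctype without ever printing key material. The realm and principal names reuse the ones from the question; the keys, kvnos and timestamps are constructed dummy values.

```python
"""Inspect MIT keytab files (format 0x0502): which principal, kvno and enctype
each entry carries. Built and parsed entirely in memory with constructed data.
The realm and principal names below are the ones from the question; the keys,
kvnos and timestamps are made up."""
import struct

# RFC 3961/3962 enctype numbers and RFC 4120 name types we care about
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
NAME_TYPES = {1: "NT-PRINCIPAL", 3: "NT-SRV-HST"}
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise a list of entry dicts into a version-2 keytab.

    Each dict: principal ('comp/comp@REALM'), name_type, kvno, enctype,
    key (raw key bytes), timestamp (seconds since the epoch).
    """
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # v2: realm not counted
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])              # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body         # size excludes itself
    return bytes(out)


class _Cursor:
    """Minimal big-endian reader over a bytes object."""
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):
        (n,) = self.unpack(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_keytab(data: bytes):
    """Return the entries of a version-2 keytab as dicts (key bytes included)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    cur = _Cursor(data, 2)
    entries = []
    while cur.pos + 4 <= len(data):
        (size,) = cur.unpack(">i")
        if size == 0:
            break                                   # padding at end of file
        if size < 0:
            cur.pos += -size                        # deleted slot; skip it
            continue
        end = cur.pos + size
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = cur.unpack(">IIB")
        (enctype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if end - cur.pos >= 4:                      # trailer present: prefer 32-bit kvno
            (kvno32,) = cur.unpack(">I")
            if kvno32:
                kvno = kvno32
        cur.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def describe(entries):
    """klist -kte style summary; deliberately never shows key material."""
    return ["KVNO %d  %s  %s (%s)" % (e["kvno"], e["principal"],
            ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"]),
            NAME_TYPES.get(e["name_type"], "name-type %d" % e["name_type"]))
            for e in entries]


# Constructed sample: one entry written against the SPN (the shape ktpass
# produces when the SPN is mapped to an account) and one against the plain
# user UPN (the shape of the ktutil procedure in the question). Dummy keys.
SAMPLE_ENTRIES = [
    {"principal": "MSSQLSvc/SQLservice.mynetwork.net@MYNETWORK.NET", "name_type": 1,
     "kvno": 3, "enctype": 17, "key": bytes(range(16)), "timestamp": 1650000000},
    {"principal": "sqluser@MYNETWORK.NET", "name_type": 1,
     "kvno": 2, "enctype": 18, "key": bytes(range(32)), "timestamp": 1650000000},
]

if __name__ == "__main__":
    for line in describe(parse_keytab(build_keytab(SAMPLE_ENTRIES))):
        print(line)
```

Run `parse_keytab` over a real keytab written by ktpass and by ktutil and compare the `principal` of each entry: whether it reads `MSSQLSvc/...@REALM` or `sqluser@REALM` is exactly the distinction between the two procedures, and the kvno shown must match the account's current kvno in AD or tickets encrypted with that key will not decrypt.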

0 Answers