I'm not sure I understand when & why mapUser is needed.
When you generate a keytab with ktpass you can map the Service Principal to a user with `mapUser`. You can then `kinit` to the Service from another machine using that keytab.

When trying the same with ktutils from a Linux machine, this is not possible. You simply generate a keytab for the user and kinit to the user.
The SPN setting is the following:
- Service User: SQLservice
- Service Policy Group
- User from OU SQLusers: sqluser
- SPN -S MYSSQLSvc/SQLservice.mynetwork.net SQLuser
I had followed a guide explaining SPNs should be set around this architecture.