
Is it possible to use kadmin (Linux) to add/remove SPNs from an Active Directory server?

I'm trying to add some service principals on my Active Directory server and store the keys in the local keytab (on the Linux machine).

SofaKng

1 Answer


Short answer: no. kadmin can only talk with an actual MIT Kerberos server/database.

However, you should still be able to add/remove/change SPNs in Active Directory via standard LDAP tools. The SPNs associated with an object are in a multi-valued attribute called "servicePrincipalName".

Ryan Bolger
  • Thanks ... So when I'm looking at tutorials talking about using kadmin to add SPNs and to the keytab, what should I be using? – SofaKng Sep 15 '15 at 01:26
  • You can use ktutil to modify keytab files as usual (adding entries for a given SPN with a given password and KVNO). In Active Directory, those SPNs are generally associated with either a computer object or a user object (most likely a user in your case). So you'd use the LDAP tools to add the SPNs to the user account and then ktutil to add a reference to that SPN in the keytab file. The KVNO attribute on an AD object is called "msDS-KeyVersionNumber". – Ryan Bolger Sep 15 '15 at 02:48
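The procedure the answer and its comments describe, as an added example that is not part of the original answer: a small POSIX shell script that builds the LDIF for adding values to the account's servicePrincipalName attribute, reads the key version out of an ldapsearch result for msDS-KeyVersionNumber, and produces the ktutil command batch that adds the matching keytab entries. The DN, host names, realm, account name and keytab path are constructed placeholders, and the script assumes an MIT ktutil recent enough to accept the addent -s (salt) and -f (fetch salt from KDC) options.

```sh
# Added example, not from the original Server Fault answer. It builds the two
# artifacts the answer describes: an LDIF that adds SPNs to an AD account's
# servicePrincipalName attribute, and a ktutil command batch that adds the
# matching keys to a local keytab at the account's msDS-KeyVersionNumber.
# All DNs, host names, the realm and the keytab path are constructed placeholders.

# LDIF adding one or more SPN values to the multi-valued servicePrincipalName
# attribute.  Usage: spn_ldif DN SPN [SPN...]
# Apply it with, e.g. (after kinit as an account allowed to write the object):
#   spn_ldif "$dn" HTTP/web01.example.com | ldapmodify -H ldaps://dc.example.com -Y GSSAPI
spn_ldif() {
    spn_dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\n' "$spn_dn"
    for spn in "$@"; do
        printf 'servicePrincipalName: %s\n' "$spn"
    done
    printf '%s\n' '-'
}

# Extract the key version from ldapsearch LDIF output read on stdin, e.g. from:
#   ldapsearch -LLL -H ldaps://dc.example.com -Y GSSAPI -b "$dn" -s base msDS-KeyVersionNumber
kvno_from_ldif() {
    sed -n 's/^msDS-KeyVersionNumber: *//p'
}

# Salt AD uses when deriving AES keys from a *user* account's password:
# the upper-case realm followed by the sAMAccountName (case preserved).
# It is not the SPN, so ktutil must be given it explicitly (-s) or fetch it
# from the KDC (-f), or the AES keys in the keytab will not match.
# RC4 (arcfour-hmac) keys are unsalted and unaffected.
ad_user_salt() {
    printf '%s%s' "$1" "$2"
}

# ktutil command batch.  Usage: ktutil_batch PRINCIPAL KVNO KEYTAB SALT ENCTYPE [ENCTYPE...]
# Paste the output into an interactive ktutil session; ktutil prompts for the
# account password after each addent line.  An empty SALT omits the -s option.
ktutil_batch() {
    kb_princ=$1; kb_kvno=$2; kb_keytab=$3; kb_salt=$4; shift 4
    for enc in "$@"; do
        if [ -n "$kb_salt" ]; then
            printf 'addent -password -p %s -k %s -e %s -s %s\n' "$kb_princ" "$kb_kvno" "$enc" "$kb_salt"
        else
            printf 'addent -password -p %s -k %s -e %s\n' "$kb_princ" "$kb_kvno" "$enc"
        fi
    done
    printf 'wkt %s\nquit\n' "$kb_keytab"
}

# Demonstration with constructed values (run as: sh spn-keytab.sh demo).
if [ "${1:-}" = "demo" ]; then
    dn='CN=svc-web,OU=Service Accounts,DC=example,DC=com'
    spn_ldif "$dn" HTTP/web01.example.com HTTP/web01
    echo
    # Constructed stand-in for what ldapsearch would return for the account.
    kvno=$(printf 'dn: %s\nmsDS-KeyVersionNumber: 3\n' "$dn" | kvno_from_ldif)
    ktutil_batch HTTP/web01.example.com@EXAMPLE.COM "$kvno" /etc/krb5.keytab \
        "$(ad_user_salt EXAMPLE.COM svc-web)" aes256-cts-hmac-sha1-96 arcfour-hmac
fi
```

The KVNO matters because a service ticket carries the key version it was encrypted under; if the keytab entry's version differs from the account's current msDS-KeyVersionNumber (which increments on every password change), the service will fail to decrypt tickets even though the key material is right. Checking the result with `klist -k -e /etc/krb5.keytab` and then `kinit -k -t /etc/krb5.keytab HTTP/web01.example.com@EXAMPLE.COM` confirms both the version and the salt before the keytab goes into production.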