Hi,
>> Yes and it is no wonder because UPN and SPN serve a
different task. I
>> recommend searching MS technet for this. They have a nice explanation
>> for this.
> In simple terms it's service for a receiver and user for initiator.
> Unfortunately this can sometimes get a little blurry. NFSv4 is a good
> example of that.
Exactly :-) . In NFSv4, rpc.gssd expects the UPN and rpc.svcgssd the SPN -
and no one is going to tell you this, as no one expects you to use a
Windows-based KDC for NFSv4... :-( . In a Linux-based KDC there is no strict
distinction between these, I believe (citation needed here).
The MIT KDC provides related functionality but, as the documentation suggests,
it is probably something most people do not want to use.
5.3.3 Adding or Modifying Principals
{-|+}allow_svr
The “-allow_svr” flag prohibits the issuance of service tickets for
this principal. “+allow_svr” clears this flag. In effect, “-allow_svr”
sets the KRB5_KDB_DISALLOW_SVR flag on the principal in the database.
{-|+}allow_tgs_req
The “-allow_tgs_req” option specifies that a Ticket-Granting Service
(TGS) request for a service ticket for this principal is not permitted.
You will probably never need to use this option. “+allow_tgs_req” clears
this flag. The default is “+allow_tgs_req”. In effect, “-allow_tgs_req”
sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.
http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.2/doc/krb5-admin.html
Cheers,
--
Marko Myllynen
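As an added illustration of the UPN/SPN distinction discussed in this thread (example code, not part of the original messages and not from any NFS or Kerberos project): a small parser for Kerberos principal names that splits a name into its components and realm (honouring the backslash escapes for '/', '@' and '\\'), classifies single-component names as user principals (UPN) and multi-component "service/host" names as service principals (SPN), and then checks which entries from `klist -k` style keytab output would satisfy rpc.gssd (wants a UPN) versus rpc.svcgssd (wants an SPN). The mapping of daemon to principal kind is taken from the message above; the keytab listing is constructed sample input, the host names and realm are made up, and the classification rule "one component means user, two or more means service" is an assumption made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    components: tuple   # e.g. ("nfs", "nfs1.example.com") or ("alice",)
    realm: str          # e.g. "EXAMPLE.COM"; "" when the name carries no realm


# krb5 escape sequences accepted inside a principal name
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(name: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm, honouring backslash escapes."""
    components, buf, realm = [], [], None
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            nxt = name[i + 1]
            buf.append(_ESCAPES.get(nxt, nxt))   # '\/' -> '/', '\@' -> '@', '\n' -> newline
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if realm is not None:
                raise ValueError("unescaped '@' inside realm: %r" % name)
            components.append("".join(buf))
            buf = []
            realm = ""                           # everything after this is the realm
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        components.append("".join(buf))
        realm = ""
    else:
        realm = "".join(buf)
    return Principal(tuple(components), realm)


def format_principal(p: Principal) -> str:
    """Inverse of parse_principal: re-escape '/', '@' and '\\' so the name round-trips."""
    def esc(s, chars):
        return "".join("\\" + c if c in chars else c for c in s)
    name = "/".join(esc(c, "/@\\") for c in p.components)
    return name + "@" + esc(p.realm, "@\\") if p.realm else name


def principal_kind(p: Principal) -> str:
    """Assumed rule: 'service' for service/host style (SPN), 'user' for one component (UPN)."""
    return "service" if len(p.components) >= 2 else "user"


# Which NFSv4 GSS daemon wants which kind of principal, as stated in the thread.
NFS_ROLE_WANTS = {"rpc.gssd": "user", "rpc.svcgssd": "service"}


def usable_for(daemon: str, principals) -> list:
    """Return the principals a given daemon could use, by kind."""
    want = NFS_ROLE_WANTS[daemon]
    return [p for p in principals if principal_kind(p) == want]


# `klist -k` prints a KVNO column followed by the principal name; header and
# separator lines do not start with a number. Names containing an escaped
# space are not handled by this simple pattern.
_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def keytab_principals(klist_output: str) -> list:
    """Parse principal names out of `klist -k` style text."""
    out = []
    for line in klist_output.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            out.append(parse_principal(m.group(2)))
    return out


# Constructed sample keytab listing (hosts and realm are made up); the
# 'nfs1$' entry mimics a Windows machine-account style name.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs1.example.com@EXAMPLE.COM
   2 host/nfs1.example.com@EXAMPLE.COM
   3 nfs1$@EXAMPLE.COM
"""


if __name__ == "__main__":
    ps = keytab_principals(SAMPLE_KLIST)
    for daemon in NFS_ROLE_WANTS:
        print(daemon, "->", [format_principal(p) for p in usable_for(daemon, ps)])
```

Running the script lists which keytab entries each daemon could pick up; an empty list for rpc.gssd or rpc.svcgssd is the quick sanity check that the keytab holds the wrong kind of principal for that side of the NFSv4 exchange.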