On 11/28/2011 10:16 AM, John Hodrien wrote:
On Mon, 28 Nov 2011, Ondrej Valousek wrote:

Yes.  My understanding is the only difference between a service principal and
a user principal is that the KDC will not issue a ticket granting ticket to a
service principal.

jh


Yes, and it is no wonder, because UPN and SPN serve different tasks. I
recommend searching MS TechNet for this. They have a nice explanation for
this.
In simple terms it's service for a receiver and user for initiator.
Unfortunately this can sometimes get a little blurry.  NFSv4 is a good example
of that.
Exactly :-) . In NFSv4 the rpc.gssd expects the UPN and rpc.svcgssd the SPN - and no one is going to tell you this, as no one expects you will use a Windows-based KDC for NFSv4... :-( . In a Linux-based KDC there is no strict distinction between these, I believe (citation needed here).