On 9/2/21 12:49 AM, Sumit Bose wrote:
> The reason is that 'kinit -k' constructs the principal by calling
> gethostname() or similar, adding the 'host/' prefix and the realm. But
> by default this principal in AD is only a service principal and cannot
> be used to request a TGT as kinit does. AD only allows user principals
> to request a TGT, and by default this is 'SHORT$@AD.REALM'. If the
> userPrincipalName attribute is set, the principal given there is allowed
> as well.
This raises a couple of questions. Because of AD's flat address space,
we use a host naming convention in AD as a sort of low-rent namespacing;
so, for example, for this host the college is cns and the research group
cryo, so the AD hostname is cns-cryo-ross1$
However,
# hostname
rossmann.biosci.utexas.edu
which is easier for the users to remember for ssh purposes. We set
ad_hostname = cns-cryo-ross1.austin.utexas.edu
in /etc/sssd/sssd.conf.
But I just checked, and kinit does not use ad_hostname, so I have to run
it as
kinit -k -R cns-cryo-ross1$
The question is, then what does use the ad_hostname key/value pair?
Next, the kinit example provided by Spike was `kinit -k` -- we always
run `kinit -k -R`
-R renews the TGT, which is what I thought is the thing set to expire in
AD that needs to be periodically renewed. What's the purpose of running
`kinit -k` without the -R?
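As an added example (not code from this thread, nor from SSSD or MIT Kerberos), the following POSIX shell script makes the point of the reply above concrete: it builds the host/<fqdn>@REALM principal that a bare `kinit -k` derives from the host name, and contrasts it with the SHORT$@REALM machine-account principal that is actually present in the keytab. The host names, the realm AD.EXAMPLE and the klist listing are constructed placeholders, not the poster's real values.

```sh
#!/bin/sh
# Added example, not code from the thread. Shows which principal `kinit -k`
# derives from the host name versus the AD machine-account principal found in
# the keytab. Host names, realm and keytab contents below are constructed
# placeholders, not the poster's real values.

# Constructed stand-in for the output of `klist -k /etc/krb5.keytab`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rossmann.biosci.utexas.edu@AD.EXAMPLE
   2 host/ROSSMANN@AD.EXAMPLE
   2 CNS-CRYO-ROSS1$@AD.EXAMPLE'

# The principal `kinit -k` tries when given no principal: host/<fqdn>@<REALM>.
# $1 = fully qualified host name, $2 = Kerberos realm
default_host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# First machine-account principal in a keytab listing: a bare name ending in
# '$' (no service/ prefix) followed by @REALM. Returns 1 if there is none.
# $1 = klist -k output
machine_principal() {
    printf '%s\n' "$1" | awk '
        index($2, "/") == 0 && $2 ~ /[$]@/ { print $2; found = 1; exit }
        END { exit !found }'
}

# Succeeds (exit 0) only if the exact principal appears in the listing.
# $1 = klist -k output, $2 = principal to look for
principal_in_keytab() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed listing.
main() {
    fqdn=rossmann.biosci.utexas.edu
    realm=AD.EXAMPLE
    guess=$(default_host_principal "$fqdn" "$realm")
    machine=$(machine_principal "$SAMPLE_KLIST") \
        || { echo "no machine-account principal in keytab" >&2; exit 1; }
    printf 'kinit -k would try:   %s\n' "$guess"
    printf 'machine account:      %s\n' "$machine"
    if principal_in_keytab "$SAMPLE_KLIST" "$guess"; then
        echo "host/ principal is in the keytab, but it is a service principal, not a user"
    fi
    printf 'command to use:       kinit -k %s\n' "$machine"
}

main
```

On a real host with MIT Kerberos, replace the constructed listing with live output, e.g. `kinit -k "$(machine_principal "$(klist -k)")"`, which picks the SHORT$ principal from the keytab instead of relying on the host-name-derived default.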