Ken Raeburn wrote:

> But I'd be really surprised if a Windows KDC couldn't be convinced to
> add an arbitrary service principal somehow. (But since I don't play
> around with Windows KDCs much, I couldn't tell you how to do it
> without doing all the same Google searches that you'd expect to have
> to do.)

(1) Add an account

(2) Use "SETSPN" to set a service principal name on the account

(3) Use "KTPASS" to set the enctype preferences, generate a
strong random password, and generate a keytab file

Jeffrey Altman

Ken Raeburn wrote:

> On Aug 23, 2006, at 3:43, Olfmatic wrote:
>
>>I understand your warnings. But it is not possible to add the
>>service to the realm, because it is running on a host that is not
>>in the same windows domain and not in the same kerberos realm.

Not true at least for Unix hosts. A service is "in a realm"
be virtue of possessing the key of a service principal registered
in the realm. The same service could accept tickets issued by
multiple independent realms, if it had entries in its keytab
for the principals.

Now if the service is running on window, and you are using the Windows
Kerberos it might not be true, because windows does more then Kerberos
authentication.

> To
>>be more precise, it is not running in a kerberos realm at all and
>>thus is not really a kerberos service.

Then why are you trying to use Kerberos?

>
>
> Ken
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos