Kerberos:UPN和SPN之间的区别 [英] Kerberos: difference between UPN and SPN

问题描述

我现在正在使用GSSAPI来对跨平台应用程序进行kerberize. 虽然我不清楚UPN和SPN之间的区别.

I'm now kerberizing a cross-platform application with GSSAPI. While I'm not clear about the difference between UPN and SPN.

开发环境是CentOS 6.4上的Samba4 AD DC服务器，Windows Server 2008 R2是域中的成员框，例如EXAMPLE.COM(您可能很好奇为什么不直接将Win2008用作DC.正如我之前所说的那样，应用程序是跨平台的，我现在在此设置下进行测试.正常的Win DC-Linux MEM设置可以正常工作.) 我创建一个新用户foobar:users来运行该应用程序. 当我使用foobar@EXAMPLE.COM即UPN来针对Kerberos验证应用程序时，我会不断收到

The development environment is a Samba4 AD DC server on CentOS 6.4 with a Windows server 2008 R2 a member box in the domain, say EXAMPLE.COM (You may be curious why not use Win2008 as DC directly. And as I stated previously, the application is cross-platform, I'm now testing in this setting. The normal Win DC-Linux MEM setting works fine.). I create a new user foobar:users to run the application. When I use foobar@EXAMPLE.COM, i.e. the UPN, to authenticate the application against Kerberos, I keep receiving

Kerberos:主体不能充当服务器错误

Kerberos: Principal may not act as server ERROR

在Samba邮件列表上的线程之后，我想我应该使用samba-tool

Following a thread on Samba maillist, I think I should create a service principal name say app/dc.example.com for the UPN with samba-tool

samba-tool spn add app/dc.example.com foobar

这次我会收到另一个错误

This time I will receive another error

Samba4 KDC-在hdb中找不到此类条目

Samba4 KDC - no such entry found in hdb

我的问题是UPN和SPN有什么区别? 在samba-tool spn list foobar中，它表示foobar 具有 servicePrincipalName app/dc.example.com. 如何将UPN与SPN相关联?

My question is what's the difference between a UPN and SPN? By samba-tool spn list foobar, it says foobar has servicePrincipalName app/dc.example.com. How could I associate a UPN with an SPN?

非常感谢您.

推荐答案

简单地说，

• UPN::执行客户端对某些服务的请求的实体.实体可以是人，也可以是机器.请参见此处.
• SPN::实体处理对特定服务(例如HTTP，LDAP，SSH等)的请求.仅用于计算机.请参见此处.

• UPN: An entity performing client requests to some service. Entity may be human or machine. See here.
• SPN: An entity processing requests for a specific service, e.g., HTTP, LDAP, SSH, etc. Machine only. See here.

UPN检索SPN的服务票证以使用该实际服务.

A UPN retrieves a service ticket for an SPN to use that actual service.

如果您的samba-tool调用您的请求samba，以将SPN app/dc.example.com注册到UPN foobar.由于您尚未提供SPN和UPN的领域，因此Samba将假定执行此调用的计算机的默认领域.用Windows术语来说，您通常将SPN绑定到计算机UPN.总是:<name>$@<REALM>.注意美元符号.

If your samba-tool call your request samba to register the SPN app/dc.example.com to the UPN foobar. Since You have not provided the realm of the SPN and UPN, Samba will assume the default realm of the machine this call is performed from. In Windows terms, you mostly bind an SPN to a machine UPN. Which is always: <name>$@<REALM>. Note the dollar sign.

这篇关于Kerberos:UPN和SPN之间的区别的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！