WARNING: 502 host.keytab is missing entries for AD SPN entries
You can use the following command to set the servicePrincipalName attribute on the computer object in AD:
/opt/quest/bin/vastool -u <ADadmin> setattrs -m host/ serviceprincipalname <HTTP/machine1> <HTTP/machine1.example.com> host/
Other useful commands:
bash-3.00# vastool ktutil
Usage: vastool ktutil
[ -k keytab_name ] [-v] { alias {principal} {alias} | list [--keys] [--timestamp] | remove {-p {principal}} [-V {kvno}] [-e {enc_type}] }
-k [keytab_name] Specify the keytab path
-v verbose
--keys Include keys in output
--timestamp Include timestamp in output
-p [principal] Specify the principal to remove
-V [kvno] Specify the kvno to remove
-e [enc_type] Specify the enc_type to remove
To list what is in your keytab file: vastool ktutil -k <path to keytab file> list
For example:
-bash-3.00# vastool ktutil -k /etc/opt/quest/vas/host.keytab list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
318 aes128-cts-hmac-sha1-96 host/stewie.cs-unix.ca@CS-UNIX.CA
318 aes128-cts-hmac-sha1-96 STEWIE$@CS-UNIX.CA
318 aes128-cts-hmac-sha1-96 cifs/stewie.cs-unix.ca@CS-UNIX.CA
318 aes128-cts-hmac-sha1-96 host/STEWIE@CS-UNIX.CA
318 aes256-cts-hmac-sha1-96 host/stewie.cs-unix.ca@CS-UNIX.CA
318 aes256-cts-hmac-sha1-96 STEWIE$@CS-UNIX.CA
318 aes256-cts-hmac-sha1-96 cifs/stewie.cs-unix.ca@CS-UNIX.CA
318 aes256-cts-hmac-sha1-96 host/STEWIE@CS-UNIX.CA
318 arcfour-hmac-md5 host/stewie.cs-unix.ca@CS-UNIX.CA
318 arcfour-hmac-md5 STEWIE$@CS-UNIX.CA
318 arcfour-hmac-md5 cifs/stewie.cs-unix.ca@CS-UNIX.CA
318 arcfour-hmac-md5 host/STEWIE@CS-UNIX.CA
317 aes128-cts-hmac-sha1-96 STEWIE$@CS-UNIX.CA
317 aes128-cts-hmac-sha1-96 host/stewie.cs-unix.ca@CS-UNIX.CA
317 aes128-cts-hmac-sha1-96 cifs/stewie.cs-unix.ca@CS-UNIX.CA
317 aes128-cts-hmac-sha1-96 host/STEWIE@CS-UNIX.CA
317 aes256-cts-hmac-sha1-96 STEWIE$@CS-UNIX.CA
317 aes256-cts-hmac-sha1-96 host/stewie.cs-unix.ca@CS-UNIX.CA
317 aes256-cts-hmac-sha1-96 cifs/stewie.cs-unix.ca@CS-UNIX.CA
317 aes256-cts-hmac-sha1-96 host/STEWIE@CS-UNIX.CA
317 arcfour-hmac-md5 STEWIE$@CS-UNIX.CA
317 arcfour-hmac-md5 host/stewie.cs-unix.ca@CS-UNIX.CA
317 arcfour-hmac-md5 cifs/stewie.cs-unix.ca@CS-UNIX.CA
317 arcfour-hmac-md5 host/STEWIE@CS-UNIX.CA
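The following is an added example, not part of the original article or One Identity's tooling: a shell function that reads a listing in the "Vno Type Principal" format shown above and reports which expected principals have no entry at the highest kvno in the keytab. An entry that exists only at an older kvno is reported as missing. The function name missing_spns, the host names and the realm are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a keytab listing against the SPNs you expect.
# Assumes the plain three-column output of `vastool ktutil -k <keytab> list`
# (no --keys or --timestamp columns).

# missing_spns EXPECTED_PRINCIPAL...
# Reads the listing on stdin and prints every expected principal that has
# no entry at the highest kvno found in the listing.
missing_spns() {
    awk -v want="$*" '
        # Data rows only: numeric kvno, enc type, principal
        NF == 3 && $1 ~ /^[0-9]+$/ {
            kvno = $1 + 0
            if (kvno > max) max = kvno
            seen[kvno, $3] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!((max, w[i]) in seen)) print w[i]
        }'
}

# Constructed sample listing: the HTTP SPN exists only at the old kvno 4.
sample_listing() {
    cat <<'EOF'
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
5 aes256-cts-hmac-sha1-96 host/web01.example.com@EXAMPLE.COM
5 aes256-cts-hmac-sha1-96 WEB01$@EXAMPLE.COM
4 aes256-cts-hmac-sha1-96 host/web01.example.com@EXAMPLE.COM
4 aes256-cts-hmac-sha1-96 WEB01$@EXAMPLE.COM
4 aes256-cts-hmac-sha1-96 HTTP/web01.example.com@EXAMPLE.COM
EOF
}

# Demo run against the constructed sample.
sample_listing | missing_spns \
    host/web01.example.com@EXAMPLE.COM \
    HTTP/web01.example.com@EXAMPLE.COM
```

Against a real keytab, pipe the output of vastool ktutil -k <path to keytab file> list into missing_spns in place of sample_listing.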
To remove an entry:
vastool ktutil remove -p <principal>
For example:
vastool ktutil remove -p host/stewie.cs-unix.ca@CS-UNIX.CA
For information about Service Principal Names, here is a link to Microsoft's information on it:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949(v=vs.85).aspx
There is a known issue in QAS 4.1.0 and 4.1.1 where the vastool status command reports that SPNs for CIFS are missing from host.keytab when they are not missing. The defect tracking ID for this issue is 653398.