When is mapUser required -

Gonzalo Etse

8/20/23, 3:21 PM

I'm not sure I understand when & why mapUser is needed.

When you generate a keytab with ktpass you can map the Service Principal to a user wit mapUser. You can then kinit to the Service from an other machine using that keytab.
When trying the same with ktutils from a linux machine, this is not possible. You simply generate a keytab for the user and kinit to the user.

The SPN setting is the following:

Service User: SQLservice
Service Policy Group
User from OU SQLusers: sqluser
SPN -S MYSSQLSvc/SQLservice.mynetwork.net SQLuser

I had followed a guide explaining SPN's should be set around this architecture.

0 + 0

active-directory

kerberos

spn

kinit

network-security

Greg Askew

8/20/23, 3:38 PM

The documentation states mapuser is for creating keytab files for non-Windows platforms. "To create a Kerberos .keytab file for a host computer that isn't running the Windows operating system, you must map the principal to the account and set the host principal password." https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Gonzalo Etse

8/20/23, 3:45 PM

Thanks! I guess my question is more towards why this is *not* required when generating the keytab from the non-windows machine with `ktutils`, like this: - `add_entry -password -p <database account name> -k 1 -e aes128-sha1` - Doc: https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html I've also not been able to attach to a SPN, instead what is asked is to generate the keytab directly to the UPN.

Greg Askew

8/20/23, 4:59 PM

/mapuser is AD specific. It updates the userPrincipalName attribute of the account. https://stackoverflow.com/questions/21598421/purpose-of-mapuser-in-ktpass

Gonzalo Etse

8/21/23, 9:18 AM

Thanks again Greg. I understand that, but yet I don't understand how you would do the same when using ktutils instead of ktpass (meaning, generating the keytab from linux instead of from the Domain controller). I investigated more, and I think that the solution might reside in mapping the service to a user when generating the SPN, as in this video: https://www.youtube.com/watch?v=F1HWdPTQZMM&list=PLtnrQHVKb9k3rhP_Aui2XPMR8hdWwN8uS&index=2 In the second video he directly kinits as the user instead of the SPN.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: When is mapUser required -

TH: เมื่อใดที่ต้องใช้ mapUser -

RO: Când este necesar mapUser -

RU: Когда требуется mapUser -

VI: Khi nào mapUser được yêu cầu -

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.