
When is mapUser required?

ad flag

I'm not sure I understand when & why mapUser is needed.

  • When you generate a keytab with ktpass you can map the Service Principal to a user with mapUser. You can then kinit to the Service from another machine using that keytab.

  • When trying the same with ktutils from a Linux machine, this is not possible. You simply generate a keytab for the user and kinit to the user.

The SPN setting is the following:

  • Service User: SQLservice
  • Service Policy Group
  • User from OU SQLusers: sqluser
  • SPN -S MYSSQLSvc/SQLservice.mynetwork.net SQLuser

I had followed a guide explaining that SPNs should be set up around this architecture.

cn flag
The documentation states mapuser is for creating keytab files for non-Windows platforms. "To create a Kerberos .keytab file for a host computer that isn't running the Windows operating system, you must map the principal to the account and set the host principal password." https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass
Gonzalo Etse
ad flag
Thanks! I guess my question is more towards why this is *not* required when generating the keytab from the non-Windows machine with `ktutils`, like this: `add_entry -password -p <database account name> -k 1 -e aes128-sha1` (doc: https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-27726F6E-569C-4704-8433-5CCC0232EC79.html). I've also not been able to attach to an SPN; instead what is asked is to generate the keytab directly to the UPN.
cn flag
/mapuser is AD specific. It updates the userPrincipalName attribute of the account. https://stackoverflow.com/questions/21598421/purpose-of-mapuser-in-ktpass
Gonzalo Etse
ad flag
Thanks again Greg. I understand that, but I still don't understand how you would do the same when using ktutils instead of ktpass (meaning, generating the keytab from Linux instead of from the Domain Controller). I investigated more, and I think that the solution might reside in mapping the service to a user when generating the SPN, as in this video: https://www.youtube.com/watch?v=F1HWdPTQZMM&list=PLtnrQHVKb9k3rhP_Aui2XPMR8hdWwN8uS&index=2 In the second video he directly kinits as the user instead of the SPN.
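The practical difference the thread circles around is which principal name ends up inside the keytab: ktutil `add_entry -p <user>` stores the user (UPN), while ktpass with /mapuser stores the SPN and tells AD which account owns it. The reader below, added here as an example and not code from the question or from either tool, lists the principals in an MIT-format keytab so you can check which case a file represents; the realm, kvno and key bytes in the sample are constructed.

```python
# Added example, not from the question: a minimal reader for MIT-format
# keytabs (version 0x0502) that lists the principals a keytab holds, so you
# can check whether a file carries the user (UPN) or the service (SPN).
import struct

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b  # counted_octet_string: uint16 len + bytes

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp 0, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body   # int32 size prefix, then the entry

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        if size < 0:          # deleted entries keep their slot with a negative size
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        # the 32-bit kvno is optional; fall back to the 8-bit one when absent
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        out.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return out

# Constructed sample (made-up realm, kvno and keys); 17 = aes128-cts-hmac-sha1-96.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("sqluser@MYNETWORK.NET", 3, 17, b"\x11" * 16) \
    + build_entry("MYSSQLSvc/SQLservice.mynetwork.net@MYNETWORK.NET", 3, 17, b"\x11" * 16)
```

`parse_keytab(SAMPLE_KEYTAB)` returns one tuple per entry; on a real file read with `open(path, "rb").read()` it gives the same view as `klist -kt`.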

