In adcli we should use 'host/fqdn@REALM' instead of 'HOST/fqdn@REALM' as one of our default SPNs. AD doesn't care much about case sensitivity but openssh sshd does.
Created attachment 107484
Use "host/fqdn@REALM" as default SPN instead of "HOST/fqdn@REALM"
Windows doesn't care, as it's mostly case insensitive, but sshd
does care here.
Attachment 107484 pushed as ec132a3 - Use "host/fqdn@REALM" as default SPN instead of "HOST/fqdn@REALM"
Double checked with Simo Sorce on IRC.
[Apologies for commenting on an old, closed bug - let me know if an alternative path is preferable]
Just hit this bug by updating our CentOS 6 server build process to use adcli to join the AD domain.
Using the EPEL6 version of adcli 0.7.3, adcli builds a keytab with:
While SSSD works with this keytab, openssh-server does not work with GSSAPI login using it.
What would be required to get a fixed version of adcli released into EPEL6?
Would a new release (0.7.6) be possible, and would this be acceptable for EPEL6?
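Added example (not part of the original thread and not adcli code): a check for keytabs affected by the case issue reported above. It assumes the listing format printed by MIT `klist -k` (a numeric KVNO followed by the principal); the function name `find_miscased_host_spns` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Reads `klist -k` style output on stdin and prints every principal whose
# service part is "host" in another case (HOST/, Host/, ...) when the keytab
# has no exact lowercase host/ entry for the same name and realm.
# Per the report above, sshd is case sensitive here while AD is not.
find_miscased_host_spns() {
    awk '
        # Entry lines: numeric KVNO first, principal as the last field.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $NF
            slash = index(princ, "/")
            if (slash == 0) next            # no service part, e.g. NAME$@REALM
            svc  = substr(princ, 1, slash - 1)
            rest = substr(princ, slash + 1)
            if (svc == "host")
                ok[rest] = 1                # exact lowercase form is present
            else if (tolower(svc) == "host")
                bad[rest] = princ           # same service, different case
        }
        END {
            for (r in bad)
                if (!(r in ok)) print bad[r]
        }
    ' | LC_ALL=C sort
}

# Constructed sample listing (not taken from the bug report).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVER1$@EXAMPLE.COM
   2 HOST/SERVER1@EXAMPLE.COM
   2 HOST/server1.example.com@EXAMPLE.COM
   2 host/server2.example.com@EXAMPLE.COM
   2 HOST/server2.example.com@EXAMPLE.COM'

# Stand-alone run: list the entries that lack a lowercase host/ counterpart.
printf '%s\n' "$SAMPLE_KLIST" | find_miscased_host_spns
```

On a real host the input would come from `klist -k /etc/krb5.keytab`; empty output means every host principal has a lowercase `host/` entry.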
Partially answered my own question, raised a bug in EPEL: