


I'm pretty sure it's krbsvr400.
FWIW, I have:
krbsvr400
ldap
HTTP
HOST
cifs
nfs

For me, only host name works for any EIM (this could be in my setup, I don't know). For DNS, I've found that the following PING commands must resolve to the same fully-qualified name for my server.
ping {short hostname}
ping -a {IP address}





-----Original Message-----
From: Steinmetz, Paul [mailto:PSteinmetz@xxxxxxxxxx]
Sent: Thursday, August 31, 2017 7:38 AM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxx>
Subject: RE: EIM SSO expired password issues

Justin,

I found notes from an old lengthy PMR from IBM, see below.
For mapped drives, only system name will work, IPs no longer.

Which keytab principal is used for ODBC?

PMR notes.
Regarding making Kerberos connections to the IP address, it appears that (although this has worked in the past) at some point Microsoft clients stopped using Kerberos for connections established via IP address, and current Microsoft clients appear to make Kerberos connections only for system names that resolve in DNS. So, the IP address is probably not going to work. I found the following article on support.microsoft.com:

https://support.microsoft.com/en-us/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-address

If you need additional confirmation, please contact Microsoft.

Regarding encrypted password connections to IP addresses (which you and I also talked about) the developer tells me that NetServer does bind to all TCP/IP interfaces that are active at the time when NetServer starts. Clients should be able to access NetServer, using encrypted passwords, through any interface with a network path from the client to the server.

Regarding which Service Principals are necessary:

(HOST) The HOST form of the principal name is obsolete. It was used by Windows 2000, and is still part of the NetServer documentation and configuration wizard for compatibility's sake. If you are only running 'currently in service' Windows clients, the HOST principals won't ever be used and can be removed.

(cifs) Only the service principals for names that you plan to connect to using Kerberos are necessary. For example, if the Qname (QPencor name) is unused, the principals can be removed. IP address can also be removed, since currently supported Microsoft clients do not appear to support Kerberos connections using IP address.

The developer stated that the NetServer (NETSERVER06) name may or may not work in current environments since it is a NetBIOS name. If it doesn't work, he said it can be removed. When he told me that, one thing came to mind. Since Kerberos is DNS-based, I wonder if a DNS entry could be added (on the DNS) for the NetServer name. I can't guarantee that would work, but it's something you could try if you wish. If it does work please let me know and I'll add that little trick to our documentation.

The developer is reluctant to advise anyone to remove the fully qualified principal name because behavior may vary based on your DNS configuration. It is advised that you keep both the Pencorp06 and Pencorp06.pencorp.com principals at a minimum.

Paul
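
The two checks discussed in this thread (forward and reverse DNS agreeing on one fully-qualified name, and which keytab principals the PMR notes call necessary or removable) can be scripted. This is an added example, not code from the thread or from IBM; the host `sysa.example.com`, the realm `EXAMPLE.COM`, the sample principal list, and all function names are constructed placeholders.

```python
import ipaddress
import socket

# Constructed keytab listing; host names and realm are placeholders, not from the thread.
SAMPLE_PRINCIPALS = [
    "krbsvr400/sysa.example.com@EXAMPLE.COM", "HOST/sysa@EXAMPLE.COM",
    "cifs/sysa@EXAMPLE.COM", "cifs/sysa.example.com@EXAMPLE.COM",
    "cifs/192.0.2.10@EXAMPLE.COM", "cifs/qsysa@EXAMPLE.COM",
]

def system_forward(name):
    """Counterpart of `ping {short hostname}`: (canonical FQDN, first IP)."""
    fqdn, _aliases, ips = socket.gethostbyname_ex(name)
    return fqdn, ips[0]

def system_reverse(ip):
    """Counterpart of `ping -a {IP address}`: the reverse-lookup name."""
    return socket.gethostbyaddr(ip)[0]

def dns_consistent(short_name, forward=system_forward, reverse=system_reverse):
    """True when forward and reverse lookups agree on one fully-qualified name."""
    fwd_fqdn, ip = forward(short_name)
    fwd, rev = fwd_fqdn.rstrip(".").lower(), reverse(ip).rstrip(".").lower()
    return fwd == rev and "." in fwd, fwd, rev

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_principals(principals, short_name, fqdn, extra_names=()):
    """Sort principals per the PMR notes: HOST/*, cifs/<IP> and cifs/<unused name>
    are removable; cifs for the short name and the FQDN are the minimum to keep."""
    wanted = {n.lower() for n in (short_name, fqdn, *extra_names)}
    report = {"keep": [], "removable": [], "missing": []}
    cifs_hosts = set()
    for p in principals:
        service, _, rest = p.partition("/")
        host = rest.split("@")[0].lower()
        unused_cifs = service == "cifs" and (_is_ip(host) or host not in wanted)
        if service == "HOST" or unused_cifs:
            report["removable"].append(p)
        else:
            report["keep"].append(p)
            if service == "cifs":
                cifs_hosts.add(host)
    required = {short_name.lower(), fqdn.lower()}
    report["missing"] = sorted("cifs/" + h for h in required - cifs_hosts)
    return report
```

Pass any names clients still connect to (for example a NetServer name that resolves in DNS) as `extra_names` so their cifs principals are kept; "removable" follows the PMR's condition that only currently supported Windows clients are in use.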




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
