Univention Bugzilla – Bug 34669
Sync servicePrincipalName
Last modified: 2020-07-13 20:13:00 CEST
Currently there is no way to indirectly set a servicePrincipalName in Samba/AD via some UDM operation. This would be good for situations like Bug 30115 and Bug 27980 / Bug 30348 (related: Bug 31968) and would avoid bugs like Bug 34575.

The S4-Connector only synchronizes userPrincipalName with krb5PrincipalName, both of which are single-value. To make things more challenging, the OpenLDAP krb5-kdc.schema semantics differ from the servicePrincipalName (SPN) concept in AD/Samba:

* In OpenLDAP we have separate objects below cn=kerberos for each SPN.
* In AD/Samba we have several SPNs attached to one machine/user object.

The "advantage" of the AD/Samba approach is that one set of Kerberos keys can be associated with several services. Starting with Windows 2008 R2, Active Directory additionally supports "Managed Service Accounts", which might be more compatible with the OpenLDAP schema: http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

It's probably pretty challenging to adjust the S4-Connector in a way that covers these options, but some way to achieve this would be good.
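The following script is an added illustration of the one-to-many mismatch described in the comment above; it is example code written for this page, not part of the bug report, of UCS or of the S4-Connector. It reads constructed Samba/AD-style entries that carry several servicePrincipalName values, expands them into the one-object-per-principal form the OpenLDAP side needs, and reports SPNs claimed by more than one object, which could not be represented as distinct per-SPN objects. The sample entries, the realm EXAMPLE.COM and the `krb5PrincipalName=...,cn=kerberos,<base>` DN layout are assumptions made for the example.

```python
"""Illustrate the SPN schema mismatch: AD/Samba keeps several
servicePrincipalName values on one object, the OpenLDAP krb5 side needs one
principal object per SPN.  Sample entries, realm and DN layout are constructed
for this example; this is not S4-Connector code."""
from collections import defaultdict

# Constructed Samba/AD-style entries (not taken from a real directory).
SAMPLE_AD_LDIF = """\
dn: CN=fileserver,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: fileserver$
servicePrincipalName: HOST/fileserver.example.com
servicePrincipalName: HOST/FILESERVER
servicePrincipalName: cifs/fileserver.example.com

dn: CN=svc-http,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc-http
userPrincipalName: svc-http@EXAMPLE.COM
servicePrincipalName: HTTP/www.example.com
servicePrincipalName: cifs/fileserver.example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader for the simple 'attr: value' form.

    Returns a list of entries; each entry maps the lower-cased attribute name
    to the list of its values.  Base64 (::) values and continuation lines are
    not handled, which is enough for the constructed sample above."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an 'attr: value' line: %r" % line)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def expand_spns(entries, realm, base_dn):
    """Model the OpenLDAP side: one krb5 principal object per SPN.

    For every servicePrincipalName on an AD object, return the
    krb5PrincipalName (SPN@REALM) and the DN such an object would have below
    cn=kerberos.  The 'krb5PrincipalName=...,cn=kerberos,<base>' layout is an
    assumption of this example, not a statement about how UCS lays out its
    directory."""
    result = []
    for entry in entries:
        source_dn = entry["dn"][0]
        for spn in entry.get("serviceprincipalname", []):
            principal = spn if "@" in spn else "%s@%s" % (spn, realm)
            dn = "krb5PrincipalName=%s,cn=kerberos,%s" % (principal, base_dn)
            result.append({"principal": principal, "dn": dn, "source": source_dn})
    return result


def find_duplicate_spns(entries):
    """Report SPNs claimed by more than one AD object.

    A per-SPN object is identified by its principal name, so two AD objects
    carrying the same SPN cannot both be represented on the OpenLDAP side.
    AD compares SPNs case-insensitively, so normalise to lower case.
    Returns {spn_lower: [source DNs]} for every conflict."""
    owners = defaultdict(list)
    for entry in entries:
        for spn in entry.get("serviceprincipalname", []):
            owners[spn.lower()].append(entry["dn"][0])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    ad_entries = parse_ldif(SAMPLE_AD_LDIF)
    for obj in expand_spns(ad_entries, "EXAMPLE.COM", "dc=example,dc=com"):
        print("%-48s <- %s" % (obj["principal"], obj["source"]))
    for spn, dns in find_duplicate_spns(ad_entries).items():
        print("conflict: %s set on %d objects: %s" % (spn, len(dns), ", ".join(dns)))
```

Run as a script it lists the five per-SPN objects the two AD entries would require and flags `cifs/fileserver.example.com`, which both constructed entries carry; that conflict is exactly the case a one-to-one synchronization of single-valued principal names cannot express.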
This also blocks Bug 32079.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.