12 April,16 at 11:11 AM
Applies to: All versions of Centrify DirectControl
Question:
Is it possible to exclude specific SPNs (service principal names) from being created at time of adjoin?
The reason being an application needs to use some SPNs which are created by Centrify during the join. Since SPNs have to be unique, a conflict is reported.
Answer:
Yes, prior to adjoin, remove the application related SPN(s) from the adclient.krb5.service.principals parameter in /etc/centrifydc/centrifydc.conf
This configuration parameter specifies additional service principals for entries in the Kerberos key table. The key table is populated by default with the service principals host and http. This parameter’s value must be one or more principal service names, separated by a space or by a comma.
For example:
adclient.krb5.service.principals: ldap nfs
If this parameter is not defined in the configuration file, no additional principal names are added to the Kerberos key table.
KB-8904: Removal of SPN from create list at precreate time does not prevent that SPN from being made at join time
KB-6038: How to specify the license type to use when joining the server to AD using adjoin?
KB-6041: How to show current license type in use by adclient
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-3925: How to add Centrify parameter to a group policy
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
[TIPS] A Centrify Server Suite Cheat Sheet
KB-6056: How to report the group policy settings that are in effect for the local computer?
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS