Purpose of mapuser in ktpass

Question

I just want to find out what the purpose of mapping a user to a service using ktpass is. For example I am on Windows and I run ktpass like this:

ktpass -out <keytab location> -princ <host/domain.com> -mapUser useraccount@domain.com -mapOp add .........

When we map a user to the -princ does it mean that only "useraccount" can authenticate the service? And how do we use the -add and -set option? what is the difference?

My issue is this: I have many users wanting to use a service I have, and authenticate through kerberos (JASS Krb5LoginModule) but I don't want to specify many user principal names in the jaas.config file. So I am thinking of using SPN instead, and mapping the users.

Answer 1

Option -mapUser useraccount@domain.com tells ktpass to store 'principal' in attribute userPrincipalName of this user in Active Directory, so that Active Directory would be able to find it, when clients ask for KerberosServiceTicket for this 'principal' and issue such ticket.

-mapUser specifies name of a user, which represents your service in Active Directory.

Using ktpass you're doing two things: generating keytab for your service (so that it could open Kerberos tickets received from clients, i.e. authenticate them), and registering principal in Active Directory (so that clients could get tickets for service at all).

In jaas.config file you specify just one principal name (for service), not for the clients. Once user logs into Active Directory domain, he/she has right to get service ticket for your service.