[cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Andrew Bartlett abartlet at samba.org
Wed Jan 28 17:50:54 MST 2015


In MS-KILE, following on from 114121712176508 which is in a bit of a
dead end, I'm wondering about where the mapping between the values in
LDAP and the valid values for client and server principal names in
Kerberos is specified?

We 'know' most of this - either a userPrincipalName or the
samAccountName @ REALM (or netbios domain) is a valid client principal,
and samAccountName @ REALM or servicePrincipalName @ REALM is a valid
server principal, but I can't find where this is actually written down,
and I'm not entirely clear what exact restriction I should implement on
these mappings, if any.  

In particular, what specifically determines that a principal is a valid
Kerberos service principal?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
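To make the mapping Andrew lists concrete, the following is an added example (not code from the post or from Samba) that models it as a checker over the three LDAP attributes named above. The Account class, the function names and the sample values are constructed here, and the rules encode only what the post states as 'known', not the normative text it is asking for.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Constructed stand-in for the LDAP attributes named in the post."""
    sam_account_name: str
    user_principal_name: Optional[str] = None
    service_principal_names: List[str] = field(default_factory=list)


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' into (name, REALM); the realm part may be absent.
    rpartition keeps any '@' that is part of the name itself intact."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, None)


def _same(a: str, b: str) -> bool:
    # AD compares these attribute values case-insensitively; mirror that.
    return a.casefold() == b.casefold()


def is_valid_client_principal(principal: str, acct: Account, realm: str,
                              netbios_domain: Optional[str] = None) -> bool:
    """Client side of the mapping as the post describes it:
    the userPrincipalName as-is, or sAMAccountName @ REALM (or @ NetBIOS domain)."""
    if acct.user_principal_name and _same(principal, acct.user_principal_name):
        return True
    name, prealm = split_principal(principal)
    if prealm is None or not _same(name, acct.sam_account_name):
        return False
    realms = [realm] + ([netbios_domain] if netbios_domain else [])
    return any(_same(prealm, r) for r in realms)


def is_valid_server_principal(principal: str, acct: Account, realm: str) -> bool:
    """Server side as the post describes it:
    sAMAccountName @ REALM or any servicePrincipalName @ REALM."""
    name, prealm = split_principal(principal)
    if prealm is None or not _same(prealm, realm):
        return False
    candidates = [acct.sam_account_name, *acct.service_principal_names]
    return any(_same(name, c) for c in candidates)
```

The realm-less form ("cifs/fs1.example.com" with no @REALM) is rejected by both checks; whether that is the right restriction is exactly the open question of the post.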