[cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Andrew Bartlett abartlet at samba.org
Mon Feb 9 23:55:22 MST 2015

On Thu, 2015-01-29 at 13:50 +1300, Andrew Bartlett wrote:
> In MS-KILE, following on from 114121712176508 which is in a bit of a
> dead end, I'm wondering about where the mapping between the values in
> LDAP and the valid values for client and server principal names in
> Kerberos is specified?
> We 'know' most of this - either a userPrincipalName or the
> samAccountName @ REALM (or netbios domain) is a valid client principal,
> and samAccountName @ REALM or servicePrinicpalName @ REALM is a valid
> server principal, but I can't find where this is actually written down,
> and I'm not entirely clear what exact restriction I should implement on
> these mappings, if any.  
> In particular, what specifically determines that a principal is a valid
> Kerberos service principal?


I don't have a record of this being assigned a case.  Can someone at
Microsoft please start looking into this, as it appears to be a gap in
the documentation. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list