[cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
abartlet at samba.org
Mon Feb 9 23:55:22 MST 2015
On Thu, 2015-01-29 at 13:50 +1300, Andrew Bartlett wrote:
> In MS-KILE, following on from 114121712176508 which is in a bit of a
> dead end, I'm wondering about where the mapping between the values in
> LDAP and the valid values for client and server principal names in
> Kerberos is specified?
> We 'know' most of this - either a userPrincipalName or the
> samAccountName @ REALM (or netbios domain) is a valid client principal,
> and samAccountName @ REALM or servicePrincipalName @ REALM is a valid
> server principal, but I can't find where this is actually written down,
> and I'm not entirely clear what exact restriction I should implement on
> these mappings, if any.
> In particular, what specifically determines that a principal is a valid
> Kerberos service principal?
I don't have a record of this being assigned a case. Can someone at
Microsoft please start looking into this, as it appears to be a gap in
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba