[cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Bryan Burgin bburgin at microsoft.com
Tue Feb 10 01:00:13 MST 2015


The case SR 115012912337526 was created. Our colleague Sree, copied, is assigned to it.

Bryan
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, February 9, 2015 10:55 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Re: [cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

On Thu, 2015-01-29 at 13:50 +1300, Andrew Bartlett wrote:
> In MS-KILE, following on from 114121712176508 which is in a bit of a 
> dead end, I'm wondering about where the mapping between the values in 
> LDAP and the valid values for client and server principal names in 
> Kerberos is specified?
> 
> We 'know' most of this - either a userPrincipalName or the 
> samAccountName @ REALM (or netbios domain) is a valid client 
> principal, and samAccountName @ REALM or servicePrincipalName @ REALM 
> is a valid server principal, but I can't find where this is actually 
> written down, and I'm not entirely clear what exact restriction I 
> should implement on these mappings, if any.
> 
> In particular, what specifically determines that a principal is a 
> valid Kerberos service principal?

G'Day,

I don't have a record of this being assigned a case.  Can someone at Microsoft please start looking into this, as it appears to be a gap in the documentation. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



