[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
Stefan (metze) Metzmacher
metze at samba.org
Wed Feb 18 01:01:48 MST 2015
Hi Sreekanth,
> Hello Andrew, below are the answers for your questions (numbered for convenience).
>
>
> 1) A valid Server Principal Name would be samAccountName @ REALM
> 2) And for a Service it would be ServicePrincipalName @ REALM
> 3) A valid Client Principal Name would be userPrincipalName or samAccountName@REALM
>
> Where are details for #1, #2, #3 ?
>
>
> 4) What specifically determines that a principal is a valid Kerberos service principal? I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.
>
>
> ANSWERS:
> =========
>
> For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 7.4.5.5. Nothing new to add apart from what MIT Kerberos docs describe "Server Principal" to be.
>
> For #2 i.e. format of "Service Principal Name" text in MS-ADTS section 3.1.1.5.3.1.1.4 servicePrincipalName seems to answer it adequately.
>
> "MS-KILE section 3.1.5.11 Naming " also describes this and [SPNNAMES] reference in MS-KILE points to the following
> https://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx
> https://msdn.microsoft.com/en-us/library/ms676921(v=vs.85).aspx
>
> For #3, i.e. format of "Client Principal",
>
> See MS-ADTS section 5.1.1.1.1 Simple Authentication
>
> <SNIPPET>
> The UPN of an object is either:
> A value of the userPrincipalName attribute of the object, or
>
> Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either:
> The DNS name of a domain in the same forest as the object, or
> A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
> </SNIPPET>
While uPNSuffixes is partly mentioned, msDS-SPNSuffixes is not mentioned
at all.
I think the behaviour description of uPNSuffixes and msDS-SPNSuffixes
should be improved.
Does msDS-SPNSuffixes apply to every servicePrincipalName in the forest?
metze
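As an added illustration of the name-derivation rules quoted in this thread (not code from the thread, Samba, or any Microsoft document), the following Python builds the candidate principal names for a directory object: the client UPN set from MS-ADTS 5.1.1.1.1 (userPrincipalName, or sAMAccountName followed by "@" and either a forest DNS domain name or a uPNSuffixes value), plus the samAccountName@REALM server form and the servicePrincipalName@REALM service form from answers #1 and #2. The `AdObject` and `Forest` types, the account data and the realm are constructed for the example; msDS-SPNSuffixes, which the message above asks about, is deliberately not modelled because the thread leaves its scope open.

```python
"""Candidate Kerberos principal names derived from an AD object's attributes.

Rules implemented (as quoted in the thread):
  - client UPNs: MS-ADTS 5.1.1.1.1 (AD DS case)
  - server principal: sAMAccountName@REALM
  - service principals: each servicePrincipalName value @REALM
All directory data here is constructed for illustration.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AdObject:
    """Subset of an AD object's attributes relevant to principal naming (hypothetical type)."""
    sam_account_name: str
    user_principal_name: Optional[str] = None
    service_principal_names: List[str] = field(default_factory=list)


@dataclass
class Forest:
    """Forest-wide naming data (hypothetical type)."""
    realm: str                 # Kerberos realm of the object's domain, e.g. "EXAMPLE.COM"
    dns_domains: Set[str]      # DNS names of every domain in the forest
    upn_suffixes: Set[str]     # uPNSuffixes on the Partitions container of the config NC


def client_upns(obj: AdObject, forest: Forest) -> Set[str]:
    """Every UPN the object may use as a client principal (MS-ADTS 5.1.1.1.1)."""
    names: Set[str] = set()
    # Rule 1: the explicit userPrincipalName attribute value, if present.
    if obj.user_principal_name:
        names.add(obj.user_principal_name)
    # Rule 2 (AD DS only): sAMAccountName "@" <forest DNS domain | uPNSuffixes value>.
    for suffix in forest.dns_domains | forest.upn_suffixes:
        names.add(f"{obj.sam_account_name}@{suffix}")
    return names


def server_principal(obj: AdObject, forest: Forest) -> str:
    """Answer #1 in the thread: samAccountName @ REALM."""
    return f"{obj.sam_account_name}@{forest.realm}"


def service_principals(obj: AdObject, forest: Forest) -> Set[str]:
    """Answer #2 in the thread: each servicePrincipalName value @ REALM."""
    return {f"{spn}@{forest.realm}" for spn in obj.service_principal_names}


def is_valid_client_principal(name: str, obj: AdObject, forest: Forest) -> bool:
    """True if `name` is one of the object's permitted UPNs.

    Assumption: comparison is done case-insensitively, mirroring the
    case-insensitive LDAP matching of these attributes; an exact-match policy
    would drop the .lower() calls.
    """
    return name.lower() in {n.lower() for n in client_upns(obj, forest)}


if __name__ == "__main__":
    # Constructed sample account and forest.
    svc = AdObject("svc-web", "webservice@corp.example.com",
                   ["HTTP/web.example.com", "HTTP/web"])
    forest = Forest("EXAMPLE.COM",
                    {"example.com", "child.example.com"},
                    {"corp.example.com"})
    print("client UPNs:", sorted(client_upns(svc, forest)))
    print("server principal:", server_principal(svc, forest))
    print("service principals:", sorted(service_principals(svc, forest)))
    print("svc-web@other.example valid?",
          is_valid_client_principal("svc-web@other.example", svc, forest))
```

Note that with only uPNSuffixes modelled, a name such as svc-web@other.example is rejected even though a KDC might accept further forms once the msDS-SPNSuffixes behaviour is pinned down; that gap is exactly the point the message above raises.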