[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Stefan (metze) Metzmacher metze at samba.org
Wed Feb 18 01:01:48 MST 2015


Hi Sreekanth,

> Hello Andrew, below are the answers for your questions (numbered for convenience).
> 
> 
> 1)	A valid Server Principal Name would be samAccountName @ REALM
> 2)	And for a Service it would be ServicePrincipalName @ REALM
> 3)	A valid Client Principal Name would be userPrincipalName or samAccountName @ REALM
> 
> Where are details for #1, #2, #3 ?
> 
> 
> 4)	What specifically determines that a principal is a valid Kerberos service principal? I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.
> 
> 
> ANSWERS:
> =========
> 
> For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 7.4.5.5. Nothing new to add apart from what MIT Kerberos docs describe "Server Principal" to be.
> 
> For #2  i.e. format of "Service Principal Name" text in MS-ADTS section 3.1.1.5.3.1.1.4 servicePrincipalName seems to answer it adequately. 
> 
> "MS-KILE section 3.1.5.11 Naming " also describes this and [SPNNAMES] reference in MS-KILE points to the following 
> https://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx 
> https://msdn.microsoft.com/en-us/library/ms676921(v=vs.85).aspx
> 
> For #3, i.e. format of "Client Principal",
> 
> See MS-ADTS section 5.1.1.1.1 Simple Authentication
> 
> <SNIPPET>
> The UPN of an object is either:
> A value of the userPrincipalName attribute of the object, or
> 
> Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either:
> The DNS name of a domain in the same forest as the object, or
> A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
> </SNIPPET>

While uPNSuffixes is partly mentioned, msDS-SPNSuffixes is not mentioned
at all.
I think the behaviour description of uPNSuffixes and msDS-SPNSuffixes
should be improved.
Does msDS-SPNSuffixes apply to every servicePrincipalName in the forest?

metze
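The client-principal rule quoted from MS-ADTS 5.1.1.1.1 above (userPrincipalName, or sAMAccountName followed by "@" and either a forest domain DNS name or a uPNSuffixes value), together with the principal@REALM forms from #1 to #3, can be turned into a small checker. The following is an added example, not code from the thread, Samba or Microsoft; the forest data, object attributes and the `is_valid_*` / `parse_spn` helper names are constructed for illustration, and the SPN parser follows the serviceclass/host[:port][/servicename] layout described by the [SPNNAMES] documents the thread links to. msDS-SPNSuffixes is deliberately not modelled, since its behaviour is exactly what the reply above asks to have clarified.

```python
# Added example (not from the mailing-list thread): enumerate the principal
# names a directory object may use, following the MS-ADTS 5.1.1.1.1 rule.
# Directory contents below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DirectoryObject:
    sam_account_name: str
    user_principal_name: Optional[str] = None          # attribute may be unset
    service_principal_names: List[str] = field(default_factory=list)


@dataclass
class Forest:
    domain_dns_names: Set[str]   # DNS names of the domains in this forest
    upn_suffixes: Set[str]       # uPNSuffixes on the Partitions container (config NC)
    kerberos_realm: str          # REALM used in the principal@REALM forms


def valid_upns(obj: DirectoryObject, forest: Forest) -> Set[str]:
    """UPNs accepted for `obj` under the quoted MS-ADTS rule:
    the userPrincipalName value, or sAMAccountName@<forest domain | uPNSuffixes value>."""
    upns: Set[str] = set()
    if obj.user_principal_name:
        upns.add(obj.user_principal_name)
    for suffix in forest.domain_dns_names | forest.upn_suffixes:
        upns.add(f"{obj.sam_account_name}@{suffix}")
    return upns


def is_valid_client_principal(name: str, obj: DirectoryObject, forest: Forest) -> bool:
    """Client principal (#3): a valid UPN or sAMAccountName@REALM.
    AD name matching is case-insensitive, so compare lower-cased."""
    candidates = {u.lower() for u in valid_upns(obj, forest)}
    candidates.add(f"{obj.sam_account_name}@{forest.kerberos_realm}".lower())
    return name.lower() in candidates


def parse_spn(spn: str) -> Optional[Dict[str, object]]:
    """Split an SPN of the form serviceclass/host[:port][/servicename].
    Returns None for malformed input (empty components, non-numeric port).
    Simplification: bracketed IPv6 host literals are not handled."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        return None
    service_class, host = parts[0], parts[1]
    port: Optional[int] = None
    if ":" in host:
        host, port_str = host.rsplit(":", 1)
        if not host or not port_str.isdigit():
            return None
        port = int(port_str)
    service_name = parts[2] if len(parts) == 3 else None
    return {"service_class": service_class, "host": host,
            "port": port, "service_name": service_name}


def is_valid_service_principal(name: str, obj: DirectoryObject, forest: Forest) -> bool:
    """Service principal (#2): <a registered servicePrincipalName>@REALM,
    where the SPN itself must be well-formed."""
    if "@" not in name:
        return False
    spn, realm = name.rsplit("@", 1)
    if realm.lower() != forest.kerberos_realm.lower() or parse_spn(spn) is None:
        return False
    return spn.lower() in {s.lower() for s in obj.service_principal_names}


if __name__ == "__main__":
    forest = Forest({"example.com", "child.example.com"}, {"corp.example"}, "EXAMPLE.COM")
    alice = DirectoryObject("alice", "alice.smith@corp.example")
    print(sorted(valid_upns(alice, forest)))
    print(is_valid_client_principal("ALICE@EXAMPLE.COM", alice, forest))
```

Running the module prints the four UPNs derived for the constructed user (the explicit userPrincipalName plus one sAMAccountName@suffix form per forest domain and per uPNSuffixes entry) and confirms that the realm form is also accepted; any other suffix is rejected.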
