[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
Stefan (metze) Metzmacher
metze at samba.org
Wed Feb 18 01:01:48 MST 2015
> Hello Andrew, below are the answers for your questions (numbered for convenience).
> 1) A valid Server Principal Name would be samAccountName @ REALM
> 2) And for a Service it would be ServicePrincipalName @ REALM
> 3) A valid Client Principal Name would be userPrincipalName or samAccountName @ REALM
> Where are details for #1, #2, #3?
> 4) What specifically determines that a principal is a valid Kerberos service principal? I can't find where this is actually written down, and I'm not entirely clear what exact restriction I should implement on these mappings, if any.
> For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 22.214.171.124. Nothing new to add apart from what MIT Kerberos docs describe "Server Principal" to be.
> For #2 i.e. format of "Service Principal Name" text in MS-ADTS section 126.96.36.199.188.8.131.52 servicePrincipalName seems to answer it adequately.
> "MS-KILE section 184.108.40.206 Naming " also describes this and [SPNNAMES] reference in MS-KILE points to the following
> For #3, i.e. format of "Client Principal",
> See MS-ADTS section 220.127.116.11.1 Simple Authentication
> The UPN of an object is either:
> A value of the userPrincipalName attribute of the object, or
> Only for AD DS: The value of the sAMAccountName attribute of the object, followed by a "@" sign, followed by either:
> The DNS name of a domain in the same forest as the object, or
> A value in the uPNSuffixes attribute of the Partitions container in the config NC replica.
While uPNSuffixes is partly mentioned, msDS-SPNSuffixes is not mentioned
I think the behaviour description of uPNSuffixes and msDS-SPNSuffixes
should be improved.
Does msDS-SPNSuffixes apply to every servicePrincipalName in the forest?
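The UPN rule quoted above (userPrincipalName value, or sAMAccountName followed by "@" and either a forest domain's DNS name or a uPNSuffixes value) expressed as a small mapping check. This is an added example, not code from this thread, from Samba or from Microsoft. The account names, domain names and suffixes are constructed; the case-insensitive comparison and the acceptance of "<UPN>@REALM" as the "userPrincipalName @ REALM" reading of answer #3 are assumptions of the example, not statements from the thread. msDS-SPNSuffixes is deliberately left out, since the question of where it applies is still open.

```python
"""Matching a Kerberos client principal against an AD account under the
MS-ADTS UPN rule quoted in the thread (AD DS case).

Added example: not code from the thread, from Samba or from Microsoft.
All names, domains and suffixes used below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """The two attributes of a user object that the rule reads."""
    sam_account_name: str
    user_principal_name: Optional[str] = None


@dataclass
class Forest:
    """Forest-wide inputs: the DNS names of every domain in the forest, and
    the uPNSuffixes attribute of the Partitions container in the config NC."""
    domain_dns_names: list[str]
    upn_suffixes: list[str] = field(default_factory=list)

    def accepted_upn_suffixes(self) -> set[str]:
        # Both sources are valid suffixes for sAMAccountName@<suffix>.
        return {s.lower() for s in self.domain_dns_names + self.upn_suffixes}


def upns_for(account: Account, forest: Forest) -> set[str]:
    """All UPNs the quoted rule grants the account, lower-cased.

    Lower-casing is a design choice of this example (assumed to mirror AD's
    case-insensitive attribute matching); the thread does not discuss case.
    """
    upns: set[str] = set()
    if account.user_principal_name:                 # explicit userPrincipalName
        upns.add(account.user_principal_name.lower())
    sam = account.sam_account_name.lower()
    for suffix in forest.accepted_upn_suffixes():   # sAMAccountName@<suffix>
        upns.add(f"{sam}@{suffix}")
    return upns


def client_principal_matches(principal: str, account: Account, forest: Forest) -> bool:
    """True if the client principal string names this account.

    Two readings of answer #3 are accepted:
      * sAMAccountName@REALM where REALM is a forest domain's DNS name
        (this is just the sAMAccountName@<domain> clause of the rule), and
      * <UPN>@REALM where everything before the LAST '@' is one of the
        account's UPNs (assumed reading of "userPrincipalName ... @ REALM").
    A bare name without '@' never matches.
    """
    upns = upns_for(account, forest)
    lowered = principal.lower()
    if lowered in upns:                  # alice@corp.example, alice@example.com
        return True
    # Split on the last '@' so a UPN in the name part keeps its own '@'.
    name, sep, _realm = lowered.rpartition("@")
    return bool(sep) and name in upns    # alice@example.com@CORP.EXAMPLE


def accounts_for_principal(principal: str, accounts: list[Account],
                           forest: Forest) -> list[str]:
    """sAMAccountNames of every account the principal maps to. More than one
    hit means an ambiguous mapping that the directory should not contain."""
    return [a.sam_account_name for a in accounts
            if client_principal_matches(principal, a, forest)]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real forest.
    forest = Forest(["corp.example", "child.corp.example"],
                    upn_suffixes=["example.com"])
    alice = Account("alice", user_principal_name="alice@example.com")
    bob = Account("bob")                 # no userPrincipalName set
    for p in ["alice@CORP.EXAMPLE", "alice@example.com@CORP.EXAMPLE",
              "bob@child.corp.example", "bob@example.com", "alice@other.example"]:
        print(f"{p:35} -> {accounts_for_principal(p, [alice, bob], forest)}")
```

Running the block prints which constructed account each sample principal maps to; "alice@other.example" maps to none, because other.example is neither a forest domain nor a uPNSuffixes value and alice's explicit UPN uses example.com.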