[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Andrew Bartlett abartlet at samba.org
Wed Feb 18 02:30:08 MST 2015

On Wed, 2015-02-18 at 04:50 +0000, Sreekanth Nadendla wrote:
> For #4, It is not clear what you mean by valid service principal. We
> know the rules of constructing an SPN and anything that follows the
> syntax is a valid one.  The Active Directory finds a match to identify
> the user/machine account given an SPN.  As for restrictions on these
> fields, section " Uniqueness Constraints" in MS-ADTS
> answers it.

Specifically, why can I get a ticket to machine$@REALM but not
administrator at REALM?

It is more than the valid construction of the name - something in the
database is different between these two similar cases. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list