[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

Andrew Bartlett abartlet at samba.org
Wed Feb 18 02:30:08 MST 2015


On Wed, 2015-02-18 at 04:50 +0000, Sreekanth Nadendla wrote:
> 
> For #4, it is not clear what you mean by valid service principal. We
> know the rules of constructing an SPN and anything that follows the
> syntax is a valid one.  The Active Directory finds a match to identify
> the user/machine account given an SPN.  As for restrictions on these
> fields, section "3.1.1.5.1.3 Uniqueness Constraints" in MS-ADTS
> answers it.

Specifically, why can I get a ticket to machine$@REALM but not
administrator@REALM?

It is more than the valid construction of the name - something in the
database is different between these two similar cases. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



