[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
srenaden at microsoft.com
Wed Feb 18 13:57:47 MST 2015
> Specifically, why can I get a ticket to machine$@REALM but not administrator at REALM?
Andrew, I am able to get ticket for administrator at REALM. See below.
root at ubuntunsk:/home/sreekanth# kinit administrator at 379135DOM.LAB
administrator at 379135DOM.LAB's Password:
root at ubuntunsk:/home/sreekanth# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator at 379135DOM.LAB
Issued Expires Principal
Feb 18 15:29:42 2015 Feb 19 01:29:36 2015 krbtgt/379135DOM.LAB at 379135DOM.LAB
Microsoft Windows Open Specifications
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, February 18, 2015 4:30 AM
To: Sreekanth Nadendla
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
On Wed, 2015-02-18 at 04:50 +0000, Sreekanth Nadendla wrote:
> For #4, It is not clear what you mean by valid service principal. We
> know the rules of constructing an SPN and anything that follows the
> syntax is a valid one. The Active Directory finds a match to identify
> the user/machine account given an SPN. As for restrictions on these
> fields, section "22.214.171.124.1.3 Uniqueness Constraints" in MS-ADTS
> answers it.
Specifically, why can I get a ticket to machine$@REALM but not administrator at REALM?
It is more than the valid construction of the name - something in the database is different between these two similar cases.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol