[cifs-protocol] 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

[Sreekanth Nadendla]

> Specifically, why can I get a ticket to machine$@REALM but not administrator at REALM?

Andrew, I am able to get ticket for administrator at REALM. See below. 

root at ubuntunsk:/home/sreekanth#  kinit administrator at 379135DOM.LAB
administrator at 379135DOM.LAB's Password:

root at ubuntunsk:/home/sreekanth#  klist

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator at 379135DOM.LAB

Issued		      Expires				Principal
Feb 18 15:29:42 2015  Feb 19 01:29:36 2015     krbtgt/379135DOM.LAB at 379135DOM.LAB


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, February 18, 2015 4:30 AM
To: Sreekanth Nadendla
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

On Wed, 2015-02-18 at 04:50 +0000, Sreekanth Nadendla wrote:
> 
> For #4, It is not clear what you mean by valid service principal. We 
> know the rules of constructing an SPN and anything that follows the 
> syntax is a valid one.  The Active Directory finds a match to identify 
> the user/machine account given an SPN.  As for restrictions on these 
> fields, section "3.1.1.5.1.3 Uniqueness Constraints" in MS-ADTS 
> answers it.

Specifically, why can I get a ticket to machine$@REALM but not administrator at REALM?

It is more than the valid construction of the name - something in the database is different between these two similar cases. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba