[cifs-protocol] Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?
abartlet at samba.org
Wed Jan 28 17:50:54 MST 2015
In MS-KILE, following on from 114121712176508 which is in a bit of a
dead end, I'm wondering about where the mapping between the values in
LDAP and the valid values for client and server principal names in
Kerberos is specified?
We 'know' most of this - either a userPrincipalName or the
samAccountName @ REALM (or netbios domain) is a valid client principal,
and samAccountName @ REALM or servicePrincipalName @ REALM is a valid
server principal, but I can't find where this is actually written down,
and I'm not entirely clear what exact restriction I should implement on
these mappings, if any.
In particular, what specifically determines that a principal is a valid
Kerberos service principal?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba