[jcifs] username dialog syntax changes

Michael B Allen mba2000 at ioplex.com
Sat Mar 25 03:19:55 GMT 2006

On Fri, 24 Mar 2006 15:06:01 -0600
"Tapperson Kevin" <Kevin.Tapperson at hcahealthcare.com> wrote:

> > correct fix would be to use RFC 2052 SRV DNS lookups to find the domain
> > controller for the particular realm.
> In this case, what is the relationship then between a realm and a
> domain.

A realm is the name of a database that contains encryption keys of user
and service principals. A domain is the name of a database that contains
all persistent information about users (minus their encryption keys).

The difference is an implementation detail of the security model. I guess
putting keys into Active Directory is less secure than putting them into
a separate database on a separate machine specifically designated for
that purpose.

There is a 1:1 mapping between a user principal name and a SAM account
name but the realm and domain are not required to be the same. For example
in a large company you might divide up your domains by department with
a single realm.

I'm not sure if one form is to be favored over the other though.
Personally I think the DOMAIN\username SAM account name form is a little
easier to work with since it's usually more specific and it's what people
are used to.


More information about the jcifs mailing list