[jcifs] username dialog syntax changes

Michael B Allen mba2000 at ioplex.com
Sat Mar 25 03:19:55 GMT 2006


On Fri, 24 Mar 2006 15:06:01 -0600
"Tapperson Kevin" <Kevin.Tapperson at hcahealthcare.com> wrote:

> > correct fix would be to use RFC 2052 SRV DNS lookups to find the domain
> > controller for the particular realm.
> 
> In this case, what is the relationship then between a realm and a
> domain?

A realm is the name of a database that contains encryption keys of user
and service principals. A domain is the name of a database that contains
all persistent information about users (minus their encryption keys).

The difference is an implementation detail of the security model. I guess
putting keys into Active Directory is less secure than putting them into
a separate database on a separate machine specifically designated for
that purpose.

There is a 1:1 mapping between a user principal name and a SAM account
name but the realm and domain are not required to be the same. For example
in a large company you might divide up your domains by department with
a single realm.

I'm not sure if one form is to be favored over the other though.
Personally I think the DOMAIN\username SAM account name form is a little
easier to work with since it's usually more specific and it's what people
are used to.

Mike

