Does Samba support UPN authentication using NTLM?

Isaac Boukris iboukris at gmail.com
Wed Oct 5 19:48:17 UTC 2016


Hi Uri,

On Thu, Sep 1, 2016 at 9:20 AM, Uri Simchoni <uri at samba.org> wrote:
> Just my 2c...
>
> With Kerberos authentication, UPNs are handled as "enterprise names"
> (RFC 6806), so you just ask for a TGT of b@domain, marking b@domain as
> an enterprise principal name and asking the DC to canonicalize it. In
> the PAC of the reply you can see that it's domain\a.

Thanks for the information about enterprise names in Kerberos.
Note, however, that this led me to section "3.3.5.6.1 Client Principal
Lookup" in the MS-KILE document.
In short, it looks like AD would try several combinations in order to
find a match.


