Hi Sreekanth,

> Hello Andrew,  below are the answers for your questions (numbered for 
> convenience). 
> 
> 
> 1)    A valid Server Principal Name would be  samAccountName@REALM
> 2)    And  for a  Service it would be  ServicePrincipalName@REALM
> 3)    A valid Client Principal Name would be   userPrincipalName   or   
> samAccountName@REALM
> 
> Where are details for #1, #2, #3?
> 
> 
> 4)    What specifically determines that a principal is a valid Kerberos 
> service principal? I can't find where this is actually written down, and I'm 
> not entirely clear what exact restriction I should implement on these 
> mappings, if any.
> 
> 
> ANSWERS:
> =========
> 
> For #1 above i.e. format of "Server Principal Name" refer to MS-DISO section 
> 7.4.5.5. Nothing new to add apart from what MIT Kerberos docs describe 
> "Server Principal" to be.
> 
> For #2, i.e. format of "Service Principal Name", text in MS-ADTS section 
> 3.1.1.5.3.1.1.4 servicePrincipalName seems to answer it adequately. 
> 
> "MS-KILE section 3.1.5.11 Naming" also describes this and the [SPNNAMES] 
> reference in MS-KILE points to the following: 
> https://msdn.microsoft.com/en-us/library/ms677601(v=vs.85).aspx 
> https://msdn.microsoft.com/en-us/library/ms676921(v=vs.85).aspx
> 
> For #3, i.e. format of "Client Principal", 
> 
> See MS-ADTS section 5.1.1.1.1 Simple Authentication
> 
> <SNIPPET>
> The UPN of an object is either:
> A value of the userPrincipalName attribute of the object, or
> 
> Only for AD DS: The value of the sAMAccountName attribute of the object, 
> followed by a "@" sign, followed by either:
> The DNS name of a domain in the same forest as the object, or
> A value in the uPNSuffixes attribute of the Partitions container in the 
> config NC replica.
> </SNIPPET>

While uPNSuffixes is partly mentioned, msDS-SPNSuffixes is not mentioned
at all.
I think the behaviour description of uPNSuffixes and msDS-SPNSuffixes
should be improved.
Does msDS-SPNSuffixes apply to every servicePrincipalName in the forest?

metze
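The MS-ADTS 5.1.1.1.1 rule quoted above (userPrincipalName value, or sAMAccountName "@" a forest domain DNS name or a uPNSuffixes value) as a small checker. This is an added example, not code from the thread or from Samba; the forest data is constructed, and case-insensitive matching of both halves is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ForestConfig:
    # Constructed sample forest data (not a real forest).
    forest_dns_domains: set        # DNS names of the domains in the forest
    upn_suffixes: set              # uPNSuffixes on the Partitions container (config NC)

@dataclass
class UserObject:
    sam_account_name: str
    user_principal_name: Optional[str] = None

def upn_match(name: str, user: UserObject, cfg: ForestConfig) -> Optional[str]:
    """Return which MS-ADTS 5.1.1.1.1 branch makes `name` a UPN of `user`,
    or None if it is not a UPN of that object.

    Assumption: AD compares these values case-insensitively, so both sides
    are casefolded before comparison.
    """
    n = name.casefold()
    # Branch 1: the object's own userPrincipalName attribute value.
    if user.user_principal_name is not None and n == user.user_principal_name.casefold():
        return "userPrincipalName"
    # Branch 2 (AD DS only): sAMAccountName, "@", then an allowed suffix.
    # Compare against each candidate rather than splitting on "@", so a
    # sAMAccountName containing "@" cannot be mis-parsed.
    sam = user.sam_account_name.casefold()
    for suffix in cfg.forest_dns_domains:
        if n == f"{sam}@{suffix.casefold()}":
            return "forestDomainDNSName"
    for suffix in cfg.upn_suffixes:
        if n == f"{sam}@{suffix.casefold()}":
            return "uPNSuffixes"
    return None

def is_valid_upn(name: str, user: UserObject, cfg: ForestConfig) -> bool:
    return upn_match(name, user, cfg) is not None

if __name__ == "__main__":
    cfg = ForestConfig({"corp.example.com", "child.corp.example.com"}, {"example.com"})
    bob = UserObject("bob", "robert@example.com")
    for candidate in ("robert@example.com", "bob@corp.example.com",
                      "bob@example.com", "bob@other.example.net"):
        print(candidate, "->", upn_match(candidate, bob, cfg))
```

Note that the snippet says nothing about msDS-SPNSuffixes, so this checker deliberately does not consult it.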

_______________________________________________
cifs-protocol mailing list
https://lists.samba.org/mailman/listinfo/cifs-protocol