> Specifically, why can I get a ticket to machine$@REALM but not
> administrator@REALM?

Andrew, I am able to get ticket for administrator@REALM. See below.

root@ubuntunsk:/home/sreekanth# kinit [email protected]
[email protected]'s Password:
root@ubuntunsk:/home/sreekanth# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [email protected]

  Issued                Expires               Principal
Feb 18 15:29:42 2015  Feb 19 01:29:36 2015  krbtgt/[email protected]

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Wednesday, February 18, 2015 4:30 AM
To: Sreekanth Nadendla
Cc: [email protected]; MSSolve Case Email
Subject: Re: 115012912337526 Where is the link between Kerberos principals and servicePrincipalName/userPrincipalName specified?

On Wed, 2015-02-18 at 04:50 +0000, Sreekanth Nadendla wrote:
>
> For #4, It is not clear what you mean by valid service principal. We
> know the rules of constructing an SPN and anything that follows the
> syntax is a valid one. The Active Directory finds a match to identify
> the user/machine account given an SPN. As for restrictions on these
> fields, section "3.1.1.5.1.3 Uniqueness Constraints" in MS-ADTS
> answers it.

Specifically, why can I get a ticket to machine$@REALM but not
administrator@REALM?

It is more than the valid construction of the name - something in the
database is different between these two similar cases.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
