On Fri, 12 May 2006 00:15:23 +0100 "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> Which information does a w2k3(active directory) server use to identify a
> user [EMAIL PROTECTED] when using kinit [EMAIL PROTECTED] ? Is it the
> samAccountName fred together with the Domain name DOMAIN.COM of the w2k3
> server or the userPrincipalName [EMAIL PROTECTED] where DOM.COM is the
> netbios domain name or ????

I'm not really sure what you're asking but in a windows domain you have two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm serve the same purpose (namespace for accounts) although the Kerberos realm is used primarily (exclusively?) for authentication purposes. I believe an NT domain maps to a realm whereas a realm does not necessarily map back to one domain but they are otherwise largely interchangeable in many places. For example I believe you can log into a Windows workstation with SALES-NYC\fred, [EMAIL PROTECTED], or [EMAIL PROTECTED].

If we're talking about authentication then I think the Kerberos realm is preferred. If we're talking about ACLs I'm not sure anything but the NT domain form will work as that is what is directly mapped to a SID and SIDs are what go into security descriptors.

Mike
