Mike,

>I'm not really sure what you're asking but in a windows domain you have
>two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm
>like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm
>serve the same purpose (namespace for accounts) although the Kerberos
>realm is used primarily (exclusively?) for authentication purposes. I
>believe an NT domain maps to a realm whereas a realm does not necessarily
>map back to one domain but they are otherwise largely interchangeable in

This is a bit vague -- I can't think of any examples where the mapping between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you can come up with a case for W2K3 domain renames but not in the general case. Windows uses the long name if you logon with a UPN, otherwise it uses the short name selected in the drop down list box.

>about authentication then I think the Kerberos realm is preferred. If
>we're talking about ACLs I'm not sure anything but the NT domain form
>will work as that is what is directly mapped to a SID and SIDs are what
>go into security descriptors.

The name to SID mapping protocol allows a variety of name types to be specified, including UPNs.

-- Luke

--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
