----- Original Message -----
From: "Luke Howard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[email protected]>
Sent: Friday, May 12, 2006 7:28 AM
Subject: Re: Authenticating users against w2k3

>
>>> Windows uses the long name if you logon with a UPN, otherwise it uses
>>> the short name selected in the drop down list box.
>>
>>Mmm, I thought the last big network I was on had multiple NT domains
>>under one realm. Perhaps not.
>
> Well, giving the impression that this is the case is one of the reasons
> UPNs exist -- for example, you could set all users' UPN suffix to that
> of the forest root (or some other arbitrary domain) and they can logon
> as [EMAIL PROTECTED], [EMAIL PROTECTED] (!) even though mba2000's real
> domain might be win.ioplex.com and mine xad.ioplex.com. :-)

If I do that, what would the krb5.conf look like? Can I do a kinit [EMAIL PROTECTED]? How does Kerberos decide to go to win or xad to authenticate the user?

>
>>> The name to SID mapping protocol allows a variety of name types to be
>>> specified, including UPNs.
>>
>>Meaning you can use UPNs with something like
>>LsarLookupNames? Interesting. Didn't know that.
>
> Yes.
>
> -- Luke
>
> --
>

Thanks
Markus

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
