The reason I am asking is that I intend to change the UPN to the email address and I like to understand the effect for any Kerberos authentication from Unix or via kfw.
Thanks Markus "Luke Howard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > Mike, > >>I'm not really sure what you're asking but in a windows domain you have >>two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm >>like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm >>serve the same purpose (namespace for accounts) although the Kerberos >>realm is used primarily (exclusively?) for authentication purposes. I >>believe an NT domain maps to a realm whereas a realm does not necessarily >>map back to one domain but they are otherwise largely interchangeable in > > This is a bit vague -- I can't think of any examples where the mapping > between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you > can come up with a case for W2K3 domain renames but not in the general > case. > > Windows uses the long name if you logon with a UPN, otherwise it uses > the short name selected in the drop down list box. > >>about authentication then I think the Kerberos realm is preferred. If >>we're talking about ACLs I'm not sure anything but the NT domain form >>will work as that is what is directly mapped to a SID and SIDs are what >>go into security descriptors. > > The name to SID mapping protocol allows a variety of name types to be > specified, including UPNs. > > -- Luke > > -- > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
