Last time I looked, Windows 2000 defines a number of different Kerberos principal name types that needed to be supported by the KDC, e.g. KRB5_NT_MS_PRINCIPAL, KRB5_NT_ENTERPRISE_PRINCIPAL.

-- Luke

>From: "Jim McDonough" <[EMAIL PROTECTED]>
>Subject: Re: New approach to win2k joins...
>To: Jean Francois Micouleau <[EMAIL PROTECTED]>
>Cc: [EMAIL PROTECTED]
>Date: Mon, 5 Aug 2002 18:51:56 -0400
>
>
>>> But when I try to logon, it tries to use the short version of the domain as
>>> the realm...which my MIT KDC doesn't like. Any ideas here?
>>
>>when is it supposed to get the realm ? are you sure it's getting it
>>correctly ?
>I'm not sure exactly what your question is, but this is exactly how a win2k
><->win2k interaction is. If there is a short (netbios) domain name that
>shows up in the logon screen, that's what gets sent as the realm for the
>principal to the KDC...and the tgt that is returned has the full true realm
>name in the principal...!
>>do you have a trace of a user logging on the box ?
>I can give you this or the equivalent in win2k<->win2k, and you'll see the
>realm thing I'm talking about...
>
>
>----------------------------
>Jim McDonough
>IBM Linux Technology Center
>Samba Team
>6 Minuteman Drive
>Scarborough, ME 04074
>USA
>
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>Phone: (207) 885-5565
>IBM tie-line: 776-9984

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
