Authenticating users against w2k3

Michael B Allen mba2000 at ioplex.com
Thu May 11 20:31:34 EDT 2006


On Fri, 12 May 2006 00:15:23 +0100
"Markus Moeller" <huaraz at moeller.plus.com> wrote:

> Which information does a w2k3 (active directory) server use to identify a 
> user fred@DOMAIN.COM when using kinit fred@DOMAIN.COM ? Is it the 
> samAccountName fred together with the Domain name DOMAIN.COM of the w2k3 
> server or the userPrincipalName fred@DOM.COM where DOM.COM is the netbios 
> domain name or ????

I'm not really sure what you're asking but in a windows domain you have
two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm
like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm
serve the same purpose (namespace for accounts) although the Kerberos
realm is used primarily (exclusively?) for authentication purposes. I
believe an NT domain maps to a realm whereas a realm does not necessarily
map back to one domain but they are otherwise largely interchangeable in
many places. For example I believe you can log into a Windows workstation
with SALES-NYC\fred, fred@SALES-NYC, or fred@MINUS.COM. If we're talking
about authentication then I think the Kerberos realm is preferred. If
we're talking about ACLs I'm not sure anything but the NT domain form
will work as that is what is directly mapped to a SID and SIDs are what
go into security descriptors.

Mike
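A small resolver, added here as an illustration and not part of Mike's reply, that accepts the three logon-name forms he lists (DOMAIN\user, user@NTDOMAIN, user@REALM) and returns both the Kerberos principal the KDC authenticates and the SID that actually sits in an ACL. The domains, the realm MINUS.COM and the SIDs are constructed sample data; the one-NT-domain-to-one-realm mapping (with the reverse being one-to-many) is the assumption his message states.

```python
from dataclasses import dataclass

# Constructed mapping: each NT domain maps to exactly one Kerberos realm
# (Mike's stated assumption); the reverse is one-to-many.
NT_DOMAIN_TO_REALM = {"SALES-NYC": "MINUS.COM", "ENG-SFO": "MINUS.COM"}
REALM_TO_NT_DOMAINS: dict[str, list[str]] = {}
for _dom, _realm in NT_DOMAIN_TO_REALM.items():
    REALM_TO_NT_DOMAINS.setdefault(_realm, []).append(_dom)

# Constructed accounts keyed by (NT domain, sAMAccountName); SIDs are made up.
ACCOUNTS = {
    ("SALES-NYC", "fred"): "S-1-5-21-1111-2222-3333-1105",
    ("ENG-SFO", "alice"): "S-1-5-21-4444-5555-6666-1201",
    ("SALES-NYC", "bob"): "S-1-5-21-1111-2222-3333-1106",  # same name in
    ("ENG-SFO", "bob"): "S-1-5-21-4444-5555-6666-1202",    # two domains
}

@dataclass(frozen=True)
class Resolved:
    nt_domain: str
    account: str
    principal: str  # user@REALM: the name the KDC authenticates
    sid: str        # what a security descriptor's ACL actually stores

def split_logon_name(name: str) -> tuple[str, str]:
    """Return (namespace, account) from DOMAIN\\user or user@suffix."""
    if "\\" in name:
        ns, acct = name.split("\\", 1)
    elif "@" in name:
        acct, ns = name.rsplit("@", 1)
    else:
        raise ValueError(f"no domain or realm in {name!r}")
    if not ns or not acct:
        raise ValueError(f"malformed logon name {name!r}")
    return ns.upper(), acct.lower()

def resolve(name: str) -> Resolved:
    """Map any of the three forms to (domain, account, principal, SID)."""
    ns, acct = split_logon_name(name)
    if ns in NT_DOMAIN_TO_REALM:
        candidates = [ns]                     # NT domain form: one domain
    elif ns in REALM_TO_NT_DOMAINS:
        candidates = REALM_TO_NT_DOMAINS[ns]  # realm form: maybe several
    else:
        raise LookupError(f"unknown domain or realm {ns!r}")
    hits = [(d, acct) for d in candidates if (d, acct) in ACCOUNTS]
    if len(hits) != 1:  # absent, or ambiguous across domains of one realm
        raise LookupError(f"{name!r} matched {len(hits)} accounts")
    dom, acct = hits[0]
    return Resolved(dom, acct, f"{acct}@{NT_DOMAIN_TO_REALM[dom]}", ACCOUNTS[hits[0]])
```

The realm form is the one that can be ambiguous when two NT domains share a realm, which is why an ACL entry stores the SID resolved from the NT-domain form rather than a name.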


