Authenticating users against w2k3

Markus Moeller huaraz at moeller.plus.com
Fri May 12 02:31:08 EDT 2006


The reason I am asking is that I intend to change the UPN to the email 
address and I would like to understand the effect on any Kerberos authentication 
from Unix or via kfw.

Thanks
Markus

"Luke Howard" <lukeh at padl.com> wrote in message 
news:200605120319.k4C3JHDk024223 at au.padl.com...
>
> Mike,
>
>>I'm not really sure what you're asking but in a windows domain you have
>>two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm
>>like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm
>>serve the same purpose (namespace for accounts) although the Kerberos
>>realm is used primarily (exclusively?) for authentication purposes. I
>>believe an NT domain maps to a realm whereas a realm does not necessarily
>>map back to one domain but they are otherwise largely interchangeable in
>
> This is a bit vague -- I can't think of any examples where the mapping
> between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you
> can come up with a case for W2K3 domain renames but not in the general
> case.
>
> Windows uses the long name if you log on with a UPN, otherwise it uses
> the short name selected in the drop down list box.
>
>>about authentication then I think the Kerberos realm is preferred. If
>>we're talking about ACLs I'm not sure anything but the NT domain form
>>will work as that is what is directly mapped to a SID and SIDs are what
>>go into security descriptors.
>
> The name to SID mapping protocol allows a variety of name types to be
> specified, including UPNs.
>
> -- Luke