"Michael B Allen" writes:

> Active Directory does not use the userPrincipalName attribute to do
> Kerberos authentication. It uses sAMAccountName@dnsRoot.

I just tested against our Active Directory with an account that had both
userPrincipalName and sAMAccountName set to different values and was able
to authenticate using either of the two names via kinit from a Debian
system. Either returned valid tickets for the principal name that I used,
and both had the same password and hence were using the same Active
Directory record.

Russ Allbery (rra@stanford.edu)