Samba-3.0.7-1.3E Active Directory Issues

Luke Howard lukeh at padl.com
Wed Nov 10 02:31:21 GMT 2004


Did some more testing; it appears the behaviour has another
explanation. It appears that the standard Kerberos password salt
algorithm is applied in Windows 2003, just that the source principal
name is different.

Here is what I've been able to deduce from creating a bunch of
different accounts:

Type of account                 Principal for Salting
========================================================================
Computer Account                host/<SAM-Name-Without-$>.realm@REALM
User Account Without UPN        <SAM-Name>@REALM
User Account With UPN           <LHS-Of-UPN>@REALM

Note that if the computer account's SAM account name does not include
the trailing '$', then the entire SAM account name is used as input to
the salting principal. Setting a UPN for a computer account has no
effect.

It seems to me odd that the RHS of the UPN is not used in the salting
principal. For example, a user with UPN foo@mydomain.com in the realm
MYREALM.COM would have a salt of MYREALM.COMfoo. Perhaps this is to
allow a user's UPN suffix to be changed without changing the salt. And
perhaps using the UPN for salting signifies a move away from SAM names
and their associated constraints.

For more information on how UPNs relate to the Kerberos protocol,
see:

http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-krb-wg-kerberos-referrals-02.txt

-- Luke
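The salting rules in the table above, worked through in code. This is an added example and not part of Luke's post or of Samba; it derives the salting principal for each account type, builds the default Kerberos salt (realm followed by the principal name components, as in the MYREALM.COMfoo example), and runs the PBKDF2 step of the RFC 3962 AES string-to-key function so that the effect of a different salt on the derived key is visible. The function names, the lower-casing of the host component and DNS suffix (the table writes `.realm` in lower case; the post does not say whether the SAM name is lower-cased) and the omission of the final DK() step of RFC 3962 are assumptions of this example.

```python
import hashlib


def salting_principal(account_type, sam_name, realm, upn=None):
    """Return the principal name used as input to the Kerberos salt
    algorithm, following the table in the post.

    account_type is "computer" or "user"; upn is the full UPN string
    (e.g. "foo@mydomain.com") or None.
    """
    if account_type == "computer":
        # Trailing '$' is dropped.  If the SAM name has no trailing '$',
        # the whole SAM name is used.  A UPN on a computer account is ignored.
        name = sam_name[:-1] if sam_name.endswith("$") else sam_name
        # ASSUMPTION: host component and DNS suffix are the lower-cased SAM
        # name and realm; the post only shows the ".realm" suffix in lower case.
        return f"host/{name.lower()}.{realm.lower()}@{realm}"
    if account_type == "user":
        if upn:
            # Only the left-hand side of the UPN is used; its suffix is dropped.
            lhs = upn.split("@", 1)[0]
            return f"{lhs}@{realm}"
        return f"{sam_name}@{realm}"
    raise ValueError(f"unknown account type: {account_type!r}")


def kerberos_salt(principal):
    """Default Kerberos salt: the realm followed by the principal's name
    components concatenated without separators (RFC 4120 section 4.1.2).
    For foo@MYREALM.COM this gives MYREALM.COMfoo, as in the post."""
    name, realm = principal.rsplit("@", 1)
    return realm + name.replace("/", "")


def aes256_pbkdf2_key(password, salt, iterations=4096):
    """First step of the RFC 3962 AES256 string-to-key function:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt, 4096 iterations,
    32 bytes of output.  The final DK() step (AES-CBC-CTS over an n-folded
    constant) is omitted here; this is enough to show that the salt, not
    only the password, determines the key."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, 32
    )


def derive(account_type, sam_name, realm, password, upn=None):
    """Convenience wrapper returning (principal, salt, hex key) for one account."""
    principal = salting_principal(account_type, sam_name, realm, upn)
    salt = kerberos_salt(principal)
    return principal, salt, aes256_pbkdf2_key(password, salt).hex()


if __name__ == "__main__":
    # Constructed sample accounts; the password is shared to show that the
    # per-account salt still yields different keys.
    realm = "MYREALM.COM"
    for args in (("user", "foo", realm, "Passw0rd"),
                 ("user", "foo", realm, "Passw0rd", "foo@mydomain.com"),
                 ("computer", "WS01$", realm, "Passw0rd"),
                 ("computer", "WS01$", realm, "Passw0rd", "ws01@mydomain.com")):
        principal, salt, key = derive(*args)
        print(f"{args[1]:8} -> {principal:38} salt={salt:36} key={key[:16]}...")
```

Two accounts with the same password but different salting principals produce different PBKDF2 output, which is why a client that guesses the salt from the wrong principal form (for instance using the SAM name when a UPN is set) will fail to authenticate even with the correct password.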
