Samba-3.0.7-1.3E Active Directory Issues
Markus Moeller
huaraz at moeller.plus.com
Tue Nov 9 21:24:17 GMT 2004
I got some details from MS of how the salt has changed for computer accounts
in 2003:

In 2003 (not sure if it is SP1) computer accounts, and only computer accounts,
take the following salt:

1) For a principal host/testserver.mycountry.mydomain.com@MYREALM.COM mapped
to testserver-host the salt is:
   MYREALM.COMhosttestserver-host.myrealm.com
2) For a principal HTTP/testserver.mycountry.mydomain.com@MYREALM.COM mapped
to testserver-HTTP the salt is:
   MYREALM.COMhosttestserver-HTTP.myrealm.com
3) For a principal root/admin@MYREALM.COM mapped to root-admin the salt is:
   MYREALM.COMhostroot-admin.myrealm.com

assuming the realm MYREALM.COM belongs to the Windows domain myrealm.com.

w2k and user accounts in 2003 are unaffected, e.g.
a principal HTTP/testserver.mycountry.mydomain.com@MYREALM.COM mapped to
testserver-HTTP has the salt:
   MYREALM.COMHTTPtestserver.mycountry.mydomain.com
which is the output of krb5_principal2salt.

The correct salt is also sent in the KERB_error reply under Error Data ->
Preauth data list -> PA-ETYPE-INFO -> encryption type -> PA-PW-SALT if
you fail to authenticate with a keytab.

Does this help?

Regards
Markus

"Jeremy Allison" <jra at samba.org> wrote in message
news:20041027232658.GB8085 at legion.cup.hp.com...
> On Wed, Oct 27, 2004 at 05:02:31PM -0400, Nalin Dahyabhai wrote:
>>
>> I'll be happy to look at anything you have there
>
> I'm still working on it.
>
>> though as you've
>> noticed, I'm not an expert on these things.
>
> You could have fooled me :-). Seriously, congratulations on the work
> you've done so far and the fixes you've tracked down - great work !
>
> Jeremy.
>
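
The two salt forms described in the message above, as an added Python example that is not part of the original post or of Samba's code. It builds both salts and reports which rule matches a salt the KDC returned in PA-PW-SALT; the function names are hypothetical, and principals are written with "@" where the archive shows " at ".

```python
def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (list of name components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return name.split("/"), realm


def default_salt(principal):
    """Realm followed by every name component, with no separators.

    This is the form the message gives as the krb5_principal2salt output.
    """
    components, realm = parse_principal(principal)
    return realm + "".join(components)


def computer_salt_2003(principal, mapped_account, windows_domain):
    """Salt the message reports for Windows 2003 computer accounts:
    realm + 'host' + mapped account name + '.' + Windows domain."""
    _, realm = parse_principal(principal)
    return realm + "host" + mapped_account + "." + windows_domain


def classify_kdc_salt(kdc_salt, principal, mapped_account, windows_domain):
    """Say which rule produced the salt the KDC sent in PA-PW-SALT."""
    if kdc_salt == computer_salt_2003(principal, mapped_account, windows_domain):
        return "computer-2003"
    if kdc_salt == default_salt(principal):
        return "default"
    return "unknown"


if __name__ == "__main__":
    # Inputs copied from the three cases in the message.
    domain = "myrealm.com"
    cases = [
        ("host/testserver.mycountry.mydomain.com@MYREALM.COM", "testserver-host"),
        ("HTTP/testserver.mycountry.mydomain.com@MYREALM.COM", "testserver-HTTP"),
        ("root/admin@MYREALM.COM", "root-admin"),
    ]
    for principal, account in cases:
        print(principal)
        print("  default      :", default_salt(principal))
        print("  computer-2003:", computer_salt_2003(principal, account, domain))
```
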