Samba-3.0.7-1.3E Active Directory Issues
huaraz at moeller.plus.com
Tue Nov 9 21:24:17 GMT 2004
I got some details from MS of how the salt has changed for computer accounts
In 2003 (not sure if it is SP1) computer accounts and only computer accounts
take the following salt:
1) For a principal host/testserver.mycountry.mydomain.com at MYREALM.COM mapped
to testserver-host the salt is:
2) For a principal HTTP/testserver.mycountry.mydomain.com at MYREALM.COM mapped
to testserver-HTTP the salt is:
3) For a principal root/admin at MYREALM.COM mapped to root-admin the salt is:
assuming the realm MYREAL.COM belongs to the windows domain myrealm.com
w2k and user accounts in 2003 are unaffected.e.g.
A principal HTTP/testserver.mycountry.mydomain.com at MYREALM.COM mapped to
testserver-HTTP has the salt:
MYREALM.COMHTTPtestserver.mycountry.mydomian.com which is the output of
The correct salt is also send in the KERB_error reply under Error Data ->
Preauth data list -> PA-ETYPE-INFO -> encryption type -> PA-PW-SALT if
you fail to authenticate with a keytab.
Does this help ?
"Jeremy Allison" <jra at samba.org> wrote in message
news:20041027232658.GB8085 at legion.cup.hp.com...
> On Wed, Oct 27, 2004 at 05:02:31PM -0400, Nalin Dahyabhai wrote:
>> I'll be happy to look at anything you have there
> I'm still working on it.
>> though as you've
>> noticed, I'm not an expert on these things.
> You could have fooled me :-). Seriously, congratulations on the work
> you've done so far and the fixes you've tracked down - great work !
More information about the samba-technical