Samba-3.0.7-1.3E Active Directory Issues

Markus Moeller huaraz at
Tue Nov 9 21:24:17 GMT 2004

I got some details from MS of how the salt has changed for computer accounts 
in 2003:

In 2003 (not sure if it is SP1) computer accounts and only computer accounts 
take the following salt:

1) For a principal host/ at MYREALM.COM mapped 
to testserver-host the salt is:

2) For a principal HTTP/ at MYREALM.COM mapped 
to testserver-HTTP the salt is:

3) For a principal root/admin at MYREALM.COM mapped to root-admin the salt is:

assuming the realm MYREALM.COM belongs to the Windows domain

w2k and user accounts in 2003 are unaffected, e.g.

A principal HTTP/ at MYREALM.COM mapped to 
testserver-HTTP has the salt: which is the output of 

The correct salt is also sent in the KERB_error reply under Error Data ->
Preauth data list -> PA-ETYPE-INFO -> encryption type ->  PA-PW-SALT  if
you fail to authenticate with a keytab.

Does this help ?


"Jeremy Allison" <jra at> wrote in message 
news:20041027232658.GB8085 at
> On Wed, Oct 27, 2004 at 05:02:31PM -0400, Nalin Dahyabhai wrote:
>> I'll be happy to look at anything you have there
> I'm still working on it.
>> though as you've
>> noticed, I'm not an expert on these things.
> You could have fooled me :-). Seriously, congratulations on the work
> you've done so far and the fixes you've tracked down - great work !
> Jeremy.
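
Added example, not part of the original post or of Samba's code: a minimal DER reader that pulls the per-enctype salt out of a PA-ETYPE-INFO value (ETYPE-INFO as defined in RFC 4120), so the salt the KDC advertises can be compared with the one used to build a keytab. It assumes the PA-ETYPE-INFO padata-value bytes were already extracted from the error reply (for example from a packet capture); the function names are hypothetical and the sample bytes and salt are constructed.

```python
# ETYPE-INFO       ::= SEQUENCE OF ETYPE-INFO-ENTRY            (RFC 4120)
# ETYPE-INFO-ENTRY ::= SEQUENCE { etype [0] Int32,
#                                 salt  [1] OCTET STRING OPTIONAL }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_etype_info(der):
    """Return [(etype, salt_or_None), ...] from a DER-encoded ETYPE-INFO."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    entries = []
    for etag, entry in children(body):
        if etag != 0x30:
            raise ValueError("entry is not a SEQUENCE")
        etype, salt = None, None       # salt stays None when the KDC omits it
        for ftag, field in children(entry):
            itag, ival, _ = read_tlv(field, 0)   # unwrap the explicit tag
            if ftag == 0xA0 and itag == 0x02:    # [0] INTEGER etype
                etype = int.from_bytes(ival, "big", signed=True)
            elif ftag == 0xA1 and itag == 0x04:  # [1] OCTET STRING salt
                salt = ival
        if etype is None:
            raise ValueError("entry without etype")
        entries.append((etype, salt))
    return entries

# Constructed sample: etype 3 (des-cbc-md5) with a placeholder salt, then
# etype 23 (rc4-hmac), which carries no salt.
SALT = b"CONSTRUCTED-SALT"
SAMPLE = (bytes.fromhex("30223019a003020103a1120410") + SALT
          + bytes.fromhex("3005a003020117"))
```
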
