Samba-3.0.7-1.3E Active Directory Issues

Huaraz huaraz at moeller.plus.com
Wed Nov 10 06:59:05 GMT 2004


Luke,

thanks for the further clarification.

Markus
----- Original Message ----- 
From: "Luke Howard" <lukeh at padl.com>
To: <lukeh at padl.com>
Cc: <huaraz at moeller.plus.com>; <samba-technical at lists.samba.org>
Sent: Wednesday, November 10, 2004 2:31 AM
Subject: Re: Samba-3.0.7-1.3E Active Directory Issues


>
> Did some more testing, it appears the behaviour has another
> explanation. It appears that the standard Kerberos password salt
> algorithm is applied in Windows 2003, just that the source principal
> name is different.
>
> Here is what I've been able to deduce from creating a bunch of
> different accounts:
>
> Type of account                 Principal for Salting
> ========================================================================
> Computer Account                host/<SAM-Name-Without-$>.realm at REALM
> User Account Without UPN        <SAM-Name>@REALM
> User Account With UPN           <LHS-Of-UPN>@REALM
>
> Note that if the computer account's SAM account name does not include
> the trailing '$', then the entire SAM account name is used as input to
> the salting principal. Setting a UPN for a computer account has no
> effect.
>
> It seems to me odd that the RHS of the UPN is not used in the salting
> principal. For example, a user with UPN foo at mydomain.com in the realm
> MYREALM.COM would have a salt of MYREALM.COMfoo. Perhaps this is to
> allow a user's UPN suffix to be changed without changing the salt. And
> perhaps using the UPN for salting signifies a move away from SAM names and
> their associated constraints.
>
> For more information on how UPNs relate to the Kerberos protocol,
> see:
>
> http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-krb-wg-kerberos-referrals-02.txt
>
> -- Luke
>
> --
> 

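The table in Luke's quoted message describes how Windows 2003 picks the principal name that feeds the standard Kerberos salt. The following is an added worked example, not code from the thread or from Samba: it turns those three rules into a function and then applies the default Kerberos salt construction (realm followed by the name components with no separators, which is what gives the quoted "MYREALM.COMfoo"). The lower-casing of the host part and upper-casing of the realm are assumptions for the computer-account case; the message does not state the letter case, and the constructed account names below are illustrative.

```python
"""Derive the AD salting principal and the default Kerberos salt string.

Rules for choosing the salting principal are taken from the table quoted in
Luke Howard's message; the salt construction is the standard Kerberos default
(RFC 4120: realm name followed by the principal's name components, in order,
with no separators). Sample account names are constructed for illustration.
"""

from typing import Optional


def salting_principal(sam_account_name: str, realm: str,
                      upn: Optional[str] = None,
                      is_computer: bool = False) -> str:
    """Return the principal name Windows 2003 uses as input to salting.

    * Computer account: host/<SAM-name-without-$>.<realm>@REALM.  If the SAM
      name has no trailing '$', the whole SAM name is used.  A UPN set on a
      computer account is ignored.
    * User account with a UPN: <LHS-of-UPN>@REALM (the UPN suffix is dropped).
    * User account without a UPN: <SAM-name>@REALM.

    Assumption (not stated in the message): the host part is lower-cased and
    the realm upper-cased, as in a conventional host/ principal.
    """
    realm = realm.upper()
    if is_computer:
        host = sam_account_name[:-1] if sam_account_name.endswith("$") else sam_account_name
        return f"host/{host.lower()}.{realm.lower()}@{realm}"
    if upn:
        local_part = upn.split("@", 1)[0]
        return f"{local_part}@{realm}"
    return f"{sam_account_name}@{realm}"


def default_salt(principal: str) -> str:
    """Standard Kerberos default salt for a principal string.

    The realm comes first, then every name component concatenated with no
    separators, e.g. host/wks01.example.com@EXAMPLE.COM becomes
    EXAMPLE.COMhostwks01.example.com.
    """
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def salt_for_account(sam_account_name: str, realm: str,
                     upn: Optional[str] = None,
                     is_computer: bool = False) -> str:
    """Convenience wrapper: account attributes -> salt string."""
    return default_salt(salting_principal(sam_account_name, realm, upn, is_computer))


if __name__ == "__main__":
    # Constructed sample accounts, one per row of the quoted table.
    cases = [
        ("WKS01$", "EXAMPLE.COM", None, True),             # computer, with '$'
        ("WKS01", "EXAMPLE.COM", "ignored@x.com", True),   # computer, no '$', UPN ignored
        ("jdoe", "EXAMPLE.COM", None, False),              # user without UPN
        ("fsmith", "MYREALM.COM", "foo@mydomain.com", False),  # user with UPN (as in the message)
    ]
    for sam, realm, upn, is_comp in cases:
        princ = salting_principal(sam, realm, upn, is_comp)
        print(f"{sam:8} -> {princ:40} salt={default_salt(princ)}")
```

A practical use on the Samba side is diagnosing "wrong key" failures: if a keytab entry was generated with a salt built from the SAM name while the KDC salted with the UPN's left-hand side, service tickets will not decrypt even though the password is right. Comparing the salt this function derives with the salt the KDC announces in its pre-authentication error (the PA-ETYPE-INFO2 data) quickly shows which of the two is off.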