Samba-3.0.7-1.3E Active Directory Issues

Huaraz huaraz at
Wed Nov 10 06:59:05 GMT 2004


Thanks for the further clarification.

----- Original Message ----- 
From: "Luke Howard" <lukeh at>
To: <lukeh at>
Cc: <huaraz at>; <samba-technical at>
Sent: Wednesday, November 10, 2004 2:31 AM
Subject: Re: Samba-3.0.7-1.3E Active Directory Issues

> Did some more testing, it appears the behaviour has another
> explanation. It appears that the standard Kerberos password salt
> algorithm is applied in Windows 2003, just that the source principal
> name is different.
> Here is what I've been able to deduce from creating a bunch of
> different accounts:
> Type of account                 Principal for Salting
> ========================================================================
> Computer Account                host/<SAM-Name-Without-$>.realm@REALM
> User Account Without UPN        <SAM-Name>@REALM
> User Account With UPN           <LHS-Of-UPN>@REALM
> Note that if the computer account's SAM account name does not include
> the trailing '$', then the entire SAM account name is used as input to
> the salting principal. Setting a UPN for a computer account has no
> effect.
> It seems to me odd that the RHS of the UPN is not used in the salting
> principal. For example, a user with UPN foo at in the realm
> MYREALM.COM would have a salt of MYREALM.COMfoo. Perhaps this is to
> allow a user's UPN suffix to be changed without changing the salt. And
> perhaps using the UPN for salting signifies a move away from SAM names and
> their associated constraints.
> For more information on how UPNs relate to the Kerberos protocol,
> see:
> -- Luke
> --
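
The salting rules from the table above, worked through as an added Python example (not code from the post or from Samba). The function names and sample account names are hypothetical, and lower-casing the computer name is an assumption the post does not state.

```python
"""Salting principal and salt for the account types in the table above."""


def salting_principal(sam_name, realm, upn=None, is_computer=False):
    """Return (name components, realm) of the principal used for salting."""
    realm = realm.upper()
    if is_computer:
        # A UPN set on a computer account has no effect. Only a trailing '$'
        # is stripped; without one the entire SAM account name is used.
        host = sam_name[:-1] if sam_name.endswith("$") else sam_name
        # The table writes the DNS suffix as lower-case ".realm". Lower-casing
        # the host part too is an assumption, not something the post states.
        return ["host", f"{host.lower()}.{realm.lower()}"], realm
    if upn:
        # Only the left-hand side of the UPN is used; the suffix is ignored,
        # so changing a user's UPN suffix leaves the salt unchanged.
        return [upn.partition("@")[0]], realm
    return [sam_name], realm


def format_principal(components, realm):
    """Render the principal in the usual name/instance@REALM notation."""
    return "/".join(components) + "@" + realm


def kerberos_salt(components, realm):
    """Standard Kerberos salt: realm, then each component, no separators."""
    return realm + "".join(components)


def account_salt(sam_name, realm, upn=None, is_computer=False):
    """Salt string for one account, following the table's three cases."""
    return kerberos_salt(*salting_principal(sam_name, realm, upn, is_computer))


if __name__ == "__main__":
    # Constructed sample accounts; MYREALM.COM is the realm used in the post.
    samples = [
        ("PC1$", None, True),
        ("PC1", None, True),
        ("jdoe", None, False),
        ("foo_sam", "foo@example.test", False),
    ]
    for sam, upn, is_computer in samples:
        parts, realm = salting_principal(sam, "MYREALM.COM", upn, is_computer)
        print(f"{sam:8} {format_principal(parts, realm):34} "
              f"{kerberos_salt(parts, realm)}")
```

A keytab entry whose key was derived with a different salt than the KDC uses will not match for salted encryption types, which is why the choice of salting principal matters when generating keytabs for these accounts.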
