Samba-3.0.7-1.3E Active Directory Issues

Doug VanLeuven roamdad at
Thu Oct 14 22:21:51 GMT 2004

Nalin Dahyabhai wrote:

>I recently spent a chunk of time looking at this, too.  From what I can
>tell, your patch is very much on the right track.  My tests point to AD
>salting passwords which are used for generating keys with salts which
>differ from the ones Samba is using.
>Specifically, for a host "" joined to a domain named
>"AD.EXAMPLE.COM", the salt which AD uses is produced by giving the
>principal-to-salt function "host/ at AD.EXAMPLE.COM".
>This salt is apparently used when generating keys for any service which
>runs on sparky.
If you want to join a computer whose DNS domain is different than the 
REALM, please see this bug report

so sparky would join as HOST/ at AD.EXAMPLE.COM which 
won't work with the native kerberos.  Should be 
HOST/ at AD.EXAMPLE.COM with a domain name mapping of = AD.EXAMPLE.COM in /etc/krb5.conf.

Since I filed the bug report, the workaround I'm using with success is:
1. add the machine to the AD
2. add to the DNS domain
3. use MS adsi edit to add HOST/ and 
CIFS/ to servicePrincipalName in ADS for the machine.

I add the DNS record after the join otherwise my samba managed keytab 
ends up as instead of which 
isn't what a reverse DNS lookup would do.

My 2 cents.

Regards, Doug

More information about the samba-technical mailing list