Samba-3.0.7-1.3E Active Directory Issues

Nalin Dahyabhai nalin at redhat.com
Fri Oct 15 00:03:10 GMT 2004


On Thu, Oct 14, 2004 at 03:21:51PM -0700, Doug VanLeuven wrote:
> Nalin Dahyabhai wrote:
> 
> >I recently spent a chunk of time looking at this, too.  From what I can
> >tell, your patch is very much on the right track.  My tests point to AD
> >salting passwords which are used for generating keys with salts which
> >differ from the ones Samba is using.
> >
> >Specifically, for a host "sparky.example.com" joined to a domain named
> >"AD.EXAMPLE.COM", the salt which AD uses is produced by giving the
> >principal-to-salt function "host/sparky.ad.example.com@AD.EXAMPLE.COM".
> >This salt is apparently used when generating keys for any service which
> >runs on sparky.
>
> If you want to join a computer whose DNS domain is different than the 
> REALM, please see this bug report
> https://bugzilla.samba.org/show_bug.cgi?id=1651

I agree: if your realm name doesn't match your DNS domain name, you're
going to have some weirdness.  Bug #1651 looks very much like #705.

I'm fairly certain that the difference in the selection of the salt is
an unrelated problem.  Elaborating on my example, if the client makes a
request to the KDC for credentials to authenticate to "sparky$",
"SPARKY$", "cifs/sparky.example.com", or even "imap/sparky.example.com",
the KDC will still derive keys for each of those services using the salt
corresponding to "host/sparky.ad.example.com@AD.EXAMPLE.COM".

Nalin
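The salt mismatch Nalin describes, worked through as an added example (this is not code from the thread or from Samba). It builds the RFC 4120 default salt (realm name followed by the principal's name components, no separators) for each principal, then derives the key two ways: the way Samba does it, from the principal's own name, and the way AD is observed to do it, from one "host/" salt for every service on the machine. Assumptions: the password is a constructed stand-in for the machine account secret; AD's "host/<short host>.<realm lowercased>@REALM" rule is generalised from the single example in the message; and the derivation shown is only the first stage of the RFC 3962 AES string-to-key (PBKDF2-HMAC-SHA1), which is enough to show that two different salts yield two different keys.

```python
import hashlib
from typing import Dict, List

# Constructed values taken from the example in the message above.
REALM = "AD.EXAMPLE.COM"
PASSWORD = "constructed-machine-account-password"  # constructed, not a real secret


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: realm name, then the principal name components
    concatenated with no separators ("host/a.b@R" -> "Rhosta.b")."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def ad_host_salt(short_host: str, realm: str) -> str:
    """Salt AD uses for every service on the host, per the observation in the
    thread: derived from host/<short_host>.<realm lowercased>@<REALM>, not from
    the machine's real DNS domain. Assumption: generalised from one example."""
    fqdn = f"{short_host.lower()}.{realm.lower()}"
    return default_salt(f"host/{fqdn}@{realm}")


def string_to_key_stage1(password: str, salt: str,
                         iterations: int = 4096, key_len: int = 16) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the
    password and salt. The final DK(tkey, "kerberos") step needs AES and is
    omitted; it is a pure function of tkey, so a salt mismatch here means a
    key mismatch there as well."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def kdc_vs_samba_keys(password: str, short_host: str, realm: str,
                      principals: List[str]) -> Dict[str, dict]:
    """For each principal, derive the key the way Samba does (salt from the
    principal's own name) and the way AD does (one host/ salt for the whole
    machine) and report whether the two agree."""
    ad_salt = ad_host_salt(short_host, realm)
    ad_key = string_to_key_stage1(password, ad_salt)
    report = {}
    for principal in principals:
        samba_salt = default_salt(principal)
        samba_key = string_to_key_stage1(password, samba_salt)
        report[principal] = {
            "samba_salt": samba_salt,
            "ad_salt": ad_salt,
            "match": samba_key == ad_key,
        }
    return report


if __name__ == "__main__":
    principals = [
        "sparky$@AD.EXAMPLE.COM",
        "cifs/sparky.example.com@AD.EXAMPLE.COM",
        "imap/sparky.example.com@AD.EXAMPLE.COM",
        "host/sparky.ad.example.com@AD.EXAMPLE.COM",
    ]
    for principal, row in kdc_vs_samba_keys(PASSWORD, "sparky", REALM, principals).items():
        status = "keys agree" if row["match"] else "KEY MISMATCH"
        print(f"{principal:45s} samba salt={row['samba_salt']!r:50s} {status}")
```

Only the principal whose own default salt equals the host/ salt comes out with a matching key; for "sparky$", "cifs/..." and "imap/..." the KDC and Samba would hold different keys for the same password, which is the decryption failure the thread is chasing. Note that this concerns salted enctypes (DES at the time of the thread, AES later); RC4-HMAC keys are the unsalted MD4 of the UTF-16LE password, so a deployment that negotiates only RC4-HMAC would not observe the mismatch.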

