Samba-3.0.7-1.3E Active Directory Issues
nalin at redhat.com
Fri Oct 15 00:03:10 GMT 2004
On Thu, Oct 14, 2004 at 03:21:51PM -0700, Doug VanLeuven wrote:
> Nalin Dahyabhai wrote:
> >I recently spent a chunk of time looking at this, too. From what I can
> >tell, your patch is very much on the right track. My tests point to AD
> >salting passwords which are used for generating keys with salts which
> >differ from the ones Samba is using.
> >Specifically, for a host "sparky.example.com" joined to a domain named
> >"AD.EXAMPLE.COM", the salt which AD uses is produced by giving the
> >principal-to-salt function "host/sparky.ad.example.com at AD.EXAMPLE.COM".
> >This salt is apparently used when generating keys for any service which
> >runs on sparky.
> If you want to join a computer whose DNS domain is different than the
> REALM, please see this bug report
I agree: if your realm name doesn't match your DNS domain name, you're
going to have some weirdness. Bug #1651 looks very much like #705.
I'm fairly certain that the difference in the selection of the salt is
an unrelated problem. Elaborating on my example, if the client makes a
request to the KDC for credentials to authenticate to "sparky$",
"SPARKY$", "cifs/sparky.example.com", or even "imap/sparky.example.com",
the KDC will still derive keys for each of those services using the salt
corresponding to "host/sparky.ad.example.com at AD.EXAMPLE.COM".
More information about the samba-technical