Samba-3.0.7-1.3E Active Directory Issues

Nalin Dahyabhai nalin at
Fri Oct 15 00:03:10 GMT 2004

On Thu, Oct 14, 2004 at 03:21:51PM -0700, Doug VanLeuven wrote:
> Nalin Dahyabhai wrote:
> >I recently spent a chunk of time looking at this, too.  From what I can
> >tell, your patch is very much on the right track.  My tests point to AD
> >salting passwords which are used for generating keys with salts which
> >differ from the ones Samba is using.
> >
> >Specifically, for a host "" joined to a domain named
> >"AD.EXAMPLE.COM", the salt which AD uses is produced by giving the
> >principal-to-salt function "host/ at AD.EXAMPLE.COM".
> >This salt is apparently used when generating keys for any service which
> >runs on sparky.
> If you want to join a computer whose DNS domain is different than the 
> REALM, please see this bug report

I agree: if your realm name doesn't match your DNS domain name, you're
going to have some weirdness.  Bug #1651 looks very much like #705.

I'm fairly certain that the difference in the selection of the salt is
an unrelated problem.  Elaborating on my example, if the client makes a
request to the KDC for credentials to authenticate to "sparky$",
"SPARKY$", "cifs/", or even "imap/",
the KDC will still derive keys for each of those services using the salt
corresponding to "host/ at AD.EXAMPLE.COM".


More information about the samba-technical mailing list