Samba-3.0.7-1.3E Active Directory Issues
roamdad at sonic.net
Wed Oct 20 11:19:26 GMT 2004
Nalin Dahyabhai wrote:
>My experiments suggest that the servicePrincipalName is only used for
>retrieving the computer account's password. Once the computer's
>password is determined, the servicePrincipalName and dnsHostName values
>in the computer account entry seem to have no impact on the derivation
>of the key. The machine name and realm name appear to be the only
>values which influence things.
OK. In the KDC's ERR_PREAUTH_REQUIRED response to the initial AS-REQ
for the TGT, PA-ENCTYPE-INFO, Salt shows the KDC using
NT.LDXNET.COMhostlinx.nt.ldxnet.com instead of
>>It works to join a windows box to the REALM from outside the AD DNS
>>domain and have Kerberos work, it's just that since the
>>servicePrincipalName is only assigned on re-boot of the machine, a
>>security setting has to be changed to allow the re-booting machine to
>>pick its own domain instead of being assigned one by the DC or
>You've lost me here. Are you saying that a Windows host attempts to set
>(or reset) its servicePrincipalName values every time it's booted, and
>that there's a configuration flag somewhere on the server which needs to
>be toggled for this to be allowed?
Uncheck the box for "Change primary DNS suffix when domain membership
Join the w2k workstation to the domain
Shut down the computer.
Dump the entry for the workstation in the AD
dNSHostName and servicePrincipalName have not yet been created.
They will be created on the first boot of the w2k workstation after the
Can't say if it would happen on subsequent boots.
To do this, the OU security requires SELF - "Read DNS Host name
attributes" and "Write DNS Host name attributes". Inheritance gives
this right to the computers in the OU.
There was a writeup from MS, but I can't find it anymore.
For my purposes, I needed to find out if there was some unknown issue
lurking to sandbag me after a production rollout and I now know there
isn't. It would be nice to join the REALM from a different DNS domain,
but I can live with that. I just wish it was better publicized along
with the consequences. I have half a mind to open a support incident
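Added illustration, not code from this samba-technical post or from Samba: a small Python script that rebuilds the computer-account salt from the realm and machine name alone, as the discussion above describes, and checks it against the salt value seen in the KDC's PA-ENCTYPE-INFO. The salt layout it assumes (the realm, then the name components of host/<name>.<realm> with no separators) is the standard Kerberos default salt and agrees with the NT.LDXNET.COMhostlinx.nt.ldxnet.com value quoted above; the machine name "linx" is read off that value. The PBKDF2 stage is only the first step of the RFC 3962 AES string-to-key function and is included to show that the salt feeds the key, not as the full derivation; the password is a constructed sample.

```python
"""Rebuild the Kerberos salt Active Directory uses for a computer account
and compare it with the salt the KDC advertises in PA-ENCTYPE-INFO.
Added illustration; not code from the samba-technical post or from Samba."""
import hashlib


def ad_computer_salt(realm: str, machine_name: str) -> str:
    """Default Kerberos salt for a computer account: the realm (upper case)
    followed by the name components of host/<name>.<realm> with no
    separators.  Only the realm and the machine name go in; the
    servicePrincipalName and dNSHostName attributes are never consulted.
    A trailing '$' (sAMAccountName form) is dropped and the host part is
    lower-cased, matching the value the KDC sends."""
    name = machine_name.rstrip("$").lower()
    return realm.upper() + "host" + name + "." + realm.lower()


def ad_user_salt(realm: str, username: str) -> str:
    """For comparison: a user account's default salt is REALM followed by
    the account name as stored in sAMAccountName."""
    return realm.upper() + username


def check_kdc_salt(observed_salt: str, realm: str, machine_name: str) -> dict:
    """Compare the salt taken from the KDC's PA-ENCTYPE-INFO reply with the
    value derived from realm and machine name alone.  A mismatch points at
    a wrong realm or machine name, not at the DNS suffix the host lives in."""
    expected = ad_computer_salt(realm, machine_name)
    return {
        "observed": observed_salt,
        "expected": expected,
        "matches": observed_salt == expected,
    }


def aes_prekey(password: str, salt: str, key_bytes: int = 16) -> bytes:
    """First stage of the RFC 3962 (AES) string-to-key function:
    PBKDF2-HMAC-SHA1 over the password with the Kerberos salt, 4096
    iterations.  The final DK step is omitted; this stage alone shows that
    any change in the salt changes the resulting key material."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, key_bytes)


if __name__ == "__main__":
    # Values from the post: realm NT.LDXNET.COM, machine name linx.
    # The password below is a constructed sample, not a real machine password.
    observed = "NT.LDXNET.COMhostlinx.nt.ldxnet.com"
    print(check_kdc_salt(observed, "NT.LDXNET.COM", "LINX$"))
    # A salt built from some other DNS suffix does not match what the KDC sent,
    # which is the point of the thread: only realm and machine name matter.
    other_suffix = "NT.LDXNET.COM" + "host" + "linx.example.org"
    print(other_suffix == observed)
    print(aes_prekey("sample-machine-pw", observed).hex())
    print(aes_prekey("sample-machine-pw", other_suffix).hex())
```

Run it as-is to see the match against the value from the thread; swap in a salt captured from your own KDC's PA-ENCTYPE-INFO (tcpdump/Wireshark show it in the KRB-ERROR) and the realm and machine name you joined with to check a host that fails to authenticate after joining from a different DNS domain.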