Summary of DES salt for 2000 & 2003

Dave Daugherty dave.daugherty at
Fri Jul 7 17:00:26 GMT 2006

> From: Gerald (Jerry) Carter Friday, July 07, 2006 9:43 AM

> - From the "I-hate-DES-keys-department":

> Dave,

> Here's what I've been able to confirm (no surprises):

>	The DES salt for machine accounts is always
>	"strlower(host/${cn}.${REALM}) + @${REALM}"
>	with the exception of Win2k DCs, when the salt
>	is the UPN attribute (if present).

> I assuming but have not confirmed yet is that the UPN
> behavior is based on the domain functional level.  So that
> a domain with Windows 2000 and 2003 DCs would have a
> domain functional level of "Windows 2000" and therefore
> honor the UPN attibute for salt.

Yes that agrees with my investigations.  I did not try a mixed 2K / 2K3
environment, but I suspect you are right.

As Andrew says, the only way to be sure is to coerce the Windows KDC
into telling you what the salt is.   But that requires Kerberos API mods
to get it to return it.

To coerce Windows KDC...

You either don't supply preauth data up front (at which time Windows
will send back the salt along with a PREAUTH REQUIRED error - which can
then be used to generate the preauth data, and is available to return to
the application), or by supply enctype RC4-HMAC as the primary and DES
variants as secondary encs.  In this case, if the DES bit is set on the
computer account, the Windows KDC will reject the RC4-HMAC preauth but
will tell you the enctypes it supports along with the salt.


cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE -


More information about the samba-technical mailing list