Summary of DES salt for 2000 & 2003

Gerald (Jerry) Carter jerry at
Fri Jul 7 21:38:35 GMT 2006

Dave Daugherty wrote:

>> I am assuming, but have not confirmed yet, that the UPN
>> behavior is based on the domain functional level.  So that
>> a domain with Windows 2000 and 2003 DCs would have a
>> domain functional level of "Windows 2000" and therefore
>> honor the UPN attribute for salt.
> Yes that agrees with my investigations.  I did not try 
> a mixed 2K / 2K3 environment, but I suspect you are right.

Just confirming that a "Windows 2000 native domain" with
mixed 2000 and 2003 DCs does follow the salting rules for

For the record:

Windows 2003 provides a MsDs-Behavior-Version attribute
in the partitions object that specifies the functional
level for the forest.  Windows 2003 also provides a few
attributes in the rootDSE:

  domainFunctionality: 0
  forestFunctionality: 0
  domainControllerFunctionality: 2

So in order to determine the functional level of a domain,
query the rootDSE for the above listed attributes.  If they
are not present, you know it's a Windows 2000 functional domain.
Our set_dc_type_and_flags() call which uses the
DsGetPrimaryDomInfo() can tell you mixed or native but we
really don't care about that for DES keys.

If the attributes are present, then just look at the value
of domainFunctionality.  If it is anything but 0, use the
Windows 2003 DES salting algorithm.

For more information, see

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian