Finishing up the new ads join code [was Re: svn commit: samba
dave.daugherty at centrify.com
Tue May 16 16:01:52 GMT 2006
Luke Howard wrote:
>> * Setting the UPN. Still thinking about this one...
>> Do you really need to set the UPN? What are
>> you setting it to?
> The original comment in the code said something about
> needing a UPN to be able to do a 'kinit -k' but I'm not
> sure I believe that. I thought the sAMAccountName
> would work but I haven't dug into this issue yet.

For what it is worth, the results of my humble researches:

Win 2K Servers - if the Computer Account UPN is set, it is used as the
DES Salt. If the UPN is NOT set, the Service Principal Name is used.

Win 2k3 Servers - Computer account UPN is always ignored and the Service
Principal Name is used as DES Salt.

Because of the above nonsense, we at Centrify wound up modifying the MIT
Kerberos libraries to recover the salt from the wire (AS-REQ
"Preauthentication Required Response" and "No Supp for Encryption" type
will tell you what the salt is).

We do not set the UPN on the computer account, unless we are
interoperating with Samba - then we set it, because Samba needs it.
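
Reading the salt from the wire instead of deriving it from the UPN or SPN, as described in the message above, shown as an added example that is not part of the original post and is not Centrify's, MIT's or Samba's code. It assumes the KDC advertises the salt in a PA-ETYPE-INFO value as defined in RFC 4120; the function names, the sample bytes and the salt string are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_etype_info(der):
    """ETYPE-INFO ::= SEQUENCE OF SEQUENCE { etype [0] Int32, salt [1] OCTET STRING OPTIONAL }"""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ETYPE-INFO must be a SEQUENCE")
    salts = {}
    for tag, entry in children(body):
        if tag != 0x30:
            raise ValueError("ETYPE-INFO-ENTRY must be a SEQUENCE")
        etype = salt = None
        for ctx, wrapped in children(entry):
            inner_tag, inner, _ = read_tlv(wrapped, 0)
            if ctx == 0xA0 and inner_tag == 0x02:    # [0] INTEGER etype
                etype = int.from_bytes(inner, "big", signed=True)
            elif ctx == 0xA1 and inner_tag == 0x04:  # [1] OCTET STRING salt
                salt = inner
        if etype is None:
            raise ValueError("entry without etype")
        salts[etype] = salt  # None means the KDC sent no salt for this enctype
    return salts

def tlv(tag, value):  # encode a short (<128 byte) DER element; sample builder only
    return bytes([tag, len(value)]) + value

# Constructed sample: DES (etype 3) with a made-up salt, RC4 (etype 23) with none.
SALT = b"EXAMPLE.COMhostpc01.example.com"
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x03")) + tlv(0xA1, tlv(0x04, SALT)))
                   + tlv(0x30, tlv(0xA0, tlv(0x02, b"\x17"))))
```

A client that feeds the returned salt for the chosen enctype into string-to-key does not need to know whether the server salted with the UPN or the Service Principal Name.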