Finishing up the new ads join code [was Re: svn commit: samba r15543...]

Gerald (Jerry) Carter jerry at
Tue May 16 16:06:57 GMT 2006

Dave Daugherty wrote:

> Win 2K Servers - if the Computer Account UPN is set, 
> it is used as the DES Salt.  If the UPN is NOT set, the
> Service Principal Name is used.

Thanks.  Good to know.  But the UPN is never set when a
Windows client joins.

> Win 2k3 Servers - Computer account UPN is always ignored 
> and the Service Principal Name is used as DES Salt.

Makes more sense.

> Because of the above nonsense, we at Centrify wound up 
> modifying the MIT Kerberos libraries to recover the
> salt from the wire (AS-REQ "Preauthentication Required
> Response" and "No Supp for Encryption" type will tell
> you what the salt is).
> We do not set the UPN on the computer account, 
> unless we are interoperating with Samba - then we
> set it, because Samba needs it.

?????  <looks up and beats his chest at the heavens...>
Why do *we* need it ?  That sounds completely bogus.

(not you Dave, that requirement).

If we do, I don't think we'll need it much longer....

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian