Maybe Linux is doing a different type of salting then I'm familiar with. I thought salting was like this: SALT + Password = hash All you do is you put the salt unique id with the password (beginning, end, middle...wherevever). Then you make a hash out of it. You don't need to know the salt. as the entire salt+password is hashed. once you break the hash you now have the salt+password.
My understanding of Rainbow is that it uses the entire string as the password. It assumes there is no salt. It will then find a string that hashes into the hash it is given. It will then return this as a password. The key to this is that it assumes no salt is given. Also, you, as a breaker, would not know how long the salt string is. Rainbow is producing a password based on a 12-char password, rather than a 4-cahr salt+8-char password. It doesn't know to look at only the portion of the given hash to produce a portion of a password.