[31447] in Kerberos


Re: msktutil problem with Windows 2008

daemon@ATHENA.MIT.EDU (Markus Moeller)
Wed Sep 2 22:28:47 2009

From: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <mailman.48.1251902470.12456.kerberos@mit.edu>
Date: Thu, 3 Sep 2009 00:17:24 +0100
MIME-Version: 1.0
Message-ID: <vdKdnZRaFfHJYAPXnZ2dnUVZ8uydnZ2d@brightview.co.uk>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


"Douglas E. Engert" <deengert@anl.gov> wrote in message 
news:mailman.48.1251902470.12456.kerberos@mit.edu...
> Markus Moeller wrote:
>> I found the problem with msktutil. It uses the wrong salt. For a computer 
>> name with uppercase parts (e.g. squid-HTTP) it uses 
>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of 
>> DOM.LOCALhostsquid-http.dom.local.
>
> I would like to reword this...
>
> Windows AD appears to generate a salt for computer accounts using the
> concatenation of:
>    uppercase(domain) "host" lowercase(SAMAccountName) "." 
> lowercase(domain)
>
> But msktutil was using:
>    uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>
> So this would only be a problem for accounts where the account name had
> mixed case.
> The circumvention is to use msktutil --computername some-lowercase-name,
> i.e. always use lower case for the computer name.
>
> Windows 2003 does the same thing. All of our computer accounts had been
> lowercase, so we never ran across this problem.
>

Also on 2003 you mainly use RC4, which doesn't use a salt.  I assume you will 
create a version 8 of msktutil. If so, can you fix the VERBOSE calls?

--- msktkrb5.c  2007-12-22 14:02:40.000000000 +0000
+++ msktkrb5.c.new      2009-09-03 00:13:55.000000000 +0100
@@ -446,7 +446,7 @@
                        }
                }

-               VERBOSE("    Using salt of %s", (char *) salt.data);
+               VERBOSE("    Using salt of %.*s", salt.length, (char *) 
salt.data);
                pass.data = flags->password;
                pass.length = PASSWORD_LEN;
                ret = krb5_string_to_key(flags->context, &eblock, &key, 
&pass, &salt);
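Review bot: the precision argument of `%.*s` must be an `int`, but `salt.length` in a krb5_data is an unsigned type (`unsigned int` in MIT krb5, whose `krb5_string_to_key()` this branch calls), so it should be passed as `(int) salt.length` to keep the variadic argument type correct. The change itself is the right one: `salt.data` is not NUL-terminated, so the old `%s` read past the end of the salt buffer and could print whatever followed it.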
@@ -501,7 +501,7 @@
                        }
                }

-               VERBOSE("    Using salt of %s", (char *) 
salt.saltvalue.data);
+               VERBOSE("    Using salt of %.*s", salt.saltvalue.length, 
(char *) salt.saltvalue.data);
                pass.data = &(flags->password[0]);
                pass.length = PASSWORD_LEN;
                ret = krb5_string_to_key_data_salt(flags->context, eblock, 
pass, salt, &key);
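Review bot: same precision-type issue as in the first hunk, and more acute here: this is the Heimdal path (`krb5_string_to_key_data_salt`), where `krb5_data.length` is a `size_t`, so on a 64-bit build passing it for the `int` precision of `%.*s` is a variadic type mismatch (8-byte argument read as a 4-byte `int`); write `(int) salt.saltvalue.length`. Otherwise the fix is correct for the same reason as above: `saltvalue.data` carries no terminator.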


Regards
Markus 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
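As an added example that is not part of the original thread or of msktutil, the following script reproduces the computer-account salt rule Doug Engert describes (uppercase realm, "host", lowercased account name, ".", lowercased realm) beside the non-lowercasing rule the old msktutil used, and runs both salts through the PBKDF2 stage of RFC 3962 string-to-key for aes128-cts-hmac-sha1-96 to show that the key material differs only when the name has mixed case. Two things are assumptions not stated on the page: the trailing `$` that AD appends to computer sAMAccountNames is stripped before salting (the thread's example salt carries none), and the machine password is a constructed string (AD really sets a long random one). The final DK() step of string-to-key, which needs AES, is left out because a salt mismatch is already visible in the PBKDF2 output; rc4-hmac keys are MD4 over the UTF-16LE password and take no salt, which is why the bug stayed hidden on 2003.

```python
"""AD computer-account salt derivation and the msktutil mixed-case mismatch.

Added example, not msktutil code. The '$' strip and the sample password are
assumptions; only the PBKDF2 stage of RFC 3962 string-to-key is computed.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # RFC 3962 default iteration count
AES128_KEY_BYTES = 16      # aes128-cts-hmac-sha1-96 intermediate key size


def _strip_dollar(sam_account_name: str) -> str:
    """Computer accounts are named 'HOST$'; the salt uses the name without '$'.
    Assumption: the page's example salt has no '$', so it is stripped here."""
    if sam_account_name.endswith("$"):
        return sam_account_name[:-1]
    return sam_account_name


def ad_computer_salt(realm: str, sam_account_name: str) -> str:
    """Salt AD generates for computer accounts, as described in the thread:
    uppercase(realm) + "host" + lowercase(name) + "." + lowercase(realm)."""
    name = _strip_dollar(sam_account_name)
    return f"{realm.upper()}host{name.lower()}.{realm.lower()}"


def msktutil_old_salt(realm: str, sam_account_name: str) -> str:
    """Salt the old msktutil computed: identical except the name keeps its case."""
    name = _strip_dollar(sam_account_name)
    return f"{realm.upper()}host{name}.{realm.lower()}"


def pbkdf2_stage(password: str, salt: str) -> bytes:
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8
    password and salt, yielding the 16-byte intermediate key for aes128.
    The DK() step that follows in the RFC is omitted (it needs AES)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS,
                               AES128_KEY_BYTES)


def keys_match(realm: str, sam_account_name: str, password: str) -> bool:
    """True when the old msktutil salt yields the key material AD expects,
    i.e. when the keytab written by the old code would actually decrypt
    tickets issued for this account."""
    expected = pbkdf2_stage(password, ad_computer_salt(realm, sam_account_name))
    produced = pbkdf2_stage(password, msktutil_old_salt(realm, sam_account_name))
    return expected == produced


if __name__ == "__main__":
    # Constructed sample values; AD really sets a long random machine password.
    realm, password = "dom.local", "constructed-machine-password"
    for name in ("squid-HTTP$", "squid-http$"):
        print(f"{name:12} AD salt:       {ad_computer_salt(realm, name)}")
        print(f"{'':12} old msktutil:  {msktutil_old_salt(realm, name)}")
        print(f"{'':12} key material matches: {keys_match(realm, name, password)}")
```

Running it prints the two salts from the thread for `squid-HTTP$` (differing only in the case of the host part) and reports that the derived key material matches for the all-lowercase name but not for the mixed-case one, which is exactly the symptom the workaround of always passing a lowercase `--computername` avoids.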
