[31448] in Kerberos
Re: msktutil problem with Windows 2008
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Sep 3 09:20:23 2009
Message-ID: <4A9FC276.9010107@anl.gov>
Date: Thu, 03 Sep 2009 08:19:50 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Markus Moeller <huaraz@moeller.plus.com>
In-Reply-To: <vdKdnZRaFfHJYAPXnZ2dnUVZ8uydnZ2d@brightview.co.uk>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Markus Moeller wrote:
> "Douglas E. Engert" <deengert@anl.gov> wrote in message
> news:mailman.48.1251902470.12456.kerberos@mit.edu...
>> Markus Moeller wrote:
>>> I found the problem with msktutil. It uses the wrong salt. For a computer
>>> name with uppercase parts (e.g. squid-HTTP) it uses
>>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
>>> DOM.LOCALhostsquid-http.dom.local.
>> I would like to reword this...
>>
>> Windows AD appears to generate a salt for computer accounts using the
>> concatenation of:
>> uppercase(domain) "host" lowercase(SAMAccountName) "."
>> lowercase(domain)
>>
>> But msktutil was using:
>> uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>>
>> So this would only be a problem for accounts where the account name had
>> mixed case.
>> The circumvention is to use msktutil --computername some-lowercase-name,
>> i.e. always use lower case for the computer name.
>>
>> Windows 2003 does the same thing. All of our computer accounts had been
>> lowercase, so we never ran across this problem.
>>
>
> Also on 2003 you mainly use RC4, which doesn't use a salt. I assume you will
> create a version 8 of msktutil. If so, can you fix the VERBOSE calls?
Yes, but not soon. I will add your fix. Thanks.
>
> --- msktkrb5.c 2007-12-22 14:02:40.000000000 +0000
> +++ msktkrb5.c.new 2009-09-03 00:13:55.000000000 +0100
> @@ -446,7 +446,7 @@
> }
> }
>
> - VERBOSE(" Using salt of %s", (char *) salt.data);
> + VERBOSE(" Using salt of %.*s", salt.length, (char *)
> salt.data);
> pass.data = flags->password;
> pass.length = PASSWORD_LEN;
> ret = krb5_string_to_key(flags->context, &eblock, &key,
> &pass, &salt);
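Review bot: the precision argument for `%.*s` must be an `int`, but `salt.length` in MIT's `krb5_data` is an `unsigned int`, so the new VERBOSE line should cast it explicitly, e.g. `VERBOSE(" Using salt of %.*s", (int) salt.length, (char *) salt.data);`, which keeps the varargs type correct and avoids format warnings. Also, the mail client wrapped the `+` line in two, so this patch will not apply as pasted until `salt.data);` is rejoined to the line above it.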
> @@ -501,7 +501,7 @@
> }
> }
>
> - VERBOSE(" Using salt of %s", (char *)
> salt.saltvalue.data);
> + VERBOSE(" Using salt of %.*s", salt.saltvalue.length,
> (char *) salt.saltvalue.data);
> pass.data = &(flags->password[0]);
> pass.length = PASSWORD_LEN;
> ret = krb5_string_to_key_data_salt(flags->context, eblock,
> pass, salt, &key);
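Review bot: the same cast is needed here, and it matters more: `salt.saltvalue.length` in Heimdal's `krb5_data` is a `size_t`, while `%.*s` pulls an `int` from the varargs, so on an LP64 build the sizes differ and the printed salt or the following argument can be read wrongly; use `VERBOSE(" Using salt of %.*s", (int) salt.saltvalue.length, (char *) salt.saltvalue.data);`. The `-` and `+` lines are again wrapped across two lines in the mail and need rejoining before the hunk will apply.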
>
>
> Regards
> Markus
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
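The salt rule the thread settles on can be checked without a domain controller. The following is an added example, not code from msktutil or from either poster: it builds the AD computer-account salt as described above (uppercase domain, "host", lowercase account name, ".", lowercase domain), builds the salt the pre-fix msktutil produced (account name case preserved), and runs both through the PBKDF2 step of the RFC 3962 AES string-to-key to show that the two salts yield different key material whenever the computer name has mixed case. It also goes one step past the thread by showing that the AD salt is exactly the RFC 4120 default salt (realm followed by the name components, no separators) for the lowercased host principal. Assumptions: the computer name is given without its trailing "$", as in the thread's "squid-HTTP" example; the password is invented; and the final DK(key, "kerberos") step of RFC 3962 is omitted, since it does not affect whether two salts agree.

```python
"""Reproduce the AD computer-account salt rule from the msktutil thread and
show why a mixed-case computer name breaks key agreement (added example)."""
import hashlib

RFC3962_ITERATIONS = 4096  # default PBKDF2 iteration count for aes*-cts-hmac-sha1-96


def ad_computer_salt(domain: str, computer_name: str) -> str:
    """Salt AD uses for a computer account, per the rule stated in the thread:
    uppercase(domain) + "host" + lowercase(name) + "." + lowercase(domain).
    Assumption: computer_name is the sAMAccountName without its trailing '$'
    (a trailing '$' is stripped if present)."""
    name = computer_name.rstrip("$").lower()
    return f"{domain.upper()}host{name}.{domain.lower()}"


def msktutil_pre_fix_salt(domain: str, computer_name: str) -> str:
    """Salt the thread says the old msktutil built: name case is preserved."""
    name = computer_name.rstrip("$")
    return f"{domain.upper()}host{name}.{domain.lower()}"


def default_salt(realm: str, *components: str) -> str:
    """RFC 4120 default salt: realm followed by the principal's name components,
    concatenated with no separators."""
    return realm + "".join(components)


def aes_key_material(password: str, salt: str, key_len: int = 16) -> bytes:
    """First step of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8
    password and salt. The real enctype key is DK(this, "kerberos"); that step is
    omitted here (assumption) because it cannot make two different inputs agree."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), RFC3962_ITERATIONS, key_len)


def compare_salts(domain: str, computer_name: str, password: str) -> dict:
    """Return both salts and whether the key material derived from them matches."""
    ad = ad_computer_salt(domain, computer_name)
    old = msktutil_pre_fix_salt(domain, computer_name)
    return {
        "ad_salt": ad,
        "msktutil_salt": old,
        "keys_match": aes_key_material(password, ad) == aes_key_material(password, old),
    }


if __name__ == "__main__":
    # Constructed sample: the host name from the thread plus an invented machine password.
    for name in ("squid-HTTP", "squid-http"):
        r = compare_salts("dom.local", name, "Machine-P4ssw0rd")
        print(f"{name:11s} AD salt={r['ad_salt']}  "
              f"msktutil salt={r['msktutil_salt']}  keys match={r['keys_match']}")
```

Running it prints `keys match=False` for `squid-HTTP` and `True` for `squid-http`, which is the whole bug in one line: with a mixed-case name the key msktutil wrote into the keytab is derived from a different salt than the key AD holds for the account, and the lowercase workaround removes the difference. The `default_salt` check is why the AD-derived salt is no surprise: once the host name is lowercased, AD is simply using the default Kerberos salt for `host/squid-http.dom.local@DOM.LOCAL`.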