[19824] in Kerberos_V5_Development
Creating a keytab for an AD user
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sun Sep 23 11:05:28 2018
Message-ID: <D0B3DA50EAD64FC59AC7581EBA9CCC33@Ultrabook1>
From: "Markus Moeller" <huaraz@moeller.plus.com>
To: <krbdev@mit.edu>
Date: Sun, 23 Sep 2018 16:05:03 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi Development Team,
Are you aware of a change in the salt of AD users ?
I could do the following for AD in the past and can still do it for a Samba server:
#ktutil
ktutil: addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
Password for markus@SAMBA.HOME:
ktutil: wkt markus.keytab
ktutil: exit
#kinit -kt markus.keytab markus
#
klist -e
Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
Default principal: markus@SAMBA.HOME
Valid starting Expires Service principal
23/09/18 15:56:34 24/09/18 01:56:34 krbtgt/SAMBA.HOME@SAMBA.HOME
renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
But when I try to perform the same against AD 2012 It fails and when I look at the details I see the salt is not what I expect i.e. it is not DOMAINuser, but DOMAINfullname.
Is that a known change (i.e. which AD attribute is used instead of the user id) and can ktutil addent get an option to set the salt ?
Thank you
Markus
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev