[19827] in Kerberos_V5_Development


Re: Creating a keytab for an AD user

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Mon Sep 24 04:05:08 2018

To: krbdev@mit.edu
From: Mark Pröhl <mark@mproehl.net>
Message-ID: <784ba1a8-9f7e-61cc-a195-277a86d1448e@mproehl.net>
Date: Mon, 24 Sep 2018 10:04:38 +0200
In-Reply-To: <D0B3DA50EAD64FC59AC7581EBA9CCC33@Ultrabook1>

Hi,

msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:

https://github.com/msktutil/msktutil/blob/master/windows-salt.txt

Salting differs for machine accounts and user accounts. For user
accounts it turned out to be a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.

What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?

Regards,

Mark Pröhl

On 09/23/2018 05:05 PM, Markus Moeller wrote:
> Hi Development Team,
> 
>     Are you aware of a change in the salt of AD users?
> 
>     I could do the following for AD in the past and can still do it for a Samba server:
> 
> #ktutil
> ktutil:  addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
> Password for markus@SAMBA.HOME:
> ktutil:  wkt markus.keytab
> ktutil:  exit
> #kinit -kt markus.keytab markus
> #
> klist -e
> Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
> Default principal: markus@SAMBA.HOME
> 
> Valid starting     Expires            Service principal
> 23/09/18 15:56:34  24/09/18 01:56:34  krbtgt/SAMBA.HOME@SAMBA.HOME
>         renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 
> 
>   But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser, but DOMAINfullname.
> 
>   Is that a known change (i.e. which AD attribute is used instead of the user id) and can ktutil addent get an option to set the salt?
> 
> Thank you
> Markus
> 
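The ktutil addent step quoted above turns the typed password plus a salt into the keytab key, and kinit only succeeds if that salt matches the one the KDC used. As an added example (not code from the thread, from MIT Kerberos or from msktutil), the following Go program implements the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key function (PBKDF2-HMAC-SHA1, then the RFC 3961 DK step with the "kerberos" constant) and applies it to one constructed password under the RFC 4120 default salt (realm followed by the principal name, the "DOMAINuser" form) and under a hypothetical UPN-derived salt; the password and both salt strings are constructed, and which salt AD actually picks is exactly the question the thread leaves open.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// 128-bit n-fold of "kerberos" (RFC 3961 5.1), the DK usage constant for AES.
var nfoldKerberos = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, 0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898) producing keyLen bytes.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(binary.BigEndian.AppendUint32(append([]byte{}, salt...), block)) // S || INT(block)
		u := mac.Sum(nil)                                                          // U_1
		t := append([]byte{}, u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1}); T = U_1 xor ... xor U_c
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aes256StringToKey is the aes256-cts-hmac-sha1-96 string-to-key of RFC 3962:
// tkey = PBKDF2(pw, salt, 32 bytes); key = DK(tkey, "kerberos") = E(tkey, nfold) || E(tkey, K1).
func aes256StringToKey(password, salt string, iterations int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, 32)
	c, _ := aes.NewCipher(tkey) // cannot fail: tkey is exactly 32 bytes
	key := make([]byte, 32)
	c.Encrypt(key[:16], nfoldKerberos) // K1: a single block, so CTS with zero IV is plain AES
	c.Encrypt(key[16:], key[:16])      // K2 = E(tkey, K1)
	return key
}

func main() {
	// Constructed: same password under the RFC 4120 default salt ("DOMAINuser") and a hypothetical UPN-based salt.
	for _, salt := range []string{"SAMBA.HOMEmarkus", "SAMBA.HOMEmarkus.moeller"} {
		fmt.Printf("%-26s %x\n", salt, aes256StringToKey("constructed-pw", salt, 4096))
	}
}
```

The two printed keys differ, which is why a keytab written under one salt cannot decrypt the KDC's reply encrypted under the other; the iteration count is a parameter only so that the RFC 3962 test vectors (which use counts other than the default 4096) can be checked.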


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev