[19827] in Kerberos_V5_Development
Re: Creating a keytab for an AD user
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Mon Sep 24 04:05:08 2018
To: krbdev@mit.edu
From: Mark Pröhl <mark@mproehl.net>
Message-ID: <784ba1a8-9f7e-61cc-a195-277a86d1448e@mproehl.net>
Date: Mon, 24 Sep 2018 10:04:38 +0200
MIME-Version: 1.0
In-Reply-To: <D0B3DA50EAD64FC59AC7581EBA9CCC33@Ultrabook1>
Content-Language: de-DE
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi,
msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:
https://github.com/msktutil/msktutil/blob/master/windows-salt.txt
Salting differs for machine accounts and user accounts. For user
accounts it turned out to be a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.
What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?
Regards,
Mark Pröhl
On 09/23/2018 05:05 PM, Markus Moeller wrote:
> Hi Development Team,
>
> Are you aware of a change in the salt of AD users?
>
> I could do the following for AD in the past and can still do it for a Samba server:
>
> #ktutil
> ktutil: addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
> Password for markus@SAMBA.HOME:
> ktutil: wkt markus.keytab
> ktutil: exit
> #kinit -kt markus.keytab markus
> # klist -e
> Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
> Default principal: markus@SAMBA.HOME
>
> Valid starting       Expires              Service principal
> 23/09/18 15:56:34    24/09/18 01:56:34    krbtgt/SAMBA.HOME@SAMBA.HOME
>         renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser but DOMAINfullname.
>
> Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?
>
> Thank you
> Markus
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
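Worked example (added by the editor; it is not code from either message in this thread, from MIT Kerberos or from msktutil). The Python below reproduces the salt rule that ktutil's "addent -password" falls back on when no salt is given (MIT's default salt, as built by krb5_principal2salt, is the realm followed by the principal's name components with no separators, so markus@SAMBA.HOME is salted as "SAMBA.HOMEmarkus") and runs the PBKDF2-HMAC-SHA1 stage of the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key with the default 4096 iterations under several salts. It shows why the same ktutil session works against Samba (whose salt matches the default) and fails against an AD account whose KDC-reported salt differs from the default in even one character: the derived keys differ, so the keytab can never match the KDC's stored key. The password and the "AD-style" salt strings are constructed for illustration only; the real AD salt has to be read from the KDC's etype-info, not guessed. The final DK(tkey, "kerberos") step of RFC 3962 is left out because it needs AES, which the Python standard library lacks; DK does not involve the salt, so it does not change whether two derivations agree.

```python
import hashlib

RFC3962_ITERATIONS = 4096   # default PBKDF2 iteration count, RFC 3962 section 4
AES256_KEY_LEN = 32         # key length in bytes for aes256-cts-hmac-sha1-96


def default_salt(principal: str) -> str:
    """MIT Kerberos default salt (what ktutil 'addent -password' uses when it
    is not told a salt): the realm, then every name component, no separators.
    'markus@SAMBA.HOME'               -> 'SAMBA.HOMEmarkus'
    'host/www.example.com@EXAMPLE.COM' -> 'EXAMPLE.COMhostwww.example.com'"""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str,
                 iterations: int = RFC3962_ITERATIONS) -> bytes:
    """First stage of the RFC 3962 string-to-key for AES-256:
    PBKDF2-HMAC-SHA1(UTF-8 password, UTF-8 salt, iterations, 32 bytes).
    The long-term key is DK(this value, "kerberos"). DK is an AES-based
    transform that does not look at the salt, so two derivations that differ
    here produce two different long-term keys as well. DK itself is omitted
    because the standard library has no AES."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, AES256_KEY_LEN)


def keytab_matches_kdc(password: str, keytab_salt: str, kdc_salt: str) -> bool:
    """True when a keytab entry derived with keytab_salt would authenticate
    against a KDC that derived its stored key for the same password with
    kdc_salt. Salts are compared as bytes, so case differences matter."""
    return pbkdf2_stage(password, keytab_salt) == pbkdf2_stage(password, kdc_salt)


def compare(principal: str, password: str, kdc_salt: str) -> dict:
    """Derive once with ktutil's default salt and once with the salt the KDC
    reports, and say whether a keytab built the ktutil way would work."""
    ktutil_salt = default_salt(principal)
    return {
        "ktutil_salt": ktutil_salt,
        "kdc_salt": kdc_salt,
        "ktutil_key": pbkdf2_stage(password, ktutil_salt).hex(),
        "kdc_key": pbkdf2_stage(password, kdc_salt).hex(),
        "keytab_works": keytab_matches_kdc(password, ktutil_salt, kdc_salt),
    }


if __name__ == "__main__":
    princ = "markus@SAMBA.HOME"
    password = "correct horse battery staple"   # constructed, not a real credential

    # Samba case from the thread: the KDC salt equals MIT's default salt,
    # so the ktutil-built keytab works.
    print(compare(princ, password, default_salt(princ)))

    # AD case: the KDC salted with some other attribute. This string is
    # constructed for illustration only; take the real one from the KDC.
    print(compare(princ, password, "SAMBA.HOMEMarkus Moeller"))

    # Same name, different case: salts are byte-compared, so this fails too.
    print(compare(princ, password, "SAMBA.HOMEMarkus"))
```

The practical consequence for the ktutil workflow in the thread: a keytab built with "addent -password" is only usable when the salt ktutil assumed equals the salt the KDC used, so for an AD user the salt string must be obtained from the KDC rather than derived from the principal name.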