configure Kerberos client to always send (timestamp)

Mon Feb 3 10:50:33 EST 2003

I assume the API that allows this is
And the associated krb5_get_init_creds_opt_set_preauth_list.

Where is there documentation on putting stuff in the preauth list?

My Active Directory domain controller (Windows 2003) wants three preauth
types (debug output below):

salt len=-1; preauth data types: 11 2 15
etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\xef\xbf\xbd9'
etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'

It looks like you could always guess that the salt is the realm with the
username concatenated.

These correspond to
documented (??)

Anyone know about PADATA type 15?

in article 87d6m9xwqb.fsf at, Sam Hartman at hartmans at
wrote on 2/3/03 8:28 AM:

>>>>>> "Wood," == Wood, Justin S <Justin.S.Wood at> writes:
>   Wood,> Perhaps I've missed the point, but should it not be
>   Wood,> possible to configure the client to always send preauth,
>   Wood,> and hence remove the initial redundant protocol
>   Wood,> interaction?
> I believe that current APIs allow this, but kinit does not currently
> implement that feature.
> In future, it will be less useful as the client will need more
> information from the KDC to make a correct guess about what preauth or
> encryption types to use.
> So you should not expect to see anyone actually exposing this support
> in kinit.
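An added example, not part of the original post or thread: a Python parser for the debug lines quoted in the message above. It checks the observation that each salt is the realm with the username concatenated. The function names, and the choice to truncate each printed salt to its stated length (the first entry's printed string runs past `len=17`), are assumptions of this example.

```python
import re

# Debug lines copied verbatim from the message; raw strings keep the printed
# backslash escapes exactly as they appear there.
SAMPLE = [
    r"salt len=-1; preauth data types: 11 2 15",
    r"etype info 0: etype 3 salt len=17 'KERYGMA.ORGnelson>\xef\xbf\xbd9'",
    r"etype info 1: etype 1 salt len=17 'KERYGMA.ORGnelson'",
]

PADATA_RE = re.compile(r"preauth data types:((?:\s+-?\d+)+)")
ETYPE_RE = re.compile(r"etype info (\d+): etype (-?\d+) salt len=(-?\d+) '(.*)'$")


def default_salt(realm, *components):
    """Default salt: the realm followed by the name components, no separators."""
    return realm + "".join(components)


def parse(lines):
    """Return (padata type numbers, etype-info entries) found in the debug lines."""
    padata, entries = [], []
    for line in lines:
        m = PADATA_RE.search(line)
        if m:
            padata = [int(n) for n in m.group(1).split()]
        m = ETYPE_RE.search(line)
        if m:
            idx, etype, length, text = m.groups()
            length = int(length)
            # Assumption: salts are printable, so one character is one byte.
            # The stated length is trusted over the printed string.
            entries.append({
                "index": int(idx), "etype": int(etype), "salt_len": length,
                "salt": text[:length] if length >= 0 else None,
                "overrun": length >= 0 and len(text) > length,
            })
    return padata, entries


def guessable(entries, realm, *components):
    """Map etype -> True when the KDC-supplied salt equals the default salt."""
    want = default_salt(realm, *components)
    return {e["etype"]: e["salt"] == want for e in entries}


if __name__ == "__main__":
    padata, entries = parse(SAMPLE)
    print("padata types:", padata)
    print("default salt matches:", guessable(entries, "KERYGMA.ORG", "nelson"))
```

The `overrun` flag marks entries whose printed salt is longer than the length the KDC reported, which is the case for etype info 0 in the quoted output.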
