msktutil problem with Windows 2008

Markus Moeller huaraz at moeller.plus.com
Wed Sep 2 19:17:24 EDT 2009


"Douglas E. Engert" <deengert at anl.gov> wrote in message 
news:mailman.48.1251902470.12456.kerberos at mit.edu...
> Markus Moeller wrote:
>> I found the problem with msktutil. It uses the wrong salt. For a computer 
>> name with uppercase parts (e.g. squid-HTTP) it uses 
>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of 
>> DOM.LOCALhostsquid-http.dom.local.
>
> I would like to reword this...
>
> Windows AD appears to generate a salt for computer accounts using the
> concatenation of:
>    uppercase(domain) "host" lowercase(SAMAccountName) "." 
> lowercase(domain)
>
> But msktutil was using:
>    uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>
> So this would only be a problem for accounts where the account name had 
> mixed case.
> The circumvention is to use msktutil --computername some-lowercase-name,
> i.e. always use lower case for the computer name.
>
> Windows 2003 does the same thing. All of our computer accounts had been
> lowercase, so we never ran across this problem.
>

Also on 2003 you mainly use RC4, which doesn't use a salt. I assume you will 
create a version 8 of msktutil. If so, can you fix the VERBOSE calls?

--- msktkrb5.c  2007-12-22 14:02:40.000000000 +0000
+++ msktkrb5.c.new      2009-09-03 00:13:55.000000000 +0100
@@ -446,7 +446,7 @@
                        }
                }

-               VERBOSE("    Using salt of %s", (char *) salt.data);
+               VERBOSE("    Using salt of %.*s", salt.length, (char *) 
salt.data);
                pass.data = flags->password;
                pass.length = PASSWORD_LEN;
                ret = krb5_string_to_key(flags->context, &eblock, &key, 
&pass, &salt);
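Review bot: the `.*` precision of `%.*s` must be supplied as an `int`, but the new VERBOSE call passes `salt.length` directly; the `length` member of a `krb5_data` is not an `int` (it is `unsigned int` in MIT Kerberos), so pass `(int) salt.length` to keep the varargs types consistent with the format. The switch away from `%s` is otherwise the right fix, since `salt.data` is a length-delimited buffer that is not guaranteed to be NUL-terminated and the old call could read past its end.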
@@ -501,7 +501,7 @@
                        }
                }

-               VERBOSE("    Using salt of %s", (char *) 
salt.saltvalue.data);
+               VERBOSE("    Using salt of %.*s", salt.saltvalue.length, 
(char *) salt.saltvalue.data);
                pass.data = &(flags->password[0]);
                pass.length = PASSWORD_LEN;
                ret = krb5_string_to_key_data_salt(flags->context, eblock, 
pass, salt, &key);
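Review bot: `salt.saltvalue.length` is handed to `%.*s` without a cast, yet that precision argument has to be an `int`; in Heimdal's `krb5_data` the `length` member is a `size_t`, so write `(int) salt.saltvalue.length` to avoid a format/argument type mismatch on platforms where `size_t` is wider than `int`. Apart from that, replacing `%s` with a length-bounded `%.*s` is correct, because `saltvalue.data` need not be NUL-terminated.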


Regards
Markus 
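To make the salt difference described in the thread concrete, here is an added Python illustration (not code from the thread or from msktutil). It builds the salt AD expects and the salt old msktutil produced, and derives key material from each with the PBKDF2 stage of the RFC 3962 AES string-to-key; the final DK step is omitted as a simplification, and the machine password is a constructed value.

```python
import hashlib

# Constructed sample values (not from the thread): the thread's domain and
# mixed-case computer name, plus a made-up machine password.
DOMAIN = "dom.local"
COMPUTER_NAME = "squid-HTTP"
MACHINE_PASSWORD = "constructed-machine-password"


def ad_computer_salt(domain: str, sam_account_name: str) -> str:
    """Salt Windows AD uses for a computer account, as described in the thread:
    uppercase(domain) "host" lowercase(SAMAccountName) "." lowercase(domain)."""
    return f"{domain.upper()}host{sam_account_name.lower()}.{domain.lower()}"


def msktutil_old_salt(domain: str, sam_account_name: str) -> str:
    """Salt the old msktutil built: identical except that the account name's
    case is preserved, which only matters for mixed-case names."""
    return f"{domain.upper()}host{sam_account_name}.{domain.lower()}"


def pbkdf2_stage(password: str, salt: str, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 with 4096 iterations, the first stage of the RFC 3962
    AES string-to-key. The final DK step is deliberately omitted (a
    simplification), so this is intermediate key material, not the Kerberos
    key itself; it is enough to show that a different salt gives different bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, key_len)


def check_account(domain: str, sam_account_name: str, password: str) -> dict:
    """Compare what AD expects against what old msktutil would write into the
    keytab, and report whether the account is affected by the salt bug."""
    ad_salt = ad_computer_salt(domain, sam_account_name)
    old_salt = msktutil_old_salt(domain, sam_account_name)
    ad_key = pbkdf2_stage(password, ad_salt)
    old_key = pbkdf2_stage(password, old_salt)
    return {
        "ad_salt": ad_salt,
        "msktutil_salt": old_salt,
        "affected": ad_salt != old_salt,  # True only for mixed-case names
        "key_material_matches": ad_key == old_key,
    }


if __name__ == "__main__":
    # The mixed-case name is affected; its all-lowercase form is not.
    for name in (COMPUTER_NAME, COMPUTER_NAME.lower()):
        print(name, check_account(DOMAIN, name, MACHINE_PASSWORD))
```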
