msktutil problem with Windows 2008
Markus Moeller
huaraz at moeller.plus.com
Wed Sep 2 19:17:24 EDT 2009
"Douglas E. Engert" <deengert at anl.gov> wrote in message
news:mailman.48.1251902470.12456.kerberos at mit.edu...
> Markus Moeller wrote:
>> I found the problem with msktutil. It uses the wrong salt. For a computer
>> name with uppercase parts (e.g. squid-HTTP) it uses
>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
>> DOM.LOCALhostsquid-http.dom.local.
>
> I would like to reword this...
>
> Windows AD appears to generate a salt for computer accounts using the
> concatenation of:
> uppercase(domain) "host" lowercase(SAMAccountName) "."
> lowercase(domain)
>
> But msktutil was using:
> uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>
> So only accounts where the account name had mixed case would this be a
> problem.
> The circumvention is to use msktutil --computername some-lowercase-name
> i.e. always use lower case for the computer name.
>
> Windows 2003 does the same thing. All of our computer accounts had been
> lowercase, so we never ran across this problem.
>
Also on 2003 you mainly use RC4 which doesn't use a salt. I assume you will
create a vers 8 of msktutil. If so can you fix the VERBOSE calls?
--- msktkrb5.c 2007-12-22 14:02:40.000000000 +0000
+++ msktkrb5.c.new 2009-09-03 00:13:55.000000000 +0100
@@ -446,7 +446,7 @@
}
}
- VERBOSE(" Using salt of %s", (char *) salt.data);
+ VERBOSE(" Using salt of %.*s", salt.length, (char *)
salt.data);
pass.data = flags->password;
pass.length = PASSWORD_LEN;
ret = krb5_string_to_key(flags->context, &eblock, &key,
&pass, &salt);
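Review bot: the precision argument for `%.*s` in the added VERBOSE line must be an `int`, but `salt.length` is passed without a cast and its declaration is not visible in this hunk. If the field is unsigned or wider than `int`, the variadic call has undefined behaviour. Suggest `VERBOSE(" Using salt of %.*s", (int) salt.length, (char *) salt.data);`.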
@@ -501,7 +501,7 @@
}
}
- VERBOSE(" Using salt of %s", (char *)
salt.saltvalue.data);
+ VERBOSE(" Using salt of %.*s", salt.saltvalue.length,
(char *) salt.saltvalue.data);
pass.data = &(flags->password[0]);
pass.length = PASSWORD_LEN;
ret = krb5_string_to_key_data_salt(flags->context, eblock,
pass, salt, &key);
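Review bot: both the removed and the added VERBOSE lines in this hunk have been wrapped onto a second line by the mailer, so the hunk will not apply as posted; resend the patch as an attachment or with line wrapping disabled. On the added line, `salt.saltvalue.length` is used as the `%.*s` precision, which has to be an `int`, so write `(int) salt.saltvalue.length` unless the field is already declared that way.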
Regards
Markus
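The salt rule from the quoted reply above, as an added example that is not part of the original post and is not msktutil code. The function names are hypothetical, the sample names come from the post, and dropping a trailing `$` from the account name is an assumption the post does not state.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not msktutil code. Builds the computer-account salt by the
 * rule quoted above: uppercase(domain) "host" lowercase(name) "." lowercase(domain).
 * The bytes written to out are NOT NUL-terminated (like krb5 salt data).
 * Returns the salt length, or -1 on empty input or a too-small buffer. */
int ad_host_salt(const char *domain, const char *name, char *out, size_t cap)
{
    size_t dlen = strlen(domain), nlen = strlen(name), pos = 0, i;

    /* Assumption: the trailing '$' of a sAMAccountName is not salted. */
    if (nlen > 0 && name[nlen - 1] == '$')
        nlen--;
    if (dlen == 0 || nlen == 0 || 2 * dlen + nlen + 5 > cap)
        return -1;
    for (i = 0; i < dlen; i++)
        out[pos++] = (char)toupper((unsigned char)domain[i]);
    memcpy(out + pos, "host", 4);
    pos += 4;
    for (i = 0; i < nlen; i++)
        out[pos++] = (char)tolower((unsigned char)name[i]);
    out[pos++] = '.';
    for (i = 0; i < dlen; i++)
        out[pos++] = (char)tolower((unsigned char)domain[i]);
    return (int)pos;
}

/* Returns 1 if candidate (a C string) is byte-for-byte the salt AD would use. */
int salt_equals(const char *domain, const char *name, const char *candidate)
{
    char buf[512];
    int len = ad_host_salt(domain, name, buf, sizeof buf);
    return len >= 0 && (size_t)len == strlen(candidate) &&
           memcmp(buf, candidate, (size_t)len) == 0;
}

int main(void)
{
    char salt[512];
    int len = ad_host_salt("dom.local", "squid-HTTP", salt, sizeof salt);
    if (len < 0)
        return 1;
    printf("AD salt:       %.*s\n", len, salt);   /* length-bounded print */
    printf("mixed-case ok: %d\n", salt_equals("dom.local", "squid-HTTP",
           "DOM.LOCALhostsquid-HTTP.dom.local"));
    return 0;
}
```

A one-byte case difference in the salt yields a different key for salted enctypes, so comparing the salt a tool logs against this expected value is a quick check when a keytab fails to decrypt tickets.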