msktutil problem with Windows 2008

Douglas E. Engert deengert at anl.gov
Thu Sep 3 09:19:50 EDT 2009



Markus Moeller wrote:
> "Douglas E. Engert" <deengert at anl.gov> wrote in message 
> news:mailman.48.1251902470.12456.kerberos at mit.edu...
>> Markus Moeller wrote:
>>> I found the problem with msktutil. It uses the wrong salt. For a computer 
>>> name with uppercase parts (e.g. squid-HTTP) it uses 
>>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of 
>>> DOM.LOCALhostsquid-http.dom.local.
>> I would like to reword this...
>>
>> Windows AD appears to generate a salt for computer accounts using the
>> concatenation of:
>>    uppercase(domain) "host" lowercase(SAMAccountName) "." 
>> lowercase(domain)
>>
>> But msktutil was using:
>>    uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>>
>> So only accounts where the account name had mixed case would this be a 
>> problem.
>> The circumvention is it use msktutil --computername some-lowercase-name
>> i.e. always use lower case for the computer name.
>>
>> Windows 2003 does the same thing. All of our computer accounts had been
>> lowercase, so we never ran across this problem.
>>
> 
> Also on 2003 you mainly use RC4 which doesn't use a salt.  I assume you will 
> create a vers 8 of msktutil. If so can you fix the VERBOSE calls ?

Yes, but not soon. I will add your fix. Thanks.

> 
> --- msktkrb5.c  2007-12-22 14:02:40.000000000 +0000
> +++ msktkrb5.c.new      2009-09-03 00:13:55.000000000 +0100
> @@ -446,7 +446,7 @@
>                         }
>                 }
> 
> -               VERBOSE("    Using salt of %s", (char *) salt.data);
> +               VERBOSE("    Using salt of %.*s", salt.length, (char *) 
> salt.data);
>                 pass.data = flags->password;
>                 pass.length = PASSWORD_LEN;
>                 ret = krb5_string_to_key(flags->context, &eblock, &key, 
> &pass, &salt);
> @@ -501,7 +501,7 @@
>                         }
>                 }
> 
> -               VERBOSE("    Using salt of %s", (char *) 
> salt.saltvalue.data);
> +               VERBOSE("    Using salt of %.*s", salt.saltvalue.length, 
> (char *) salt.saltvalue.data);
>                 pass.data = &(flags->password[0]);
>                 pass.length = PASSWORD_LEN;
>                 ret = krb5_string_to_key_data_salt(flags->context, eblock, 
> pass, salt, &key);
> 
> 
> Regards
> Markus 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list