querying salt and kvno via KDC-REQ

Mark Pröhl mark at mproehl.net
Sun Aug 3 13:03:31 EDT 2014


I would like to improve some parts of msktutil 
(https://code.google.com/p/msktutil/) and need a way to get information 
about salt and principal's kvno via KDC requests. Do the MIT krb5 
libraries provide functions for this?

Some background information:

The problem with the salt is currently being discussed on this list 
("ktutil - problems generating AES keys (salt?)").

In the current version msktutil is getting the kvno via LDAP search 
(attribute msds-keyversionnumber). This leads to problems when AD 
replication is slow. Network sniffs performed after password changes 
show that AS-REP messages already contain the principal's new kvno (in 
the client part) while its LDAP attribute msds-keyversionnumber 
still has the old value.

MIT's kvno utility only determines the kvno for service principals by 
getting a service ticket and printing its kvno. I am looking for a way 
to do this for client principals by analysing the client part of AS-REP.

-- 
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
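
The kvno in the client part of an AS-REP, which the message above refers to, is the optional kvno field of KDC-REP.enc-part (EncryptedData) in RFC 4120. The following is an added example, not part of the original post and not msktutil or MIT krb5 code: a minimal DER walker that reads that field. All function names, the realm EXAMPLE.TEST, the principal host1$ and the sample message are constructed for illustration.

```python
# Added example (not msktutil or MIT krb5 code): client kvno from an AS-REP, RFC 4120 layout.
def tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(seq):  # SEQUENCE of [n] EXPLICIT fields -> {n: inner TLV bytes}
    tag, body, _ = tlv(seq)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        t, val, pos = tlv(body, pos)
        out[t & 0x1F] = val
    return out

def der_int(elem):
    tag, val, _ = tlv(elem)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(val, "big", signed=True)

def as_rep_client_kvno(msg):
    """Return (etype, kvno) of KDC-REP.enc-part; kvno is None when the OPTIONAL field is absent."""
    tag, kdc_rep, _ = tlv(msg)
    if tag != 0x6B:  # [APPLICATION 11] marks an AS-REP
        raise ValueError("not an AS-REP")
    enc = fields(fields(kdc_rep)[6])  # enc-part [6] EncryptedData of the reply itself
    return der_int(enc[0]), (der_int(enc[1]) if 1 in enc else None)

def der(tag, *parts):  # encoder, used only to build the constructed sample below
    body = b"".join(parts)
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_as_rep(kvno):  # constructed message: realm, names, ticket, ciphertext are placeholders
    i = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    enc = lambda kv: der(0x30, der(0xA0, i(18)), der(0xA1, i(kv)) if kv is not None else b"",
                         der(0xA2, der(0x04, bytes(16))))
    name = der(0x30, der(0xA0, i(1)), der(0xA1, der(0x30, der(0x1B, b"host1$"))))
    realm = der(0x1B, b"EXAMPLE.TEST")
    # The ticket's own enc-part carries the service key's kvno (2 here), not the client's.
    ticket = der(0x61, der(0x30, der(0xA0, i(5)), der(0xA1, realm), der(0xA2, name), der(0xA3, enc(2))))
    return der(0x6B, der(0x30, der(0xA0, i(5)), der(0xA1, i(11)), der(0xA3, realm),
                         der(0xA4, name), der(0xA5, ticket), der(0xA6, enc(kvno))))
```

Calling `as_rep_client_kvno(sample_as_rep(7))` returns `(18, 7)`: the reply's own kvno, not the 2 embedded in the ticket. Both fields sit in the unencrypted EncryptedData header, so no key is needed to read them.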


