querying salt and kvno via KDC-REQ
Mark Pröhl
mark at mproehl.net
Sun Aug 3 13:03:31 EDT 2014
I would like to improve some parts of msktutil
(https://code.google.com/p/msktutil/) and need a way to get information
about salt and principal's kvno via KDC requests. Do the MIT krb5
libraries provide functions for this?
Some background information:
The problem with the salt is currently being discussed on this list
("ktutil - problems generating AES keys (salt?)").
In the current version msktutil is getting the kvno via LDAP search
(attribute msds-keyversionnumber). This leads to problems when AD
replication is slow. Network sniffs performed after password changes
show that AS-REP messages already contain the principal's new kvno (in
the client part) while its LDAP attribute msds-keyversionnumber still
has the old value.
MIT's kvno utility only determines the kvno for service principals by
getting a service ticket and printing its kvno. I am looking for a way
to do this for client principals by analysing the client part of AS-REP.
--
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
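
An added example, not part of the original post and not msktutil or MIT krb5 code: reading the kvno from the client part (enc-part) of a DER-encoded AS-REP, following the RFC 4120 layout. The function names are hypothetical, and the sample message is a constructed skeleton holding only the fields the parser reads. The kvno field of EncryptedData is OPTIONAL, so the parser returns None when it is absent.

```python
# Added example: etype and kvno from the enc-part of an AS-REP (RFC 4120).
# EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING }

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Map context tag number -> contents for each field of a SEQUENCE body."""
    out, pos = {}, 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out[tag & 0x1F] = val
    return out

def asrep_client_kvno(asrep):
    """Return (etype, kvno or None) from the enc-part of a DER-encoded AS-REP."""
    tag, body, _ = read_tlv(asrep, 0)
    if tag != 0x6B:                        # [APPLICATION 11], constructed
        raise ValueError("not an AS-REP")
    _, seq, _ = read_tlv(body, 0)          # KDC-REP SEQUENCE
    enc_part = children(seq)[6]            # enc-part is field [6]
    _, enc_seq, _ = read_tlv(enc_part, 0)  # EncryptedData SEQUENCE
    fields = children(enc_seq)
    as_int = lambda f: int.from_bytes(read_tlv(f, 0)[1], "big")
    return as_int(fields[0]), (as_int(fields[1]) if 1 in fields else None)

def tlv(tag, value):                       # short-form DER encoder, used for the sample only
    return bytes([tag, len(value)]) + value

def sample_asrep(kvno=None):
    """Constructed skeleton: pvno, msg-type and enc-part only; the cipher is dummy bytes."""
    enc = tlv(0xA0, tlv(0x02, b"\x12"))    # etype 18 (aes256-cts-hmac-sha1-96)
    if kvno is not None:
        enc += tlv(0xA1, tlv(0x02, bytes([kvno])))
    enc += tlv(0xA2, tlv(0x04, b"\x00" * 8))
    seq = tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0b")) + tlv(0xA6, tlv(0x30, enc))
    return tlv(0x6B, tlv(0x30, seq))
```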