Preliminary discussion: DB alias entries

Luke Howard lukeh at
Fri Mar 13 09:51:36 EDT 2009

> I initially tried making the salt always random, but that obviously
> didn't work, if the libs are fixed to accept a random salt with all
> enctypes that would be also nice.

It can save the client a round trip if the salt is well known. For AD,  
the rules for the salting principal input (NOT the salt itself) are:

For users: samAccountName at DOMAIN, unless the user has a UPN, in which  
case it is LHS-of-UPN at DOMAIN.

For machine accounts: host/samAccountName-without-$.domain at DOMAIN.

For trust and TGS accounts, krbtgt/DOMAIN1 at DOMAIN2.

-- Luke

More information about the krbdev mailing list