Preliminary discussion: DB alias entries
lukeh at padl.com
Fri Mar 13 09:51:36 EDT 2009
> I initially tried making the salt always random, but that obviously
> didn't work, if the libs are fixed to accept a random salt with all
> enctypes that would be also nice.
It can save the client a round trip if the salt is well known. For AD,
the rules for the salting principal input (NOT the salt itself) are:
For users: samAccountName@DOMAIN, unless the user has a UPN, in which
case it is LHS-of-UPN@DOMAIN.
For machine accounts: host/samAccountName-without-$.domain@DOMAIN.
For trust and TGS accounts, krbtgt/DOMAIN1@DOMAIN2.
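
The salting-principal rules above, worked through as an added example (not part of the original post or of any Kerberos implementation's code). The function and field names are hypothetical, splitting the UPN at its last "@" is an assumption, and the final step of turning the principal into a salt uses the RFC 4120 default (realm followed by the name components, no separators), which the post does not itself spell out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    # Hypothetical record holding the directory attributes the rules refer to.
    kind: str                          # "user", "machine" or "trust"
    realm: str                         # DOMAIN (DOMAIN2 for a trust/TGS account)
    sam: Optional[str] = None          # samAccountName
    upn: Optional[str] = None          # userPrincipalName, if the user has one
    dns_domain: Optional[str] = None   # ".domain" part for machine accounts
    peer_realm: Optional[str] = None   # DOMAIN1 for a trust/TGS account


def salting_components(acct: Account) -> List[str]:
    """Name components of the salting principal, per the rules in the post."""
    if acct.kind == "user":
        # LHS-of-UPN when a UPN exists, otherwise samAccountName.
        # Assumption: the LHS is everything before the last "@".
        return [acct.upn.rsplit("@", 1)[0] if acct.upn else acct.sam]
    if acct.kind == "machine":
        # host/<samAccountName without trailing "$">.<domain>
        host = acct.sam[:-1] if acct.sam.endswith("$") else acct.sam
        return ["host", f"{host}.{acct.dns_domain}"]
    if acct.kind == "trust":
        # krbtgt/DOMAIN1 in realm DOMAIN2 (the TGS account has DOMAIN1 == DOMAIN2)
        return ["krbtgt", acct.peer_realm]
    raise ValueError(f"unknown account kind: {acct.kind!r}")


def salting_principal(acct: Account) -> str:
    """Printable form of the salting principal: comp1/comp2@REALM."""
    return "/".join(salting_components(acct)) + "@" + acct.realm


def default_salt(acct: Account) -> bytes:
    """RFC 4120 default salt: realm, then each name component, no separators."""
    return (acct.realm + "".join(salting_components(acct))).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample accounts, not taken from the post.
    for a in (Account("user", "EXAMPLE.COM", sam="jdoe"),
              Account("user", "EXAMPLE.COM", sam="jdoe", upn="john.doe@corp.example"),
              Account("machine", "EXAMPLE.COM", sam="WS01$", dns_domain="example.com"),
              Account("trust", "DOMAIN2", peer_realm="DOMAIN1")):
        print(salting_principal(a), default_salt(a))
```

Any case folding a particular KDC applies to these names is not covered by the rules quoted in the post and is left out here.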