Preliminary discussion: DB alias entries

Simo Sorce ssorce at
Fri Mar 13 11:28:27 EDT 2009

On Sat, 2009-03-14 at 00:51 +1100, Luke Howard wrote:
> > I initially tried making the salt always random, but that obviously
> > didn't work, if the libs are fixed to accept a random salt with all
> > enctypes that would be also nice.
> It can save the client a round trip if the salt is well known. For AD,  
> the rules for the salting principal input (NOT the salt itself) are:
> For users: samAccountName at DOMAIN, unless the user has a UPN, in which  
> case it is LHS-of-UPN at DOMAIN.
> For machine accounts: host/samAccountName-without-$.domain at DOMAIN.
> For trust and TGS accounts, krbtgt/DOMAIN1 at DOMAIN2.

I use pre-authentication anyway so I already have to do the second round
trip, shouldn't be a problem in that case, right ?


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list