Preliminary discussion: DB alias entries
Simo Sorce
ssorce at redhat.com
Fri Mar 13 11:28:27 EDT 2009
On Sat, 2009-03-14 at 00:51 +1100, Luke Howard wrote:
> > I initially tried making the salt always random, but that obviously
> > didn't work, if the libs are fixed to accept a random salt with all
> > enctypes that would be also nice.
>
> It can save the client a round trip if the salt is well known. For AD,
> the rules for the salting principal input (NOT the salt itself) are:
>
> For users: samAccountName@DOMAIN, unless the user has a UPN, in which
> case it is LHS-of-UPN@DOMAIN.
>
> For machine accounts: host/samAccountName-without-$.domain@DOMAIN.
>
> For trust and TGS accounts, krbtgt/DOMAIN1@DOMAIN2.
I use pre-authentication anyway, so I already have to do the second round
trip; shouldn't be a problem in that case, right?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
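The salting-principal rules Luke quotes above, turned into code as an added example (not code from this thread, from MIT Kerberos, or from any AD implementation): it picks the salting principal for a user, machine or trust account, builds the RFC 4120 default salt (realm followed by the name components with no separators) from it, and runs the PBKDF2 stage of RFC 3962 AES string-to-key on the result, checked against the first RFC 3962 Appendix B vector. The `AdAccount` type and its field names are invented for the example, and the case folding (upper-cased realm, lower-cased host name) is an assumption the thread does not state.

```python
# Added example (not from the thread or any project): derive the AD salting
# principal per the quoted rules, build the RFC 4120 default salt string from
# it, and run the first (PBKDF2) stage of RFC 3962 AES string-to-key.
# Case folding of the host name and the realm is an assumption; the thread
# does not specify it.
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AdAccount:
    sam_account_name: str                 # sAMAccountName, e.g. "alice" or "WS01$"
    dns_domain: str                       # DNS name of the account's domain
    kind: str = "user"                    # "user", "machine" or "trust"
    user_principal_name: Optional[str] = None   # userPrincipalName, if set
    trusted_domain: Optional[str] = None  # trust accounts: the other domain (DOMAIN1)


def salting_principal(acct: AdAccount) -> Tuple[List[str], str]:
    """Return (name components, realm) of the salting principal.

    Only the principal is chosen here; the salt itself is built in
    default_salt() from these parts.
    """
    realm = acct.dns_domain.upper()        # assumption: realm is the upper-cased DNS domain
    if acct.kind == "user":
        if acct.user_principal_name:
            # UPN present: left-hand side of the UPN, at the account's own realm
            lhs = acct.user_principal_name.split("@", 1)[0]
            return [lhs], realm
        return [acct.sam_account_name], realm
    if acct.kind == "machine":
        name = acct.sam_account_name
        if name.endswith("$"):
            name = name[:-1]               # "WS01$" -> "WS01"
        # host/<name>.<domain>; lower-casing both is an assumption
        return ["host", f"{name.lower()}.{acct.dns_domain.lower()}"], realm
    if acct.kind == "trust":
        if not acct.trusted_domain:
            raise ValueError("trust accounts need trusted_domain")
        # krbtgt/DOMAIN1@DOMAIN2, DOMAIN2 being the realm that holds the account
        return ["krbtgt", acct.trusted_domain.upper()], realm
    raise ValueError(f"unknown account kind {acct.kind!r}")


def default_salt(components: List[str], realm: str) -> str:
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    return realm + "".join(components)


def ad_salt(acct: AdAccount) -> str:
    """Salt string a client would derive locally for this account."""
    return default_salt(*salting_principal(acct))


def aes_pbkdf2_stage(password: str, salt: str, key_bytes: int = 32,
                     iterations: int = 4096) -> bytes:
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt. The final DK(tkey, "kerberos") step needs AES
    and is left out here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def rfc3962_vector_ok() -> bool:
    """Check the PBKDF2 stage against the first RFC 3962 Appendix B vector
    (1 iteration, "password", "ATHENA.MIT.EDUraeburn", 128-bit output)."""
    out = aes_pbkdf2_stage("password", "ATHENA.MIT.EDUraeburn", 16, 1)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


if __name__ == "__main__":
    # Constructed sample accounts, one per rule in the quoted message
    for acct in (AdAccount("alice", "example.com"),
                 AdAccount("alice", "example.com",
                           user_principal_name="alice.smith@example.com"),
                 AdAccount("WS01$", "example.com", kind="machine"),
                 AdAccount("OTHER$", "example.com", kind="trust",
                           trusted_domain="other.example.com")):
        print(acct.kind, acct.sam_account_name, "->", ad_salt(acct))
    print("RFC 3962 vector:", "ok" if rfc3962_vector_ok() else "MISMATCH")
```

The round-trip point in the thread is visible here: a client that can compute `ad_salt()` on its own can build the encrypted-timestamp pre-authentication on its first AS-REQ, whereas a client with a random or otherwise unpredictable salt has to send an AS-REQ, receive the KDC's pre-authentication-required error with the ETYPE-INFO2 salt, and only then derive the key. If the KDC always returns ETYPE-INFO2 (as Simo says it does in the pre-authentication case), the derivation rules above are a convenience rather than a requirement.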