Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Isaac Boukris iboukris at
Fri Nov 10 01:42:41 EST 2017

On Fri, Nov 10, 2017 at 7:08 AM, Ido Shlomo <shloim at> wrote:
> Thank you. I understand the options, but I am not familiar with tools that
> may do that automatically. (currently this entire process is automated using
> shell scripts).

If you know the salt and it is different than what ktutil uses, then
you may be able to build the ktutil from git master which let's you
specify the salt.
For troubleshooting, i'd still suggest to try kinit and see what salt
the actually is, like:
KRB5_TRACE=/dev/stdout kinit principal |grep salt


More information about the krbdev mailing list