Incompatibility between krb's AES256-CTS-HMAC-SHA1-96 and Microsoft Windows Domain

Isaac Boukris iboukris at
Tue Oct 31 11:59:20 EDT 2017

On Tue, Oct 31, 2017 at 5:47 PM, Isaac Boukris <iboukris at> wrote:
> On Tue, Oct 31, 2017 at 4:44 PM, Ido Shlomo <shloim at> wrote:
>> Since this is an automated task, I cannot generate anything outside the
>> machine.
>> Is it possible to specify the salt using ktutil?
> You can try an AS request where the KDC tells the salt, like:
> # KRB5_TRACE=/dev/tty kinit principal
> btw, for user-account in AD the salt is the UPN attribute of the user.

Sorry, I misread the question, thought you were asking how to find the
actual salt.
I am not familiar with such an option in ktutil, though according to the
source code the recent version of it does provide this option
(alternatively, you can use the same code that ktutil uses and specify
the salt).
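
An added illustration, not part of the original message and not krb5's own code: why a keytab entry built with a salt other than the one the KDC reports cannot match for aes256-cts-hmac-sha1-96. It computes the RFC 4120 default salt and only the PBKDF2 stage of the RFC 3962 string-to-key (the final DK step, which needs AES, is left out). The principal, password and KDC-reported salt are constructed samples, and the function names are hypothetical.

```python
import hashlib
import hmac


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by the name components,
    concatenated without separators. Escaped '/' or '@' are not handled."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key for AES256.
    4096 is the RFC 3962 default iteration count. The real key is
    DK(this value, "kerberos"); a mismatch here implies a mismatch there."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def salts_give_same_key(password: str, keytab_salt: bytes, kdc_salt: bytes) -> bool:
    """True when both salts lead to the same intermediate key."""
    return hmac.compare_digest(pbkdf2_stage(password, keytab_salt),
                               pbkdf2_stage(password, kdc_salt))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    principal = "svc-web@EXAMPLE.COM"
    password = "correct horse battery staple"
    kdc_salt = b"EXAMPLE.COMsvc-web-old"   # salt as read from a kinit trace

    local = default_salt(principal)
    print("default salt :", local)
    print("KDC salt     :", kdc_salt)
    print("keys match   :", salts_give_same_key(password, local, kdc_salt))
```
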

