Creating a keytab for an AD user

Mark Pröhl mark at
Mon Sep 24 04:04:38 EDT 2018


msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:

Salting differs for machine accounts and user accounts. For user
accounts it turned out to be a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.

What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?


Mark Pröhl

On 09/23/2018 05:05 PM, Markus Moeller wrote:
> Hi Development Team,
>     Are you aware of a change in the salt of AD users?
>     I could do the following for AD in the past and can still do it for a Samba server:
> #ktutil
> ktutil:  addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
> Password for markus at SAMBA.HOME:
> ktutil:  wkt markus.keytab
> ktutil:  exit
> #kinit -kt markus.keytab markus
> #
> klist -e
> Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
> Default principal: markus at SAMBA.HOME
> Valid starting     Expires            Service principal
> 23/09/18 15:56:34  24/09/18 01:56:34  krbtgt/SAMBA.HOME at SAMBA.HOME
>         renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>   But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser, but DOMAINfullname.
>   Is that a known change (i.e. which AD attribute is used instead of the user id) and can ktutil addent get an option to set the salt?
> Thank you
> Markus

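As an added illustration of the salt discussion above (this is not code from either mail, nor from msktutil or MIT Kerberos): a Python sketch of the salt rule the thread describes, followed by the salt-dependent PBKDF2 stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96, so that a keytab built with the wrong salt can be seen to hold a different key from the one the KDC expects. The exact rule for accounts with a userPrincipalName (left-hand part of the UPN) and for machine accounts is an assumption taken from the MS-KILE/Samba convention, not something the thread spells out; the final AES-based DK step of string-to-key is left out; the realm and account names are constructed samples modelled on the SAMBA.HOME example.

```python
import hashlib

# Constructed sample realm, modelled on the thread's SAMBA.HOME example.
REALM = "SAMBA.HOME"


def ad_default_salt(realm, sam_account_name, user_principal_name=None, machine=False):
    """Return the default salt an AD KDC uses for an account's string-to-key.

    Assumed rule (MS-KILE/Samba convention; the thread only states that users
    with and without a userPrincipalName are salted differently):
      - machine account:   REALM + "host" + hostname + "." + realm
                           (prefix upper-cased, hostname and suffix lower-cased,
                           trailing '$' of the sAMAccountName dropped)
      - user with a UPN:   REALM + left-hand part of the userPrincipalName
      - user without UPN:  REALM + sAMAccountName (case preserved)
    """
    if machine:
        host = sam_account_name.rstrip("$").lower()
        return realm.upper() + "host" + host + "." + realm.lower()
    if user_principal_name:
        return realm.upper() + user_principal_name.split("@", 1)[0]
    return realm.upper() + sam_account_name


def aes256_pbkdf2_stage(password, salt, iterations=4096):
    """Salt-dependent stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96.

    RFC 3962 computes key = DK(PBKDF2-HMAC-SHA1(password, salt, iterations, 32),
    "kerberos").  The DK step needs AES and is omitted here; the PBKDF2 output
    alone is enough to show that two salts lead to two different keys.
    RFC 3962 Appendix B vector: password "password", salt "ATHENA.MIT.EDUraeburn",
    1 iteration -> cdedb5281bb2f801565a1122b2563515 0ad1f7a04bb9f3a333ecc0e2e1f70837
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def keys_differ(password, salt_a, salt_b):
    """True when the same password yields different key material under the two salts."""
    return aes256_pbkdf2_stage(password, salt_a) != aes256_pbkdf2_stage(password, salt_b)


if __name__ == "__main__":
    # Constructed accounts: the same sAMAccountName with and without a UPN.
    no_upn = ad_default_salt(REALM, "markus")
    with_upn = ad_default_salt(REALM, "markus", "markus.moeller@samba.home")
    host = ad_default_salt(REALM, "WS01$", machine=True)
    print("user, no UPN :", no_upn)
    print("user, UPN    :", with_upn)
    print("machine      :", host)
    # A keytab written with the DOMAINuser salt cannot authenticate against a
    # KDC that salted the stored key with the UPN-derived string.
    print("keys differ  :", keys_differ("hunter2", no_upn, with_upn))
```

The practical consequence for the thread's problem: when ktutil addent is given only the principal name, it salts with what it assumes, and a KDC that used the UPN-derived salt will reject the resulting keytab. The authoritative salt is the one the KDC announces in the PA-ETYPE-INFO2 pre-authentication data of its preauthentication-required KRB-ERROR, which is what kinit consults when it prompts for a password; comparing that value with the salt a keytab was built with is the quickest way to confirm a salt mismatch before suspecting the password or enctype.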