Creating a keytab for an AD user
mark at mproehl.net
Mon Sep 24 04:04:38 EDT 2018
msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:
Salting differs for machine accounts and user accounts. For user
accounts it turned out to be a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.
What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?
On 09/23/2018 05:05 PM, Markus Moeller wrote:
> Hi Development Team,
> Are you aware of a change in the salt of AD users?
> I could do the following for AD in the past and can still do it for a Samba server:
> ktutil: addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
> Password for markus at SAMBA.HOME:
> ktutil: wkt markus.keytab
> ktutil: exit
> #kinit -kt markus.keytab markus
> klist -e
> Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
> Default principal: markus at SAMBA.HOME
> Valid starting Expires Service principal
> 23/09/18 15:56:34 24/09/18 01:56:34 krbtgt/SAMBA.HOME at SAMBA.HOME
> renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser, but DOMAINfullname.
> Is that a known change (i.e. which AD attribute is used instead of the user id) and can ktutil addent get an option to set the salt?
> Thank you
> krbdev mailing list krbdev at mit.edu
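The two salt conventions this thread is about, as an added example (not code from the thread, msktutil or MIT Kerberos): the default salt that MIT ktutil's "addent -password" assumes, and the salt an AD KDC uses for the same account. The UPN-user-part rule and the computer-account form are taken from MS-KILE and Samba's implementation rather than from the mail above, and the PBKDF2 step is only the first half of RFC 3962 string-to-key (the final DK step needs AES and is left out), but a mismatch there already means the keytab key can never match the KDC's.

```python
import hashlib


def mit_default_salt(principal: str) -> str:
    """Default salt (RFC 4120): realm followed by the principal's name
    components with no separator. This is what ktutil uses when no
    salt is given, i.e. the DOMAINuser form from the mail."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def ad_salt(realm: str, sam_account_name: str, upn: str = "") -> str:
    """Salt an AD KDC uses for an account's AES keys.

    - computer accounts (sAMAccountName ends in '$'):
      REALM + 'host' + lowercase hostname + '.' + lowercase realm
    - users with a userPrincipalName: REALM + user part of the UPN
    - users without one: REALM + sAMAccountName (case preserved)
    Assumption: these rules follow MS-KILE 3.1.1.2 / Samba, not the thread.
    """
    realm_upper = realm.upper()
    if sam_account_name.endswith("$"):
        host = sam_account_name[:-1].lower()
        return f"{realm_upper}host{host}.{realm.lower()}"
    if upn:
        return realm_upper + upn.split("@", 1)[0]
    return realm_upper + sam_account_name


def aes256_tkey(password: str, salt: str, iterations: int = 4096) -> bytes:
    """First step of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt, 32 bytes out.
    The real key is DK(tkey, "kerberos"), which needs AES and is omitted."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, 32
    )


def keytab_matches_kdc(password: str, principal: str, realm: str,
                       sam_account_name: str, upn: str = "") -> bool:
    """True only when ktutil's default salt equals the AD salt, which is
    the condition under which 'kinit -kt' with that keytab can succeed."""
    return aes256_tkey(password, mit_default_salt(principal)) == \
        aes256_tkey(password, ad_salt(realm, sam_account_name, upn))


if __name__ == "__main__":
    # constructed sample: same account, with and without a UPN
    print(mit_default_salt("markus@SAMBA.HOME"))
    print(ad_salt("samba.home", "markus"))
    print(ad_salt("samba.home", "markus", "markus.moeller@samba.home"))
```

With the constructed UPN above the two salts differ, so the keytab built by ktutil cannot match the key the KDC derives; without a UPN they coincide.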