Creating a keytab for an AD user

Markus Moeller huaraz at moeller.plus.com
Mon Sep 24 19:42:42 EDT 2018


Hi Greg,

   I have used msktutil for some time but only for computer accounts. And 
looking again at the package I noticed the comment about the salt.

The salt of machine accounts:
  realm_name+"host"+samAccountName_nodollar+"."+lower_realm_name
(Note: samaccountname_nodollar is lower case for machine accounts)
(Note: only for DES/AES; arcfour-hmac-md5 doesn't use salts at all)

Salt for service accounts is created in a different way:
- if userPrincipalName is not set:
  realm_name+samAccountName
  (Note: samAccountName is case sensitive for service accounts)
- if userPrincipalName is set:
  realm_name + first component from userPrincipalName


I think when I last tried it was with arcfour, i.e. no salt. Now with aes I 
run into the issue of a userPrincipalName set to the email address.


Thank you
Markus
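
As an added example, not code from this thread or from msktutil: the salt rules quoted above in Python, compared with the default salt MIT ktutil addent derives from the principal name when no -salt is given. The realm and account names are constructed.

```python
# Added example, not code from this thread or from msktutil: derives the salt
# strings the quoted msktutil comment describes for AD computer and user
# accounts, and compares them with the default salt MIT ktutil addent uses
# when no -salt option is given. Realm and account names are constructed.
from typing import Optional


def machine_salt(realm: str, sam_account_name: str) -> str:
    """Computer account: REALM + "host" + samAccountName (no '$', lower case)
    + "." + realm in lower case. Applies to DES/AES keys only; RC4 has no salt."""
    name = sam_account_name.rstrip("$").lower()
    return f"{realm}host{name}.{realm.lower()}"


def user_salt(realm: str, sam_account_name: str, upn: Optional[str] = None) -> str:
    """User/service account: REALM + first component of userPrincipalName if
    one is set, otherwise REALM + samAccountName (case preserved)."""
    if upn:
        return realm + upn.split("@", 1)[0]
    return realm + sam_account_name


def mit_default_salt(principal: str) -> str:
    """Default MIT salt (what ktutil addent uses without -salt): the realm
    followed by the principal's name components concatenated, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def salt_mismatch(principal: str, ad_salt: str) -> Optional[str]:
    """Return the -salt value to hand to ktutil addent when AD's salt differs
    from the MIT default for this principal, or None if they already agree."""
    return None if mit_default_salt(principal) == ad_salt else ad_salt


if __name__ == "__main__":
    realm = "EXAMPLE.COM"  # constructed sample realm
    cases = [
        ("host/ws01.example.com@EXAMPLE.COM", machine_salt(realm, "WS01$")),
        # service account without a UPN: samAccountName case is significant
        ("svc_http@EXAMPLE.COM", user_salt(realm, "svc_http")),
        # UPN set to a mail address, as in the thread: salt uses its local part
        ("svc_http@EXAMPLE.COM", user_salt(realm, "svc_http", "svc.http@example.com")),
    ]
    for principal, ad_salt in cases:
        need = salt_mismatch(principal, ad_salt)
        print(f"{principal}: AD salt {ad_salt!r}; "
              f"{'-salt ' + need if need else 'default salt matches'}")
```

Computer accounts and users without a userPrincipalName come out equal to the MIT default, which is why they work without -salt; only the mail-address UPN case reports a salt to pass explicitly.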

-----Original Message----- 
From: Greg Hudson
Sent: Sunday, September 23, 2018 6:13 PM
To: Markus Moeller; krbdev at mit.edu
Subject: Re: Creating a keytab for an AD user

On 09/23/2018 11:05 AM, Markus Moeller wrote:
>    Is that a known change (i.e. which AD attribute is used instead of the 
> user id) and can ktutil addent get an option to set the salt?

I do not know if Active Directory changed.  On the MIT krb5 side, we
added a -salt option to ktutil addent in release 1.16.  We also have an
unfinished feature to fetch the salt from the KDC; I can't say if and
when that work will be completed.

There is also a popular third-party tool called msktutil which may be
easier to use for this operation.

In the future, please use kerberos at mit.edu for operational questions
like this, not the development list.
