I expect this is probably a known issue, though I can't really find any definitive source:
I am integrating with an AD domain. If using RC4 encryption I am able to generate a keytab file using either Windows' ktpass or ktutil on the Linux side (assuming the account's password is known). However, when using AES, the keytab generated using ktutil appears to contain the wrong key. My guess is that ktutil is using an improper salt (or none at all).

According to MS-KILE section 3.1.1.2, when creating a key for a computer account the following salt is used:

    Computer accounts: < DNS name of the realm, converted to upper case > | "host" | < computer name, converted to lower case with trailing "$" stripped off > | "." | < DNS name of the realm, converted to lower case >

The document is worded poorly, as it can be interpreted that this salt is used for all enctypes, but I believe that only AES is salted in this way, and based on my testing RC4 doesn't get salted. This would make sense: ktutil can properly generate a compatible RC4 key if no salt is required, but fails for the AES key. I see no way to feed ktutil a salt when generating the key.

Is there another supported method to create keytabs using the Kerberos tools while providing a salt? I don't want to resort to Samba or something similar, and I'm not sure I even can, since I actually need to support *only* AES within the AD domain (i.e. no RC4).

I have a semi-workaround: if I generate a key using ktpass I can simply take the key (without having to transfer the entire keytab) and use:

    addent -key -p principal -k kvno -e aes256-cts

and then provide the key generated on the Windows side. However, this still involves work done on the Windows system.

Can someone confirm my findings are accurate, and whether there is a better solution? I have found a tool called msktutil which I have built, and it generates keytabs properly, but I would prefer a method I know will exist with every krb5 distribution.

Thanks!
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
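The derivation described above, written out as an added example (not code from the original post or from MIT krb5): it builds the MS-KILE computer-account salt, runs the RFC 3962 string-to-key (PBKDF2-HMAC-SHA1 followed by the RFC 3961 DK step) and prints the hex key that ktutil's `addent -key ... -e aes256-cts` expects. It assumes Python with the third-party `cryptography` package; the realm, computer name and password are constructed placeholders.

```python
import hashlib
import math

# Third-party dependency (assumption: installed): pip install cryptography
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def mskile_computer_salt(realm: str, computer_name: str) -> str:
    """MS-KILE 3.1.1.2 computer-account salt: REALM (upper) | "host" |
    computer name (lower, trailing "$" stripped) | "." | realm (lower)."""
    host = computer_name.lower()
    if host.endswith("$"):
        host = host[:-1]
    return realm.upper() + "host" + host + "." + realm.lower()


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 5.1 n-fold: concatenate copies of the input, each rotated right
    13 bits more than the last, then add the nbytes chunks with end-around carry."""
    m, bits = len(data), 8 * len(data)
    value, mask = int.from_bytes(data, "big"), (1 << (8 * len(data))) - 1
    buf = b""
    for k in range(nbytes // math.gcd(m, nbytes)):  # lcm(m, nbytes) / m copies
        r = (13 * k) % bits
        buf += (((value >> r) | (value << (bits - r))) & mask).to_bytes(m, "big")
    total = sum(int.from_bytes(buf[i:i + nbytes], "big") for i in range(0, len(buf), nbytes))
    while total >> (8 * nbytes):  # one's-complement addition: fold the carry back in
        total = (total & ((1 << (8 * nbytes)) - 1)) + (total >> (8 * nbytes))
    return total.to_bytes(nbytes, "big")


def dk(key: bytes, constant: bytes, keylen: int) -> bytes:
    """RFC 3961 DK(): K1 = E(key, nfold(constant)), K2 = E(key, K1), ... cut to keylen.
    One AES-CBC-CTS block under a zero IV is a plain AES block encryption."""
    block, out = nfold(constant, 16), b""
    while len(out) < keylen:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        block = enc.update(block) + enc.finalize()
        out += block
    return out[:keylen]


def aes_string_to_key(password: str, salt: str, keylen: int = 32, iterations: int = 4096) -> bytes:
    """RFC 3962 string-to-key: PBKDF2-HMAC-SHA1(password, salt), then DK(tkey, "kerberos").
    keylen 32 -> aes256-cts-hmac-sha1-96, keylen 16 -> aes128-cts-hmac-sha1-96."""
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, keylen)
    return dk(tkey, b"kerberos", keylen)


if __name__ == "__main__":
    # Constructed placeholders, not a real domain; the hex goes to "addent -key ... -e aes256-cts".
    salt = mskile_computer_salt("EXAMPLE.COM", "WORKSTATION1$")
    print(salt, aes_string_to_key("constructed-password", salt).hex())
```

Before trusting the result, compare it with the key ktpass emits for the same account, or load it into a keytab and confirm `kinit -kt` succeeds against the domain.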
