On 08/02/2014 02:19 AM, Ben H wrote:
> The document is worded poorly as it can be interpreted that this salt is
> used for all enctypes, but I believe that only AES is salted in this way
> and based on my testing RC4 doesn't get salted.

The RC4 enctype completely ignores the salt, so it doesn't matter if ktutil picks the wrong one.

> I see no way to feed ktutil a salt when generating the key.

I think that's correct. We would like ktutil (or perhaps a successor program) to be able to make an AS request to get the actual salt from the KDC, but this hasn't been implemented. Being able to manually specify a salt could also be useful in some cases.

> I have found a tool called msktutil which I have built and it generates
> keytabs properly, I would prefer a method I know will exist with every krb5
> distribution.

I don't have personal experience generating keytabs for an AD domain. I think msktutil may be the most common way of doing it, but I'm not certain.

The salt you described from the Microsoft documentation matches the default RFC 4120 salt for a host/fqdn@REALM principal, so if you specify the principal in exactly the right form (with the correct case), I would expect ktutil to use the correct salt. So I'm not sure why it isn't working for you.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
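The salt behaviour discussed in this thread, as an added example (not part of the original messages, and not code from MIT krb5): it builds the RFC 4120 default salt for a principal and shows that a case difference in the principal changes the salt, and therefore the PBKDF2 stage of the RFC 3962 AES string-to-key. The principals and password are constructed, the function names are hypothetical, and the final DK step that produces the actual AES key is omitted.

```python
import hashlib


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by the name components,
    in order, with no separators."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected a principal of the form name@REALM")
    # Assumption: no escaped '/' or '@' inside the components.
    return (realm + "".join(name.split("/"))).encode("utf-8")


def aes_pbkdf2_stage(password: str, salt: bytes,
                     keylen: int = 32, iterations: int = 4096) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over
    the password and salt (4096 is the RFC's default iteration count).
    The real key is DK(this value, "kerberos"), which needs AES and is
    left out here, so this output is NOT a keytab key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)


def compare(password: str, principal_a: str, principal_b: str) -> dict:
    """Report whether two spellings of a principal give the same salt and
    the same salted AES intermediate value."""
    salt_a, salt_b = default_salt(principal_a), default_salt(principal_b)
    return {
        "salt_a": salt_a,
        "salt_b": salt_b,
        "same_salt": salt_a == salt_b,
        "same_aes_stage": aes_pbkdf2_stage(password, salt_a)
        == aes_pbkdf2_stage(password, salt_b),
    }


if __name__ == "__main__":
    # Constructed sample values: same host, differing only in letter case.
    result = compare("constructed-password",
                     "host/web01.example.com@EXAMPLE.COM",
                     "host/Web01.example.com@EXAMPLE.COM")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Because RC4 string-to-key takes no salt at all, the same case difference has no effect on an RC4 key, which is why a keytab can work for RC4 and fail for AES.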
