I would like to improve some parts of msktutil
(https://code.google.com/p/msktutil/) and need a way to get information
about salt and principal's kvno via KDC requests. Do the MIT krb5
libraries provide functions for this?
Some background information:
The problem with the salt is currently being discussed on this list
("ktutil - problems generating AES keys (salt?)").
In the current version msktutil is getting the kvno via LDAP search
(attribute msds-keyversionnumber). This leads to problems when AD
replication is slow. Network sniffs performed after password changes
show that AS-REP messages already contain the principal's new kvno (in
the client part) while its LDAP attribute msds-keyversionnumber still
has the old value.
MIT's kvno utility only determines the kvno for service principals by
getting a service ticket and printing its kvno. I am looking for a way
to do this for client principals by analysing the client part of AS-REP.
--
Mark Pröhl
[email protected]
www.kerberos-buch.de
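
Added example, not part of the original message and not MIT krb5 or msktutil code: RFC 4120 gives EncryptedData an optional kvno field, and an AS-REP carries two of them, one in enc-part (encrypted under the client's key) and one inside the ticket (encrypted under the krbtgt key). The sketch below reads both from raw DER bytes, such as a reply taken from a capture; all helper names are hypothetical and the sample message is built inline from constructed values.

```python
# Added example; realm, principal names and cipher bytes are constructed.
def tlv(tag, body):                      # DER encoder, used only for the sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
def ctx(n, body): return tlv(0xA0 | n, body)            # [n] EXPLICIT wrapper
def integer(n): return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def name(ntype, *parts):                                # PrincipalName
    strings = b"".join(tlv(0x1B, p) for p in parts)
    return tlv(0x30, ctx(0, integer(ntype)) + ctx(1, tlv(0x30, strings)))
def encdata(etype, kvno):                # kvno [1] is OPTIONAL in EncryptedData
    kv = ctx(1, integer(kvno)) if kvno is not None else b""
    return tlv(0x30, ctx(0, integer(etype)) + kv + ctx(2, tlv(0x04, bytes(16))))

def build_as_rep(client_kvno, tgt_kvno):
    realm = tlv(0x1B, b"EXAMPLE.TEST")
    tkt = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, realm)
              + ctx(2, name(2, b"krbtgt", b"EXAMPLE.TEST")) + ctx(3, encdata(18, tgt_kvno))))
    return tlv(0x6B, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(11)) + ctx(3, realm)
               + ctx(4, name(1, b"HOST1$")) + ctx(5, tkt) + ctx(6, encdata(18, client_kvno))))

def read_tlv(buf, pos=0):                # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(seq_tlv):                     # context tag number -> inner element
    body, out, pos = read_tlv(seq_tlv)[1], {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[tag & 0x1F] = val
    return out

def enc_kvno(encdata_tlv):               # None when the optional kvno is absent
    f = fields(encdata_tlv)
    return int.from_bytes(read_tlv(f[1])[1], "big") if 1 in f else None

def as_rep_kvnos(msg):                   # -> (client-key kvno, ticket-key kvno)
    tag, kdc_rep, _ = read_tlv(msg)
    if tag != 0x6B:                      # AS-REP is [APPLICATION 11]
        raise ValueError("not an AS-REP")
    rep = fields(kdc_rep)
    ticket = fields(read_tlv(rep[5])[1])  # unwrap the Ticket's [APPLICATION 1]
    return enc_kvno(rep[6]), enc_kvno(ticket[3])
```

Because the field is optional, a caller has to treat a None result as "kvno not sent" rather than as kvno 0.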