Discussion:
Creating a keytab for an AD user
Markus Moeller
2018-09-23 15:05:03 UTC
Hi Development Team,

Are you aware of a change in the salt of AD users?

I could do the following for AD in the past and can still do it for a Samba server:

#ktutil
ktutil: addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
Password for ***@SAMBA.HOME:
ktutil: wkt markus.keytab
ktutil: exit
#kinit -kt markus.keytab markus
#klist -e
Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
Default principal: ***@SAMBA.HOME

Valid starting Expires Service principal
23/09/18 15:56:34 24/09/18 01:56:34 krbtgt/***@SAMBA.HOME
renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser but DOMAINfullname.

Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?

Thank you
Markus




_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2018-09-23 17:13:45 UTC
Post by Markus Moeller
Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?
I do not know if Active Directory changed. On the MIT krb5 side, we
added a -salt option to ktutil addent in release 1.16. We also have an
unfinished feature to fetch the salt from the KDC; I can't say if and
when that work will be completed.

There is also a popular third-party tool called msktutil which may be
easier to use for this operation.

In the future, please use ***@mit.edu for operational questions
like this, not the development list.
Idan Freiberg
2018-09-23 19:37:27 UTC
Microsoft’s utility is called ‘ktpass’, and it fetches the salt from the KDC.
Post by Markus Moeller
Post by Markus Moeller
Is that a known change (i.e. which AD attribute is used instead of
the user id), and can ktutil addent get an option to set the salt?
I do not know if Active Directory changed. On the MIT krb5 side, we
added a -salt option to ktutil addent in release 1.16. We also have an
unfinished feature to fetch the salt from the KDC; I can't say if and
when that work will be completed.
There is also a popular third-party tool called msktutil which may be
easier to use for this operation.
like this, not the development list.
--
Idan Freiberg

GPG FP: 8108 7EC9 806E 4980 75F2 72B3 8AD3 2D04 337B 1F18
Markus Moeller
2018-09-24 23:42:42 UTC
Hi Greg,

I have used msktutil for some time but only for computer accounts. And
looking again at the package I noticed the comment about the salt.

the salt of machine accounts.
realm_name+"host"+samAccountName_nodollar+"."+lower_realm_name
(Note: samaccountname_nodollar is lower case for machine accounts)
(Note: only for DES/AES; arcfour-hmac-md5 doesn't use salts at all)

Salt for service accounts is created in a different way:
- if userPrincipalName is not set:
realm_name+samAccountName
(Note: samAccountName is case sensitive for service accounts)
- if userPrincipalName is set:
realm_name + first component from userPrincipalName


I think when I last tried it was with arcfour, i.e. no salt. Now with AES I
run into the issue of a userPrincipalName set to the email address.


Thank you
Markus

-----Original Message-----
From: Greg Hudson
Sent: Sunday, September 23, 2018 6:13 PM
To: Markus Moeller ; ***@mit.edu
Subject: Re: Creating a keytab for an AD user
Post by Markus Moeller
Is that a known change (i.e. which AD attribute is used instead of the
user id), and can ktutil addent get an option to set the salt?
I do not know if Active Directory changed. On the MIT krb5 side, we
added a -salt option to ktutil addent in release 1.16. We also have an
unfinished feature to fetch the salt from the KDC; I can't say if and
when that work will be completed.

There is also a popular third-party tool called msktutil which may be
easier to use for this operation.

In the future, please use ***@mit.edu for operational questions
like this, not the development list.


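The salt rules quoted above, written out as an added Python example (this is not code from msktutil or from anyone in the thread). The realm, account name and UPN are constructed, and the key derivation stops at the PBKDF2 stage of RFC 3962 because the final AES-based DK step needs a crypto library; a salt mismatch already shows at that stage.

```python
import hashlib


def ad_salt(realm, sam_account_name, user_principal_name=None, machine=False):
    """Salt string AD uses for DES/AES string-to-key, per the msktutil notes.

    Machine accounts: REALM + "host" + samAccountName without "$" (lowercased)
                      + "." + realm lowercased
    User accounts:    REALM + samAccountName          (no userPrincipalName set)
                      REALM + first UPN component     (userPrincipalName set)
    arcfour-hmac-md5 is unsalted, so none of this applies to RC4 keys.
    """
    if machine:
        short = sam_account_name.rstrip("$").lower()
        return f"{realm}host{short}.{realm.lower()}"
    if user_principal_name:
        return realm + user_principal_name.split("@", 1)[0]
    return realm + sam_account_name  # case-sensitive for user accounts


def mit_default_salt(realm, principal):
    """Default salt ktutil addent uses without -salt: the realm followed by the
    principal's name components with no separator (RFC 4120 default)."""
    return realm + "".join(principal.split("@", 1)[0].split("/"))


def aes_pbkdf2_stage(password, salt, iterations=4096, key_len=32):
    """First stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt, 4096 iterations.
    The final DK(tkey, "kerberos") step needs AES and is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def keytab_matches_ad(password, realm, sam, upn=None):
    """True if a ktutil default-salt keytab derives the same key AD holds."""
    local = aes_pbkdf2_stage(password, mit_default_salt(realm, sam))
    remote = aes_pbkdf2_stage(password, ad_salt(realm, sam, upn))
    return local == remote


if __name__ == "__main__":
    # Constructed values; the thread's real realm and user are anonymised.
    realm, sam, upn = "EXAMPLE.HOME", "markus", "markus.moeller@example.home"
    print("no UPN  :", keytab_matches_ad("S3cret!", realm, sam))       # True
    print("with UPN:", keytab_matches_ad("S3cret!", realm, sam, upn))  # False
```

With the UPN set, the AD salt becomes "EXAMPLE.HOMEmarkus.moeller" while ktutil's default is "EXAMPLE.HOMEmarkus", which is why kinit against the keytab fails unless the salt is passed explicitly (ktutil addent -salt in 1.16 or later).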
Mark Pröhl
2018-09-24 08:04:38 UTC
Hi,

msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:

https://github.com/msktutil/msktutil/blob/master/windows-salt.txt

Salting differs for machine accounts and user accounts. For user
accounts it turned out to make a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.

What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?

A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?

Regards,

Mark Pröhl
Post by Markus Moeller
Hi Development Team,
Are you aware of a change in the salt of AD users?
#ktutil
ktutil: addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
ktutil: wkt markus.keytab
ktutil: exit
#kinit -kt markus.keytab markus
#
klist -e
Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
Valid starting Expires Service principal
renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser but DOMAINfullname.
Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?
Thank you
Markus
Greg Hudson
2018-09-24 14:43:17 UTC
Post by Mark Pröhl
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?
We do not. Now that I have read windows-salt.txt, I will dust off
https://github.com/krb5/krb5/pull/670 and revise and integrate it
(soonish), so it should appear in 1.17.

As part of the revisions, I had been planning on renaming the new API to
krb5_get_etype_info(). Please let me know if you think any other
changes are needed for msktutil's purposes.
Isaac Boukris
2018-09-27 04:13:37 UTC
Post by Greg Hudson
Post by Mark Pröhl
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?
We do not. Now that I have read windows-salt.txt, I will dust off
https://github.com/krb5/krb5/pull/670 and revise and integrate it
(soonish), so it should appear in 1.17.
Just wanted to comment that from my experience this neat feature would
be of a great help to many developers and users.

Thanks!
