Creating a keytab for an AD user

Creating a keytab for an AD user

Markus Moeller
Hi Development Team,

    Are you aware of a change in the salt of AD users?

    I could do the following for AD in the past and can still do it for a Samba server:

#ktutil
ktutil:  addent -password -p markus -k 1 -e aes256-cts-hmac-sha1-96
Password for [hidden email]:
ktutil:  wkt markus.keytab
ktutil:  exit
#kinit -kt markus.keytab markus
#klist -e
Ticket cache: DIR::/run/user/1000/krb5cc/tktxfHebc
Default principal: [hidden email]

Valid starting     Expires            Service principal
23/09/18 15:56:34  24/09/18 01:56:34  krbtgt/[hidden email]
        renew until 24/09/18 15:56:34, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


  But when I try to perform the same against AD 2012 it fails, and when I look at the details I see the salt is not what I expect, i.e. it is not DOMAINuser but DOMAINfullname.

  Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?

Thank you
Markus




_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: Creating a keytab for an AD user

Greg Hudson
On 09/23/2018 11:05 AM, Markus Moeller wrote:
>    Is that a known change (i.e. which AD attribute is used instead of the user id), and can ktutil addent get an option to set the salt?

I do not know if Active Directory changed.  On the MIT krb5 side, we
added a -salt option to ktutil addent in release 1.16.  We also have an
unfinished feature to fetch the salt from the KDC; I can't say if and
when that work will be completed.

There is also a popular third-party tool called msktutil which may be
easier to use for this operation.

In the future, please use [hidden email] for operational questions
like this, not the development list.
Re: Creating a keytab for an AD user

Idan Freiberg
Microsoft's utility called 'ktpass' fetches the salt from the KDC.

On Sun, 23 Sep 2018 at 20:14 Greg Hudson <[hidden email]> wrote:

> I do not know if Active Directory changed.  On the MIT krb5 side, we
> added a -salt option to ktutil addent in release 1.16.  We also have an
> unfinished feature to fetch the salt from the KDC; I can't say if and
> when that work will be completed.
--
Idan Freiberg

GPG FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18
Re: Creating a keytab for an AD user

Mark Pröhl
In reply to this post by Markus Moeller
Hi,

msktutil is a tool for managing keytabs in Active Directory. I started
documenting my knowledge of AD's salting mechanism plus some thoughts here:

https://github.com/msktutil/msktutil/blob/master/windows-salt.txt

Salting differs for machine accounts and user accounts. For user
accounts it turned out to make a difference whether they have a
userPrincipalName attribute or not. According to your mail, there could
be more distinctions, e.g. the version of your AD environment (2008/R2,
2012/R2, 2016 or Samba) and maybe others.

What are the versions of AD that use "DOMAINuser" and "DOMAINfulluser"?
       
A question to the developers of MIT Kerberos: is there an API in libkrb5
to get the salt string from a KDC reply?

Regards,

Mark Pröhl

Re: Creating a keytab for an AD user

Greg Hudson
On 09/24/2018 04:04 AM, Mark Pröhl wrote:
> A question to the developers of MIT Kerberos: is there an API in libkrb5
> to get the salt string from a KDC reply?

We do not.  Now that I have read windows-salt.txt, I will dust off
https://github.com/krb5/krb5/pull/670 and revise and integrate it
(soonish), so it should appear in 1.17.

As part of the revisions, I had been planning on renaming the new API to
krb5_get_etype_info().  Please let me know if you think any other
changes are needed for msktutil's purposes.
Re: Creating a keytab for an AD user

Markus Moeller
In reply to this post by Greg Hudson
Hi Greg,

   I have used msktutil for some time but only for computer accounts. And
looking again at the package I noticed the comment about the salt.

The salt of machine accounts:
  realm_name+"host"+samAccountName_nodollar+"."+lower_realm_name
(Note: samAccountName_nodollar is lower case for machine accounts)
(Note: only for DES/AES; arcfour-hmac-md5 doesn't use salts at all)

Salt for service accounts is created in a different way:
- if userPrincipalName is not set:
  realm_name+samAccountName
  (Note: samAccountName is case sensitive for service accounts)
- if userPrincipalName is set:
  realm_name + first component from userPrincipalName


I think when I last tried it was with arcfour, i.e. no salt. Now with AES I
run into the issue of a userPrincipalName set to the email address.


Thank you
Markus

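To make the salt rules above concrete, here is an added example in Go; it is not code from the thread, from msktutil or from MIT krb5. It builds the salt strings from the machine-account and user-account rules quoted from windows-salt.txt, adds the MIT default that ktutil addent uses when no salt is given (realm followed by the principal name components), and runs the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96 over each, so you can see that the same password yields different keys once the salts diverge. PBKDF2-HMAC-SHA1 is written out inline to stay within the standard library, and the 128-bit n-fold of "kerberos" is taken as the constant given in RFC 3961 Appendix A.1. The realm EXAMPLE.COM, the account names, the UPN markus.moeller@example.com and the password are made-up values.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// RFC 3962 default PBKDF2 iteration count for aes*-cts-hmac-sha1-96.
const defaultIterations = 4096

// 128-fold("kerberos") from RFC 3961 Appendix A.1, the constant fed to DK().
var kerberosFold = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// adUserSalt applies the user-account rule quoted from windows-salt.txt:
// realm + sAMAccountName (case preserved) when no userPrincipalName is set,
// otherwise realm + the part of userPrincipalName before the '@'.
// With upn == "" this is also the MIT default salt for user@REALM.
func adUserSalt(realm, samAccountName, upn string) string {
	if upn == "" {
		return realm + samAccountName
	}
	return realm + strings.SplitN(upn, "@", 2)[0]
}

// adMachineSalt applies the machine-account rule quoted from windows-salt.txt:
// realm + "host" + lowercase sAMAccountName without '$' + "." + lowercase realm.
func adMachineSalt(realm, samAccountName string) string {
	host := strings.ToLower(strings.TrimSuffix(samAccountName, "$"))
	return realm + "host" + host + "." + strings.ToLower(realm)
}

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), inlined to avoid x/crypto.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var ctr [4]byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1}); T = U_1 xor ... xor U_c
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is DK(base, "kerberos") per RFC 3961 section 5.1 as used by RFC
// 3962: AES-encrypt the n-folded constant under the base key and feed each
// output block back in until len(base) bytes exist. For AES random-to-key
// is the identity, so the DR output is the final key.
func deriveKey(base []byte) []byte {
	c, err := aes.NewCipher(base)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, len(base))
	in := kerberosFold
	for len(out) < len(base) {
		blk := make([]byte, aes.BlockSize)
		c.Encrypt(blk, in)
		out = append(out, blk...)
		in = blk
	}
	return out[:len(base)]
}

// stringToKeyAES is the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
// UTF-8 password and salt, then DK with "kerberos". keyLen is 16 for
// aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96.
func stringToKeyAES(password, salt string, keyLen, iterations int) []byte {
	return deriveKey(pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen))
}

func main() {
	// Constructed values for illustration only; none come from the thread.
	realm, sam, upn, password := "EXAMPLE.COM", "markus", "markus.moeller@example.com", "hunter2"

	ktutilSalt := adUserSalt(realm, sam, "") // what ktutil addent assumes
	adSalt := adUserSalt(realm, sam, upn)    // what AD used, since a UPN is set

	k1 := stringToKeyAES(password, ktutilSalt, 32, defaultIterations)
	k2 := stringToKeyAES(password, adSalt, 32, defaultIterations)
	fmt.Printf("ktutil salt %q -> %s\n", ktutilSalt, hex.EncodeToString(k1))
	fmt.Printf("AD salt     %q -> %s\n", adSalt, hex.EncodeToString(k2))
	fmt.Println("keys match:", hex.EncodeToString(k1) == hex.EncodeToString(k2))
	fmt.Printf("machine salt for HOST01$: %q\n", adMachineSalt(realm, "HOST01$"))
}
```

Run it and the two keys differ, which is why a keytab written with the default salt cannot authenticate against a KDC that derived the account's key with the UPN-based one. The -salt option Greg mentions is spelled `-s salt` on ktutil's addent command, so the AD salt computed here can be passed through directly once you know the account's userPrincipalName.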
Re: Creating a keytab for an AD user

Isaac Boukris
In reply to this post by Greg Hudson
On Mon, Sep 24, 2018 at 8:13 PM, Greg Hudson <[hidden email]> wrote:
> On 09/24/2018 04:04 AM, Mark Pröhl wrote:
>> A question to the developers of MIT Kerberos: is there an API in libkrb5
>> to get the salt string from a KDC reply?
>
> We do not.  Now that I have read windows-salt.txt, I will dust off
> https://github.com/krb5/krb5/pull/670 and revise and integrate it
> (soonish), so it should appear in 1.17.


Just wanted to comment that from my experience this neat feature would
be of a great help to many developers and users.

Thanks!
