[36338] in Kerberos
querying salt and kvno via KDC-REQ
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Sun Aug 3 13:03:45 2014
Message-ID: <53DE6B63.3020307@mproehl.net>
Date: Sun, 03 Aug 2014 19:03:31 +0200
From: Mark Pröhl <mark@mproehl.net>
To: kerberos@mit.edu

I would like to improve some parts of msktutil
(https://code.google.com/p/msktutil/) and need a way to get information
about salt and principal's kvno via KDC requests. Do the MIT krb5
libraries provide functions for this?

Some background information:

The problem with the salt is currently being discussed on this list
("ktutil - problems generating AES keys (salt?)").

In the current version msktutil is getting the kvno via LDAP search
(attribute msds-keyversionnumber). This leads to problems when AD
replication is slow. Network sniffs performed after password changes
show that AS-REP messages already contain the principal's new kvno (in
the client part) while its LDAP attribute msds-keyversionnumber still
has the old value.

MIT's kvno utility only determines the kvno for service principals by
getting a service ticket and printing its kvno. I am looking for a way
to do this for client principals by analysing the client part of AS-REP.
--
Mark Pröhl
mark@mproehl.net
www.kerberos-buch.de
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
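
The AS-REP field the message refers to, as an added example that is not part of the original post and is not msktutil or MIT krb5 code: a minimal DER walk that reads etype and the optional kvno from the reply, assuming "client part" means the KDC-REP enc-part [6] EncryptedData of RFC 4120. All function names are hypothetical, and the sample message is constructed (cname [4] and ticket [5] left out, cipher a placeholder).

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(seq_value):
    """Map context tag number [n] -> wrapped element, for the body of a SEQUENCE."""
    out, pos = {}, 0
    while pos < len(seq_value):
        tag, inner, pos = read_tlv(seq_value, pos)
        out[tag & 0x1F] = inner
    return out

def der_int(element):
    tag, value, _ = read_tlv(element)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(value, "big", signed=True)

def as_rep_key_info(raw):
    """Return (etype, kvno) from enc-part; kvno is None when the field is absent."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x6B:                         # [APPLICATION 11] = AS-REP
        raise ValueError("not an AS-REP")
    kdc_rep = fields(read_tlv(body)[1])     # KDC-REP SEQUENCE
    enc = fields(read_tlv(kdc_rep[6])[1])   # enc-part [6] EncryptedData
    return der_int(enc[0]), (der_int(enc[1]) if 1 in enc else None)

def tlv(tag, value):  # short-form DER length only; enough for the small sample
    return bytes([tag, len(value)]) + value

def sample_as_rep(kvno=None):
    """Constructed sample, not a capture: etype 18, optional kvno, dummy cipher."""
    enc = tlv(0xA0, tlv(0x02, b"\x12"))
    if kvno is not None:
        enc += tlv(0xA1, tlv(0x02, kvno.to_bytes(kvno.bit_length() // 8 + 1, "big")))
    enc += tlv(0xA2, tlv(0x04, b"\x00" * 8))
    body = (tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0b"))
            + tlv(0xA3, tlv(0x1B, b"EXAMPLE.COM")) + tlv(0xA6, tlv(0x30, enc)))
    return tlv(0x6B, tlv(0x30, body))
```

The kvno is read from the unencrypted EncryptedData header, so no client key is needed; because the field is OPTIONAL, callers have to handle `None`.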