[cifs-protocol] RE: 600634 - RE: salt used for various
principal types
Hongwei Sun
hongweis at microsoft.com
Mon Sep 15 20:54:59 GMT 2008
Andrew,
We completed the document change regarding the key salt calculation for realm trust. The change will appear in the future release of 3.3.1 [MS-KILE] as follows.
3.3 KDC Details
3.3.1 Abstract Data Model
KILE concatenates the following information to use as the key salt for realm trusts:
Inbound trusts: <all upper case name of the remote realm> | "krbtgt" | <all upper case name of the local realm>
Outbound trusts: <all upper case name of the local realm> | "krbtgt" | <all upper case name of the remote realm>
Please let us know if you need further clarification on this subject.
Thanks
----------------------------------------------------------
Hongwei Sun - Sr. Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis at microsoft.com
Tel: 469-7757027 x 57027
-----------------------------------------------------------
-----Original Message-----
From: cifs-protocol-bounces+hongweis=microsoft.com at cifs.org [mailto:cifs-protocol-bounces+hongweis=microsoft.com at cifs.org] On Behalf Of Andrew Bartlett
Sent: Tuesday, August 26, 2008 5:07 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: [cifs-protocol] RE: 600634 - RE: salt used for various principal types
On Tue, 2008-08-26 at 08:37 -0700, Richard Guthrie wrote:
> Andrew
>
> Microsoft does use different methods of calculating the salt value
> used in encryption depending on the type account that is submitted to
> the salt calculation implementation. For example, in the case of
> interdomain trust accounts, "krbtgt" is appended. In the case of
> machine accounts, "host" is appended to the start of the salt value.
>
> Implementers are free to implement a salt algorithm of their choice, without affecting interoperability.
This would be true, but this applies only to objects of the type normally found under cn=users. The salt to use for a password stored in trustAuthIncoming/trustAuthOutgoing must be specified in the docs. It is not possible to negotiate an alternate salt for the AES or DES keys of interdomain trusts in Kerberos.
In any case, the salts as you describe should be included in a discussion of the Microsoft KDC.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the cifs-protocol
mailing list