[cifs-protocol] RE: 600634 - RE: salt used for various principal types

Andrew Bartlett abartlet at samba.org
Tue Aug 26 22:07:26 GMT 2008


On Tue, 2008-08-26 at 08:37 -0700, Richard Guthrie wrote:
> Andrew
> 
> Microsoft does use different methods of calculating the salt value
> used in encryption depending on the type of account that is submitted to
> the salt calculation implementation.  For example, in the case of
> interdomain trust accounts, "krbtgt" is appended.  In the case of
> machine accounts, "host" is appended to the start of the salt value.
> 
> Implementers are free to implement a salt algorithm of their choice, without affecting interoperability.  

This would be true, but this applies only to objects of the type
normally found under cn=users.  The salt to use for a password stored in
trustAuthIncoming/trustAuthOutgoing must be specified in the docs.  It
is not possible to negotiate an alternate salt for the AES or DES keys
of interdomain trusts in Kerberos. 

In any case, the salts as you describe should be included in a
discussion of the Microsoft KDC.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
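As an added illustration of the point in this exchange (example code written here, not code from the thread, Microsoft or Samba): the salt string depends on the account type, and because the salt feeds the Kerberos string-to-key function, two implementations that classify a trust account differently derive different AES keys with no way to negotiate around it. The thread only states that trust accounts get "krbtgt" added and machine accounts get "host" prepended; the exact composition used below (upper-case realm prefix, trailing "$" stripped, lower-cased host name with realm suffix, upper-cased trust name) is an assumption for this example.

```python
import hashlib


def kerberos_salt(realm: str, sam_account_name: str, account_type: str) -> str:
    """Build the string-to-key salt for one of the account types discussed in the thread.

    Rules stated in the thread: trust accounts get "krbtgt" added, machine accounts get
    "host" prepended.  Everything else (upper-case realm prefix, "$" stripping, case
    handling, realm suffix for hosts) is an assumption made for this example.
    """
    upper_realm = realm.upper()
    name = sam_account_name.rstrip("$")
    if account_type == "user":
        return upper_realm + name
    if account_type == "machine":
        # host/<name>.<realm> style salt, host part lower-cased (assumed)
        return upper_realm + "host" + name.lower() + "." + realm.lower()
    if account_type == "trust":
        # krbtgt/<TRUSTED-DOMAIN> style salt, name upper-cased (assumed)
        return upper_realm + "krbtgt" + name.upper()
    raise ValueError(f"unknown account type: {account_type}")


def aes_s2k_pbkdf2(password: str, salt: str, key_len: int = 16, iterations: int = 4096) -> bytes:
    """First step of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8
    password and salt.  The following DK() step (which needs AES) is omitted; it is a
    deterministic function of this output, so a salt mismatch here is a key mismatch."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=key_len
    )


def keys_agree(password: str, realm: str, name: str, type_a: str, type_b: str) -> bool:
    """Would two sides that classify the same account as type_a and type_b share a key?"""
    key_a = aes_s2k_pbkdf2(password, kerberos_salt(realm, name, type_a))
    key_b = aes_s2k_pbkdf2(password, kerberos_salt(realm, name, type_b))
    return key_a == key_b


if __name__ == "__main__":
    # Constructed sample values; "CORP$" stands in for an interdomain trust account.
    for kind in ("user", "machine", "trust"):
        print(kind, kerberos_salt("example.com", "CORP$", kind))
    print("trust vs user key match:", keys_agree("pw", "example.com", "CORP$", "trust", "user"))
```

The last line shows why the salt for trustAuthIncoming/trustAuthOutgoing passwords has to be documented rather than left to implementer choice: a KDC salting the trust password as a plain user account cannot decrypt tickets from one that salts it as a trust account.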