Summary of DES salt for 2000 & 2003

Gerald (Jerry) Carter jerry at
Fri Jul 7 17:07:55 GMT 2006

Hash: SHA1

On Fri, 7 Jul 2006, Dave Daugherty wrote:

> To coerce Windows KDC...
> You either don't supply preauth data up front (at which time Windows 
> will send back the salt along with a PREAUTH REQUIRED error - which can 
> then be used to generate the preauth data, and is available to return to 
> the application), or by supply enctype RC4-HMAC as the primary and DES 
> variants as secondary encs.  In this case, if the DES bit is set on the 
> computer account, the Windows KDC will reject the RC4-HMAC preauth but 
> will tell you the enctypes it supports along with the salt.

I agree this is the optiomal way but we have to deal with
preexisting krb5 libs.  So I don't see a way around the current methods.
At least we don't have to guess so much anymore.

cheers, jerry
Samba                                    -------
Centeris                         -----------
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see


More information about the samba-technical mailing list