ktexport - Export Kerberos Keys from Active Directory

Michael B Allen mba2000 at ioplex.com
Wed May 3 17:01:03 GMT 2006

On Wed, 03 May 2006 07:14:31 +0200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2006-05-02 at 21:27 -0400, Michael B Allen wrote:
> > I have modified pwdump2 [1] to export a "standard" kerberos keytab
> > file. This utility is called ktexport and you can download it here:
> > 
> >   http://www.ioplex.com/utilities/
> > 
> > README.ktexport is inlined below but I just want to stress that currently
> > the key is the only data within each entry that is actually correct. The
> > vno and so on are default values that are almost certainly wrong. However,
> > it turns out that Ethereal doesn't care. So the generated sam.keytab
> > can be used with Ethereal to decrypt Kerberos tickets. Yeah!
> The other similar utility is samba4's 'net samdump keytab'.  This does
> the same thing, for the same purpose, but remotely.  You must join the
> domain as a BDC first (net join bdc <domain>).

Actually one glaring deficiency in ktexport is that, aside from the keys,
the data is wrong. It would be nice if I could extract the correct SPN
and kvno. Would you happen to know the info levels and corresponding
calls to retrieve that info?


More information about the samba-technical mailing list