ktexport - Export Kerberos Keys from Active Directory

Andrew Bartlett abartlet at samba.org
Wed May 3 21:00:01 GMT 2006 

On Wed, 2006-05-03 at 13:01 -0400, Michael B Allen wrote:
> On Wed, 03 May 2006 07:14:31 +0200
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Tue, 2006-05-02 at 21:27 -0400, Michael B Allen wrote:
> > > I have modified pwdump2 [1] to export a "standard" kerberos keytab
> > > file. This utility is called ktexport and you can download it here:
> > > 
> > >   http://www.ioplex.com/utilities/
> > > 
> > > README.ktexport is inlined below but I just want to stress that currently
> > > the key is the only data within each entry that is actually correct. The
> > > vno and so on are default values that are almost certainly wrong. However,
> > > it turns out that Ethereal doesn't care. So the generated sam.keytab
> > > can be used with Ethereal to decrypt Kerberos tickets. Yeah!
> > 
> > The other similar utility is samba4's 'net samdump keytab'.  This does
> > the same thing, for the same purpose, but remotely.  You must join the
> > domain as a BDC first (net join bdc <domain>).
> 
> Actually one glaring deficiency in ktexport is that, aside from the keys,
> the data is wrong. It would be nice if I could extract the correct SPN
> and kvno. Would you happen to know the info levels and corresponding
> calls to retrieve that info?

The best way would be to read it with ldap.  The 'vampire' code in
Samba4 does this, and it could be added to the samdump keytab code if
there was interest.  (Currently this code is just enough for ethereal's
use)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060503/9372b999/attachment.bin

More information about the samba-technical mailing list