supplementalCredentials with aes keys?

Stefan (metze) Metzmacher metze at samba.org
Mon Feb 19 12:12:21 GMT 2007


Luke Howard wrote:
>> have you ever seen keys other than ENCTYPE_DES_CBC_CRC(1) and
>> ENCTYPE_DES_CBC_MD5(3) in the Primary:Kerberos blob?
> 
> No, because those are the only types (apart from rc4-hmac, which
> is in unicodePwd) supported.

ok, thanks!

> 
> Also when replicating non-DES keys to AD domain controllers using
> my understanding of the syntax (which may be wrong), it appeared
> that AD would have trouble parsing the attribute.

Hi Luke,

does your understanding differ much from what I have in
samba4/source/librpc/idl/drsblobs.idl as package_PrimaryKerberosBlob?

Have you tried (or could you try) to replicate a PrimaryKerberos blob
with a 3rd key to a Windows server? Or just replicate one key
and see if Windows likes this?

see samba4/source/dsdb/samdb/ldb_modules/password_hash.c
setup_primary_kerberos() after lp_parm_bool(-1, "password_hash",
"create_aes_key", false), how I would add a 3rd key.

metze