> On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> > add_entry -password -p osipo...@comapny.net -k 1 -e aes256-cts-hmac-sha1-96
> > add_entry -password -p osipo...@comapny.net -k 1 -e aes128-cts-hmac-sha1-96
> > add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac
> [...]
> > kinit: Invalid argument while getting initial credentials
>
> Your primary problem here has to do with salts. From the trace logs you provided me, the salt string for this principal was constructed using the principal name michael.osi...@comapny.net (not the actual realm name), not osipo...@comapny.net. ktutil unfortunately has no way to specify the salt string or to retrieve it from the KDC; it can only use the default salt for the principal name when adding a keytab entry using a password. The RC4 enctype does not use the salt, so you don't encounter this problem when using only an RC4 key.
I am afraid you are right. Surprisingly, I read MS-KILE, chapter "3.1.1.2 Cryptographic Material", and it does build the salt just like MIT Kerberos does. I currently see no reason why this happens to my account. I need to mention that we have a company-wide UPN suffix and every employee has an enterprise principal in the form of <firstname>.<lastname>@company.com (same as the email address). Moreover, I will try a few other accounts and will give you notice. Unfortunately, I have no idea how Windows obtains the "custom" salt to derive the password, but would it be feasible to modify ktutil to receive a custom salt?

> I believe that people generally have better luck with msktutil for creating keytabs for use with Active Directory; it may solve this problem.

I will try that as soon as I get it compiled on FreeBSD. The port does not compile. I was able to compile it with code modifications, but unfortunately this tool does not do the same as ktutil. I cannot simply create a keytab for a user account. It constantly tries to manipulate the machine account or create a computer/service account.

> The secondary problem is that you are getting the error message "Invalid argument" instead of something more accurate, like "Password incorrect" or "Preauthentication failed." I don't know the exact cause of this problem yet, though I believe it has to do with our PKINIT code.

I guess this can be improved, can't it?

Michael

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos