Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keytab created for etype AES256/AES128 does not work with Active Directory #416

Open
dasbh opened this issue Nov 18, 2020 · 1 comment · May be fixed by #484
Open

Keytab created for etype AES256/AES128 does not work with Active Directory #416

dasbh opened this issue Nov 18, 2020 · 1 comment · May be fixed by #484

Comments

@dasbh
Copy link

dasbh commented Nov 18, 2020

Current keytab.AddEntry(..) adds salts derived from the PrincipalName. This does not work in AD for AES* since Microsoft decided to implement it differently.

To deal with the issue ktutil in Linux added additional param to specify salt in version krb5-1.16-final

Supporting a similar change in gokrb5 is a minor change (maybe an additional method or option pattern) as crypto.GetKeyFromPassword already supports salts as PADATA.

Happy to provide PR.

INFO: AD salt derivation logic

AD uses the below algorithm for deriving salt.

For computer account:

realm_name+"host"+samAccountName_nodollar+"."+lower_realm_name

(Note: samaccountname_nodollar is lower case for machine accounts)
(Note: only for DES/AES; arcfour-hmac-md5 doesn't use salts at all)

Salt for service accounts is created in a different way

  • if userPrincpalName is not set:

realm_name+samAccountName

(Note: samAccountName is case sensitive for service accounts)

  • if userPrincpalName is set:

realm_name + first component from userPrincpalName

Reference:
https://syfuhs.net/2017/07/09/on-adding-aes-support-to-kerberos-net/
http://kerberos.996246.n3.nabble.com/Creating-a-keytab-for-an-AD-user-td48559.html
http://kerberos.996246.n3.nabble.com/ktutil-problems-generating-AES-keys-salt-td41104.html
@dasbh dasbh changed the title Keytab created for etype AES256/AED128 does not work with Active Directory Keytab created for etype AES256/AES128 does not work with Active Directory Nov 18, 2020
@gaxelac0
Copy link

gaxelac0 commented Aug 9, 2022

@dasbh I'm having problems decrypting successfully emitted Kerberos tickets w/ AES256_CTS_HMAC_SHA1_96 from Active Directory, everything else works but the service that implements IWA aroung gokrb5, this may be the reason?

@rilott rilott linked a pull request Aug 25, 2022 that will close this issue
Open
@glacuesta-sa glacuesta-sa mentioned this issue Dec 5, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

support adding AES keytab entries for Active Directory rilott/gokrb5
2 participants
@dasbh @gaxelac0