
Re: using active directory keys



On Wed, 2005-01-05 at 21:59, Dave Love wrote: 
> Does anyone know if there's any possibility of extracting keys from an
> active directory and loading them into a Heimdal KDC (or even an MIT
> one)?  I couldn't find any relevant info from a web search.
> 
> The scenario is Windows pass-through login trusting Heimdal for SSO,
> and wanting to avoid resetting passwords on Windows accounts.

Aside from the dump format route, you could also use the Samba migration
route (net rpc vampire) and the fact that Heimdal will read the Samba
passwords, when in LDAP.  Again, this is only the arcfour-hmac-md5
encryption type for now, but it is a 128 bit hash.

https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

(The issue with this encryption type is lack of support in older
kerberos libs, more than anything else).

I have code that extracts more than just these keys from AD, but I've
not yet fully parsed the structure I'm given.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
