
Re: Deleting only some salt types

"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> The application is a cross-realm trust with Windows AD, and I don't
> know that this is the problem, but. . .
> Is there a way to delete specific salts within an encryption type?  I
> did a normal add for the krbtgt's with a password I can then type into
> Windows.  Then deleted all the encryption types except des-cbc-md5,
> and  changed the kvno back to 1.

No, there is no way to delete a specific salt + enctype, just enctype.

I usually change the [kdc]\ndefault_keys= line on the kdc when doing stuff
like this. 

> I still have two keys though, one with the normal pw-salt(), and
> another with an afs3 salt which I'm sure Windows hasn't a clue about.
> (Hmmm.  Should be both v4 and v5 salts as well as afs3?  Different
> issue.)

Windows does have problems with v4 salted password, I think it's fixed, but
not released yet. You really don't need to keep afs3 salted keys around,
klog also tries v4 s2k since about 10 years ago or so.

