Subject: | ktutil addent should be able to fetch etype-info2 for principal |
At the moment, ktutil addent requires you to specify the enctype and
salt (if it's not the default), and it just can't work if there are
s2kparams or a salt that can't be written as a C string on the command
line. There should be an option to fetch the etype-info2 value for
the principal from the KDC and use that.
To do this we need a new library interface, probably an extension of
the get_init_creds interfaces, to make an AS-REQ and extract the
etype-info2 from either the AS-REP or PREAUTH_REQUIRED error response.
(You also have to specify a kvno to ktutil addent. That information
is available from the KDC if it issues a ticket and includes a kvno in
the EncryptedData, but not if preauth is required for the principal or
if the KDC just doesn't include a kvno when issuing a ticket. So I
don't think it's worth the complexity of even trying to fetch it.)
salt (if it's not the default), and it just can't work if there are
s2kparams or a salt that can't be written as a C string on the command
line. There should be an option to fetch the etype-info2 value for
the principal from the KDC and use that.
To do this we need a new library interface, probably an extension of
the get_init_creds interfaces, to make an AS-REQ and extract the
etype-info2 from either the AS-REP or PREAUTH_REQUIRED error response.
(You also have to specify a kvno to ktutil addent. That information
is available from the KDC if it issues a ticket and includes a kvno in
the EncryptedData, but not if preauth is required for the principal or
if the KDC just doesn't include a kvno when issuing a ticket. So I
don't think it's worth the complexity of even trying to fetch it.)