
Kerberos



Kerberos uses only secret-key cryptography, not public-key cryptography. Protocols that use only secret-key cryptography are a lot easier to design.

Discovering KDCs

I needed a way to find KDCs for a domain. Here’s how I did it for TCP and UDP.

dig SRV _kerberos._udp.DOMAINNAME

And similarly for TCP.

dig SRV _kerberos._tcp.DOMAINNAME
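
An added example, not from the original page, that wraps the two lookups above: it parses dig +short SRV answers and orders the KDCs by SRV priority and weight. The function names and the example.test records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn SRV answers for _kerberos._udp / _kerberos._tcp into an
# ordered "proto host:port" list. Function names are hypothetical.

# Read `dig +short SRV` lines ("priority weight port target.") on stdin and
# print "priority weight proto host:port" for each well-formed record.
parse_srv() {
    proto=$1
    awk -v proto="$proto" '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            host = $4
            sub(/\.$/, "", host)        # drop the trailing root dot
            if (host == "") next        # a target of "." means "not offered"
            print $1, $2, proto, host ":" $3
        }'
}

# Lowest priority value first; within one priority, highest weight first.
# (RFC 2782 selects randomly by weight; a fixed order is a simplification.)
rank_kdcs() {
    sort -k1,1n -k2,2nr -k3,3 -k4,4 | awk '{ print $3, $4 }'
}

# Query both transports for a domain and print the ranked KDC list.
find_kdcs() {
    domain=$1
    {
        dig +short SRV "_kerberos._udp.$domain" | parse_srv udp
        dig +short SRV "_kerberos._tcp.$domain" | parse_srv tcp
    } | rank_kdcs
}

# Constructed sample answers, so the parsing can be tried without a resolver.
sample_kdcs() {
    {
        printf '%s\n' '10 50 88 kdc2.example.test.' \
                      '0 100 88 kdc1.example.test.' | parse_srv udp
        printf '%s\n' '0 100 88 kdc1.example.test.' '0 0 0 .' \
                      ';; connection timed out' | parse_srv tcp
    } | rank_kdcs
}

if [ $# -gt 0 ]; then find_kdcs "$1"; else sample_kdcs; fi
```

Run with a domain as the first argument to query live DNS; with no argument it prints the ranking for the constructed records.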

Keytab

ktutil

ktutil is a tool for creating and managing Kerberos keytab files.

add_entry {-key|-password} -p principal -k kvno [-e enctype] [-f|-s salt]

Add principal to keylist using key or password. If the -f flag is specified, salt information will be fetched from the KDC; in this case the -e flag may be omitted, or it may be supplied to force a particular enctype. If the -f flag is not specified, the -e flag must be specified, and the default salt will be used unless overridden with the -s option.

Preauthentication failed

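This error can appear when a keytab entry was built from a password with a salt that does not match the one the KDC uses, so the derived key is wrong. When adding passwords to your keytab, you might want to use the -f option to fetch the salt from the server.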

Citation

If you find this work useful, please cite it as:
@article{yaltirakli,
  title   = "Kerberos",
  author  = "Yaltirakli, Gokberk",
  journal = "gkbrk.com",
  year    = "2025",
  url     = "https://www.gkbrk.com/kerberos"
}
IEEE Citation
Gokberk Yaltirakli, "Kerberos", February, 2025. [Online]. Available: https://www.gkbrk.com/kerberos. [Accessed Feb. 09, 2025].
APA Style
Yaltirakli, G. (2025, February 09). Kerberos. https://www.gkbrk.com/kerberos
Bluebook Style
Gokberk Yaltirakli, Kerberos, GKBRK.COM (Feb. 09, 2025), https://www.gkbrk.com/kerberos


© 2025 Gokberk Yaltirakli