I would have like to comment on another question but my account is too recent / not much used.
My question is really totally the same as the original one:
How and when does ktpass set the salt?
In my case this was specifically when setting up SSO for SAP HANA database (on Linux).
A SAP Note with a detailed PDF attachment does make it possible to make things work according to which methods you use to generate the keytab, but not in all cases...
Basically, if you follow the document but generate the keytab yourself on Linux with KTUTIL command it does not work because the SALT on AD side if for the AD user not for the SPN: KTUTIL uses the SALT based on the key that you create: "hdb/FQDN_HANA_SERVER", which is wrong. I got around this using the option to specify the SALT in the "add_entry" command of KTUTIL.
As the poster from 2016 I now understand things well enough how to make SSO work: to make this work without specifying the SALT in KTUTIL I had to make AD administrators run the KTPASS on Windows side to (temporarily) update the UPN.
But the main thing that still annoys me is that a manual change to the UPN does not cause a change in the SALT used when generating a ticket via kinit. For some reason (audit I think) AD administrators do not want us to keep the UPN corresponding to the SPN (which for SAP HANA is "hdb/FQDN_HANA_SERVER").
As said in the original post: when you change the UPN manually the SALT remains the one used when you updated the UPN via KTPASS. But where is this SALT stored? Will it be valid "forever"? Clearly we do not want the SALT to suddenly change. I guess it only changes when you run KTPASS; so, probably nothing to worry about other than for understanding how things work.
Best regards, Frank Olsen
I expected that there was a clear documentation for how the SALT is stored and used in AD.