This is to match the Windows KDC behaviour, optionally.
Samba will use this mode, as Samba has tests that show
the difference and is keen for bug-for-bug/byte-for-byte
rather than strict RFC compliance where there is a
reasonable choice.
The Samba test (for reference) is
samba.tests.krb5.as_canonicalization_tests
The behaviour was changed in:
commit de1f37a6aa
Author: Luke Howard <lukeh@padl.com>
Date: Mon Jan 7 15:45:36 2019 +1100
kdc: omit default salt from PA-ETYPE-INFO[2]
If the salt for the AS-REP client key matches the default password salt for the
client principal in the AS-REQ, then it can be omitted from the PA-ETYPE-INFO,
PA-ETYPE-INFO2 (RFC4120) as the client will assume the default salt in its
absence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
d5b6869dc7