[Samba] Keytab AES export samba4.0
Christoph Langbein
ch.langbein at bytesitter.de
Sun Oct 27 02:06:54 MDT 2013
On Sunday, 27.10.2013, at 19:40 +1300, Andrew Bartlett wrote:
> On Sat, 2013-10-26 at 22:22 +0200, Christoph Langbein wrote:
> > Hello,
> > how do I export a keytab with AES ?
> > If I use:
> > samba-tool domain exportkeytab /tmp/dns1.keytab --principal=DNS/dc1.test.local
> >
> > I only get
> >
> > Keytab name: FILE:/tmp/dns1.keytab
> > KVNO Timestamp Principal
> > ---- ------------------- ------------------------------------------------------
> > 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (des-cbc-crc)
> > 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (des-cbc-md5)
> > 1 26.10.2013 22:02:49 DNS/dc1.test.local at EXGUIDE.LOCAL (arcfour-hmac)
> >
> >
> > If I use the samba generated dns.keytab I have all supported types.
> > How to export the keytab the same way when samba is provisioned ?
>
> That command should do it, it exports the same encryption types that the
> KDC exposes (it loads the KDC database library). My guess is that your
> domain wasn't provisioned with the right functional level, or we didn't
> set the right flags on that account.
>
> Andrew Bartlett
I've raised Domain Level to 2008_R2
Domain and forest function level for domain 'DC=test,DC=local'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
The keytab export is the same as before. I've another user I use as a
principal, I set msDS-SupportedEncryptionTypes to 28. But AES is not
exported.
msDS-SupportedEncryptionTypes attribute is not used for dns account.
Background: I want to use squid_kerb_auth, Samba is version 4.0.10 on
Debian wheezy.
Maybe any other ideas ?
Christoph
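
Added example (not part of the original message and not Samba code): a check that decodes an msDS-SupportedEncryptionTypes value and reports which of its enctypes are absent from a keytab listing. The sample listing is constructed from the output quoted in the thread; the function names are hypothetical, and pairing the value 28 with the DNS principal is an assumption made only for illustration.

```python
import re

# Bit values of msDS-SupportedEncryptionTypes, mapped to the enctype
# names that appear in the keytab listing.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Sample listing, constructed from the output quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/tmp/dns1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 26.10.2013 22:02:49 DNS/dc1.test.local@EXGUIDE.LOCAL (des-cbc-crc)
   1 26.10.2013 22:02:49 DNS/dc1.test.local@EXGUIDE.LOCAL (des-cbc-md5)
   1 26.10.2013 22:02:49 DNS/dc1.test.local@EXGUIDE.LOCAL (arcfour-hmac)
"""

# KVNO, anything (timestamp), principal@REALM, then "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+.*?(\S+@\S+)\s+\(([^)]+)\)\s*$")

def decode_supported_enctypes(value):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def keytab_enctypes(klist_text, principal):
    """Collect the enctypes listed for one principal (realm ignored)."""
    found = set()
    for line in klist_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(2).split("@")[0] == principal:
            found.add(m.group(3))
    return found

def missing_enctypes(klist_text, principal, attr_value):
    """Enctypes the attribute value enables but the keytab does not contain."""
    wanted = decode_supported_enctypes(attr_value)
    return sorted(wanted - keytab_enctypes(klist_text, principal))

if __name__ == "__main__":
    # 28 = 0x1C = RC4 + AES128 + AES256 (assumed pairing, see lead-in).
    print(missing_enctypes(SAMPLE_KLIST, "DNS/dc1.test.local", 28))
```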