[Samba] missing enctypes in exported keytab
Rowland Penny
rpenny at samba.org
Mon Apr 29 17:56:40 UTC 2019
On Mon, 29 Apr 2019 19:31:55 +0200
Christian via samba <samba at lists.samba.org> wrote:
> >> root at dc1:~# samba-tool domain level show
> >> Domain and forest function level for domain 'DC=.....'
> >>
> >> Forest function level: (Windows) 2003
> >> Domain function level: (Windows) 2003
> >> Lowest function level of a DC: (Windows) 2008 R2
> >>
> > That explains it ;-)
> >
> > Try raising the functional level to 2008R2
> >
> > samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2
> >
> > Rowland
> >
> Still the same:
>
> root at dc1:~# rm -f dns.keytab
> root at dc1:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=.......'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
> root at dc1:~# samba-tool domain exportkeytab dns.keytab --principal=dns-dc1
> Export one principal to dns.keytab
> root at dc1:~# klist -ke dns.keytab
> Keytab name: FILE:dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 dns-dc1 at XXX (arcfour-hmac)
> 1 dns-dc1 at XXX (des-cbc-md5)
> 1 dns-dc1 at XXX (des-cbc-crc)
>
>
> I should mention that the AD is the result of a classicupgrade...
> Thanks,
That shouldn't make any difference; the 2003 level only used the three
enctypes you have now. This is on one of my DCs:
root at dc4:~# samba-tool domain level show
Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root at dc4:~# klist -ke /root/dns.keytab
Keytab name: FILE:/root/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 dns-dc4 at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 dns-dc4 at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 dns-dc4 at SAMDOM.EXAMPLE.COM (arcfour-hmac)
1 dns-dc4 at SAMDOM.EXAMPLE.COM (des-cbc-md5)
1 dns-dc4 at SAMDOM.EXAMPLE.COM (des-cbc-crc)
Have you restarted the Samba DC?
Rowland
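
An added example, not part of the original message: a small check that parses `klist -ke` listings like the two in this thread and reports principals whose newest key version has no AES enctype. It assumes the MIT-style `KVNO Principal (enctype)` layout shown above; the function names are hypothetical and the sample input is copied from the thread.

```python
import re
from collections import defaultdict

# Entry line of MIT-style `klist -ke` output: "<kvno> <principal> (<enctype>)".
# Leading "> " quote markers from mail replies are tolerated.
ENTRY = re.compile(r"^\s*(?:>\s*)*(\d+)\s+(.+?)\s+\(([^)]+)\)\s*$")

def parse_klist(text):
    """Return {(principal, kvno): {enctype, ...}} from `klist -ke` output."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator, shell prompt or blank line
        kvno, principal, enctype = m.groups()
        principal = principal.replace(" at ", "@")  # undo list-archive obfuscation
        # Some klist builds print e.g. "DEPRECATED:arcfour-hmac".
        keys[(principal, int(kvno))].add(enctype.removeprefix("DEPRECATED:"))
    return dict(keys)

def missing_aes(keys):
    """Principals whose highest kvno carries no aes* key."""
    newest = {}
    for (principal, kvno), enctypes in keys.items():
        if principal not in newest or kvno > newest[principal][0]:
            newest[principal] = (kvno, enctypes)
    return sorted(p for p, (_, e) in newest.items()
                  if not any(x.startswith("aes") for x in e))

# Sample input: the two listings from this thread.
DC1 = """\
> 1 dns-dc1 at XXX (arcfour-hmac)
> 1 dns-dc1 at XXX (des-cbc-md5)
> 1 dns-dc1 at XXX (des-cbc-crc)
"""
DC4 = """\
Keytab name: FILE:/root/dns.keytab
KVNO Principal
   1 dns-dc4 at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 dns-dc4 at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 dns-dc4 at SAMDOM.EXAMPLE.COM (arcfour-hmac)
   1 dns-dc4 at SAMDOM.EXAMPLE.COM (des-cbc-md5)
   1 dns-dc4 at SAMDOM.EXAMPLE.COM (des-cbc-crc)
"""

if __name__ == "__main__":
    for name, listing in (("dc1", DC1), ("dc4", DC4)):
        print(name, "principals without AES keys:", missing_aes(parse_klist(listing)))
```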