samba domain member "net ads keytab" syntax - encryption types

Robert Freeman-Day presgas at gmail.com
Fri Feb 18 10:34:59 MST 2011



Hello,

I am working with integrating various Linux distros as domain members
with an Active Directory Domain running on Windows Server 2008 R2 native.

The Domain admins have allowed DES keys for backwards (NFS)
compatibility, but prefer the default enctypes supported in 2008 R2:
http://support.microsoft.com/kb/977321
    * AES256-CTS-HMAC-SHA1-96
    * AES128-CTS-HMAC-SHA1-96
    * RC4-HMAC

I would like to allow the Domain Members to work with their own keytabs
via the "net ads keytab" command set, but have found that the default
(i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
creates the two DES and the ArcFour with HMAC/MD5 enctypes; no AES enctypes
are listed.  The Domain admins can use tools on their side to create
SPNs and keytabs that have AES, and we would prefer those over DES/ArcFour
except in special circumstances:

# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)
# net ads keytab list -P
Vno  Type                       Principal
  5  DES cbc mode with CRC-32   host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5  host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5      host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32   host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5  host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5      host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with CRC-32   IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5  IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  ArcFour with HMAC/md5      IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with CRC-32   ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5  ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5      ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32   ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5  ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5      ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU

Is there a way to have the "net" command specify enctypes when working
with keytabs?  Can the enctypes be narrowed down via /etc/krb5.conf?  I
fear that the enctypes are hard-coded (see lines 264-269 here:
http://gitweb.samba.org/?p=samba.git;a=blob;f=source3/libads/kerberos_keytab.c;h=721a8c6f53086faf0b058eca690d76c79c2e4e64;hb=HEAD#l264);
is that the case?

Any clarification is much appreciated!

Thanks,
Robert
-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
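As an added check, not part of the original post or of Samba: a small Python script that parses the text "klist -ke" prints, groups the key entries by principal, and flags principals that still carry DES keys or have no AES key at all. The listing embedded in it is constructed to mirror the post's output (the host/ SPN and the machine account, all DES/ArcFour); the HTTP/web.example.test principal and its AES key are invented to show the passing case.

```python
"""Flag weak key types in a Kerberos keytab listing.

Added example; not code from the original post or from Samba.  It parses
the output of 'klist -ke', groups key entries by principal, and reports
principals that carry DES keys and principals that have no AES key.
SAMPLE is constructed to mirror the post's listing; the HTTP/ principal
with an AES key is invented to show the contrasting case.
"""
import re
import subprocess
from collections import defaultdict

# One key entry as klist -ke prints it: "<kvno> <principal> (<enctype text>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Constructed listing: post's principals (DES/RC4 only) plus one invented AES SPN.
SAMPLE = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
   7 HTTP/web.example.test@ADS.IU.EDU (aes256-cts-hmac-sha1-96)
   7 HTTP/web.example.test@ADS.IU.EDU (ArcFour with HMAC/md5)
"""


def classify(enctype):
    """Map klist's enctype description to a family: 'aes', 'rc4', 'des' or 'other'.

    Older MIT builds print prose ("DES cbc mode with CRC-32", "ArcFour with
    HMAC/md5"); newer ones print the krb5.conf names ("aes256-cts-hmac-sha1-96",
    "DEPRECATED:des-cbc-crc"), so match on substrings, case-insensitively.
    """
    e = enctype.lower()
    if "aes" in e:
        return "aes"
    if "arcfour" in e or "rc4" in e:
        return "rc4"
    if "des" in e:          # single DES and des3 alike
        return "des"
    return "other"


def parse_klist(text):
    """Return {principal: [(kvno, family, enctype_text), ...]} from klist -ke output."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, princ, enc = m.groups()
            keys[princ].append((int(kvno), classify(enc), enc))
    return dict(keys)


def audit(keys):
    """Split principals into those carrying DES keys and those lacking any AES key."""
    families = {p: {fam for _, fam, _ in entries} for p, entries in keys.items()}
    return {
        "des": sorted(p for p, f in families.items() if "des" in f),
        "no_aes": sorted(p for p, f in families.items() if "aes" not in f),
    }


def report(keys):
    """Human-readable findings, one line per problem principal."""
    found = audit(keys)
    lines = [f"DES key present:  {p}" for p in found["des"]]
    lines += [f"no AES key:       {p}" for p in found["no_aes"]]
    return lines or ["all principals have AES keys and no DES keys"]


if __name__ == "__main__":
    try:
        # Read the live keytab (needs read access to /etc/krb5.keytab or KRB5_KTNAME).
        text = subprocess.run(["klist", "-ke"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # offline, or no klist on PATH: use the constructed listing
    print("\n".join(report(parse_klist(text))))
```

Run it on a domain member after "net ads keytab create"; without klist on PATH it reports against the embedded sample. It only reads what klist prints, so it shows which key types the local keytab holds, not which enctypes the KDC will actually use for that account; that is governed on the AD side.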