samba domain member "net ads keytab" syntax - encryption types

Andrew Bartlett abartlet at
Mon Feb 21 23:54:17 MST 2011

On Fri, 2011-02-18 at 12:34 -0500, Robert Freeman-Day wrote:
> Hash: SHA1
> Hello,
> I am working with integrating various Linux distros as domain members
> with an Active Directory Domain running on Windows Server 2008 R2 native.
> The Domain admins have allowed des keys for backwards (nfs)
> compatibility, but prefers the default enctypes supported in 2008 r2:
>     * AES256-CTS-HMAC-SHA1-96
>     * AES128-CTS-HMAC-SHA1-96
>     * RC4-HMAC
> I would like to allow the Domain Members to work with their own keytabs
> via the "net ads keytab" command set but have found that the default
> (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
> creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
> are listed.  The Domain admins can use tools on their side to create
> SPNs and keytabs that have AES and we would prefer them over DES/ArcFour
> except in special circumstances.:

The Samba3 Kerberos code does not understand AES, and so we restrict the

The Samba Team is actively trying to unify the authentication subsystems
which handle this area between Samba3 and Samba4, and we hope to support
this across the whole codebase in the future. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list