samba domain member "net ads keytab" syntax - encryption types

Robert Freeman-Day presgas at
Tue Feb 22 08:06:04 MST 2011


On 02/22/2011 01:54 AM, Andrew Bartlett wrote:
> On Fri, 2011-02-18 at 12:34 -0500, Robert Freeman-Day wrote:
>> Hello,
>> I am working on integrating various Linux distros as domain members
>> with an Active Directory domain running on Windows Server 2008 R2 native.
>> The Domain admins have allowed DES keys for backwards (NFS)
>> compatibility, but prefer the default enctypes supported in 2008 R2:
>>     * AES256-CTS-HMAC-SHA1-96
>>     * AES128-CTS-HMAC-SHA1-96
>>     * RC4-HMAC
>> I would like to allow the domain members to work with their own keytabs
>> via the "net ads keytab" command set, but have found that the default
>> (i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
>> creates the two DES and ArcFour-with-HMAC/MD5 enctypes; no AES enctypes
>> are listed.  The Domain admins can use tools on their side to create
>> SPNs and keytabs that have AES, and we would prefer those over DES/ArcFour
>> except in special circumstances.
> The Samba3 Kerberos code does not understand AES, and so we restrict the
> list.  
> The Samba Team is actively trying to unify the authentication subsystems
> which handle this area between Samba3 and Samba4, and we hope to support
> this across the whole codebase in the future. 
> Andrew Bartlett

Thanks for the reply, Andrew,

So, if they are restricted, is there a way to restrict further?  For
example, only using RC4-HMAC enctypes?  Any "net" syntax tweaks for the
keytab set?

-- 

Robert Freeman-Day
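
As an added example, not from this thread and not Samba's own tooling: the first thing to do on a member before asking for more "net" switches is to look at which enctypes the keytab really holds, and the way to get a keytab limited to one enctype without "net ads keytab" at all is MIT ktutil. The helper below parses "klist -ke" output, gives a per-principal verdict (DES present, AES present, ArcFour only, nothing), and emits the ktutil commands for an ArcFour-only entry. The host name member01.example.com, the realm EXAMPLE.COM, the kvno 3 and the klist listing are constructed for the illustration; the enctype display strings are the ones MIT klist prints.

```shell
#!/bin/sh
# Added example (not part of the thread or of Samba): inspect which enctypes a
# domain member's keytab actually holds, and generate an MIT ktutil script that
# writes a keytab entry restricted to a single enctype.
# Host, realm, kvno and the klist output below are constructed for illustration.

# Constructed "klist -ke /etc/krb5.keytab" output. host/ and HTTP/ look like what
# a Samba3-era "net ads keytab create -P" leaves behind (DES + ArcFour, no AES);
# nfs/ stands for an SPN the domain admins provisioned with AES on their side.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/member01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/member01.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 host/member01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 HTTP/member01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 HTTP/member01.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   3 HTTP/member01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 nfs/member01.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 nfs/member01.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)'

# enctypes_for PRINCIPAL   (klist -ke output on stdin)
# Prints one enctype name per line for that principal: the text inside the
# trailing parentheses of every line whose second field is the principal.
enctypes_for() {
    awk -v p="$1" '$2 == p && /\(.*\)$/ { sub(/^[^(]*\(/, ""); sub(/\)$/, ""); print }'
}

# enctype_report PRINCIPAL   (klist -ke output on stdin)
# One-word verdict, weakest wins: "des" if any DES-family key is present,
# else "aes" if an AES key exists, else "rc4-only", else "none".
enctype_report() {
    enctypes_for "$1" | awk '
        { t = tolower($0) }
        t ~ /aes/          { aes = 1 }
        t ~ /arcfour|rc4/  { rc4 = 1 }
        t ~ /^des/         { des = 1 }
        END {
            if (des) print "des"
            else if (aes) print "aes"
            else if (rc4) print "rc4-only"
            else print "none"
        }'
}

# rc4_only_ktutil_script PRINCIPAL KVNO OUTFILE
# Emits MIT ktutil commands that derive an ArcFour-only key from the account
# password (ktutil prompts for it) and append it to OUTFILE. KVNO must match
# the account's current key version in AD, otherwise the entry is never used.
rc4_only_ktutil_script() {
    printf 'addent -password -p %s -k %s -e arcfour-hmac\nwkt %s\nquit\n' "$1" "$2" "$3"
}

# Demonstration on the constructed listing. Against a real member, replace the
# printf with: klist -ke /etc/krb5.keytab | enctype_report "$p"
for p in host/member01.example.com@EXAMPLE.COM \
         HTTP/member01.example.com@EXAMPLE.COM \
         nfs/member01.example.com@EXAMPLE.COM; do
    printf '%-40s %s\n' "$p" "$(printf '%s\n' "$SAMPLE_KLIST" | enctype_report "$p")"
done
# To actually build the ArcFour-only entry (assumed kvno 3):
#   rc4_only_ktutil_script HTTP/member01.example.com@EXAMPLE.COM 3 /etc/krb5.keytab | ktutil
```

The verdict deliberately ranks a DES key above anything else: a principal that has an AES key but also a DES key is still usable with DES by a client that negotiates it, so "des" is the answer the admins care about. Samba's own "net ads keytab list" shows the same entries if klist is not installed on the member.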

More information about the samba-technical mailing list