Missing encryption type in keytab entry.

Daniele Dario d.dario76 at gmail.com
Tue Jan 29 00:52:03 MST 2013


Hi Dewayne, list,

On Tue, 2013-01-29 at 15:02 +1100, Dewayne wrote:
> I seem to be missing encryption types aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 
> during manual keytab generation?
> 
> The correct keytab that I have for dns.keytab, verified with 
> ktutil -k /usr/local/samba/private/dns.keytab list
> /usr/local/samba/private/dns.keytab:
> 
> Vno  Type                     Principal             Aliases
>   1  des-cbc-crc              DNS/t4.as.lan@AS.LAN
>   1  des-cbc-crc              dns-t4@AS.LAN
>   1  des-cbc-md5              DNS/t4.as.lan@AS.LAN
>   1  des-cbc-md5              dns-t4@AS.LAN
>   1  arcfour-hmac-md5         DNS/t4.as.lan@AS.LAN
>   1  arcfour-hmac-md5         dns-t4@AS.LAN
>   1  aes128-cts-hmac-sha1-96  DNS/t4.as.lan@AS.LAN
>   1  aes128-cts-hmac-sha1-96  dns-t4@AS.LAN
>   1  aes256-cts-hmac-sha1-96  DNS/t4.as.lan@AS.LAN
>   1  aes256-cts-hmac-sha1-96  dns-t4@AS.LAN
> 
> However when I generate another keytab using:
> 
> /usr/local/samba/bin/samba-tool user create dns-t2 --random-password
> /usr/local/samba/bin/samba-tool spn add DNS/t2.as.lan dns-t2
> /usr/local/samba/bin/samba-tool domain exportkeytab --principal=dns-t2@as.lan dns-t2.keytab
> /usr/local/samba/bin/samba-tool domain exportkeytab --principal=DNS/t2.as.lan dns-t2.keytab
> ktutil -k dns-t2.keytab list
> dns-t2.keytab:
> 
> Vno  Type                     Principal             Aliases
>   1  des-cbc-crc              dns-t2@as.lan
>   1  des-cbc-md5              dns-t2@as.lan
>   1  aes128-cts-hmac-sha1-96  dns-t2@as.lan
>   1  aes256-cts-hmac-sha1-96  dns-t2@as.lan
>   1  arcfour-hmac-md5         dns-t2@as.lan
>   1  des-cbc-crc              DNS/t2.as.lan@AS.LAN
>   1  des-cbc-md5              DNS/t2.as.lan@AS.LAN
>   1  arcfour-hmac-md5         DNS/t2.as.lan@AS.LAN
> 
> Have I made an error, or am I incorrectly performing a step? I expected all principals to include enc-types of aes128 & aes256? I
> suspect the SPN option in samba-tool to be missing some pieces?
> 
> The installation was provisioned as follows:
> REALM=AS.LAN; DOM=AS; ADMIN_PWD="AnAdmin27"; LDAP_PWD="ASimplePwd27"
> 
> /usr/local/samba/bin/samba-tool domain provision --realm=${REALM} --domain=${DOM} \
>   --adminpass="${ADMIN_PWD}" --server-role=dc --host-ip=${S4SVR_IP} --debuglevel=2 \
>   --ldapadminpass=${LDAP_PWD} --host-name=${HOSTNAME} --use-rfc2307 \
>   --function-level=2008_R2 --use-xattrs=yes --dns-backend=BIND9_FLATFILE
> 
> I performed the same steps for other users/spn's with similar results, missing aes* 
> 
> Regards, Dewayne.
> Sydney, Australia (GMT +11 hours)
> 

In order to get the isc-dhcpd able to update DNS entries of the Samba
internal DNS, I created a user like you did and exported the keytab so a
script can kinit with that user and then run nsupdate -g, but I get
several failures: "kinit failed".

Could these errors be related to the same issue?
Listing the keytab content I see aes128 & aes256 enc-types missing too.

Regards,
Daniele.
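
An added check for the situation in this thread (not part of the original mails or of samba-tool): the script below parses the text of a Heimdal "ktutil -k <keytab> list" listing and reports principals whose keys lack the AES enctypes, which is what the dns-t2 listing above shows for the DNS/t2.as.lan entry. It embeds that listing as its sample input; the required and weak enctype sets are assumptions, and the weak-only report is an extra check beyond what the thread discusses.

```python
import re
from collections import defaultdict

# Assumption: every principal in the keytab should carry both AES enctypes.
REQUIRED_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# Assumption: enctypes a client may fall back to when AES keys are absent.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}

# Sample input: the dns-t2.keytab listing quoted in the thread.
SAMPLE_LISTING = """\
dns-t2.keytab:

Vno  Type                     Principal             Aliases
  1  des-cbc-crc              dns-t2@as.lan
  1  des-cbc-md5              dns-t2@as.lan
  1  aes128-cts-hmac-sha1-96  dns-t2@as.lan
  1  aes256-cts-hmac-sha1-96  dns-t2@as.lan
  1  arcfour-hmac-md5         dns-t2@as.lan
  1  des-cbc-crc              DNS/t2.as.lan@AS.LAN
  1  des-cbc-md5              DNS/t2.as.lan@AS.LAN
  1  arcfour-hmac-md5         DNS/t2.as.lan@AS.LAN
"""

# One keytab entry: key version number, enctype, principal (aliases ignored).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


def parse_ktutil_listing(text):
    """Return {principal: set(enctypes)}; header and filename lines are skipped
    because their first field is not a numeric Vno."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _vno, enctype, principal = m.groups()
            keys[principal].add(enctype)
    return dict(keys)


def missing_aes(keys):
    """Principals lacking a required AES enctype -> the enctypes they lack."""
    return {p: REQUIRED_ENCTYPES - e for p, e in keys.items()
            if REQUIRED_ENCTYPES - e}


def weak_only(keys):
    """Principals whose keys are all weak enctypes (sorted for stable output)."""
    return sorted(p for p, e in keys.items() if e and e <= WEAK_ENCTYPES)


if __name__ == "__main__":
    parsed = parse_ktutil_listing(SAMPLE_LISTING)
    for principal, lacking in sorted(missing_aes(parsed).items()):
        print(f"{principal}: missing {', '.join(sorted(lacking))}")
```

Feed it the real output of ktutil on an exported keytab to confirm whether the SPN entries got AES keys.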



More information about the samba-technical mailing list