'Missing' AES encryption type in keytab entry due to msDS-SupportedEncryptionTypes
Andrew Bartlett
abartlet at samba.org
Tue Jan 29 01:05:21 MST 2013
On Tue, 2013-01-29 at 15:02 +1100, Dewayne wrote:
> I seem to be missing encryption types aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96
> during manual keytab generation?
>
> The correct keytab that I have for dns.keytab, verified with
> ktutil -k /usr/local/samba/private/dns.keytab list
> /usr/local/samba/private/dns.keytab:
>
> Vno Type Principal Aliases
> 1 des-cbc-crc DNS/t4.as.lan at AS.LAN
> 1 des-cbc-crc dns-t4 at AS.LAN
> 1 des-cbc-md5 DNS/t4.as.lan at AS.LAN
> 1 des-cbc-md5 dns-t4 at AS.LAN
> 1 arcfour-hmac-md5 DNS/t4.as.lan at AS.LAN
> 1 arcfour-hmac-md5 dns-t4 at AS.LAN
> 1 aes128-cts-hmac-sha1-96 DNS/t4.as.lan at AS.LAN
> 1 aes128-cts-hmac-sha1-96 dns-t4 at AS.LAN
> 1 aes256-cts-hmac-sha1-96 DNS/t4.as.lan at AS.LAN
> 1 aes256-cts-hmac-sha1-96 dns-t4 at AS.LAN
>
> However when I generate another keytab using:
>
> /usr/local/samba/bin/samba-tool user create dns-t2 --random-password
> /usr/local/samba/bin/samba-tool spn add DNS/t2.as.lan dns-t2
> /usr/local/samba/bin/samba-tool domain exportkeytab --principal=dns-t2 at as.lan dns-t2.keytab
> /usr/local/samba/bin/samba-tool domain exportkeytab --principal=DNS/t2.as.lan dns-t2.keytab
> ktutil -k dns-t2.keytab list
> dns-t2.keytab:
>
> Vno Type Principal Aliases
> 1 des-cbc-crc dns-t2 at as.lan
> 1 des-cbc-md5 dns-t2 at as.lan
> 1 aes128-cts-hmac-sha1-96 dns-t2 at as.lan
> 1 aes256-cts-hmac-sha1-96 dns-t2 at as.lan
> 1 arcfour-hmac-md5 dns-t2 at as.lan
> 1 des-cbc-crc DNS/t2.as.lan at AS.LAN
> 1 des-cbc-md5 DNS/t2.as.lan at AS.LAN
> 1 arcfour-hmac-md5 DNS/t2.as.lan at AS.LAN
>
> Have I made an error, or am I incorrectly performing a step? I expected all principals to include enc-types of aes128 & aes256. I
> suspect the SPN option in samba-tool to be missing some pieces?
The reason these are 'missing' is that the principal has not had the
msDS-SupportedEncryptionTypes attribute set to indicate that this host
supports AES.
typedef [public,bitmap32bit] bitmap {
ENC_CRC32 = 0x00000001,
ENC_RSA_MD5 = 0x00000002,
ENC_RC4_HMAC_MD5 = 0x00000004,
ENC_HMAC_SHA1_96_AES128 = 0x00000008,
ENC_HMAC_SHA1_96_AES256 = 0x00000010
} netr_SupportedEncTypes;
You would want to set it to 0x1c, e.g. 28.
The interface that 'samba-tool domain exportkeytab' uses is the one the
KDC uses to encrypt tickets for a TGS-REQ. The difference between the
two forms is because for AS-REQ, no incompatibility can occur from
supporting too many encryption types, so we accept the stronger types.
Of course, only set this if the thing that accepts the ticket really can
do AES, and all the other modern krb5/GSSAPI features that are turned on
by supporting AES!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
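As an added illustration (not code from the thread or from Samba), the following Python decodes and encodes the msDS-SupportedEncryptionTypes bitmap quoted above, checks a ktutil listing for the enctypes a given value implies, and emits the LDIF that would set the attribute; the account DN and the '@'-form of the sample listing are assumptions.

```python
"""Work with the msDS-SupportedEncryptionTypes bitmap discussed in the thread."""

# Bit values from the netr_SupportedEncTypes bitmap, paired with the
# enctype names that ktutil prints for each of them.
ENC_TYPES = {
    0x01: "des-cbc-crc",              # ENC_CRC32
    0x02: "des-cbc-md5",              # ENC_RSA_MD5
    0x04: "arcfour-hmac-md5",         # ENC_RC4_HMAC_MD5
    0x08: "aes128-cts-hmac-sha1-96",  # ENC_HMAC_SHA1_96_AES128
    0x10: "aes256-cts-hmac-sha1-96",  # ENC_HMAC_SHA1_96_AES256
}

def decode(value):
    """Enctype names enabled by a bitmap value (unknown bits are ignored)."""
    return [name for bit, name in ENC_TYPES.items() if value & bit]

def encode(names):
    """Bitmap value for a set of enctype names; RC4 + AES128 + AES256 gives 0x1c."""
    by_name = {n: b for b, n in ENC_TYPES.items()}
    value = 0
    for n in names:
        value |= by_name[n]
    return value

def keytab_enctypes(listing, principal):
    """Enctypes present for `principal` in `ktutil -k <keytab> list` output."""
    return {p[1] for p in (l.split() for l in listing.splitlines())
            if len(p) >= 3 and p[2] == principal}

def missing_for(listing, principal, wanted):
    """Enctypes implied by the bitmap `wanted` that the keytab lacks."""
    have = keytab_enctypes(listing, principal)
    return [n for n in decode(wanted) if n not in have]

def ldif_set_enctypes(dn, value):
    """LDIF modification setting the attribute; `dn` is the caller's account DN."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: msDS-SupportedEncryptionTypes\n"
            f"msDS-SupportedEncryptionTypes: {value}\n")

# Constructed sample: the DNS/t2.as.lan entries from the post, re-typed with '@'.
SAMPLE_LISTING = """Vno Type Principal Aliases
1 des-cbc-crc DNS/t2.as.lan@AS.LAN
1 des-cbc-md5 DNS/t2.as.lan@AS.LAN
1 arcfour-hmac-md5 DNS/t2.as.lan@AS.LAN
"""

if __name__ == "__main__":
    want = encode(["arcfour-hmac-md5", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"])
    print(hex(want), missing_for(SAMPLE_LISTING, "DNS/t2.as.lan@AS.LAN", want))
    print(ldif_set_enctypes("CN=dns-t2,CN=Users,DC=as,DC=lan", want))  # hypothetical DN
```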