[Samba] net ads keytab syntax - encryption types

Robert Freeman-Day presgas at gmail.com
Wed Feb 9 08:49:39 MST 2011



Hello,

I am working with integrating various Linux distros as domain members
with an Active Directory Domain running on Windows Server 2008 R2 native.

The Domain admins have allowed des keys for backwards (nfs)
compatibility, but prefer the default enctypes supported in 2008 r2:
http://support.microsoft.com/kb/977321
    * AES256-CTS-HMAC-SHA1-96
    * AES128-CTS-HMAC-SHA1-96
    * RC4-HMAC

I would like to allow the Domain Members to work with their own keytabs
via the "net ads keytab" command set but have found that the default
(i.e. "net ads keytab create -P" or "net ads keytab add HTTP -P") only
creates the two des and ArcFour with HMAC/md5 enctypes, no AES enctypes
are listed.  The Domain admins can use tools on their side to create
SPNs and keytabs that have AES and we would prefer them over DES/ArcFour
except in special circumstances:

# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 host/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 IU-ITPS-RHEL6AD$@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU (ArcFour with HMAC/md5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with CRC-32)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (DES cbc mode with RSA-MD5)
   5 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU (ArcFour with HMAC/md5)
# net ads keytab list -P
Vno  Type        Principal
  5  DES cbc mode with CRC-32		 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5		 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5		 host/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32		 host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5		 host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5		 host/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with CRC-32		 IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5		 IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  ArcFour with HMAC/md5		 IU-ITPS-RHEL6AD$@ADS.IU.EDU
  5  DES cbc mode with CRC-32		 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5		 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  ArcFour with HMAC/md5		 ssh/iu-itps-rhel6ad.ads.iu.edu@ADS.IU.EDU
  5  DES cbc mode with CRC-32		 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  DES cbc mode with RSA-MD5		 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU
  5  ArcFour with HMAC/md5		 ssh/IU-ITPS-RHEL6AD@ADS.IU.EDU

Is there a way to have the "net" command specify enctypes when working
with keytabs?

Thanks,
Robert
-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
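As an added example (not part of Robert's post and not Samba code), the script below audits the kind of listing shown above: it parses both the `klist -ke` and the `net ads keytab list` output formats, groups keys by principal, and reports principals that have no AES key at all or still carry single-DES keys. The sample listings embedded in it are constructed (principals under `example.com`/`EXAMPLE.COM`, one extra AES entry added for contrast) and the enctype display names follow MIT Kerberos.

```python
"""Audit a Kerberos keytab listing for principals that carry only DES/RC4 keys.

Added example, not from the mailing-list post or from Samba.  Parses the text
printed by `klist -ke` (MIT Kerberos) and by `net ads keytab list`, groups keys
by principal, and flags principals with no AES key or with single-DES keys.
Use as `klist -ke | python3 keytab_audit.py` or import the functions.
"""
import re
import sys
from collections import defaultdict

# klist -ke line:            "   5 host/fqdn@REALM (DES cbc mode with CRC-32)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# net ads keytab list line:  "  5  DES cbc mode with CRC-32<TAB><TAB> host/fqdn@REALM"
NET_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*\t+\s*(\S+)\s*$")

# Constructed sample in klist -ke format (not a real capture).
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/member.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   5 host/member.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   5 host/member.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 MEMBER$@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 MEMBER$@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

# Constructed sample in net ads keytab list format (tab-separated columns).
SAMPLE_NET = (
    "Vno  Type        Principal\n"
    "  5  DES cbc mode with CRC-32\t\t ssh/member.example.com@EXAMPLE.COM\n"
    "  5  ArcFour with HMAC/md5\t\t ssh/member.example.com@EXAMPLE.COM\n"
)


def parse_listing(text):
    """Return [(kvno, principal, enctype)] from either listing format."""
    entries = []
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = NET_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(2)))
    return entries


def classify(enctype):
    """Map an enctype display name onto a coarse strength class."""
    name = enctype.lower()
    if "aes" in name:
        return "aes"
    if "arcfour" in name or "rc4" in name:
        return "rc4"
    if name.startswith("des"):      # single DES; "Triple DES" falls through to other
        return "des"
    return "other"


def audit(entries):
    """Group keys by principal; report kvnos, key classes and the two flags."""
    grouped = defaultdict(lambda: {"kvnos": set(), "classes": set()})
    for kvno, principal, enctype in entries:
        grouped[principal]["kvnos"].add(kvno)
        grouped[principal]["classes"].add(classify(enctype))
    return {
        principal: {
            "kvnos": sorted(rec["kvnos"]),
            "classes": sorted(rec["classes"]),
            "has_aes": "aes" in rec["classes"],
            "has_des": "des" in rec["classes"],
        }
        for principal, rec in grouped.items()
    }


def findings(text):
    """One line per principal that needs attention, sorted by principal name."""
    out = []
    for principal, rec in sorted(audit(parse_listing(text)).items()):
        problems = []
        if not rec["has_aes"]:
            problems.append("no AES key")
        if rec["has_des"]:
            problems.append("single-DES key present")
        if problems:
            out.append(f"{principal}: {', '.join(problems)} (kvno {rec['kvnos']})")
    return out


if __name__ == "__main__":
    # Read a listing from stdin; exit non-zero if anything was flagged.
    lines = findings(sys.stdin.read())
    print("\n".join(lines) if lines else "all principals have an AES key and no DES key")
    sys.exit(1 if lines else 0)
```

Because the keytab is rewritten whenever `net ads keytab create` runs, a check like this is most useful as a post-join step (or a periodic cron job) so that a keytab silently dropping back to DES/RC4-only keys is noticed rather than discovered when a service stops authenticating.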