[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?
Pekka L.J. Jalkanen
pekka.jalkanen at vihreat.fi
Fri Apr 26 04:05:05 MDT 2013
On 26.4.2013 6:13, Andrew Bartlett wrote:
> On Wed, 2013-04-24 at 17:39 +0300, Pekka L.J. Jalkanen wrote:
>> By the way, is a kerberos keytab actually necessary to decrypt the
>> GSS-API packets in Wireshark? Samba Wiki
>> (https://wiki.samba.org/index.php/Capture_Packets) doesn't say so (just
>> tells to capture the kerberos exchange), but I became somewhat
>> suspicious, while reading the following page:
>> http://wiki.wireshark.org/Kerberos
>>
>> Just trying to figure out how to inspect my own capture here...
>
> Yes, the whole point of GSSAPI security with Kerberos is that without
> super-secret-knowledge (the keytab in this case) you can't decrypt a
> network sniff.
OK... but in that case I'm having another rather surprising problem:
root@samba4dc:~# samba-tool domain exportkeytab ./dcdump.keytab
[0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00 ....b... .... . .
[0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
[0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
[0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
[0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
[0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
[0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 00 . . . . . .P..
ERROR(runtime): uncaught exception - Invalid argument
  File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/domain.py", line 103, in run
    net.export_keytab(keytab=keytab, principal=principal)
So it seems that for some reason, exporting the keytab from Samba DC
doesn't work. I tried to kinit first using the domain admin account, but
to no avail--exportkeytab still throws the same error.
Now, for the purposes of bug 9828 I could probably export it from our
Windows DC using ktpass.exe, but I'd naturally like to know what's wrong
here.
What should I do? Am I missing something here?
Pekka L.J. Jalkanen