[Samba] samba-tool domain exportkeytab failure

Andrew Bartlett abartlet at samba.org
Mon May 6 17:32:14 MDT 2013


On Mon, 2013-05-06 at 13:41 +0300, Pekka L.J. Jalkanen wrote:
> On 4.5.2013 0:22, Andrew Bartlett wrote:
> > On Fri, 2013-05-03 at 19:21 +0300, Pekka L.J. Jalkanen wrote:
> >> On 26.4.2013 13:05, Pekka L.J. Jalkanen wrote:
> >>>
> >>> So it seems that for some reason, exporting the keytab from Samba DC
> >>> doesn't work. I tried to kinit first using the domain admin account, but
> >>> to no avail--exportkeytab still throws the same error.
> >>>
> >>> Now, for the purposes of bug 9828 I could probably export it from our
> >>> Windows DC using ktpass.exe, but I'd naturally like to know what's wrong
> >>> here.
> >>>
> >>> What should I do? Am I missing something here?
> >>
> >> I forgot this for some time... as the samba-tool exportkeytab didn't
> >> work, the easiest way to get a proper keytab for decrypting the capture
> >> was apparently just copy secrets.keytab from the Samba DC and feed that
> >> file to Wireshark. At least I've now managed to decrypt the stuff myself.
> > 
> > It would be useful to know why samba-tool exportkeytab didn't work, it
> > is tested in our make test.  Perhaps run it with -d10 and see if it
> > gives more clues?
> 
> Not much--only the two lines above the hexdump:

Those are the important details I needed. 

> -----
> 
> gendb_search_v: DC=mydomain,DC=site NULL -> 1
> ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:103)
> [0000] 00 00 00 00 62 00 00 00   00 00 00 00 20 00 20 00   ....b... .... . .
> [0010] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
> [0020] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
> [0030] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
> [0040] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
> [0050] 20 00 20 00 20 00 20 00   20 00 20 00 20 00 20 00    . . . .  . . . .
> [0060] 20 00 20 00 20 00 20 00   20 00 20 00 50 00 00      . . . .  . .P..
> ERROR(runtime): uncaught exception - Invalid argument
>   File
> "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba4/lib/python2.6/site-packages/samba/netcmd/domain.py",
> line 103, in run
>     net.export_keytab(keytab=keytab, principal=principal)

The issue here is that when we migrated the key from your existing
database, we were unable to read this attribute correctly.  I'm
surprised this works at all actually.

What does 'samba-tool dbcheck' show?

> > While I
> > do take GPG encrypted stuff, I prefer not to unless I'm actually fixing
> > database errors in databases or other things that would never be
> > reproduced again.
> 
> I understand your point. Sorry that can't help quickly, but if you don't
> see a delay of one to two months to be a problem, I can try this then.
> If you do, then the encryption is the only way. I'm not in terrible
> hurry, even if it would be nice to get this fixed.

The failure to parse the keys in the supplementalCredentials attribute
counts as a database error.  Once we solve that, let's see what other
problems we have.  

If you can send me all the files (including the smb.conf) for your
domain GPG encrypted I'll take a look.  My current GPG fingerprint is
below:

pub   4096R/C8021865 2012-07-04 [expires: 2018-07-03]
      Key fingerprint = 8160 9BF8 5375 BA5E 510C  CEA1 FE00 1D44 C802
1865
uid                  Andrew Bartlett <abartlet at ozlabs.org>
uid                  Andrew Bartlett <abartlet at samba.org>
uid                  Andrew Bartlett <abartlet at abartlet.net>
sub   4096R/D899268D 2012-07-04 [expires: 2018-07-03]

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba/attachments/20130507/6e949e8c/attachment.pgp>


More information about the samba mailing list