[Samba] Exporting keytab for SPN failure
Michael A Weber
mweber.subscriptions01 at gmail.com
Wed Sep 14 16:23:00 UTC 2016
> On Sep 14, 2016, at 10:44 AM, Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
>
>
> Am 14.09.2016 um 05:53 schrieb Michael A Weber via samba:
>> Experts—
>>
>> I’m attempting to export a keytab for a created SPN on the AD DC machine but I’m receiving an error:
>>
>> ERROR(runtime): uncaught exception - Key table entry not found
>> File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 129, in run
>> net.export_keytab(keytab=keytab, principal=principal)
>>
>> Steps taken to recreate:
>>
>> 1. Create a user for the SPN
>>
>> samba-tool user create web-intranet-macmini
>> <provided password when prompted>
>>
>> 2. Add the SPN:
>>
>> samba-tool spn add HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD web-intranet-macmini
>> <succeeded without error>
>>
>> 3. Export the keytab file to be used on the intranet host:
>>
>> samba-tool domain exportkeytab ~/intranet-macmini.keytab --principal=HTTP/hostname.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD
>>
>> <Get the error listed above>
>>
>> Now, I tried adding another SPN without the realm, and exporting without the realm, and I did not receive an error.
>>
>> I then deleted both SPNs via samba-tool spn delete, recreated the SPN using the realm just to make sure I’m not completely crazy and didn’t fat finger anything (and to make sure my contact lenses are making me see what I think I’m seeing) and I still get the error.
>>
>> When I do samba-tool spn list web-intranet-macmini, I see the SPN(s) associated with that user, and they are correct.
>>
>> Is there something glaringly obvious I’m missing?
>>
>> Mike
> Last time I created an SPN it was not necessary to add the realm part when creating the realm. It should be added automatically and you can verify it with
> klist -Kek [your keytabfile]
>
I did previously create an SPN without the realm, but the SPN attribute on the user also did not contain the realm. Then, I deleted the SPN and re-created it with the realm.
Achim, I just tested your recommendation and verified with the klist command above, and they do look correct (sanitized below, of course):
Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
> On Sep 14, 2016, at 1:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Yes, the principal isn't the SPN when you try to export the keytab, it
> is the user.
>
> Rowland
>
Rowland, when I use your method of specifying the principal as the user and not the SPN, I get what I would think for Apache would be a completely incorrect keytab as verified by the klist -Kek command:
Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)
So, which method is the correct way to export a keytab for an SPN for, say, Apache?
Question though, just for my curiosity:
The encryption algorithms specified after each SPN: I see that aes-256 is listed when I export the user, but not the SPN. Are those expected, or have I done something wrong and used incorrect algorithms somewhere? I recall reading that DES is not secure enough and that AES-256 (I think I read this during TLS enablement) is what should be used.
Mike
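As an added example, not part of the thread, a small POSIX shell helper that does by script what the two klist -Kek listings above are checked for by eye: that every key in the keytab belongs to the principal the service (Apache, here) will actually present, and whether legacy DES or RC4 enctypes are present. The two listings are constructed from the sanitized output quoted in this message; no real key material is involved.

```shell
#!/bin/sh
# Constructed `klist -Kek` listings modelled on the two results in the thread
# (sanitized names kept; no real key material is involved).
SPN_LISTING='Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (des-cbc-md5)
   1 HTTP/intranet.domain2.domain1.tld@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)'

USER_LISTING='Keytab name: FILE:/root/intranet-macmini.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (des-cbc-crc)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes128-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (aes256-cts-hmac-sha1-96)
   1 web-intranet-macmini@DOMAIN2.DOMAIN1.TLD (arcfour-hmac)'

# Print the distinct principals in a klist -Kek listing. Key rows start with a
# numeric KVNO; the "Keytab name:" and column-header rows are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Print the distinct enctypes in the listing, without the parentheses.
keytab_enctypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $3); print $3 }' | sort -u
}

# Succeed (0) when the listing holds keys and every one of them belongs to the
# principal the service will present, e.g. HTTP/host@REALM for Apache.
keytab_matches_principal() {
    all=$(keytab_principals "$1")
    [ -n "$all" ] || return 1
    others=$(printf '%s\n' "$all" | grep -v -x -F -- "$2" || true)
    [ -z "$others" ]
}

# Succeed (0) when legacy enctypes are present: single DES (deprecated by
# RFC 6649) or RC4 / arcfour-hmac (deprecated by RFC 8429).
keytab_has_legacy_enctypes() {
    keytab_enctypes "$1" | grep -E -q '^(des-cbc-|arcfour-hmac)'
}

# 0 only when the keytab is for the expected principal and carries at least
# one AES key, so the service can negotiate a modern enctype with clients.
keytab_ok_for_service() {
    keytab_matches_principal "$1" "$2" &&
        keytab_enctypes "$1" | grep -q '^aes'
}
```

On a real host, feed the functions `"$(klist -Kek /path/to/file.keytab)"` instead of the constructed strings.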