[Samba] Exporting keytab for SPN failure
Achim Gottinger
achim at ag-web.biz
Wed Sep 14 17:23:53 UTC 2016
On 14.09.2016 at 18:23, Michael A Weber wrote:
> Question though, just for my curiosity:
>
> The encryption algorithms specified after each SPN: I see that
> aes-256 is listed when I export the user, but not the SPN. Are those
> expected, or have I done something wrong and used incorrect algorithms
> somewhere? I recall reading that DES is not secure enough and that
> AES-256 (I think I read this during TLS enablement) is what should be
> used.
I get the same behaviour here. If I do not use the FQDN and only the
hostname without the domain part, the AES keys are included. In your case
--principal HTTP/intranet.
The encryption methods used can be controlled with net ads enctypes.
If I run (after kinit Administrator)
net ads enctypes list dc1$
I get
'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
If I use
net ads enctypes list dc1.domain.local$
I get
no account found with filter:
(&(objectclass=user)(sAMAccountName=dc1.domain.local$))
Seems "samba-tool domain exportkeytab" uses a similar algorithm and
therefore does not find the account and uses DES and arcfour keys by
default.
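The msDS-SupportedEncryptionTypes value quoted above (31 / 0x1f) is a plain bitmask, and the listing "net ads enctypes list" prints is just that mask decoded. The following script is an added example, not code from the post or from Samba: it decodes such a value with the five bit values shown in the listing, parses the tool's output back into a mask (cross-checking the checkbox rows against the number), flags the DES and RC4 bits a hardening review would want cleared, and renders what the listing would look like once they are. The weak/strong split and the hardened_mask policy are the editor's assumptions; any bits beyond the five on the page are reported as unknown rather than named.

```python
import re

# The five bit values of msDS-SupportedEncryptionTypes as printed by
# "net ads enctypes list" in the post. Bits outside this table are not named.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}

# Assumption (editor's policy): DES and RC4 are the legacy types to clear.
WEAK_MASK = 0x00000001 | 0x00000002 | 0x00000004
AES_MASK = 0x00000008 | 0x00000010


def decode_enctypes(mask):
    """Names of the enctypes enabled in a msDS-SupportedEncryptionTypes value."""
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]
    leftover = mask & ~sum(ENCTYPE_BITS)  # bits this table does not know
    if leftover:
        names.append("unknown 0x%08x" % leftover)
    return names


def weak_enctypes(mask):
    """DES/RC4 types the account still advertises."""
    return [ENCTYPE_BITS[b] for b in sorted(ENCTYPE_BITS) if b & WEAK_MASK and mask & b]


def hardened_mask(mask):
    """Same value with the DES and RC4 bits cleared; AES bits are left untouched."""
    return mask & ~WEAK_MASK


def render(account, mask):
    """Reproduce the checkbox listing that "net ads enctypes list" prints."""
    lines = ["'%s' uses \"msDS-SupportedEncryptionTypes\": %d (0x%08x)"
             % (account, mask, mask)]
    for bit, name in sorted(ENCTYPE_BITS.items()):
        lines.append("[%s] 0x%08x %s" % ("X" if mask & bit else " ", bit, name))
    return "\n".join(lines)


_HEADER = re.compile(r"^'(?P<account>[^']+)' uses \"msDS-SupportedEncryptionTypes\": "
                     r"(?P<dec>\d+) \(0x(?P<hex>[0-9a-fA-F]+)\)")
_ROW = re.compile(r"^\[(?P<on>[X ])\] 0x(?P<bit>[0-9a-fA-F]+) (?P<name>\S+)")


def parse_net_ads_output(text):
    """Parse "net ads enctypes list" output into (account, mask), verifying that
    the checkbox rows agree with the numeric value on the header line."""
    account = mask = None
    rows_mask = 0
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if m:
            account = m.group("account")
            mask = int(m.group("dec"))
            if mask != int(m.group("hex"), 16):
                raise ValueError("decimal and hex values disagree")
            continue
        m = _ROW.match(line.strip())
        if m and m.group("on") == "X":
            rows_mask |= int(m.group("bit"), 16)
    if account is None:
        raise ValueError("no msDS-SupportedEncryptionTypes line found")
    if rows_mask != mask & sum(ENCTYPE_BITS):
        raise ValueError("checkbox rows do not match the numeric mask")
    return account, mask


# Constructed sample: the listing for dc1$ exactly as quoted in the post.
SAMPLE_OUTPUT = """\
'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96
"""

if __name__ == "__main__":
    account, mask = parse_net_ads_output(SAMPLE_OUTPUT)
    print("enabled:", decode_enctypes(mask))
    print("weak:   ", weak_enctypes(mask))
    new = hardened_mask(mask)
    print("hardened value: %d (0x%08x)" % (new, new))
    print(render(account, new))
```

Feeding the post's dc1$ listing through parse_net_ads_output gives mask 31; weak_enctypes reports all three legacy types, and hardened_mask returns 24 (0x18), the AES-only value a reviewer would compare against when deciding what the account should advertise.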