[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Wed Sep 14 17:23:53 UTC 2016

Am 14.09.2016 um 18:23 schrieb Michael A Weber:
> Question though, just for my curiosity:
> The encryption algorithms specified after each SPN:  I see that 
> aes-256 is listed when I export the user, but not the SPN.  Are those 
> expected, or have I done something wrong and used incorrect algorithms 
> somewhere?  I recall reading that DES is not secure enough and that 
> AES-256 (I think I read this during TLS enablement) is what should be 
> used.
I get the same behaviour here. If i do nout use the FQDN and only the 
hostname without the domain part the aes keys are included. In your case 
--principal HTTP/intranet.

The encryption methods used can be controlled with net ads enctypes.

If i run (after kinit Administrator)
net ads enctypes list dc1$
i get
'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
[X] 0x00000001 DES-CBC-CRC
[X] 0x00000002 DES-CBC-MD5
[X] 0x00000004 RC4-HMAC
[X] 0x00000008 AES128-CTS-HMAC-SHA1-96
[X] 0x00000010 AES256-CTS-HMAC-SHA1-96

If i use
net ads enctypes list dc1.domain.local$
i get
no account found with filter: 

Seems "samba-tool domain exportkeytab" uses an similar algorythm and 
therefore does not find the account and uses des and arcfour keys per 

More information about the samba mailing list