[Samba] Exporting keytab for SPN failure

Achim Gottinger achim at ag-web.biz
Wed Sep 14 17:48:05 UTC 2016



On 14.09.2016 at 19:23, Achim Gottinger via samba wrote:
>
>
> On 14.09.2016 at 18:23, Michael A Weber wrote:
>> Question though, just for my curiosity:
>>
>> The encryption algorithms specified after each SPN:  I see that 
>> aes-256 is listed when I export the user, but not the SPN.  Are those 
>> expected, or have I done something wrong and used incorrect 
>> algorithms somewhere?  I recall reading that DES is not secure enough 
>> and that AES-256 (I think I read this during TLS enablement) is what 
>> should be used.
> I get the same behaviour here. If I do not use the FQDN and only the 
> hostname without the domain part, the AES keys are included. In your 
> case --principal HTTP/intranet.
>
> The encryption methods used can be controlled with net ads enctypes.
>
> If I run (after kinit Administrator)
> net ads enctypes list dc1$
> I get
> 'dc1$' uses "msDS-SupportedEncryptionTypes": 31 (0x0000001f)
> [X] 0x00000001 DES-CBC-CRC
> [X] 0x00000002 DES-CBC-MD5
> [X] 0x00000004 RC4-HMAC
> [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
> [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
>
> If I use
> net ads enctypes list dc1.domain.local$
> I get
> no account found with filter: 
> (&(objectclass=user)(sAMAccountName=dc1.domain.local$))
>
> Seems "samba-tool domain exportkeytab" uses a similar algorithm and 
> therefore does not find the account and uses DES and arcfour keys by 
> default.
>
After modifying the enctypes, domain exportkeytab still exports all the 
enctypes, so it does not seem to inspect the 
msDS-SupportedEncryptionTypes attribute, neither of the user account 
(UPN) nor of the host's account (hostname part of the SPN). I'm using a 
4.4.5 backport on Debian jessie btw.
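Two checks that go with the thread above, as an added example that is neither Samba's code nor the posters' own: decoding an msDS-SupportedEncryptionTypes value into the same enctype list that `net ads enctypes list` prints, and walking an exported keytab to report which principals received only DES/arcfour keys and no AES key (`klist -ke` shows the same information; the parser here follows the MIT keytab 0x0502 layout). The keytab fed to it is constructed inside the block, and the principal names, realm, kvno and key bytes are made up.

```python
import struct

# Bits of msDS-SupportedEncryptionTypes, in the order `net ads enctypes list` prints them
SUPPORTED_ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}

# Kerberos enctype numbers as they appear inside keytab entries (RFC 3961/3962, RFC 4757)
KEYTAB_ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
AES_ENCTYPES = {17, 18}


def decode_supported_enctypes(value):
    """Names of the enctypes whose bit is set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(SUPPORTED_ENCTYPE_BITS.items()) if value & bit]


def build_keytab(entries):
    """Build a version-2 (0x0502) MIT keytab from (principal, realm, kvno, enctype, key) tuples.

    Only used to construct test data here; a real keytab comes from
    `samba-tool domain exportkeytab`.
    """
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))                 # component count (realm excluded)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">II", 1, 0)                     # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)               # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Yield (principal@REALM, kvno, enctype) for every live entry of an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:            # malformed trailing record; stop rather than loop forever
            break
        if size < 0:             # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen              # skip the key material; only the enctype matters here
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno present, it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype


def principals_without_aes(data):
    """Principals in the keytab that have no AES key at all (only DES/arcfour)."""
    by_principal = {}
    for princ, _kvno, enctype in parse_keytab(data):
        by_principal.setdefault(princ, set()).add(enctype)
    return sorted(p for p, ets in by_principal.items() if not ets & AES_ENCTYPES)


# Constructed sample mirroring the thread: the user export carries AES, the SPN export does not.
SAMPLE_KEYTAB = build_keytab([
    ("intranet", "DOMAIN.LOCAL", 2, 3, b"\x00" * 8),                        # des-cbc-md5
    ("intranet", "DOMAIN.LOCAL", 2, 23, b"\x11" * 16),                      # arcfour-hmac
    ("intranet", "DOMAIN.LOCAL", 2, 18, b"\x22" * 32),                      # aes256
    ("HTTP/intranet.domain.local", "DOMAIN.LOCAL", 2, 3, b"\x00" * 8),      # des-cbc-md5
    ("HTTP/intranet.domain.local", "DOMAIN.LOCAL", 2, 23, b"\x11" * 16),    # arcfour-hmac
])

if __name__ == "__main__":
    print("31 ->", decode_supported_enctypes(31))
    for princ, kvno, et in parse_keytab(SAMPLE_KEYTAB):
        print(f"{princ} kvno={kvno} {KEYTAB_ENCTYPE_NAMES.get(et, et)}")
    print("no AES key:", principals_without_aes(SAMPLE_KEYTAB))
```

Run against a real file with `principals_without_aes(open("/path/to/exported.keytab", "rb").read())`; any principal it lists is one a client will only be able to authenticate to with the weaker enctypes, which is exactly the symptom the SPN export in the thread shows.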


